+ | Password | Enter, and then confirm, a secure password for the local administrator to create on the VM. Don't specify a domain user account's credentials. [Windows LAPS](/windows-server/identity/laps/laps-overview) isn't supported. |

+For Azure AD Multi-Factor Authentication or SSPR, users can choose to receive an SMS message with a verification code to enter in the sign-in interface, or receive a phone call.

+> [!NOTE]

+> Starting July 2023, we apply delivery method optimization such that tenants with a free or trial subscription may receive an SMS message or voice call.

+### SMS message verification

+With SMS message verification during SSPR or Azure AD Multi-Factor Authentication, a Short Message Service (SMS) text is sent to the mobile phone number containing a verification code. To complete the sign-in process, the verification code provided is entered into the sign-in interface.

+* [Multi-tier multi-tenant application sample](https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/blob/main/6-AdvancedScenarios/2-call-api-mt/README.md)

+> | Blazor | Blazor Server Series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-OIDC/MyOrg) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-OIDC/B2C) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-graph-user/Call-MSGraph) <br/> &#8226; [Call web API](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-your-API/MyOrg) <br/> &#8226; [Call web API (B2C)](https://github.com/Azure-Samples/ms-identity-blazor-server/tree/main/WebApp-your-API/B2C) | [MSAL.NET](/entra/msal/dotnet) | Hybrid flow |

+> | Node.js </p> Express | Express web app series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/1-Authentication/1-sign-in/README.md)<br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/1-Authentication/2-sign-in-b2c/README.md)<br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/2-Authorization/1-call-graph/README.md) <br/> &#8226; [Call Microsoft Graph via BFF proxy](https://github.com/Azure-Samples/ms-identity-node) <br/> &#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/3-Deployment/README.md)<br/> &#8226; [Use App Roles for access control](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/4-AccessControl/1-app-roles/README.md)<br/> &#8226; [Use Security Groups for access control](https://github.com/Azure-Samples/ms-identity-javascript-nodejs-tutorial/blob/main/4-AccessControl/2-security-groups/README.md) | [MSAL Node](/javascript/api/@azure/msal-node) | &#8226; Authorization code <br/>&#8226; Backend-for-Frontend (BFF) proxy |

+> | .NET Core | [Call Microsoft Graph by signing in users using username/password](https://github.com/azure-samples/active-directory-dotnetcore-console-up-v2) | [MSAL.NET](/entra/msal/dotnet) | Resource owner password credentials |

+> | Windows Presentation Foundation (WPF) | &#8226; [Sign in users and call ASP.NET Core web API](https://github.com/Azure-Samples/active-directory-dotnet-native-aspnetcore-v2/tree/master/1.%20Desktop%20app%20calls%20Web%20API) <br/> &#8226; [Sign in users and call Microsoft Graph](https://github.com/azure-samples/active-directory-dotnet-desktop-msgraph-v2) | [MSAL.NET](/entra/msal/dotnet) | Authorization code with PKCE |

+### Browserless (Headless)

+ $sku = Get-MgSubscribedSku -SubscribedSkuId $skuId

+ - To change the properties of an attribute, select a value under the **Label**, **Required**, or **Attribute type** columns, and then type or select a new value. (For security reasons, **Email Address** properties can't be changed).

+ Title: Sign in users in a sample ASP.NET browserless app

+description: Use a sample to learn how to configure a sample ASP.NET browserless app.

+#Customer intent: As a dev, devops, I want to learn about how to configure a sample ASP.NET browserless app to sign in users with my Azure Active Directory (Azure AD) for customers tenant

+# Sign in users into a sample ASP.NET browserless app using Device Code flow

+This how-to guide uses a sample ASP.NET browserless app to show how to add authentication to the app. The sample app enables users to sign in. The sample ASP.NET browserless app uses [Microsoft Authentication Library for .NET (MSAL NET)](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet) to handle authentication.

+## Prerequisites

+- [.NET 7 SDK](https://dotnet.microsoft.com/download/dotnet/7.0).

+- [Visual Studio Code](https://code.visualstudio.com/download) or another code editor.

+- Azure AD for customers tenant. If you don't already have one, <a href="https://aka.ms/ciam-free-trial?wt.mc_id=ciamcustomertenantfreetrial_linkclick_content_cnl" target="_blank">sign up for a free trial</a>.

+## Register the headless app

+## Enable public client flow

+## Grant API permissions

+Since this app signs-in users, add delegated permissions:

+## Create a user flow

+## Associate the browserless app with the user flow

+## Clone or download sample browserless app

+To get the browserless app sample code, you can do either of the following tasks: [Download the .zip file](https://github.com/Azure-Samples/ms-identity-ciam-dotnet-tutorial/archive/refs/heads/main.zip) or clone the sample web application from GitHub by running the following command:

+```console

+git clone https://github.com/Azure-Samples/ms-identity-ciam-dotnet-tutorial.git

+```

+If you choose to download the *.zip* file, extract the sample app file to a folder where the total length of the path is 260 or fewer characters.

+## Configure the sample browserless app

+1. Open the project in your IDE (like Visual Studio or Visual Studio Code) to configure the code.

+1. In your code editor, open the *appsettings.json* file in the *1-Authentication* > *4-sign-in-device-code* folder.

+1. Replace `Enter_the_Application_Id_Here` with the Application (client) ID of the app you registered earlier.

+

+1. Replace `Enter_the_Tenant_Subdomain_Here` with the Directory (tenant) subdomain. For example, if your primary domain is *contoso.onmicrosoft.com*, replace `Enter_the_Tenant_Subdomain_Here` with *contoso*. If you don't have your primary domain, learn how to [read tenant details](how-to-create-customer-tenant-portal.md#get-the-customer-tenant-details).

+## Run and test sample browserless app

+1. Open a console window, and change to the directory that contains the ASP.NET browserless sample app:

+ ```console

+ cd 1-Authentication/4-sign-in-device-code

+ ```

+1. In your terminal, run the app by running the following command:

+ ```console

+ dotnet run

+ ```

+1. When the app launches, copy the suggested URL *https://microsoft.com/devicelogin* from the terminal and visit it in a browser. Then, copy the device code from the terminal and [follow the prompts](./how-to-browserless-app-dotnet-sign-in-sign-in.md#sign-in-to-your-app) on *https://microsoft.com/devicelogin*.

+## How it works

+The browserless app is initialized as a public client application. You acquire token using the device code auth grant flow. This flow allows users to sign in to input-constrained devices such as a smart TV, IoT device, or a printer. You then pass a callback to the `AcquireTokenWithDeviceCodeAsync` method. This callback contains a `DeviceCodeResult` object that contains the URL a user navigates to and sign in. Once the user signs in, an `AuthenticationResult` is returned containing an access token and some basic account information.

+```csharp

+var scopes = new string[] { }; // by default, MSAL attaches OIDC scopes to every token request

+var result = await app.AcquireTokenWithDeviceCode(scopes, async deviceCode => {

+ Console.WriteLine($"In a broswer, navigate to the URL '{deviceCode.VerificationUrl}' and enter the code '{deviceCode.UserCode}'");

+ await Task.FromResult(0);

+}).ExecuteAsync();

+Console.WriteLine($"You signed in as {result.Account.Username}");

+```

+## Next steps

+Next, learn how to prepare your Azure AD for customers tenant.

+> [!div class="nextstepaction"]

+> [Build your own ASP.NET browserless app and sign in users >](how-to-browserless-app-dotnet-sign-in-overview.md)

+ Title: Sign in users in a sample Node.js browserless application using the Device Code flow

+description: Learn how to configure a sample browserless application to sign in users in an Azure Active Directory (Azure AD) for customers tenant

+#Customer intent: As a dev, devops, I want to learn about how to configure a sample Node.js browserless application to authenticate users with my Azure Active Directory (Azure AD) for customers tenant

+# Authenticate users in a sample Node.js browserless application using the Device Code flow

+This how-to guide uses a sample Node.js application to show how to sign in users in a browserless application. The sample application uses the device code flow to sign in users in an Azure Active Directory (Azure AD) for customers tenant.

+In this article, you complete the following tasks:

+- Register an application in the Microsoft Entra admin center.

+- Create a sign-in and sign-out user flow in Microsoft Entra admin center.

+- Associate your browserless application with the user flow.

+- Update a sample Node.js browserless application using your own Azure AD for customers tenant.

+- Run and test the sample browserless application.

+## Prerequisites

+- [Node.js](https://nodejs.org).

+- [Visual Studio Code](https://code.visualstudio.com/download) or another code editor.

+- Azure AD for customers tenant. If you don't already have one, <a href="https://aka.ms/ciam-free-trial?wt.mc_id=ciamcustomertenantfreetrial_linkclick_content_cnl" target="_blank">sign up for a free trial</a>.

+## Register the browserless app

+## Grant API permissions

+## Create a user flow

+## Associate the browserless application with the user flow

+## Clone or download sample browserless application

+To get the browserless app sample code, you can do either [download the .zip file](https://github.com/Azure-Samples/ms-identity-ciam-javascript-tutorial/archive/refs/heads/main.zip) or clone the sample browserless application from GitHub by running the following command:

+```powershell

+ git clone https://github.com/Azure-Samples/ms-identity-ciam-javascript-tutorial.git

+```

+## Install project dependencies

+1. Open a console window, and navigate to the directory that contains the Node.js sample app. For example:

+ ```powershell

+ cd 1-Authentication\4-sign-in-device-code\App

+ ```

+1. Run the following command to install app dependencies:

+ ```powershell

+ npm install

+ ```

+## Update the sample app to use its Azure app registration details

+1. In your code editor, open the `App\authConfig.js` file.

+1. Find the placeholder:

+

+ 1. `Enter_the_Application_Id_Here` and replace it with the Application (client) ID of the app you registered earlier.

+

+ 1. Find the placeholder `Enter_the_Tenant_Subdomain_Here` and replace it with the Directory (tenant) subdomain. For instance, if your tenant primary domain is `contoso.onmicrosoft.com`, use `contoso`. If you don't have your tenant domain name, [learn how to read your tenant details](how-to-create-customer-tenant-portal.md#get-the-customer-tenant-details).

+## Run and test sample browserless app

+You can now test the sample Node.js browserless app.

+1. In your terminal, run the following command:

+ ```powershell

+ npm start

+ ```

+1. Open your browser, then go to the URL suggested from the message in the terminal, https://microsoft.com/devicelogin. You should see a page similar to the following screenshot:

+ :::image type="content" source="media/how-to-browserless-app-node-sample-sign-in/browserless-app-node-sign-in-enter-code.png" alt-text="Screenshot of the enter code prompt in a node browserless application using the device code flow.":::

+1. To authenticate, copy the device code from the message in the terminal then paste it in the **Enter Code** prompt. After entering the code, you'll be redirected to the sign-in page as follows:

+ :::image type="content" source="media/how-to-browserless-app-node-sample-sign-in/browserless-app-node-sign-in-page.png" alt-text="Screenshot showing the sign in page in a node browserless application.":::

+1. On the sign-in page, type your **Email address**. If you don't have an account, select **No account? Create one**, which starts the sign-up flow.

+1. If you choose the sign-up option, after filling in your email, one-time passcode, new password and more account details, you complete the whole sign-up flow. After completing the sign up flow and signing in, you see a page similar to the following screenshot:

+ :::image type="content" source="media/how-to-browserless-app-node-sample-sign-in/browserless-app-node-signed-in-user.png" alt-text="Screenshot showing a signed-in user in a node browserless application.":::

+1. Move back to the terminal and see your authentication information including the ID token claims returned by Microsoft Entra.

+## Next steps

+Learn how to:

+- [Sign in users in your own Node.js browserless application by using Microsoft Entra](how-to-browserless-app-node-sign-in-overview.md)

+ Title: Call an API in a sample Node.js daemon application

+description: Learn how to configure a sample Node.js daemon application that calls an API protected Azure Active Directory (Azure AD) for customers

+#Customer intent: As a dev, devops, I want to configure a sample Node.js daemon application that calls an API protected by Azure Active Directory (Azure AD) for customers tenant

+# Call an API in a sample Node.js daemon application

+This article uses a sample Node.js daemon application to show you how a daemon app acquires a token to call a web API. Azure Active Directory (Azure AD) for customers protects the Web API.

+A daemon application acquires a token on behalf of itself (not on behalf of a user). Users can't interact with a daemon application because it requires its own identity. This type of application requests an access token by using its application identity and presenting its application ID, credential (password or certificate), and application ID URI to Azure AD.

+A daemon app uses the standard [OAuth 2.0 client credentials grant](../../develop/v2-oauth2-client-creds-grant-flow.md). To simplify the process of acquiring the token, the sample we use in this article uses [Microsoft Authentication Library for Node (MSAL Node)](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node).

+## Prerequisites

+- [Node.js](https://nodejs.org).

+- [.NET 7.0](https://dotnet.microsoft.com/learn/dotnet/hello-world-tutorial/install) or later.

+- [Visual Studio Code](https://code.visualstudio.com/download) or another code editor.

+- Azure AD for customers tenant. If you don't already have one, <a href="https://aka.ms/ciam-free-trial?wt.mc_id=ciamcustomertenantfreetrial_linkclick_content_cnl" target="_blank">sign up for a free trial</a>.

+## Register a daemon application and a web API

+In this step, you create the daemon and the web API application registrations, and you specify the scopes of your web API.

+### Register a web API application

+### Configure app roles

+### Configure optional claims

+### Register the daemon app

+### Create a client secret

+### Grant API permissions to the daemon app

+## Clone or download sample daemon application and web API

+To get the web app sample code, you can do either of the following tasks:

+- [Download the .zip file](https://github.com/Azure-Samples/ms-identity-ciam-javascript-tutorial/archive/refs/heads/main.zip) or clone the sample web application from GitHub by running the following command:

+ ```console

+ git clone https://github.com/Azure-Samples/ms-identity-ciam-javascript-tutorial.git

+ ```

+If you choose to download the *.zip* file, extract the sample app file to a folder where the total length of the path is 260 or fewer characters.

+## Install project dependencies

+1. Open a console window, and change to the directory that contains the Node.js sample app:

+ ```console

+ cd 2-Authorization\3-call-api-node-daemon\App

+ ```

+1. Run the following commands to install app dependencies:

+ ```console

+ npm install && npm update

+ ```

+## Configure the sample daemon app and API

+To use your app registration in the client web app sample:

+1. In your code editor, open `App\authConfig.js` file.

+1. Find the placeholder:

+ - `Enter_the_Application_Id_Here` and replace it with the Application (client) ID of the daemon app you registered earlier.

+

+ - `Enter_the_Tenant_Subdomain_Here` and replace it with the Directory (tenant) subdomain. For example, if your tenant primary domain is `contoso.onmicrosoft.com`, use `contoso`. If you don't have your tenant name, learn how to [read your tenant details](how-to-create-customer-tenant-portal.md#get-the-customer-tenant-details).

+

+ - `Enter_the_Client_Secret_Here` and replace it with the daemon app secret value you copied earlier.

+

+ - `Enter_the_Web_Api_Application_Id_Here` and replace it with the Application (client) ID of the web API you copied earlier.

+To use your app registration in the web API sample:

+1. In your code editor, open `API\ToDoListAPI\appsettings.json` file.

+1. Find the placeholder:

+

+ - `Enter_the_Application_Id_Here` and replace it with the Application (client) ID of the web API you copied.

+

+ - `Enter_the_Tenant_Id_Here` and replace it with the Directory (tenant) ID you copied earlier.

+

+ - `Enter_the_Tenant_Subdomain_Here` and replace it with the Directory (tenant) subdomain. For example, if your tenant primary domain is `contoso.onmicrosoft.com`, use `contoso`. If you don't have your tenant name, learn how to [read your tenant details](how-to-create-customer-tenant-portal.md#get-the-customer-tenant-details).

+## Run and test sample daemon app and API

+1. Open a console window, then run the web API by using the following commands:

+ ```console

+ cd 2-Authorization\3-call-api-node-daemon\API\ToDoListAPI

+ dotnet run

+ ```

+1. Run the web app client by using the following commands:

+ ```console

+ 2-Authorization\3-call-api-node-daemon\App

+ node . --op getToDos

+ ```

+If your daemon app and web API successfully run, you should see something similar to the following JSON array in your console window

+```json

+{

+ id: 1,

+ owner: '3e8....-db63-43a2-a767-5d7db...',

+ description: 'Pick up grocery'

+},

+{

+ id: 2,

+ owner: 'c3cc....-c4ec-4531-a197-cb919ed.....',

+ description: 'Finish invoice report'

+},

+{

+ id: 3,

+ owner: 'a35e....-3b8a-4632-8c4f-ffb840d.....',

+ description: 'Water plants'

+}

+```

+### How it works

+The Node.js app uses [OAuth 2.0 client credentials grant](../../develop/v2-oauth2-client-creds-grant-flow.md) to acquire an access token for itself and not for the user. The access token that the app requests contains the permissions represented as roles. The client credential flow uses this set of permissions in place of user scopes for application tokens.You [exposed these application permissions](#configure-app-roles) in the web API earlier, then [granted them to the daemon app](#grant-api-permissions-to-the-daemon-app).

+On the API side, the web API must verify that the access token has the required permissions (application permissions). The web API can't accept an access token that doesn't have the required permissions.

+### Access to data

+A Web API endpoint should be prepared to accept calls from both users and applications. Therefore, it should have a way to respond to each request accordingly. For example, a call from a user via delegated permissions/scopes receives the user's data to-do list. On the other hand, a call from an application via application permissions/roles may receive the entire to-do list. However, in this article, we're only making an application call, so we didn't need to configure delegated permissions/scopes.

+## Next steps

+- Learn how to [Acquire an access token, then call a web API in your own Node.js daemon app](how-to-daemon-node-call-api-overview.md).

+- Learn how to [Use client certificate instead of a secret for authentication in your Node.js confidential app](how-to-web-app-node-use-certificate.md).

+- Learn about [permissions and consent](../../develop/permissions-consent-overview.md).

+ Title: Sign in users in a sample vanilla JavaScript single-page application

+description: Learn how to configure a sample JavaSCript single-page application (SPA) to sign in and sign out users.

+#Customer intent: As a dev, devops, I want to learn about how to configure a sample vanilla JS SPA to sign in and sign out users with my Azure Active Directory (Azure AD) for customers tenant

+# Sign in users in a sample vanilla JavaScript single-page application

+This how-to guide uses a sample vanilla JavaScript single-page Application (SPA) to demonstrate how to add authentication to a SPA. The SPA enables users to sign in and sign out by using their own Azure Active Directory (AD) for customers tenant. The sample uses the [Microsoft Authentication Library for JavaScript (MSAL.js)](https://github.com/AzureAD/microsoft-authentication-library-for-js) to handle authentication.

+## Prerequisites

+* Although any IDE that supports vanilla JS applications can be used, **Visual Studio Code** is recommended for this guide. It can be downloaded from the [Downloads](https://visualstudio.microsoft.com/downloads) page.

+* [Node.js](https://nodejs.org/en/download/).

+* Azure AD for customers tenant. If you don't already have one, <a href="https://aka.ms/ciam-free-trial?wt.mc_id=ciamcustomertenantfreetrial_linkclick_content_cnl" target="_blank">sign up for a free trial</a>.

+## Register the SPA in the Microsoft Entra admin center

+## Grant API permissions

+## Create a user flow

+## Associate the SPA with the user flow

+## Clone or download sample SPA

+To get the sample SPA, you can choose one of the following options:

+* Clone the repository using Git:

+ ```powershell

+ git clone https://github.com/Azure-Samples/ms-identity-ciam-javascript-tutorial.git

+ ```

+* [Download the sample](https://github.com/Azure-Samples/ms-identity-ciam-javascript-tutorial/archive/refs/heads/main.zip)

+If you choose to download the `.zip` file, extract the sample app file to a folder where the total length of the path is 260 or fewer characters.

+## Install project dependencies

+1. Open a terminal window in the root directory of the sample project, and enter the following snippet to navigate to the project folder:

+ ```powershell

+ cd 1-Authentication\0-sign-in-vanillajs\App

+ ```

+1. Install the project dependencies:

+ ```powershell

+ npm install

+ ```

+## Configure the sample SPA

+1. Open `authConfig.js`.

+1. Find `Enter_the_Tenant_Name_Here` and replace it with the name of your tenant.

+1. In **Authority**, find `Enter_the_Tenant_Subdomain_Here` and replace it with the subdomain of your tenant. For example, if your tenant primary domain is *caseyjensen@onmicrosoft.com*, the value you should enter is *casyjensen*.

+1. Save the file.

+## Run your project and sign in

+1. Open a new terminal and run the following command to start your express web server.

+ ```powershell

+ npm start

+ ```

+1. Open a web browser and navigate to `http://localhost:3000/`.

+1. Select **No account? Create one**, which starts the sign-up flow.

+1. In the **Create account** window, enter the email address registered to your customer tenant, which starts the sign-up flow as a user for your application.

+1. After entering a one-time passcode from the customer tenant, enter a new password and more account details, this sign-up flow is completed.

+1. If a window appears prompting you to **Stay signed in**, choose either **Yes** or **No**.

+1. The SPA will now display a button saying **Request Profile Information**. Select it to display profile data.

+ :::image type="content" source="media/how-to-spa-vanillajs-sign-in-sign-in-out/display-vanillajs-welcome.png" alt-text="Screenshot of sign in into a vanilla JS SPA." lightbox="media/how-to-spa-vanillajs-sign-in-sign-in-out/display-vanillajs-welcome.png":::

+## Sign out of the application

+1. To sign out of the application, select **Sign out** in the navigation bar.

+1. A window appears asking which account to sign out of.

+1. Upon successful sign out, a final window appears advising you to close all browser windows.

+## Next steps

+> [!div class="nextstepaction"]

+> [Enable self-service password reset](./how-to-enable-password-reset-customers.md)

+ Title: Sign in users in a sample Angular single-page application.

+description: Learn how to configure a sample Angular Single Page Application (SPA) using Azure Active Directory for Customers

+#Customer intent: As a dev, devops, I want to learn about how to configure a sample Angular Single Page Application to sign in and sign out users with my Azure Active Directory (Azure AD) for customers tenant

+# Sign in users in a sample Angular single-page application

+This how-to guide uses a sample Angular single-page application (SPA) to demonstrate how to add authentication users into a SPA. The SPA enables users to sign in and sign out by using your Azure Active Directory (Azure AD) for customers tenant. The sample uses the [Microsoft Authentication Library for JavaScript (MSAL.js)](https://github.com/AzureAD/microsoft-authentication-library-for-js) to handle authentication.

+## Prerequisites

+* Although any IDE that supports vanilla JS applications can be used, **Visual Studio Code** is used for this guide. It can be downloaded from the [Downloads](https://visualstudio.microsoft.com/downloads) page.

+* [Node.js](https://nodejs.org/en/download/).

+* Azure AD for customers tenant. If you don't already have one, <a href="https://aka.ms/ciam-free-trial?wt.mc_id=ciamcustomertenantfreetrial_linkclick_content_cnl" target="_blank">sign up for a free trial</a>.

+## Register the SPA in the Microsoft Entra admin center

+## Grant API permissions

+## Create a user flow

+## Associate the SPA with the user flow

+## Clone or download sample SPA

+To get the sample SPA, you can choose one of the following options:

+* Clone the repository using Git:

+ ```powershell

+ git clone https://github.com/Azure-Samples/ms-identity-ciam-javascript-tutorial.git

+ ```

+* [Download the sample](https://github.com/Azure-Samples/ms-identity-ciam-javascript-tutorial/archive/refs/heads/main.zip)

+If you choose to download the `.zip` file, extract the sample app file to a folder where the total length of the path is 260 or fewer characters.

+## Install project dependencies

+1. Open a terminal window in the root directory of the sample project, and enter the following snippet to navigate to the project folder:

+ ```powershell

+ cd 1-Authentication\2-sign-in-angular\SPA

+ ```

+1. Install the project dependencies:

+ ```powershell

+ npm install

+ ```

+## Configure the sample SPA

+1. Open `SPA\src\authConfig.js` and replace the following with the values obtained from the Microsoft Entra admin center

+ * `clientId` - The identifier of the application, also referred to as the client. Replace `Enter_the_Application_Id_Here` with the **Application (client) ID** value that was recorded earlier from the overview page of the registered application.

+ * `authority` - The identity provider instance and sign-in audience for the app. Replace `Enter_the_Tenant_Name_Here` with the name of your CIAM tenant.

+ * The *Tenant ID* is the identifier of the tenant where the application is registered. Replace the `_Enter_the_Tenant_Info_Here` with the **Directory (tenant) ID** value that was recorded earlier from the overview page of the registered application.

+1. Save the file.

+## Run your project and sign in

+All the required code snippets have been added, so the application can now be called and tested in a web browser.

+1. Open a new terminal by selecting **Terminal** > **New Terminal**.

+1. Run the following command to start your web server.

+ ```powershell

+ cd 1-Authentication\2-sign-in-angular\SPA

+ npm start

+ ```

+1. Open a web browser and navigate to `http://localhost:4200/`.

+1. Sign-in with an account registered to the Azure AD for customers tenant.

+1. Once you successfully sign-in, the display name is shown next to the **Sign out** button.

+## Next steps

+Learn how to use the Microsoft Authentication Library (MSAL) for JavaScript to sign in users and acquire tokens to call Microsoft Graph.

+ Title: Sign in users in a sample React single-page application

+description: Learn how to configure a sample React single-page app (SPA) to sign in and sign out users.

+#Customer intent: As a dev, devops, I want to learn about how to configure a sample React single-page app to sign in and sign out users with my Azure Active Directory (Azure AD) for customers tenant

+# Sign in users in a sample React single-page app (SPA)

+This guide uses a sample React single-page application (SPA) to demonstrate how to add authentication to a SPA. This SPA enables users to sign in and sign out by using you Azure Active Directory (Azure AD) for customers tenant. The sample uses the [Microsoft Authentication Library for JavaScript (MSAL.js)](https://github.com/AzureAD/microsoft-authentication-library-for-js) to handle authentication.

+## Prerequisites

+* Although any IDE that supports React applications can be used, **Visual Studio Code** is used for this guide. It can be downloaded from the [Downloads](https://visualstudio.microsoft.com/downloads) page.

+* [Node.js](https://nodejs.org/en/download/).

+* Azure AD for customers tenant. If you don't already have one, <a href="https://aka.ms/ciam-free-trial?wt.mc_id=ciamcustomertenantfreetrial_linkclick_content_cnl" target="_blank">sign up for a free trial</a>.

+## Register the SPA in the Microsoft Entra admin center

+## Grant API permissions

+## Create a user flow

+## Associate the SPA with the user flow

+## Clone or download sample SPA

+To get the sample SPA, you can choose one of the following options:

+* Clone the repository using Git:

+ ```powershell

+ git clone https://github.com/Azure-Samples/ms-identity-ciam-javascript-tutorial.git

+ ```

+* [Download the sample](https://github.com/Azure-Samples/ms-identity-ciam-javascript-tutorial/archive/refs/heads/main.zip)

+If you choose to download the `.zip` file, extract the sample app file to a folder where the total length of the path is 260 or fewer characters.

+## Install project dependencies

+1. Open a terminal window in the root directory of the sample project, and enter the following snippet to navigate to the project folder:

+ ```powershell

+ cd 1-Authentication\1-sign-in-react\SPA

+ ```

+1. Install the project dependencies:

+ ```powershell

+ npm install

+ ```

+## Configure the sample SPA

+1. Open _SPA\src\authConfig.js_ and replace the following with the values obtained from the Microsoft Entra admin center

+ * `clientId` - The identifier of the application, also referred to as the client. Replace `Enter_the_Application_Id_Here` with the **Application (client) ID** value that was recorded earlier from the overview page of the registered application.

+ * `authority` - The identity provider instance and sign-in audience for the app. Replace `Enter_the_Tenant_Name_Here` with the name of your Azure AD customer tenant.

+ * The *Tenant ID* is the identifier of the tenant where the application is registered. Replace the `_Enter_the_Tenant_Info_Here` with the **Directory (tenant) ID** value that was recorded earlier from the overview page of the registered application.

+1. Save the file.

+## Run your project and sign in

+All the required code snippets have been added, so the application can now be called and tested in a web browser.

+1. Open a new terminal by selecting **Terminal** > **New Terminal**.

+1. Run the following command to start your web server.

+ ```powershell

+ cd 1-Authentication\1-sign-in-react\SPA

+ npm start

+ ```

+1. Open a web browser and navigate to `http://localhost:3000/`.

+1. Sign-in with an account registered to the Azure AD customer tenant.

+1. Once signed in the display name is shown next to the **Sign out** button.

+## Next steps

+> [!div class="nextstepaction"]

+> [Enable self-service password reset](./how-to-enable-password-reset-customers.md)

+ Title: Sign in users to a sample ASP.NET web application

+description: Learn how to configure a sample ASP.NET web app to sign in and sign out users by using an Azure AD for customers tenant.

+#Customer intent: As a dev, devops, I want to learn about how to configure a sample ASP.NET web app to sign in and sign out users with my Azure Active Directory (Azure AD) for customers tenant

+# Sign in users for a sample ASP.NET web app in an Azure AD for customers tenant

+This how-to guide uses a sample ASP.NET web application to show the fundamentals of modern authentication using the [Microsoft Authentication Library for .NET](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet) and [Microsoft Identity Web](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node) for ASP.NET to handle authentication.

+In this article, you'll register a web application in the Microsoft Entra admin center and create a sign in and sign out user flow. You'll associate your web application with the user flow, download and update a sample ASP.NET web application using your own Azure Active Directory (Azure AD) for customers tenant details. Finally, you'll run and test the sample web application.

+## Prerequisites

+- Although any IDE that supports ASP.NET applications can be used, Visual Studio Code is used for this guide. It can be downloaded from the [Downloads](https://visualstudio.microsoft.com/downloads/) page.

+- [.NET 7.0 SDK](https://dotnet.microsoft.com/download/dotnet).

+- Azure AD for customers tenant. If you don't already have one, <a href="https://aka.ms/ciam-free-trial?wt.mc_id=ciamcustomertenantfreetrial_linkclick_content_cnl" target="_blank">sign up for a free trial</a>.

+## Register the web app

+## Define the platform and URLs

+## Add app client secret

+## Grant API permissions

+## Create a user flow

+## Associate the web application with the user flow

+## Clone or download sample web application

+To get the web app sample code, you can do either of the following tasks:

+- [Download the .zip file](https://github.com/Azure-Samples/ms-identity-ciam-dotnet-tutorial/archive/refs/heads/main.zip). Extract the sample app file to a folder where the total length of the path is 260 or fewer characters.

+- Clone the sample web application from GitHub by running the following command:

+ ```powershell

+ git clone https://github.com/Azure-Samples/ms-identity-ciam-dotnet-tutorial.git

+ ```

+## Configure the application

+1. Navigate to the root folder of the sample you have downloaded and directory that contains the ASP.NET sample app:

+ ```powershell

+ cd 1-Authentication\1-sign-in-aspnet-core-mvc

+ ```

+1. Open the *appsettings.json* file.

+1. In **Authority**, find `Enter_the_Tenant_Subdomain_Here` and replace it with the subdomain of your tenant. For example, if your tenant primary domain is *caseyjensen@onmicrosoft.com*, the value you should enter is *casyjensen*.

+1. Find the `Enter_the_Application_Id_Here` value and replace it with the application ID (clientId) of the app you registered in the Microsoft Entra admin center.

+1. Replace `Enter_the_Client_Secret_Here` with the client secret value you set up in [Add app client secret](#add-app-client-secret).

+## Run the code sample

+1. From your shell or command line, execute the following commands:

+ ```powershell

+ dotnet run

+ ```

+1. Open your web browser and navigate to `https://localhost:7274`.

+1. Sign-in with an account registered to the customer tenant.

+1. Once signed in the display name is shown next to the **Sign out** button as shown in the following screenshot.

+ :::image type="content" source="media/how-to-web-app-dotnet-sign-in-sign-in-out/display-aspnet-welcome.png" alt-text="Screenshot of sign in into a ASP.NET web app.":::

+1. To sign-out from the application, select the **Sign out** button.

+## Next steps

+- [Enable password reset](how-to-enable-password-reset-customers.md)

+- [Customize the default branding](how-to-customize-branding-customers.md)

+- [Configure sign-in with Google](how-to-google-federation-customers.md)

+- [Sign in users in your own ASP.NET web application by using an Azure AD for customers tenant](how-to-web-app-dotnet-sign-in-prepare-app.md)

+ Title: Sign in users and call an API in sample Node.js web application

+description: Learn how to configure a sample web app to sign in users and call an API.

+#Customer intent: As a dev, devops, I want to learn about how to configure a sample web app to sign in and sign out users with my CIAM tenant

+# Sign in users and call an API in sample Node.js web application

+This how-to guide uses a sample Node.js web application to show you how to add authentication and authorization. The sample application sign in users to a Node.js web app, which then calls a .NET API. You enable authentication and authorization by using your Azure Active Directory (Azure AD) for customers tenant details. The sample web application uses [Microsoft Authentication Library (MSAL)](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node) for Node to handle authentication.

+In this article, you complete the following tasks:

+- Register and configure a web API in the Microsoft Entra admin center.

+- Register and configure a client web application in the Microsoft Entra admin center.

+- Create a sign-up and sign-in user flow in the Microsoft Entra admin center, and then associate a client web app with it.

+- Update a sample Node web application and ASP.NET web API to use your Azure AD for customers tenant details.

+- Run and test the sample web application and API.

+## Prerequisites

+- [Node.js](https://nodejs.org).

+- [.NET 7.0](https://dotnet.microsoft.com/learn/dotnet/hello-world-tutorial/install) or later.

+- [Visual Studio Code](https://code.visualstudio.com/download) or another code editor.

+- Azure AD for customers tenant. If you don't already have one, <a href="https://aka.ms/ciam-free-trial?wt.mc_id=ciamcustomertenantfreetrial_linkclick_content_cnl" target="_blank">sign up for a free trial</a>.

+## Register a web application and a web API

+In this step, you create the web and the web API application registrations, and you specify the scopes of your web API.

+### Register a web API application

+### Configure API scopes

+This API needs to expose permissions, which a client needs to acquire for calling the API:

+### Configure app roles

+### Configure optional claims

+### Register the web app

+### Create a client secret

+### Grant API permissions to the web app

+## Create a user flow

+## Associate web application with the user flow

+## Clone or download sample web application and web API

+To get the web app and web API sample code, [download the .zip file](https://github.com/Azure-Samples/ms-identity-ciam-javascript-tutorial/archive/refs/heads/main.zip) or clone the sample web application from GitHub by running the following command:

+```powershell

+git clone https://github.com/Azure-Samples/ms-identity-ciam-javascript-tutorial.git

+```

+If you choose to download the `.zip` file, extract the sample app file to a folder where the total length of the path is 260 or fewer characters.

+## Install project dependencies

+1. Open a console window, and change to the directory that contains the Node.js/Express sample app:

+ ```powershell

+ cd 2-Authorization\4-call-api-express\App

+ ```

+1. Run the following commands to install web app dependencies:

+ ```powershell

+ npm install && npm update

+ ```

+## Configure the sample web app and API

+To use your app registration in the client web app sample:

+1. In your code editor, open `App\authConfig.js` file.

+1. Find the placeholder:

+ - `Enter_the_Application_Id_Here` and replace it with the Application (client) ID of the app you registered earlier.

+

+ - `Enter_the_Tenant_Subdomain_Here` and replace it with the Directory (tenant) subdomain. For example, if your tenant primary domain is `contoso.onmicrosoft.com`, use `contoso`. If you don't have your tenant name, learn how to [read your tenant details](how-to-create-customer-tenant-portal.md#get-the-customer-tenant-details).

+

+ - `Enter_the_Client_Secret_Here` and replace it with the app secret value you copied earlier.

+

+ - `Enter_the_Web_Api_Application_Id_Here` and replace it with the Application (client) ID of the web API you copied earlier.

+To use your app registration in the web API sample:

+1. In your code editor, open `API\ToDoListAPI\appsettings.json` file.

+1. Find the placeholder:

+

+ - `Enter_the_Application_Id_Here` and replace it with the Application (client) ID of the web API you copied.

+

+ - `Enter_the_Tenant_Id_Here` and replace it with the Directory (tenant) ID you copied earlier.

+

+ - `Enter_the_Tenant_Subdomain_Here` and replace it with the Directory (tenant) subdomain. For example, if your tenant primary domain is `contoso.onmicrosoft.com`, use `contoso`. If you don't have your tenant name, learn how to [read your tenant details](how-to-create-customer-tenant-portal.md#get-the-customer-tenant-details).

+## Run and test sample web app and API

+1. Open a console window, then run the web API by using the following commands:

+ ```powershell

+ cd 2-Authorization\4-call-api-express\API\ToDoListAPI

+ dotnet run

+ ```

+1. Run the web app client by using the following commands:

+ ```powershell

+ cd 2-Authorization\4-call-api-express\App

+ npm start

+ ```

+1. Open your browser, then go to http://localhost:3000.

+1. Select the **Sign In** button. You're prompted to sign in.

+ :::image type="content" source="media/how-to-web-app-node-sample-sign-in-call-api/web-app-node-sign-in.png" alt-text="Screenshot of sign in into a node web app.":::

+1. On the sign-in page, type your **Email address**, select **Next**, type your **Password**, then select **Sign in**. If you don't have an account, select **No account? Create one** link, which starts the sign-up flow.

+1. If you choose the sign-up option, after filling in your email, one-time passcode, new password and more account details, you complete the whole sign-up flow. You see a page similar to the following screenshot. You see a similar page if you choose the sign-in option.

+ :::image type="content" source="media/how-to-web-app-node-sample-sign-in-call-api/sign-in-call-api-view-to-do.png" alt-text="Screenshot of sign in into a node web app and call an API.":::

+### Call API

+1. To call the API, select the **View your todolist** link. You see a page similar to the following screenshot.

+

+ :::image type="content" source="media/how-to-web-app-node-sample-sign-in-call-api/sign-in-call-api-manipulate-to-do.png" alt-text="Screenshot of manipulate API to do list.":::

+1. Manipulate the to-do list by creating and removing items.

+### How it works

+You trigger an API call each time you view, add or remove a task. Each time you trigger an API call, the client web app acquires an access token with the required permissions (scopes) to call an API endpoint. For example, to read a task, the client web app must acquire an access token with `ToDoList.Read` permission/scope.

+On the web API side, the endpoint must validate that the permissions/scopes present in the access token, which the client app presents, is valid. If the access token is valid, the endpoint responds to the HTTP request, otherwise, it responds with a `401 Unauthorized` HTTP error.

+## Next steps

+Learn how to:

+- [Sign in users and call an API in your own Node.js web application](how-to-web-app-node-sign-in-call-api-overview.md). By completing these steps, you build a web app and web API similar to the sample you've run.

+- [Enable password reset](how-to-enable-password-reset-customers.md).

+- [Customize the default branding](how-to-customize-branding-customers.md).

+- [Configure sign-in with Google](how-to-google-federation-customers.md).

+ Title: Sign in users in a sample Node.js web application

+description: Learn how to configure a sample web app to sign in and sign out users.

+#Customer intent: As a dev, devops, I want to learn about how to configure a sample Node.js web app to sign in and sign out users with my Azure Active Directory (Azure AD) for customers tenant

+# Sign in users in a sample Node.js web application

+This how-to guide uses a sample Node.js web application to show you how to add authentication to a web application. The sample application enables users to sign in and sign out. The sample web application uses [Microsoft Authentication Library for Node (MSAL Node)](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-node) for Node to handle authentication.

+In this article, you do the following tasks:

+- Register a web application in the Microsoft Entra admin center.

+- Create a sign-in and sign-out user flow in Microsoft Entra admin center.

+- Associate your web application with the user flow.

+- Update a sample Node.js web application using your own Azure Active Directory (Azure AD) for customers tenant details.

+- Run and test the sample web application.

+## Prerequisites

+- [Node.js](https://nodejs.org).

+- [Visual Studio Code](https://code.visualstudio.com/download) or another code editor.

+- Azure AD for customers tenant. If you don't already have one, <a href="https://aka.ms/ciam-free-trial?wt.mc_id=ciamcustomertenantfreetrial_linkclick_content_cnl" target="_blank">sign up for a free trial</a>.

+<!--Awaiting this link http://developer.microsoft.com/identity/customers to go live on Developer hub-->

+## Register the web app

+## Add app client secret

+## Grant API permissions

+Since this app signs-in users, add delegated permissions:

+## Create a user flow

+## Associate the web application with the user flow

+## Clone or download sample web application

+To get the web app sample code, you can do either of the following tasks:

+- [Download the .zip file](https://github.com/Azure-Samples/ms-identity-ciam-javascript-tutorial/archive/refs/heads/main.zip) or clone the sample web application from GitHub by running the following command:

+ ```console

+ git clone https://github.com/Azure-Samples/ms-identity-ciam-javascript-tutorial.git

+ ```

+If you choose to download the *.zip* file, extract the sample app file to a folder where the total length of the path is 260 or fewer characters.

+## Install project dependencies

+1. Open a console window, and change to the directory that contains the Node.js sample app:

+ ```console

+ cd 1-Authentication\5-sign-in-express\App

+ ```

+1. Run the following commands to install app dependencies:

+ ```console

+ npm install && npm update

+ ```

+## Configure the sample web app

+1. In your code editor, open *App\authConfig.js* file.

+1. Find the placeholder:

+

+ 1. `Enter_the_Application_Id_Here` and replace it with the Application (client) ID of the app you registered earlier.

+

+ 1. `Enter_the_Tenant_Subdomain_Here` and replace it with the Directory (tenant) subdomain. For example, if your tenant primary domain is `contoso.onmicrosoft.com`, use `contoso`. If you don't have your tenant name, learn how to [read your tenant details](how-to-create-customer-tenant-portal.md#get-the-customer-tenant-details).

+

+ 1. `Enter_the_Client_Secret_Here` and replace it with the app secret value you copied earlier.

+## Run and test sample web app

+You can now test the sample Node.js web app. You need to start the Node.js server and access it through your browser at `http://localhost:3000`.

+1. In your terminal, run the following command:

+ ```console

+ npm start

+ ```

+1. Open your browser, then go to http://localhost:3000. You should see the page similar to the following screenshot:

+ :::image type="content" source="media/how-to-web-app-node-sample-sign-in/web-app-node-sign-in.png" alt-text="Screenshot of sign in into a node web app.":::

+1. After the page completes loading, select **Sign in** link. You're prompted to sign in.

+1. On the sign-in page, type your **Email address**, select **Next**, type your **Password**, then select **Sign in**. If you don't have an account, select **No account? Create one** link, which starts the sign-up flow.

+1. If you choose the sign-up option, after filling in your email, one-time passcode, new password and more account details, you complete the whole sign-up flow. You see a page similar to the following screenshot. You see a similar page if you choose the sign-in option.

+ :::image type="content" source="media/how-to-web-app-node-sample-sign-in/web-app-node-view-claims.png" alt-text="Screenshot of view ID token claims.":::

+1. Select **Sign out** to sign the user out of the web app or select **View ID token claims** to view ID token claims returned by Microsoft Entra.

+### How it works

+When users select the **Sign in** link, the app initiates an authentication request and redirects users to Azure AD for customers. On the sign-in or sign-up page that appears, once a user successfully signs in or creates an account, Azure AD for customers returns an ID token to the app. The app validates the ID token, reads the claims, and returns a secure page to the users.

+When the users select the **Sign out** link, the app clears its session, the redirect the user to Azure AD for customers sign-out endpoint to notify it that the user has signed out.

+If you want to build an app similar to the sample you've run, complete the steps in [Sign in users in your own Node.js web application](how-to-web-app-node-sign-in-overview.md) article.

+## Next steps

+You may want to:

+- [Enable password reset](how-to-enable-password-reset-customers.md)

+- [Customize the default branding](how-to-customize-branding-customers.md)

+

+- [Configure sign-in with Google](how-to-google-federation-customers.md)

+- [Sign in users in your own Node.js web application](how-to-web-app-node-sign-in-overview.md)

+|[Azure AD Graph API](https://aka.ms/aadgraphupdate)|Start of phased retirement|Jul 2023|

+ Title: Configure verified ID settings for an access package in entitlement management

+# Configure verified ID settings for an access package in entitlement management

+## Create an access package with verified ID requirements

+## Request an access package with verified ID requirements

+> [!VIDEO https://www.youtube.com/embed/9T6lKEloq0Q]

+To address this issue, we've bundled as many of these newer components into a new, single release, so you only have to update once. This release is Azure AD Connect V2. This release is a new version of the same software used to accomplish your hybrid identity goals, built using the latest foundational components.

+## Consider moving to Azure AD Connect cloud sync

+Azure AD Connect cloud sync is the future of synchronization for Microsoft. It replaces Azure AD Connect.

+> [!VIDEO https://www.youtube.com/embed/9T6lKEloq0Q]

+Before moving the Azure AD Connect V2.0, you should consider moving to cloud sync. You can see if cloud sync is right for you, by accessing the [Check sync tool](https://aka.ms/M365Wizard) from the portal or via the link provided.

+For more information, see [What is cloud sync?](../cloud-sync/what-is-cloud-sync.md)

+SQL Server 2019 requires the Visual C++ Redist 14 runtime, so we're updating the C++ runtime library to use this version. This Redistributable is installed with the Azure AD Connect V2 package, so you don't have to take any action for the C++ runtime update.

+TLS1.0 and TLS 1.1 are protocols that are deemed unsafe. Microsoft is deprecating them. This release of Azure AD Connect only supports TLS 1.2.

+Next year several of the components in your current Azure AD Connect server installations will no longer be supported. If you are using unsupported products, it will be harder for our support team to provide you with the support experience your organization requires. So we recommend all customers to upgrade to this newer version as soon as they can.

+ >[!IMPORTANT]

+ >Azure AD Connect V1 has been retired as of August 31, 2022 and is no longer supported. Azure AD Connect V1 installations may **stop working unexpectedly**. If you are still using a Azure AD Connect V1 you need to upgrade to Azure AD Connect V2 immediately.

+## Consider moving to Azure AD Connect cloud sync

+Azure AD Connect cloud sync is the future of synchronization for Microsoft. It will replace Azure AD Connect.

+> [!VIDEO https://www.youtube.com/embed/9T6lKEloq0Q]

+Before moving the Azure AD Connect V2.0, you should consider moving to cloud sync. You can see if cloud sync is right for you, by accessing the [Check sync tool](https://aka.ms/M365Wizard) from the portal or via the link provided.

+For more information see [What is cloud sync?](../cloud-sync/what-is-cloud-sync.md)

+## Azure AD Connect features

+* A live community in Funnel or at least a confirmation that all the required configuration is done on the Funnel side in preparation for a go-live date.

+Contact your Funnel Account Manager and let them know you want to enable Azure AD user provisioning, they will provide an authentication Bearer token.

+This section guides you through connecting your Azure AD to Funnel's user account provisioning API, and configuring the provisioning service to create, update, and disable assigned user accounts in Funnel based on user assignment in Azure AD.

+1. In the applications list, select **Funnel**.

+1. Under the **Admin Credentials** section, input `https://nestiolistings.com/scim/v2` as the **Tenant URL** and the **Secret Token** retrieved earlier from your Funnel Account Manager (the authentication Bearer token). Click **Test Connection** to ensure Azure AD can connect to Funnel. If the connection fails, ensure you have a valid authentication token with your Funnel Account Manager.

+## Role and Group Mappings

+To associate an Azure user to a Funnel role, or an Azure user to a Funnel employee group, Funnel uses a custom mapping functionality.

+- Which Azure fields are used?

+

+ For role mappings, Funnel looks at the SCIM `title` attribute by default. This SCIM attribute is mapped to the `jobTitle` Azure user attribute by default.

+

+ For group mappings, Funnel looks at the SCIM `userType` attribute by default. This SCIM attribute is mapped to the `department` Azure user attribute by default.

+

+ If you want to change which fields are used, you can edit the **Attribute Mappings** section and map your desired fields to `title` and `userType`.

+- Which values are used?

+

+ For initial setup, determine every value that you want to use for role and group mappings. Provide these values to your Funnel Account Manager to set up the configuration in Funnel.

+

+ For example, if you want to set the `jobTitle` field with an `agent` value, you will need to tell your Funnel Account Manager which Funnel role this value should be mapped.

+

+ If you need to update or add new values in the future, you will need to notify your Funnel Account Manager.

+- How do I associate a user to several roles and groups?

+

+ It is not possible to associate a user to several Funnel roles, but it is possible to associate a user to several Funnel employee groups.

+

+ To associate a user to several Funnel employee groups, you will need to specify multiple values in the `department` user attribute (or whichever attribute you mapped to `userType`).

+ Each value will need to be separated by a delimiter. By default the `-` character is used as the delimiter. To use another delimiter, you will need to notify your Funnel account manager.

+* SCIM-based user provisioning is available to Moqups customers on our [Unlimited Plan](https://moqups.com/pricing).

+To set up **SCIM** for **Azure**, you will first need to generate an **API Token** in Moqups, and then configure **Automatic Provisioning** in Azure itself.

+Generate an API Token:

+1. Go to the **Integrations** tab on your Moqups **Dashboard's Account** page.

+1. In the **SCIM Provisioning** section of your **Integration tab**, click the **Generate token** button.

+ 

+1. Copy the **API Token** to your clipboard. You'll need this to complete the process in **Azure**.

+ 

+1. In the **Admin Credentials** section, input your Moqups Tenant URL and Secret Token.

+ 1. Use `https://api.moqups.com/scim/v2` as the **Tenant URL**.

+ 1. Use the **API Token** generated in Step 2.1 as the **Secret Token**.

+ 1. Click **Test Connection** so that Azure AD can confirm that the supplied credentials can be used for provisioning. If the connection fails, double-check the **Tenant URL**, as well make sure the **API Token** is correct.

+## Step 2. Add Zoom from the Azure AD application gallery

+## Step 3. Define who will be in scope for provisioning

+## Step 4. Configure automatic user provisioning to Zoom

+1. Under the **Admin Credentials** section, select **OAuth2 Authorization Code Grant**. Enter `https://api.zoom.us/scim` in **Tenant URL**, click on **Authorize**, make sure that you enter your Zoom account's Admin credentials. Click **Test Connection** to ensure Azure AD can connect to Zoom. If the connection fails, ensure your Zoom account has Admin permissions and try again.

+ 

+ > [!NOTE]

+ > You will have two options for your Authentication Method: **Bearer Authentication** and **OAuth2 Authorization Code Grant**. Make sure that you select OAuth2 Authorization Code Grant. Zoom no longer supports the **Bearer Authentication** method

+## Step 5. Monitor your deployment

+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md).

+* [Zoom Support article](https://support.zoom.us/hc/en-us/articles/115005887566-Configuring-Zoom-with-Azure).

+--resource-group $resourceGroup \

+ Title: Integrate Azure HPC Cache with Azure Kubernetes Service (AKS)

+description: Learn how to integrate HPC Cache with Azure Kubernetes Service (AKS).

+# Integrate Azure HPC Cache with Azure Kubernetes Service (AKS)

+* This article assumes you have an existing AKS cluster. If you need an AKS cluster, you can create one using[Azure CLI][aks-quickstart-cli], [Azure PowerShell][aks-quickstart-powershell], or [Azure portal][aks-quickstart-portal].

+ > [!IMPORTANT]

+ > Your AKS cluster must be [in a region that supports Azure HPC Cache][hpc-cache-regions].

+* You need Azure CLI version 2.7 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli]. For more information on using HPC Cache with Azure CLI, see the [HPC Cache CLI prerequisites][hpc-cache-cli-prerequisites].

+* Install the `hpc-cache` Azure CLI extension using the [`az extension add --upgrade -n hpc-cache][az-extension-add]` command.

+* Review the [HPC Cache prerequisites][hpc-cache-prereqs]. You need to satisfy these prerequisites before you can run an HPC Cache. Important prerequisites include the following:

+ * The cache requires a *dedicated* subnet with at least 64 IP addresses available.

+ * The subnet must not host other VMs or containers.

+ * The subnet must be accessible from the AKS nodes.

+## Create the Azure HPC Cache

+1. Get the node resource group using the [`az aks show`][az-aks-show] command with the `--query nodeResourceGroup` query parameter.

+ ```azurecli-interactive

+ az aks show --resource-group myResourceGroup --name myAKSCluster --query nodeResourceGroup -o tsv

+ ```

+ Your output should look similar to the following example output:

+ ```output

+ MC_myResourceGroup_myAKSCluster_eastus

+ ```

+2. Create the dedicated HPC Cache subnet using the [`az network vnet subnet create`][az-network-vnet-subnet-create] command.

+ ```azurecli

+ RESOURCE_GROUP=MC_myResourceGroup_myAKSCluster_eastus

+ VNET_NAME=$(az network vnet list --resource-group $RESOURCE_GROUP --query [].name -o tsv)

+ VNET_ID=$(az network vnet show --resource-group $RESOURCE_GROUP --name $VNET_NAME --query "id" -o tsv)

+ SUBNET_NAME=MyHpcCacheSubnet

+ az network vnet subnet create \

+ --resource-group $RESOURCE_GROUP \

+ --vnet-name $VNET_NAME \

+ --name $SUBNET_NAME \

+ --address-prefixes 10.0.0.0/26

+ ```

+3. Register the *Microsoft.StorageCache* resource provider using the [`az provider register`][az-provider-register] command.

+ ```azurecli

+ az provider register --namespace Microsoft.StorageCache --wait

+ ```

+ > [!NOTE]

+ > The resource provider registration can take some time to complete.

+4. Create an HPC Cache in the same node resource group and region using the [`az hpc-cache create`][az-hpc-cache-create].

+ > [!NOTE]

+ > The HPC Cache takes approximately 20 minutes to be created.

+ ```azurecli

+ RESOURCE_GROUP=MC_myResourceGroup_myAKSCluster_eastus

+ VNET_NAME=$(az network vnet list --resource-group $RESOURCE_GROUP --query [].name -o tsv)

+ VNET_ID=$(az network vnet show --resource-group $RESOURCE_GROUP --name $VNET_NAME --query "id" -o tsv)

+ SUBNET_NAME=MyHpcCacheSubnet

+ SUBNET_ID=$(az network vnet subnet show --resource-group $RESOURCE_GROUP --vnet-name $VNET_NAME --name $SUBNET_NAME --query "id" -o tsv)

+ az hpc-cache create \

+ --resource-group $RESOURCE_GROUP \

+ --cache-size-gb "3072" \

+ --location eastus \

+ --subnet $SUBNET_ID \

+ --sku-name "Standard_2G" \

+ --name MyHpcCache

+ ```

+## Create and configure Azure storage

+> You need to select a unique storage account name. Replace `uniquestorageaccount` with something unique for you. Storage account names must be *between 3 and 24 characters in length* and *can contain only numbers and lowercase letters*.

+1. Create a storage account using the [`az storage account create`][az-storage-account-create] command.

+ ```azurecli

+ RESOURCE_GROUP=MC_myResourceGroup_myAKSCluster_eastus

+ STORAGE_ACCOUNT_NAME=uniquestorageaccount

+ az storage account create \

+ -n $STORAGE_ACCOUNT_NAME \

+ -g $RESOURCE_GROUP \

+ -l eastus \

+ --sku Standard_LRS

+ ```

+2. Assign the "Storage Blob Data Contributor Role" on your subscription using the [`az role assignment create`][az-role-assignment-create] command.

+ ```azurecli

+ STORAGE_ACCOUNT_NAME=uniquestorageaccount

+ STORAGE_ACCOUNT_ID=$(az storage account show --name $STORAGE_ACCOUNT_NAME --query "id" -o tsv)

+ AD_USER=$(az ad signed-in-user show --query objectId -o tsv)

+ CONTAINER_NAME=mystoragecontainer

+ az role assignment create --role "Storage Blob Data Contributor" --assignee $AD_USER --scope $STORAGE_ACCOUNT_ID

+ ```

+3. Create the Blob container within the storage account using the [`az storage container create`][az-storage-container-create] command.

+ ```azurecli

+ az storage container create --name $CONTAINER_NAME --account-name $STORAGE_ACCOUNT_NAME --auth-mode login

+ ```

+4. Provide permissions to the Azure HPC Cache service account to access your storage account and Blob container using the following [`az role assignment`][az-role-assignment-create] commands.

+ ```azurecli

+ HPC_CACHE_USER="StorageCache Resource Provider"

+ HPC_CACHE_ID=$(az ad sp list --display-name "${HPC_CACHE_USER}" --query "[].objectId" -o tsv)

+ az role assignment create --role "Storage Account Contributor" --assignee $HPC_CACHE_ID --scope $STORAGE_ACCOUNT_ID

+ az role assignment create --role "Storage Blob Data Contributor" --assignee $HPC_CACHE_ID --scope $STORAGE_ACCOUNT_ID

+ ```

+5. Add the blob container to your HPC Cache as a storage target using the [`az hpc-cache blob-storage-target add`][az-hpc-cache-blob-storage-target-add] command.

+ ```azurecli

+ CONTAINER_NAME=mystoragecontainer

+ az hpc-cache blob-storage-target add \

+ --resource-group $RESOURCE_GROUP \

+ --cache-name MyHpcCache \

+ --name MyStorageTarget \

+ --storage-account $STORAGE_ACCOUNT_ID \

+ --container-name $CONTAINER_NAME \

+ --virtual-namespace-path "/myfilepath"

+ ```

+## Set up client load balancing

+1. Create an Azure Private DNS Zone for the client-facing IP addresses using the [`az network private-dns zone create`][az-network-private-dns-zone-create] command.

+ ```azurecli

+ PRIVATE_DNS_ZONE="myhpccache.local"

+ az network private-dns zone create \

+ -g $RESOURCE_GROUP \

+ -n $PRIVATE_DNS_ZONE

+ ```

+2. Create a DNS link between the Azure Private DNS Zone and the VNet using the [`az network private-dns link vnet create`][az-network-private-dns-link-vnet-create] command.

+ ```azurecli

+ az network private-dns link vnet create \

+ -g $RESOURCE_GROUP \

+ -n MyDNSLink \

+ -z $PRIVATE_DNS_ZONE \

+ -v $VNET_NAME \

+ -e true

+ ```

+3. Create the round-robin DNS name for the client-facing IP addresses using the [`az network private-dns record-set a create`][az-network-private-dns-record-set-a-create] command.

+ ```azurecli

+ DNS_NAME="server"

+ HPC_MOUNTS0=$(az hpc-cache show --name "MyHpcCache" --resource-group $RESOURCE_GROUP --query "mountAddresses[0]" -o tsv | tr --delete '\r')

+ HPC_MOUNTS1=$(az hpc-cache show --name "MyHpcCache" --resource-group $RESOURCE_GROUP --query "mountAddresses[1]" -o tsv | tr --delete '\r')

+ HPC_MOUNTS2=$(az hpc-cache show --name "MyHpcCache" --resource-group $RESOURCE_GROUP --query "mountAddresses[2]" -o tsv | tr --delete '\r')

+ az network private-dns record-set a add-record -g $RESOURCE_GROUP -z $PRIVATE_DNS_ZONE -n $DNS_NAME -a $HPC_MOUNTS0

+ az network private-dns record-set a add-record -g $RESOURCE_GROUP -z $PRIVATE_DNS_ZONE -n $DNS_NAME -a $HPC_MOUNTS1

+ az network private-dns record-set a add-record -g $RESOURCE_GROUP -z $PRIVATE_DNS_ZONE -n $DNS_NAME -a $HPC_MOUNTS2

+ ```

+## Create a persistent volume

+1. Create a `pv-nfs.yaml` file to define a [persistent volume][persistent-volume].

+ ```yaml

+

+ apiVersion: v1

+ kind: PersistentVolume

+ metadata:

+ name: pv-nfs

+ spec:

+ capacity:

+ storage: 10000Gi

+ accessModes:

+ - ReadWriteMany

+ mountOptions:

+ - vers=3

+ nfs:

+ server: server.myhpccache.local

+ path: /

+ ```

+2. Get the credentials for your Kubernetes cluster using the [`az aks get-credentials`][az-aks-get-credentials] command.

+ ```azurecli-interactive

+ az aks get-credentials --resource-group myResourceGroup --name myAKSCluster

+ ```

+3. Update the *server* and *path* to the values of your NFS (Network File System) volume you created in the previous step.

+4. Create the persistent volume using the [`kubectl apply`][kubectl-apply] command.

+ ```console

+ kubectl apply -f pv-nfs.yaml

+ ```

+5. Verify the status of the persistent volume is **Available** using the [`kubectl describe`][kubectl-describe] command.

+ ```console

+ kubectl describe pv pv-nfs

+ ```

+1. Create a `pvc-nfs.yaml` to define a [persistent volume claim][persistent-volume-claim].

+ ```yaml

+ apiVersion: v1

+ kind: PersistentVolumeClaim

+ metadata:

+ name: pvc-nfs

+ spec:

+ accessModes:

+ - ReadWriteMany

+ storageClassName: ""

+ resources:

+ requests:

+ storage: 100Gi

+ ```

+2. Create the persistent volume claim using the [`kubectl apply`][kubectl-apply] command.

+ ```console

+ kubectl apply -f pvc-nfs.yaml

+ ```

+3. Verify the status of the persistent volume claim is **Bound** using the [`kubectl describe`][kubectl-describe] command.

+ ```console

+ kubectl describe pvc pvc-nfs

+ ```

+1. Create a `nginx-nfs.yaml` file to define a pod that uses the persistent volume claim.

+ ```yaml

+ kind: Pod

+ apiVersion: v1

+ metadata:

+ name: nginx-nfs

+ spec:

+ containers:

+ - image: mcr.microsoft.com/oss/nginx/nginx:1.15.5-alpine

+ name: nginx-nfs

+ command:

+ - "/bin/sh"

+ - "-c"

+ - while true; do echo $(date) >> /mnt/azure/myfilepath/outfile; sleep 1; done

+ volumeMounts:

+ - name: disk01

+ mountPath: /mnt/azure

+ volumes:

+ - name: disk01

+ persistentVolumeClaim:

+ claimName: pvc-nfs

+ ```

+2. Create the pod using the [`kubectl apply`][kubectl-apply] command.

+ ```console

+ kubectl apply -f nginx-nfs.yaml

+ ```

+3. Verify the pod is running using the [`kubectl describe`][kubectl-describe] command.

+ ```console

+ kubectl describe pod nginx-nfs

+ ```

+4. Verify your volume is mounted in the pod using the [`kubectl exec`][kubectl-exec] command to connect to the pod, then `df -h` to check if the volume is mounted.

+ ```console

+ kubectl exec -it nginx-nfs -- sh

+ ```

+ ```output

+ / # df -h

+ Filesystem Size Used Avail Use% Mounted on

+ ...

+ server.myhpccache.local:/myfilepath 8.0E 0 8.0E 0% /mnt/azure/myfilepath

+ ...

+ ```

+If you need to run an application as a non-root user, you may need to disable root squashing to chown a directory to another user. The non-root user needs to own a directory to access the file system. For the user to own a directory, the root user must chown a directory to that user, but if the HPC Cache is squashing root, this operation is denied because the root user (UID 0) is being mapped to the anonymous user. For more information about root squashing and client access policies, see [HPC Cache access policies][hpc-cache-access-policies].

+* For more information on Azure HPC Cache, see [HPC Cache overview][hpc-cache].

+* For more information on using NFS with AKS, see [Manually create and use a Network File System (NFS) Linux Server volume with AKS][aks-nfs].

+[az-network-vnet-subnet-create]: /cli/azure/network/vnet/subnet#az_network_vnet_subnet_create

+[az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials

+[az-provider-register]: /cli/azure/provider#az_provider_register

+[az-storage-account-create]: /cli/azure/storage/account#az_storage_account_create

+[az-role-assignment-create]: /cli/azure/role/assignment#az_role_assignment_create

+[az-storage-container-create]: /cli/azure/storage/container#az_storage_container_create

+[az-hpc-cache-blob-storage-target-add]: /cli/azure/hpc-cache/blob-storage-target#az_hpc_cache_blob_storage_target_add

+[az-network-private-dns-zone-create]: /cli/azure/network/private-dns/zone#az_network_private_dns_zone_create

+[az-network-private-dns-link-vnet-create]: /cli/azure/network/private-dns/link/vnet#az_network_private_dns_link_vnet_create

+[az-network-private-dns-record-set-a-create]: /cli/azure/network/private-dns/record-set/a#az_network_private_dns_record_set_a_create

+description: Learn how to configure a host-based encryption in an Azure Kubernetes Service (AKS) cluster.

+With host-based encryption, the data stored on the VM host of your AKS agent nodes' VMs is encrypted at rest and flows encrypted to the Storage service. This means the temp disks are encrypted at rest with platform-managed keys. The cache of OS and data disks is encrypted at rest with either platform-managed keys or customer-managed keys depending on the encryption type set on those disks.

+By default, when using AKS, OS and data disks use server-side encryption with platform-managed keys. The caches for these disks are encrypted at rest with platform-managed keys. You can specify your own managed keys following [Bring your own keys (BYOK) with Azure disks in Azure Kubernetes Service](azure-disk-customer-managed-keys.md). The caches for these disks are also encrypted using the key you specify.

+Before you begin, review the following prerequisites and limitations.

+- Ensure you have the CLI extension v2.23 or higher installed.

+- This feature can only be set at cluster or node pool creation time.

+- This feature can only be enabled in [Azure regions][supported-regions] that support server-side encryption of Azure managed disks and only with specific [supported VM sizes][supported-sizes].

+- This feature requires an AKS cluster and node pool based on Virtual Machine Scale Sets as *VM set type*.

+- Create a new cluster and configure the cluster agent nodes to use host-based encryption using the [`az aks create`][az-aks-create] command with the `--enable-encryption-at-host` flag.

+ ```azurecli-interactive

+ az aks create --name myAKSCluster --resource-group myResourceGroup -s Standard_DS2_v2 -l westus2 --enable-encryption-at-host

+ ```

+- Enable host-based encryption on an existing cluster by adding a new node pool using the [`az aks nodepool add`][az-aks-nodepool-add] command with the `--enable-encryption-at-host` flag.

+ ```azurecli

+ az aks nodepool add --name hostencrypt --cluster-name myAKSCluster --resource-group myResourceGroup -s Standard_DS2_v2 --enable-encryption-at-host

+ ```

+[az-aks-create]: /cli/azure/aks#az-aks-create

+[az-aks-nodepool-add]: /cli/azure/aks/nodepool#az-aks-nodepool-add

+* Create an AKS cluster with a new managed NAT gateway using the [`az aks create`][az-aks-create] command with the `--outbound-type managedNATGateway`, `--nat-gateway-managed-outbound-ip-count`, and `--nat-gateway-idle-timeout` parameters. If you want the NAT gateway to operate out of a specific availability zone, specify the zones using `--zones`.

+* A single NAT gateway resource cannot be used across multiple availability zones. To ensure zone-resiliency, it is recommended to deploy a NAT gateway resource to each availability zone and assign to subnets containing AKS clusters in each zone. For more information on this deployment model, see [NAT gateway for each zone](/azure/nat-gateway/nat-availability-zones#zonal-nat-gateway-resource-for-each-zone-in-a-region-to-create-zone-resiliency).

+ > If no zone is configured for NAT gateway, the default zone placement is "no zone", in which Azure places NAT gateway into a zone for you.

+ > [!Important]

+ > A single NAT gateway resource cannot be used across multiple availability zones. To ensure zone-resiliency, it is recommended to deploy a NAT gateway resource to each availability zone and assign to subnets containing AKS clusters in each zone. For more information on this deployment model, see [NAT gateway for each zone](/azure/nat-gateway/nat-availability-zones#zonal-nat-gateway-resource-for-each-zone-in-a-region-to-create-zone-resiliency).

+ > If no zone is configured for NAT gateway, the default zone placement is "no zone", in which Azure places NAT gateway into a zone for you.

+description: Use the Dapr cluster extension for Azure Kubernetes Service (AKS) or Arc-enabled Kubernetes to deploy an application.

+In this quickstart, you use the [Dapr cluster extension][dapr-overview] in an AKS or Arc-enabled Kubernetes cluster. You deploy a `hello world` example, which consists of a Python application that generates messages and a node application that consumes and persists the messages.

+1. Clone the [Dapr quickstarts repository][hello-world-gh] using the `git clone` command.

+ ```bash

+ git clone https://github.com/dapr/quickstarts.git

+ ```

+2. Change to the `hello-kubernetes` directory using `cd`.

+ ```bash

+ cd quickstarts/tutorials/hello-kubernetes/

+ ```

+3. Select **Create** to start the Redis instance deployment.

+5. Under **Settings**, navigate to **Access keys** to get your access keys.

+6. Create a Kubernetes secret to store your Redis password using the `kubectl create secret generic redis` command.

+ ```bash

+ kubectl create secret generic redis --from-literal=redis-password=<your-redis-password>

+ ```

+Once your store is created, you need to add the keys to the `redis.yaml` file in the deploy directory of the *Hello World* repository. You can learn more [here][dapr-component-secrets].

+1. Replace the `redisHost` value with your own Redis master address.

+2. Replace the `redisPassword` with your own Secret.

+3. Add the following two lines below `redisPassword` to enable connection over TLS

+ ```YAML

+ - name: redisPassword

+ secretKeyRef:

+ name: redis

+ key: redis-password

+ - name: enableTLS

+ value: true

+ ```

+1. Apply the `redis.yaml` file using the `kubectl apply` command.

+ ```bash

+ kubectl apply -f ./deploy/redis.yaml

+ ```

+2. Verify your state store was successfully configured using the `kubectl get components.redis` command.

+ ```bash

+ kubectl get components.redis -o yaml

+ ```

+ You should see output similar to the following example output:

+ ```output

+ component.dapr.io/statestore created

+ ```

+1. Apply the Node.js app deployment to your cluster using the `kubectl apply` command.

+ ```bash

+ kubectl apply -f ./deploy/node.yaml

+ ```

+ > [!NOTE]

+ > Kubernetes deployments are asynchronous, which means you need to wait for the deployment to complete before moving on to the next steps. You can do so with the following command:

+ >

+ > ```bash

+ > kubectl rollout status deploy/nodeapp

+ > ```

+ This deploys the Node.js app to Kubernetes. The Dapr control plane automatically injects the Dapr sidecar to the Pod. If you take a look at the `node.yaml` file, you see how Dapr is enabled for that deployment:

+ * `dapr.io/enabled: true`: tells the Dapr control plane to inject a sidecar to this deployment.

+ * `dapr.io/app-id: nodeapp`: assigns a unique ID or name to the Dapr application, so it can be sent messages to and communicated with by other Dapr apps.

+2. Access your service using the `kubectl get svc` command.

+ ```bash

+ kubectl get svc nodeapp

+ ```

+3. Make note of the `EXTERNAL-IP` in the output.

+1. Call the service using `curl` with your `EXTERNAL-IP`.

+ ```bash

+ curl $EXTERNAL_IP/ports

+ ```

+ You should see output similar to the following example output:

+ ```bash

+ {"DAPR_HTTP_PORT":"3500","DAPR_GRPC_PORT":"50001"}

+ ```

+2. Submit an order to the application using `curl`.

+ ```bash

+ curl --request POST --data "@sample.json" --header Content-Type:application/json $EXTERNAL_IP/neworder

+ ```

+3. Confirm the order has persisted by requesting it using `curl`.

+ ```bash

+ curl $EXTERNAL_IP/order

+ ```

+ You should see output similar to the following example output:

+ ```bash

+ { "orderId": "42" }

+ ```

+ > [!TIP]

+ > This is a good time to get familiar with the Dapr dashboard, a convenient interface to check status, information, and logs of applications running on Dapr. To access the dashboard at `http://localhost:8080/`, run the following command:

+ >

+ > ```bash

+ > kubectl port-forward svc/dapr-dashboard -n dapr-system 8080:8080

+ > ```

+1. Navigate to the Python app directory in the `hello-kubernetes` quickstart and open `app.py`.

+ This example is a basic Python app that posts JSON messages to `localhost:3500`, which is the default listening port for Dapr. You can invoke the Node.js application's `neworder` endpoint by posting to `v1.0/invoke/nodeapp/method/neworder`. The message contains some data with an `orderId` that increments once per second:

+ ```python

+ n = 0

+ while True:

+ n += 1

+ message = {"data": {"orderId": n}}

+ try:

+ response = requests.post(dapr_url, json=message)

+ except Exception as e:

+ print(e)

+ time.sleep(1)

+ ```

+2. Deploy the Python app to your Kubernetes cluster using the `kubectl apply` command.

+ ```bash

+ kubectl apply -f ./deploy/python.yaml

+ ```

+ > [!NOTE]

+ > As with the previous command, you need to wait for the deployment to complete before moving on to the next steps. You can do so with the following command:

+ >

+ > ```bash

+ > kubectl rollout status deploy/pythonapp

+ > ```

+Now that both the Node.js and Python applications are deployed, you watch messages come through.

+1. Get the logs of the Node.js app using the `kubectl logs` command.

+ ```bash

+ kubectl logs --selector=app=node -c node --tail=-1

+ ```

+ If the deployments were successful, you should see logs like the following example logs:

+ ```output

+ Got a new order! Order ID: 1

+ Successfully persisted state

+ Got a new order! Order ID: 2

+ Successfully persisted state

+ Got a new order! Order ID: 3

+ Successfully persisted state

+ ```

+2. Call the Node.js app's order endpoint to get the latest order using `curl`.

+ ```bash

+ curl $EXTERNAL_IP/order

+ {"orderID":"42"}

+ ```

+ You should see the latest JSON in the response.

+* Remove the resource group, cluster, namespace, and all related resources using the [`az group delete`][az-group-delete] command.

+ ```azurecli-interactive

+ az group delete --name MyResourceGroup

+ ```

+* Remove the resource group, cluster, namespace, and all related resources using the [`Remove-AzResourceGroup`][remove-azresourcegroup] command.

+ ```azurepowershell-interactive

+ Remove-AzResourceGroup -Name MyResourceGroup

+ ```

+> [Learn more about other cluster extensions][cluster-extensions].

+> You can use `kubectl get po -n kube-system` to verify the results show that a konnectivity-agent-xxx pod is running. If there is, it means the AKS cluster is using Konnectivity. When using VNet integration, you can run the command `az aks show -g -n` to verify the setting `enableVnetIntegration` is set to **true**.

+- [.NET and ASP.NET Core](https://aka.ms/dotnetrelease)

+- [.NET Framework and ASP.NET](https://aka.ms/aspnetrelease)

+- [PHP](https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/php_support.md#how-to-update-your-app-to-target-a-different-version-of-php)

+* If you import module Az.Accounts with version 2.12.3 or newer, ensure that you import the **Newtonsoft.Json** v10 module explicitly if PowerShell 5.1 runbooks have a dependency on this version of the module. The workaround for this issue is to use PowerShell 7.2 runbooks.

+- If you import module Az.Accounts with version 2.12.3 or newer, ensure that you import the **Newtonsoft.Json** v10 module explicitly if PowerShell 7.1 runbooks have a dependency on this version of the module. The workaround for this issue is to use PowerShell 7.2 runbooks.

+|Hitachi Virtual Storage Software Block software-defined storage (VSSB) | 1.24.12 | 1.20.0_2023-06-13 | 16.0.5100.7242 | 14.5 (Ubuntu 20.04)|

+|Hitachi Virtual Storage Platform (VSP) | 1.24.12 | 1.19.0_2023-05-09 | 16.0.937.6221 | 14.5 (Ubuntu 20.04)|

+| StackExchange.Redis | .NET | [StackExchange.Redis code sample](https://github.com/Azure/Microsoft.Azure.StackExchangeRedis) |

+| redis-py | Python | [redis-py code Sample](https://aka.ms/redis/aad/sample-code/python) |

+| node-redis | Node.js | [node-redis code sample](https://aka.ms/redis/aad/sample-code/js-noderedis) |

+When you create a function app, you either create a new storage account or link to an existing storage account. During function app creation, you can secure a new storage account behind a virtual network and integrate the function app with this network. At this time, you can't secure an existing storage account being used by your function app in the same way.

+For a list of all restrictions on storage accounts, see [Storage account requirements](storage-considerations.md#storage-account-requirements).

+ | `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` | Storage connection string | This is the connection string for a secured storage account. This setting is required for Consumption and Premium plan apps on both Windows and Linux. It's not required for Dedicated plan apps, which aren't dynamically scaled by Functions. |

+ | `WEBSITE_CONTENTSHARE` | File share | The name of the file share created in the secured storage account where the project deployment files reside. This setting is required for Consumption and Premium plan apps on both Windows and Linux. It's not required for Dedicated plan apps, which aren't dynamically scaled by Functions. |

+```command

+dotnet add package Microsoft.Azure.WebJobs.Extensions.CosmosDB --version 3.0.10

+```command

+dotnet add package Microsoft.Azure.Functions.Worker.Extensions.CosmosDB --version 3.0.9

+In a C# class library project, the bindings are defined as binding attributes on the function method.

+Azure Functions supports two programming models for Python. The way that you define your bindings depends on your chosen programming model.

+# [v2](#tab/python-v2)

+The Python v2 programming model lets you define bindings using decorators directly in your Python function code. For more information, see the [Python developer guide](functions-reference-python.md?pivots=python-mode-decorators#programming-model).

+# [v1](#tab/python-v1)

+The Python v1 programming model requires you to define bindings in a separate *function.json* file in the function folder. For more information, see the [Python developer guide](functions-reference-python.md?pivots=python-mode-configuration#programming-model).

+This article supports both programming models.

+The following example shows a trigger binding and a Python function that uses the binding. It then sends in an event to the custom topic, as specified by the `topicEndpointUri`. The example depends on whether you use the [v1 or v2 Python programming model](functions-reference-python.md).

+# [v2](#tab/python-v2)

+Here's the function in the function_app.py file:

+```python

+import logging

+import azure.functions as func

+import datetime

+@app.function_name(name="eventgrid_output")

+@app.route(route="eventgrid_output")

+@app.event_grid_output(

+ arg_name="outputEvent",

+ topic_endpoint_uri="MyEventGridTopicUriSetting",

+ topic_key_setting="MyEventGridTopicKeySetting")

+def eventgrid_output(eventGridEvent: func.EventGridEvent,

+ outputEvent: func.Out[func.EventGridOutputEvent]) -> None:

+ logging.log("eventGridEvent: ", eventGridEvent)

+ outputEvent.set(

+ func.EventGridOutputEvent(

+ id="test-id",

+ data={"tag1": "value1", "tag2": "value2"},

+ subject="test-subject",

+ event_type="test-event-1",

+ event_time=datetime.datetime.utcnow(),

+ data_version="1.0"))

+```

+# [v1](#tab/python-v1)

+Azure Functions supports two programming models for Python. The way that you define your bindings depends on your chosen programming model.

+# [v2](#tab/python-v2)

+The Python v2 programming model lets you define bindings using decorators directly in your Python function code. For more information, see the [Python developer guide](functions-reference-python.md?pivots=python-mode-decorators#programming-model).

+# [v1](#tab/python-v1)

+The Python v1 programming model requires you to define bindings in a separate *function.json* file in the function folder. For more information, see the [Python developer guide](functions-reference-python.md?pivots=python-mode-configuration#programming-model).

+This article supports both programming models.

+The following example shows an Event Grid trigger binding and a Python function that uses the binding. The example depends on whether you use the [v1 or v2 Python programming model](functions-reference-python.md).

+# [v2](#tab/python-v2)

+```python

+import logging

+import json

+import azure.functions as func

+app = func.FunctionApp()

+@app.function_name(name="eventGridTrigger")

+@app.event_grid_trigger(arg_name="event")

+def eventGridTest(event: func.EventGridEvent):

+ result = json.dumps({

+ 'id': event.id,

+ 'data': event.get_json(),

+ 'topic': event.topic,

+ 'subject': event.subject,

+ 'event_type': event.event_type,

+ })

+ logging.info('Python EventGrid trigger processed an event: %s', result)

+```

+# [v1](#tab/python-v1)

+>[!NOTE]

+>If you're looking for a more general comparison between Azure Functions and other Azure compute options:

+>+ [Criteria for choosing an Azure compute service](/azure/architecture/guide/technology-choices/compute-comparison)

+>+ [Choosing an Azure compute option for microservices](/azure/architecture/microservices/design/compute-options)

+>

+>For a summary and comparison of automation service options in Azure:

+>+ [Choose the Automation services in Azure](../automation/automation-services.md)

+| **Application lifecycle management (ALM)** |Power Platform [provides tools](/power-platform/alm/tools-apps-used-alm) that integrate with DevOps and [GitHub Actions](/power-platform/alm/devops-github-actions) to let you build automated pipelines in the ALM cycle. |Azure DevOps: source control, testing, support, automation, and manageability in [Azure Resource Manager](../logic-apps/logic-apps-azure-resource-manager-templates-overview.md) |

+|**Package managers**|npm and NuGet|NuGet²|

+² WebJobs (without the WebJobs SDK) supports npm and NuGet.

+You don't have to choose just one of these services. They integrate with each other and with external services.

+| **`--enableAuth`** | Enable full authentication handling pipeline, with authorization requirements. |

+For compiled C# projects (both in-process and isolated worker process), instead use standard NuGet package installation methods, such as `dotnet add package`.

+No action is taken when an extension bundle is defined in your host.json file. When you need to manually install extensions, you must first remove the bundle definition. For more information, see [Install extensions](functions-run-local.md#install-extensions).

+> [!TIP]

+> The **Code + Test** functionality in the portal works even for functions that are read-only and can't be edited in the portal.

+| In-portal editing² |Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö³|Γ£ö³|

+¹ Deployment technology that requires [manual trigger syncing](#trigger-syncing).

+² In-portal editing is disabled when code is deployed to your function app from outside the portal. For more information, including language support details for in-portal editing, see [Language support details](supported-languages.md#language-support-details).

+³ In-portal editing is enabled only for HTTP and Timer triggered functions running on Linux in Premium and Dedicated plans.

+>__How to use it:__ To be able to edit your functions in the [Azure portal](https://portal.azure.com), you must have [created your functions in the portal](./functions-get-started.md). To preserve a single source of truth, using any other deployment method makes your function read-only and prevents continued portal editing. To return to a state in which you can edit your files in the Azure portal, you can manually turn the edit mode back to `Read/Write` and remove any deployment-related application settings (like [`WEBSITE_RUN_FROM_PACKAGE`](functions-app-settings.md#website_run_from_package).

+>__When to use it:__ The portal is a good way to get started with Azure Functions. For more advanced development work, we recommend that you use one of the following client tools:

+The following table shows the operating systems and languages that support in-portal editing:

+| JavaScript (Node.js) |Γ£ö|Γ£ö|Γ£ö| |Γ£ö¹|Γ£ö¹|

+| Python² | | | |Γ£ö |Γ£ö¹ |Γ£ö¹ |

+¹ In-portal editing is enabled only for HTTP and Timer triggers for Functions on Linux using Premium and Dedicated plans.

+² In-portal editing is only supported for the [v1 Python programming model](functions-reference-python.md?pivots=python-mode-configuration).

+zone_pivot_groups: programming-languages-set-functions

+Azure Functions Core Tools lets you develop and test your functions on your local computer. Core Tools includes a version of the same runtime that powers Azure Functions. This runtime means your local functions run as they would in Azure and can connect to live Azure services during local development and debugging. You can even deploy your code project to Azure using Core Tools.

+Core Tools can be used with all [supported languages](supported-languages.md). Select your language at the top of the article.

+If you want to get started right away, complete the [Core Tools quickstart article](create-first-function-cli-csharp.md).

+If you want to get started right away, complete the [Core Tools quickstart article](create-first-function-cli-java.md).

+If you want to get started right away, complete the [Core Tools quickstart article](create-first-function-cli-node.md).

+If you want to get started right away, complete the [Core Tools quickstart article](create-first-function-cli-powershell.md).

+If you want to get started right away, complete the [Core Tools quickstart article](create-first-function-cli-python.md).

+If you want to get started right away, complete the [Core Tools quickstart article](create-first-function-cli-typescript.md).

+Core Tools enables the integrated local development and debugging experience for your functions provided by both Visual Studio and Visual Studio Code.

+To be able to publish to Azure from Core Tools, you must have one of the following Azure tools installed locally:

+These tools are required to authenticate with your Azure account from your local computer.

+Major versions of Azure Functions Core Tools are linked to specific major versions of the Azure Functions runtime. For example, version 4.x of Core Tools supports version 4.x of the Functions runtime. This is the recommended major version of both the Functions runtime and Core Tools. You can find the latest Core Tools release version on [this release page](https://github.com/Azure/azure-functions-core-tools/releases/latest).

+Run the following command to determine the version of your current Core Tools installation:

+```command

+func --version

+```

+Unless otherwise noted, the examples in this article are for version 4.x.

+The following considerations apply to Core Tools versions:

+The recommended way to install Core Tools depends on the operating system of your local development computer.

+# [Windows](#tab/windows)

+If you previously used Windows installer (MSI) to install Core Tools on Windows, you should uninstall the old version from Add Remove Programs before installing the latest version.

+# [macOS](#tab/macos)

+# [Linux](#tab/linux)

+The following steps use [APT](https://wiki.debian.org/Apt) to install Core Tools on your Ubuntu/Debian Linux distribution. For other Linux distributions, see the [Core Tools readme](https://github.com/Azure/azure-functions-core-tools/blob/v4.x/README.md#linux).

+1. Install the Microsoft package repository GPG key, to validate package integrity:

+ curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg

+ sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/microsoft.gpg

+1. Set up the APT source list before doing an APT update.

+ ##### Ubuntu

+ sudo sh -c 'echo "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-ubuntu-$(lsb_release -cs)-prod $(lsb_release -cs) main" > /etc/apt/sources.list.d/dotnetdev.list'

+ ##### Debian

+ sudo sh -c 'echo "deb [arch=amd64] https://packages.microsoft.com/debian/$(lsb_release -rs | cut -d'.' -f 1)/prod $(lsb_release -cs) main" > /etc/apt/sources.list.d/dotnetdev.list'

+1. Check the `/etc/apt/sources.list.d/dotnetdev.list` file for one of the appropriate Linux version strings in the following table:

+ | Linux distribution | Version |

+ | -- | - |

+ | Debian 11 | `bullseye` |

+ | Debian 10 | `buster` |

+ | Debian 9 | `stretch` |

+ | Ubuntu 22.04 | `jammy` |

+ | Ubuntu 20.04 | `focal` |

+ | Ubuntu 19.04 | `disco` |

+ | Ubuntu 18.10 | `cosmic` |

+ | Ubuntu 18.04 | `bionic` |

+ | Ubuntu 17.04 | `zesty` |

+ | Ubuntu 16.04/Linux Mint 18 | `xenial` |

+1. Start the APT source update:

+ sudo apt-get update

+1. Install the Core Tools package:

+ sudo apt-get install azure-functions-core-tools-4

+When upgrading to the latest version of Core Tools, you should use the same package manager as the original installation to perform the upgrade. Visual Studio and Visual Studio Code may also install Azure Functions Core Tools, depending on your specific tools installation.

+## Binding extensions

+[Functions triggers and bindings](functions-triggers-bindings.md) are implemented as .NET extension (NuGet) packages. To be able to use a specific binding extension, that extension must be installed in the project.

+This section doesn't apply to version 1.x of the Functions runtime. In version 1.x, supported binding were included in the core product extension.

+For compiled C# project, add references to the specific NuGet packages for the binding extensions required by your functions. C# script (.csx) project should use [extension bundles](functions-bindings-register.md#extension-bundles).

+Functions provides _extension bundles_ to make is easy to work with binding extensions in your project. Extension bundles, which are versioned and defined in the host.json file, install a complete set of compatible binding extension packages for your app. Your host.json should already have extension bundles enabled. If for some reason you need to add or update the extension bundle in the host.json file, see [Extension bundles](functions-bindings-register.md#extension-bundles).

+If you must use a binding extension or an extension version not in a supported bundle, you'll need to manually install extension. For such rare scenarios, see [Install extensions](#install-extensions).

+The function app settings values can also be read in your code as environment variables. For more information, see [Environment variables](functions-dotnet-class-library.md#environment-variables).

+The function app settings values can also be read in your code as environment variables. For more information, see [Environment variables](functions-reference-java.md#environment-variables).

+The function app settings values can also be read in your code as environment variables. For more information, see [Environment variables](functions-reference-node.md#environment-variables).

+The function app settings values can also be read in your code as environment variables. For more information, see [Environment variables](functions-reference-powershell.md#environment-variables).

+The function app settings values can also be read in your code as environment variables. For more information, see [Environment variables](functions-reference-python.md#environment-variables).

+To run a Functions project, you run the Functions host from the root directory of your project. The host enables triggers for all functions in the project. Use the following command to run your functions locally:

+This command must be [run in a virtual environment](./create-first-function-cli-python.md).

+>By default, when running locally authorization isn't enforced for HTTP endpoints. This means that all local HTTP requests are handled as `authLevel = "anonymous"`. For more information, see the [HTTP binding article](functions-bindings-http-webhook-trigger.md#authorization-keys). You can use the `--enableAuth` option to require authorization when running locally. For more information, see [`func start`](./functions-core-tools-reference.md?tabs=v2#func-start)

+Make sure to use the same server name and port that the Functions host is listening on. You see an endpoint like this in the output generated when starting the Function host. You can call this URL using any HTTP method supported by the trigger.

+When running your functions in Core Tools, authentication and authorization is bypassed. However, when you try to call the same administrator endpoints on your function app in Azure, you must provide an access key. To learn more, see [Function access keys](functions-bindings-http-webhook-trigger.md#authorization-keys).

+You must have already [created a function app in your Azure subscription](functions-cli-samples.md#create), to which you can deploy your code. Projects that require compilation should be built so that the binaries can be deployed.

+> [!NOTE]

+> This section only applies to C# script (.csx) projects, which also rely on extension bundles. Compiled C# projects use NuGet extension packages in the regular way.

+In the rare event you aren't able to use [extension bundles](functions-bindings-register.md#extension-bundles), you can use Core Tools to install the specific extension packages required by your project. The following are some reasons why you might need to install extensions manually:

+The following considerations apply when manually installing extensions:

+## Important considerations

+You must strongly consider the following facts regarding the storage accounts used by your function apps:

+ + Audit and limit the access of apps and users to the storage account based on a least-privilege model. Permissions to the storage account can come from [data actions in the assigned role](../role-based-access-control/role-definitions.md#control-and-data-actions) or through permission to perform the [listKeys operation].

+ + Monitor both control plane activity (such as retrieving keys) and data plane operations (such as writing to a blob) in your storage account. Consider maintaining storage logs in a location other than Azure Storage. For more information, see [Storage logs](#storage-logs).

+## Storage account requirements

+Storage accounts created as part of the function app create flow in the Azure portal are guaranteed to work with the new function app. In the portal, unsupported accounts are filtered out when choosing an existing storage account while creating a function app. You can also use an existing storage account with your function app. The following restrictions apply to storage accounts used by your function app, so you must make sure an existing storage account meets these requirements:

+By default, function apps configure the `AzureWebJobsStorage` connection as a connection string stored in the [AzureWebJobsStorage application setting](./functions-app-settings.md#azurewebjobsstorage), but you can also [configure AzureWebJobsStorage to use an identity-based connection](functions-reference.md#connecting-to-host-storage-with-an-identity) without a secret.

+You shouldn't apply [lifecycle management policies](../storage/blobs/lifecycle-management-overview.md) to your Blob Storage account used by your function app. Functions uses Blob storage to persist important information, such as [function access keys](functions-bindings-http-webhook-trigger.md#authorization-keys), and policies may remove blobs (such as keys) needed by the Functions host. If you must use policies, exclude containers used by Functions, which are prefixed with `azure-webjobs` or `scm`.

+Because function code and keys may be persisted in the storage account, logging of activity against the storage account is a good way to monitor for unauthorized access. Azure Monitor resource logs can be used to track events against the storage data plane. See [Monitoring Azure Storage](../storage/blobs/monitor-blob-storage.md) for details on how to configure and examine these logs.

+The [Azure Monitor activity log](../azure-monitor/essentials/activity-log.md) shows control plane events, including the [listKeys operation]. However, you should also configure resource logs for the storage account to track subsequent use of keys or other identity-based data plane operations. You should have at least the [StorageWrite log category](../storage/blobs/monitor-blob-storage.md#collection-and-routing) enabled to be able to identify modifications to the data outside of normal Functions operations.

+To limit the potential impact of any broadly scoped storage permissions, consider using a nonstorage destination for these logs, such as Log Analytics. For more information, see [Monitoring Azure Blob Storage](../storage/blobs/monitor-blob-storage.md).

+| Description | Default trigger behavior, which relies on polling the container for updates. For more information, see the examples in the [Blob storage trigger reference](./functions-bindings-storage-blob-trigger.md#example). | Consumes blob storage events from an event subscription. Requires a `Source` parameter value of `EventGrid`. For more information, see [Tutorial: Trigger Azure Functions on blob containers using an event subscription](./functions-event-grid-blob-trigger.md). | Blob name string is manually added to a storage queue when a blob is added to the container. This value is passed directly by a Queue Storage trigger to a Blob Storage input binding on the same function. | Provides the flexibility of triggering on events besides those coming from a storage container. Use when need to also have nonstorage events trigger your function. For more information, see [How to work with Event Grid triggers and bindings in Azure Functions](event-grid-how-tos.md). |

+Functions uses a host ID value as a way to uniquely identify a particular function app in stored artifacts. By default, this ID is autogenerated from the name of the function app, truncated to the first 32 characters. This ID is then used when storing per-app correlation and tracking information in the linked storage account. When you have function apps with names longer than 32 characters and when the first 32 characters are identical, this truncation can result in duplicate host ID values. When two function apps with identical host IDs use the same storage account, you get a host ID collision because stored data can't be uniquely linked to the correct function app.

+[listKeys operation]: /rest/api/storagerp/storage-accounts/list-keys

+ Title: Web SDK supported browsers

+You might want to target older browsers that don't support WebGL or that have only limited support for it. In such cases, you can use Azure Maps services together with an open-source map control like [Leaflet](https://leafletjs.com/).

+The [Render Azure Maps in Leaflet] Azure Maps sample shows how to render Azure Maps Raster Tiles in the Leaflet JS map control. This sample uses the open source [Azure Maps Leaflet plugin]. For the source code for this sample, see [Render Azure Maps in Leaflet sample source code].

+<!-

+ (<a href='https://codepen.io/azuremaps'>@azuremaps</a>) on <a href='https://codepen.io'>CodePen</a>.</iframe>

+->

+For more code samples using Azure Maps in Leaflet, see [Azure Maps Samples].

+For a list of third-party map control plug-ins, see [Azure Maps community - Open-source projects].

+> [!div class="nextstepaction"]

+> [Map control](how-to-use-map-control.md)

+> [!div class="nextstepaction"]

+> [Services module](how-to-use-services-module.md)

+[Render Azure Maps in Leaflet]: https://samples.azuremaps.com/third-party-map-controls/render-azure-maps-in-leaflet

+[Render Azure Maps in Leaflet sample source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Third%20Party%20Map%20Controls/Render%20Azure%20Maps%20in%20Leaflet/Render%20Azure%20Maps%20in%20Leaflet.html

+[Azure Maps Leaflet plugin]: https://github.com/azure-samples/azure-maps-leaflet

+[Azure Maps Samples]: https://samples.azuremaps.com/?search=leaflet

+[Azure Maps community - Open-source projects]: open-source-projects.md#third-part-map-control-plugins

+* [Log4J, Logback, or java.util.logging](./opentelemetry-add-modify.md?tabs=java#logs)

+[autocollected dependencies](opentelemetry-add-modify.md?tabs=java#included-instrumentation-libraries).

+* Set up custom dependency tracking for [Java](opentelemetry-add-modify.md?tabs=java#add-custom-spans).

+You can apply extra configurations, and then based on your specific scenario you [add your own custom telemetry](./opentelemetry-add-modify.md?tabs=java#modify-telemetry) if needed.

+- Explore [Java trace logs in Application Insights](./opentelemetry-add-modify.md?tabs=java#logs).

+When you install the [Application Insights][start] SDK in your app, it sends telemetry about your app to the [cloud](create-workspace-resource.md). As a responsible developer, you want to know exactly what data is sent, what happens to the data, and how you can keep control of it. In particular, could sensitive data be sent, where is it stored, and how secure is it?

+To get this functionality, you install an Application Insights SDK in your application, which becomes part of its code. When your app is running, the SDK monitors its operation and sends telemetry to an [Application Insights Log Analytics workspace](create-workspace-resource.md), which is a cloud service hosted by [Microsoft Azure](https://azure.com). Application Insights also works for any applications, not just applications that are hosted in Azure.

+Raw data points (that is, items that you can query in Analytics and inspect in Search) are kept for up to 730 days. You can [select a retention duration](../logs/data-retention-archive.md#set-retention-and-archive-policy-by-table) of 30, 60, 90, 120, 180, 270, 365, 550, or 730 days. If you need to keep data longer than 730 days, you can use [diagnostic settings](../essentials/diagnostic-settings.md#diagnostic-settings-in-azure-monitor).

+* Capture log traces from your favorite logging framework in [.NET](./asp-net-trace-logs.md) or [Java](./opentelemetry-add-modify.md?tabs=java#logs). This means you can search through your log traces and correlate them with page views, exceptions, and other events.

+Also see: [Add a custom property to a Span](./opentelemetry-add-modify.md?tabs=java#add-a-custom-property-to-a-span).

+> [!TIP]

+> If you want to add a framework extension or you've already added one, see the [React, React Native, and Angular code samples for how to add the Click Analytics plug-in](./javascript-framework-extensions.md#2-add-the-extension-to-your-code).

+### 2. (Optional) Set the authenticated user context

+If you want to set this optional setting, see [Set the authenticated user context](https://github.com/microsoft/ApplicationInsights-JS/blob/master/API-reference.md#setauthenticatedusercontext).

+> [!NOTE]

+> If you're using a HEART workbook with the Click Analytics plug-in, you don't need to set the authenticated user context to see telemetry data. For more information, see the [HEART workbook documentation](./usage-heart.md#confirm-that-data-is-flowing).

+import { ReactPlugin } from '@microsoft/applicationinsights-react-js';

+// Add the Click Analytics plug-in.

+// import { ClickAnalyticsPlugin } from '@microsoft/applicationinsights-clickanalytics-js';

+// Add the Click Analytics plug-in.

+// import { ClickAnalyticsPlugin } from '@microsoft/applicationinsights-clickanalytics-js';

+### React router configuration

+| Name | Type | Required? | Default | Description |

+||--|--|||

+| history | object | Optional | null | Track router history. For more information, see the [React router package documentation](https://reactrouter.com/en/main).<br><br>To track router history, most users can use the `enableAutoRouteTracking` field in the [JavaScript SDK configuration](./javascript-sdk-configuration.md#sdk-configuration). This field collects the same data for page views as the `history` object. Use the `history` object when you're using a router implementation that doesn't update the browser URL, which is what the configuration listens to. You shouldn't enable both the `enableAutoRouteTracking` field and `history` object, because you'll get multiple page view events. |

+### React components usage tracking

+| enableAutoRouteTracking | boolean | false | Automatically track route changes in Single Page Applications (SPA). If true, each route change sends a new Pageview to Application Insights. Hash route changes (`example.com/foo#bar`) are also recorded as new page views.<br>***Note***: If you enable this field, you shouldn't also enable the `history` object for [React router configuration](./javascript-framework-extensions.md?tabs=react#react-router-configuration) because you'll get multiple page view events.

+ Title: Add and modify Azure Monitor OpenTelemetry for .NET, Java, Node.js, and Python applications

+description: This article provides guidance on how to add and modify OpenTelemetry for applications using Azure Monitor.

+ms.devlang: csharp, javascript, typescript, python

+# Add and modify OpenTelemetry

+This article provides guidance on how to add and modify OpenTelemetry for applications using [Azure Monitor Application Insights](app-insights-overview.md#application-insights-overview).

+To learn more about OpenTelemetry concepts, see the [OpenTelemetry overview](opentelemetry-overview.md) or [OpenTelemetry FAQ](/azure/azure-monitor/faq#opentelemetry).

+<!NOTE TO CONTRIBUTORS: PLEASE DO NOT SEPARATE OUT JAVASCRIPT AND TYPESCRIPT INTO DIFFERENT TABS.>

+## Automatic data collection

+The distros automatically collect data by bundling OpenTelemetry "instrumentation libraries".

+### Included instrumentation libraries

+#### [ASP.NET Core](#tab/aspnetcore)

+Requests

+- [ASP.NET

+ Core](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.14/src/OpenTelemetry.Instrumentation.AspNetCore/README.md) ^{[1](#FOOTNOTEONE)} ^{[2](#FOOTNOTETWO)}

+Dependencies

+- [HttpClient](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.14/src/OpenTelemetry.Instrumentation.Http/README.md) ^{[1](#FOOTNOTEONE)} ^{[2](#FOOTNOTETWO)}

+- [SqlClient](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.14/src/OpenTelemetry.Instrumentation.SqlClient/README.md) ^{[1](#FOOTNOTEONE)}

+Logging

+- ILogger

+

+For more information about ILogger, see [Logging in C# and .NET](/dotnet/core/extensions/logging) and [code examples](https://github.com/open-telemetry/opentelemetry-dotnet/tree/main/docs/logs).

+#### [.NET](#tab/net)

+The Azure Monitor Exporter doesn't include any instrumentation libraries.

+#### [Java](#tab/java)

+Requests

+* JMS consumers

+* Kafka consumers

+* Netty

+* Quartz

+* RabbitMQ

+* Servlets

+* Spring scheduling

+> [!NOTE]

+> Servlet and Netty autoinstrumentation covers the majority of Java HTTP services, including Java EE, Jakarta EE, Spring Boot, Quarkus, and Micronaut.

+Dependencies (plus downstream distributed trace propagation):

+* Apache HttpClient

+* Apache HttpAsyncClient

+* AsyncHttpClient

+* Google HttpClient

+* gRPC

+* java.net.HttpURLConnection

+* Java 11 HttpClient

+* JAX-RS client

+* Jetty HttpClient

+* JMS

+* Kafka

+* Netty client

+* OkHttp

+* RabbitMQ

+Dependencies (without downstream distributed trace propagation):

+* Cassandra

+* JDBC

+* MongoDB (async and sync)

+* Redis (Lettuce and Jedis)

+Metrics

+* Micrometer Metrics, including Spring Boot Actuator metrics

+* JMX Metrics

+Logs

+* Logback (including MDC properties) [1](#FOOTNOTEONE)</sup> ^{[3](#FOOTNOTETHREE)}

+* Log4j (including MDC/Thread Context properties) [1](#FOOTNOTEONE)</sup> ^{[3](#FOOTNOTETHREE)}

+* JBoss Logging (including MDC properties) [1](#FOOTNOTEONE)</sup> ^{[3](#FOOTNOTETHREE)}

+* java.util.logging [1](#FOOTNOTEONE)</sup> ^{[3](#FOOTNOTETHREE)}

+Telemetry emitted by these Azure SDKs is automatically collected by default:

+* [Azure App Configuration](/java/api/overview/azure/data-appconfiguration-readme) 1.1.10+

+* [Azure Cognitive Search](/java/api/overview/azure/search-documents-readme) 11.3.0+

+* [Azure Communication Chat](/java/api/overview/azure/communication-chat-readme) 1.0.0+

+* [Azure Communication Common](/java/api/overview/azure/communication-common-readme) 1.0.0+

+* [Azure Communication Identity](/java/api/overview/azure/communication-identity-readme) 1.0.0+

+* [Azure Communication Phone Numbers](/java/api/overview/azure/communication-phonenumbers-readme) 1.0.0+

+* [Azure Communication SMS](/java/api/overview/azure/communication-sms-readme) 1.0.0+

+* [Azure Cosmos DB](/java/api/overview/azure/cosmos-readme) 4.22.0+

+* [Azure Digital Twins - Core](/java/api/overview/azure/digitaltwins-core-readme) 1.1.0+

+* [Azure Event Grid](/java/api/overview/azure/messaging-eventgrid-readme) 4.0.0+

+* [Azure Event Hubs](/java/api/overview/azure/messaging-eventhubs-readme) 5.6.0+

+* [Azure Event Hubs - Azure Blob Storage Checkpoint Store](/java/api/overview/azure/messaging-eventhubs-checkpointstore-blob-readme) 1.5.1+

+* [Azure Form Recognizer](/java/api/overview/azure/ai-formrecognizer-readme) 3.0.6+

+* [Azure Identity](/java/api/overview/azure/identity-readme) 1.2.4+

+* [Azure Key Vault - Certificates](/java/api/overview/azure/security-keyvault-certificates-readme) 4.1.6+

+* [Azure Key Vault - Keys](/java/api/overview/azure/security-keyvault-keys-readme) 4.2.6+

+* [Azure Key Vault - Secrets](/java/api/overview/azure/security-keyvault-secrets-readme) 4.2.6+

+* [Azure Service Bus](/java/api/overview/azure/messaging-servicebus-readme) 7.1.0+

+* [Azure Storage - Blobs](/java/api/overview/azure/storage-blob-readme) 12.11.0+

+* [Azure Storage - Blobs Batch](/java/api/overview/azure/storage-blob-batch-readme) 12.9.0+

+* [Azure Storage - Blobs Cryptography](/java/api/overview/azure/storage-blob-cryptography-readme) 12.11.0+

+* [Azure Storage - Common](/java/api/overview/azure/storage-common-readme) 12.11.0+

+* [Azure Storage - Files Data Lake](/java/api/overview/azure/storage-file-datalake-readme) 12.5.0+

+* [Azure Storage - Files Shares](/java/api/overview/azure/storage-file-share-readme) 12.9.0+

+* [Azure Storage - Queues](/java/api/overview/azure/storage-queue-readme) 12.9.0+

+* [Azure Text Analytics](/java/api/overview/azure/ai-textanalytics-readme) 5.0.4+

+[//]: # "Azure Cosmos DB 4.22.0+ due to https://github.com/Azure/azure-sdk-for-java/pull/25571"

+[//]: # "the remaining above names and links scraped from https://azure.github.io/azure-sdk/releases/latest/java.html"

+[//]: # "and version synched manually against the oldest version in maven central built on azure-core 1.14.0"

+[//]: # ""

+[//]: # "var table = document.querySelector('#tg-sb-content > div > table')"

+[//]: # "var str = ''"

+[//]: # "for (var i = 1, row; row = table.rows[i]; i++) {"

+[//]: # " var name = row.cells[0].getElementsByTagName('div')[0].textContent.trim()"

+[//]: # " var stableRow = row.cells[1]"

+[//]: # " var versionBadge = stableRow.querySelector('.badge')"

+[//]: # " if (!versionBadge) {"

+[//]: # " continue"

+[//]: # " }"

+[//]: # " var version = versionBadge.textContent.trim()"

+[//]: # " var link = stableRow.querySelectorAll('a')[2].href"

+[//]: # " str += '* [' + name + '](' + link + ') ' + version + '\n'"

+[//]: # "}"

+[//]: # "console.log(str)"

+#### [Node.js](#tab/nodejs)

+The following OpenTelemetry Instrumentation libraries are included as part of Azure Monitor Application Insights Distro.

+Requests

+- [HTTP/HTTPS](https://github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-instrumentation-http) ^{[2](#FOOTNOTETWO)}

+Dependencies

+- [MongoDB](https://github.com/open-telemetry/opentelemetry-js-contrib/tree/main/plugins/node/opentelemetry-instrumentation-mongodb)

+- [MySQL](https://github.com/open-telemetry/opentelemetry-js-contrib/tree/main/plugins/node/opentelemetry-instrumentation-mysql)

+- [Postgres](https://github.com/open-telemetry/opentelemetry-js-contrib/tree/main/plugins/node/opentelemetry-instrumentation-pg)

+- [Redis](https://github.com/open-telemetry/opentelemetry-js-contrib/tree/main/plugins/node/opentelemetry-instrumentation-redis)

+- [Redis-4](https://github.com/open-telemetry/opentelemetry-js-contrib/tree/main/plugins/node/opentelemetry-instrumentation-redis-4)

+- [Azure SDK](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/instrumentation/opentelemetry-instrumentation-azure-sdk)

+Logs

+- [Node.js console](https://nodejs.org/api/console.html)

+- [Bunyan](https://github.com/trentm/node-bunyan#readme)

+- [Winston](https://github.com/winstonjs/winston#readme)

+#### [Python](#tab/python)

+Requests

+- [Django](https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-django) ^{[1](#FOOTNOTEONE)} ^{[2](#FOOTNOTETWO)}

+- [FastApi](https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-fastapi) ^{[1](#FOOTNOTEONE)} ^{[2](#FOOTNOTETWO)}

+- [Flask](https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-flask) ^{[1](#FOOTNOTEONE)} ^{[2](#FOOTNOTETWO)}

+Dependencies

+- [Psycopg2](https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-psycopg2)

+- [Requests](https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-requests) ^{[1](#FOOTNOTEONE)} ^{[2](#FOOTNOTETWO)}

+- [Urllib](https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-urllib) ^{[1](#FOOTNOTEONE)} ^{[2](#FOOTNOTETWO)}

+- [Urllib3](https://github.com/open-telemetry/opentelemetry-python-contrib/tree/main/instrumentation/opentelemetry-instrumentation-urllib3) ^{[1](#FOOTNOTEONE)} ^{[2](#FOOTNOTETWO)}

+Logs

+- [Python logging library](https://docs.python.org/3/howto/logging.html) ^{[4](#FOOTNOTEFOUR)}

+Examples of using the Python logging library can be found on [GitHub](https://github.com/microsoft/ApplicationInsights-Python/tree/main/azure-monitor-opentelemetry/samples/logging).

+**Footnotes**

+- <a name="FOOTNOTEONE">1</a>: Supports automatic reporting of *unhandled/uncaught* exceptions

+- <a name="FOOTNOTETWO">2</a>: Supports OpenTelemetry Metrics

+- <a name="FOOTNOTETHREE">3</a>: By default, logging is only collected at INFO level or higher. To change this setting, see the [configuration options](./java-standalone-config.md#autocollected-logging).

+- <a name="FOOTNOTEFOUR">4</a>: By default, logging is only collected at WARNING level or higher.

+> [!NOTE]

+> The Azure Monitor OpenTelemetry Distros include custom mapping and logic to automatically emit [Application Insights standard metrics](standard-metrics.md).

+> [!TIP]

+> The OpenTelemetry-based offerings currently emit all OpenTelemetry metrics as [Custom Metrics](opentelemetry-add-modify.md#add-custom-metrics) and [Performance Counters](standard-metrics.md#performance-counters) in Metrics Explorer. For .NET, Node.js, and Python, whatever you set as the meter name becomes the metrics namespace.

+### Add a community instrumentation library

+You can collect more data automatically when you include instrumentation libraries from the OpenTelemetry community.

+> [!NOTE]

+> We don't support and cannot guarantee the quality of community instrumentation libraries. If you would like to suggest a community instrumentation library us to include in our distro, post or up-vote an idea in our [feedback community](https://feedback.azure.com/d365community/forum/3887dc70-2025-ec11-b6e6-000d3a4f09d0).

+> [!CAUTION]

+> Some instrumentation libraries are based on experimental OpenTelemetry semantic specifications. Adding them may leave you vulnerable to future breaking changes.

+### [ASP.NET Core](#tab/aspnetcore)

+To add a community library, use the `ConfigureOpenTelemetryMeterProvider` or `ConfigureOpenTelemetryTraceProvider` methods.

+The following example demonstrates how the [Runtime Instrumentation](https://www.nuget.org/packages/OpenTelemetry.Instrumentation.Runtime) can be added to collect extra metrics.

+```csharp

+var builder = WebApplication.CreateBuilder(args);

+builder.Services.ConfigureOpenTelemetryMeterProvider((sp, builder) => builder.AddRuntimeInstrumentation());

+builder.Services.AddOpenTelemetry().UseAzureMonitor();

+var app = builder.Build();

+app.Run();

+```

+### [.NET](#tab/net)

+The following example demonstrates how the [Runtime Instrumentation](https://www.nuget.org/packages/OpenTelemetry.Instrumentation.Runtime) can be added to collect extra metrics.

+```csharp

+var metricsProvider = Sdk.CreateMeterProviderBuilder()

+ .AddRuntimeInstrumentation()

+ .AddAzureMonitorMetricExporter();

+```

+### [Java](#tab/java)

+You can't extend the Java Distro with community instrumentation libraries. To request that we include another instrumentation library, open an issue on our GitHub page. You can find a link to our GitHub page in [Next Steps](#next-steps).

+### [Node.js](#tab/nodejs)

+Other OpenTelemetry Instrumentations are available [here](https://github.com/open-telemetry/opentelemetry-js-contrib/tree/main/plugins/node) and could be added using TraceHandler in ApplicationInsightsClient.

+ ```javascript

+ const { ApplicationInsightsClient, ApplicationInsightsConfig } = require("applicationinsights");

+ const { ExpressInstrumentation } = require('@opentelemetry/instrumentation-express');

+ const appInsights = new ApplicationInsightsClient(new ApplicationInsightsConfig());

+ const traceHandler = appInsights.getTraceHandler();

+ traceHandler.addInstrumentation(new ExpressInstrumentation());

+```

+### [Python](#tab/python)

+Currently unavailable.

+## Collect custom telemetry

+This section explains how to collect custom telemetry from your application.

+

+Depending on your language and signal type, there are different ways to collect custom telemetry, including:

+

+- OpenTelemetry API

+- Language-specific logging/metrics libraries

+- Application Insights [Classic API](api-custom-events-metrics.md)

+

+The following table represents the currently supported custom telemetry types:

+| Language | Custom Events | Custom Metrics | Dependencies | Exceptions | Page Views | Requests | Traces |

+|-||-|--|||-|--|

+| **ASP.NET Core** | | | | | | | |

+| &nbsp;&nbsp;&nbsp;OpenTelemetry API | | Yes | Yes | Yes | | Yes | |

+| &nbsp;&nbsp;&nbsp;iLogger API | | | | | | | Yes |

+| &nbsp;&nbsp;&nbsp;AI Classic API | | | | | | | |

+| | | | | | | | |

+| **Java** | | | | | | | |

+| &nbsp;&nbsp;&nbsp;OpenTelemetry API | | Yes | Yes | Yes | | Yes | |

+| &nbsp;&nbsp;&nbsp;Logback, Log4j, JUL | | | | Yes | | | Yes |

+| &nbsp;&nbsp;&nbsp;Micrometer Metrics | | Yes | | | | | |

+| &nbsp;&nbsp;&nbsp;AI Classic API | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

+| | | | | | | | |

+| **Node.js** | | | | | | | |

+| &nbsp;&nbsp;&nbsp;OpenTelemetry API | | Yes | Yes | Yes | | Yes | |

+| &nbsp;&nbsp;&nbsp;Console, Winston, Bunyan| | | | | | | Yes |

+| &nbsp;&nbsp;&nbsp;AI Classic API | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

+| | | | | | | | |

+| **Python** | | | | | | | |

+| &nbsp;&nbsp;&nbsp;OpenTelemetry API | | Yes | Yes | Yes | | Yes | |

+| &nbsp;&nbsp;&nbsp;Python Logging Module | | | | | | | Yes |

+> [!NOTE]

+> Application Insights Java 3.x listens for telemetry that's sent to the Application Insights [Classic API](api-custom-events-metrics.md). Similarly, Application Insights Node.js 3.x collects events created with the Application Insights [Classic API](api-custom-events-metrics.md). This makes upgrading easier and fills a gap in our custom telemetry support until all custom telemetry types are supported via the OpenTelemetry API.

+### Add custom metrics

+> [!NOTE]

+> Custom Metrics are under preview in Azure Monitor Application Insights. Custom metrics without dimensions are available by default. To view and alert on dimensions, you need to [opt-in](pre-aggregated-metrics-log-metrics.md#custom-metrics-dimensions-and-pre-aggregation).

+Consider collecting more metrics beyond what's provided by the instrumentation libraries.

+The OpenTelemetry API offers six metric "instruments" to cover various metric scenarios and you need to pick the correct "Aggregation Type" when visualizing metrics in Metrics Explorer. This requirement is true when using the OpenTelemetry Metric API to send metrics and when using an instrumentation library.

+The following table shows the recommended [aggregation types](../essentials/metrics-aggregation-explained.md#aggregation-types) for each of the OpenTelemetry Metric Instruments.

+| OpenTelemetry Instrument | Azure Monitor Aggregation Type |

+|||

+| Counter | Sum |

+| Asynchronous Counter | Sum |

+| Histogram | Min, Max, Average, Sum and Count |

+| Asynchronous Gauge | Average |

+| UpDownCounter | Sum |

+| Asynchronous UpDownCounter | Sum |

+> [!CAUTION]

+> Aggregation types beyond what's shown in the table typically aren't meaningful.

+The [OpenTelemetry Specification](https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/metrics/api.md#instrument)

+describes the instruments and provides examples of when you might use each one.

+> [!TIP]

+> The histogram is the most versatile and most closely equivalent to the Application Insights GetMetric [Classic API](api-custom-events-metrics.md). Azure Monitor currently flattens the histogram instrument into our five supported aggregation types, and support for percentiles is underway. Although less versatile, other OpenTelemetry instruments have a lesser impact on your application's performance.

+#### Histogram example

+#### [ASP.NET Core](#tab/aspnetcore)

+Application startup must subscribe to a Meter by name.

+```csharp

+var builder = WebApplication.CreateBuilder(args);

+builder.Services.ConfigureOpenTelemetryMeterProvider((sp, builder) => builder.AddMeter("OTel.AzureMonitor.Demo"));

+builder.Services.AddOpenTelemetry().UseAzureMonitor();

+var app = builder.Build();

+app.Run();

+```

+The `Meter` must be initialized using that same name.

+```csharp

+var meter = new Meter("OTel.AzureMonitor.Demo");

+Histogram<long> myFruitSalePrice = meter.CreateHistogram<long>("FruitSalePrice");

+var rand = new Random();

+myFruitSalePrice.Record(rand.Next(1, 1000), new("name", "apple"), new("color", "red"));

+myFruitSalePrice.Record(rand.Next(1, 1000), new("name", "lemon"), new("color", "yellow"));

+myFruitSalePrice.Record(rand.Next(1, 1000), new("name", "lemon"), new("color", "yellow"));

+myFruitSalePrice.Record(rand.Next(1, 1000), new("name", "apple"), new("color", "green"));

+myFruitSalePrice.Record(rand.Next(1, 1000), new("name", "apple"), new("color", "red"));

+myFruitSalePrice.Record(rand.Next(1, 1000), new("name", "lemon"), new("color", "yellow"));

+```

+#### [.NET](#tab/net)

+```csharp

+public class Program

+{

+ private static readonly Meter meter = new("OTel.AzureMonitor.Demo");

+ public static void Main()

+ {

+ using var meterProvider = Sdk.CreateMeterProviderBuilder()

+ .AddMeter("OTel.AzureMonitor.Demo")

+ .AddAzureMonitorMetricExporter()

+ .Build();

+ Histogram<long> myFruitSalePrice = meter.CreateHistogram<long>("FruitSalePrice");

+ var rand = new Random();

+ myFruitSalePrice.Record(rand.Next(1, 1000), new("name", "apple"), new("color", "red"));

+ myFruitSalePrice.Record(rand.Next(1, 1000), new("name", "lemon"), new("color", "yellow"));

+ myFruitSalePrice.Record(rand.Next(1, 1000), new("name", "lemon"), new("color", "yellow"));

+ myFruitSalePrice.Record(rand.Next(1, 1000), new("name", "apple"), new("color", "green"));

+ myFruitSalePrice.Record(rand.Next(1, 1000), new("name", "apple"), new("color", "red"));

+ myFruitSalePrice.Record(rand.Next(1, 1000), new("name", "lemon"), new("color", "yellow"));

+ System.Console.WriteLine("Press Enter key to exit.");

+ System.Console.ReadLine();

+ }

+}

+```

+#### [Java](#tab/java)

+```java

+import io.opentelemetry.api.GlobalOpenTelemetry;

+import io.opentelemetry.api.metrics.DoubleHistogram;

+import io.opentelemetry.api.metrics.Meter;

+public class Program {

+ public static void main(String[] args) {

+ Meter meter = GlobalOpenTelemetry.getMeter("OTEL.AzureMonitor.Demo");

+ DoubleHistogram histogram = meter.histogramBuilder("histogram").build();

+ histogram.record(1.0);

+ histogram.record(100.0);

+ histogram.record(30.0);

+ }

+}

+```

+#### [Node.js](#tab/nodejs)

+ ```javascript

+ const { ApplicationInsightsClient, ApplicationInsightsConfig } = require("applicationinsights");

+ const appInsights = new ApplicationInsightsClient(new ApplicationInsightsConfig());

+ const customMetricsHandler = appInsights.getMetricHandler().getCustomMetricsHandler();

+ const meter = customMetricsHandler.getMeter();

+ let histogram = meter.createHistogram("histogram");

+ histogram.record(1, { "testKey": "testValue" });

+ histogram.record(30, { "testKey": "testValue2" });

+ histogram.record(100, { "testKey2": "testValue" });

+```

+#### [Python](#tab/python)

+```python

+from azure.monitor.opentelemetry import configure_azure_monitor

+from opentelemetry import metrics

+configure_azure_monitor(

+ connection_string="<your-connection-string>",

+)

+meter = metrics.get_meter_provider().get_meter("otel_azure_monitor_histogram_demo")

+histogram = meter.create_histogram("histogram")

+histogram.record(1.0, {"test_key": "test_value"})

+histogram.record(100.0, {"test_key2": "test_value"})

+histogram.record(30.0, {"test_key": "test_value2"})

+input()

+```

+#### Counter example

+#### [ASP.NET Core](#tab/aspnetcore)

+Application startup must subscribe to a Meter by name.

+```csharp

+var builder = WebApplication.CreateBuilder(args);

+builder.Services.ConfigureOpenTelemetryMeterProvider((sp, builder) => builder.AddMeter("OTel.AzureMonitor.Demo"));

+builder.Services.AddOpenTelemetry().UseAzureMonitor();

+var app = builder.Build();

+app.Run();

+```

+The `Meter` must be initialized using that same name.

+```csharp

+var meter = new Meter("OTel.AzureMonitor.Demo");

+Counter<long> myFruitCounter = meter.CreateCounter<long>("MyFruitCounter");

+myFruitCounter.Add(1, new("name", "apple"), new("color", "red"));

+myFruitCounter.Add(2, new("name", "lemon"), new("color", "yellow"));

+myFruitCounter.Add(1, new("name", "lemon"), new("color", "yellow"));

+myFruitCounter.Add(2, new("name", "apple"), new("color", "green"));

+myFruitCounter.Add(5, new("name", "apple"), new("color", "red"));

+myFruitCounter.Add(4, new("name", "lemon"), new("color", "yellow"));

+```

+#### [.NET](#tab/net)

+```csharp

+public class Program

+{

+ private static readonly Meter meter = new("OTel.AzureMonitor.Demo");

+ public static void Main()

+ {

+ using var meterProvider = Sdk.CreateMeterProviderBuilder()

+ .AddMeter("OTel.AzureMonitor.Demo")

+ .AddAzureMonitorMetricExporter()

+ .Build();

+ Counter<long> myFruitCounter = meter.CreateCounter<long>("MyFruitCounter");

+ myFruitCounter.Add(1, new("name", "apple"), new("color", "red"));

+ myFruitCounter.Add(2, new("name", "lemon"), new("color", "yellow"));

+ myFruitCounter.Add(1, new("name", "lemon"), new("color", "yellow"));

+ myFruitCounter.Add(2, new("name", "apple"), new("color", "green"));

+ myFruitCounter.Add(5, new("name", "apple"), new("color", "red"));

+ myFruitCounter.Add(4, new("name", "lemon"), new("color", "yellow"));

+ System.Console.WriteLine("Press Enter key to exit.");

+ System.Console.ReadLine();

+ }

+}

+```

+#### [Java](#tab/java)

+```Java

+import io.opentelemetry.api.GlobalOpenTelemetry;

+import io.opentelemetry.api.common.AttributeKey;

+import io.opentelemetry.api.common.Attributes;

+import io.opentelemetry.api.metrics.LongCounter;

+import io.opentelemetry.api.metrics.Meter;

+public class Program {

+ public static void main(String[] args) {

+ Meter meter = GlobalOpenTelemetry.getMeter("OTEL.AzureMonitor.Demo");

+ LongCounter myFruitCounter = meter

+ .counterBuilder("MyFruitCounter")

+ .build();

+ myFruitCounter.add(1, Attributes.of(AttributeKey.stringKey("name"), "apple", AttributeKey.stringKey("color"), "red"));

+ myFruitCounter.add(2, Attributes.of(AttributeKey.stringKey("name"), "lemon", AttributeKey.stringKey("color"), "yellow"));

+ myFruitCounter.add(1, Attributes.of(AttributeKey.stringKey("name"), "lemon", AttributeKey.stringKey("color"), "yellow"));

+ myFruitCounter.add(2, Attributes.of(AttributeKey.stringKey("name"), "apple", AttributeKey.stringKey("color"), "green"));

+ myFruitCounter.add(5, Attributes.of(AttributeKey.stringKey("name"), "apple", AttributeKey.stringKey("color"), "red"));

+ myFruitCounter.add(4, Attributes.of(AttributeKey.stringKey("name"), "lemon", AttributeKey.stringKey("color"), "yellow"));

+ }

+}

+```

+#### [Node.js](#tab/nodejs)

+```javascript

+ const { ApplicationInsightsClient, ApplicationInsightsConfig } = require("applicationinsights");

+ const appInsights = new ApplicationInsightsClient(new ApplicationInsightsConfig());

+ const customMetricsHandler = appInsights.getMetricHandler().getCustomMetricsHandler();

+ const meter = customMetricsHandler.getMeter();

+ let counter = meter.createCounter("counter");

+ counter.add(1, { "testKey": "testValue" });

+ counter.add(5, { "testKey2": "testValue" });

+ counter.add(3, { "testKey": "testValue2" });

+```

+#### [Python](#tab/python)

+```python

+from azure.monitor.opentelemetry import configure_azure_monitor

+from opentelemetry import metrics

+configure_azure_monitor(

+ connection_string="<your-connection-string>",

+)

+meter = metrics.get_meter_provider().get_meter("otel_azure_monitor_counter_demo")

+counter = meter.create_counter("counter")

+counter.add(1.0, {"test_key": "test_value"})

+counter.add(5.0, {"test_key2": "test_value"})

+counter.add(3.0, {"test_key": "test_value2"})

+input()

+```

+#### Gauge Example

+#### [ASP.NET Core](#tab/aspnetcore)

+Application startup must subscribe to a Meter by name.

+```csharp

+var builder = WebApplication.CreateBuilder(args);

+builder.Services.ConfigureOpenTelemetryMeterProvider((sp, builder) => builder.AddMeter("OTel.AzureMonitor.Demo"));

+builder.Services.AddOpenTelemetry().UseAzureMonitor();

+var app = builder.Build();

+app.Run();

+```

+The `Meter` must be initialized using that same name.

+```csharp

+var process = Process.GetCurrentProcess();

+var meter = new Meter("OTel.AzureMonitor.Demo");

+ObservableGauge<int> myObservableGauge = meter.CreateObservableGauge("Thread.State", () => GetThreadState(process));

+private static IEnumerable<Measurement<int>> GetThreadState(Process process)

+{

+ foreach (ProcessThread thread in process.Threads)

+ {

+ yield return new((int)thread.ThreadState, new("ProcessId", process.Id), new("ThreadId", thread.Id));

+ }

+}

+```

+#### [.NET](#tab/net)

+```csharp

+public class Program

+{

+ private static readonly Meter meter = new("OTel.AzureMonitor.Demo");

+ public static void Main()

+ {

+ using var meterProvider = Sdk.CreateMeterProviderBuilder()

+ .AddMeter("OTel.AzureMonitor.Demo")

+ .AddAzureMonitorMetricExporter()

+ .Build();

+ var process = Process.GetCurrentProcess();

+

+ ObservableGauge<int> myObservableGauge = meter.CreateObservableGauge("Thread.State", () => GetThreadState(process));

+ System.Console.WriteLine("Press Enter key to exit.");

+ System.Console.ReadLine();

+ }

+

+ private static IEnumerable<Measurement<int>> GetThreadState(Process process)

+ {

+ foreach (ProcessThread thread in process.Threads)

+ {

+ yield return new((int)thread.ThreadState, new("ProcessId", process.Id), new("ThreadId", thread.Id));

+ }

+ }

+}

+```

+#### [Java](#tab/java)

+```Java

+import io.opentelemetry.api.GlobalOpenTelemetry;

+import io.opentelemetry.api.common.AttributeKey;

+import io.opentelemetry.api.common.Attributes;

+import io.opentelemetry.api.metrics.Meter;

+public class Program {

+ public static void main(String[] args) {

+ Meter meter = GlobalOpenTelemetry.getMeter("OTEL.AzureMonitor.Demo");

+ meter.gaugeBuilder("gauge")

+ .buildWithCallback(

+ observableMeasurement -> {

+ double randomNumber = Math.floor(Math.random() * 100);

+ observableMeasurement.record(randomNumber, Attributes.of(AttributeKey.stringKey("testKey"), "testValue"));

+ });

+ }

+}

+```

+#### [Node.js](#tab/nodejs)

+```typescript

+ const { ApplicationInsightsClient, ApplicationInsightsConfig } = require("applicationinsights");

+ const appInsights = new ApplicationInsightsClient(new ApplicationInsightsConfig());

+ const customMetricsHandler = appInsights.getMetricHandler().getCustomMetricsHandler();

+ const meter = customMetricsHandler.getMeter();

+ let gauge = meter.createObservableGauge("gauge");

+ gauge.addCallback((observableResult: ObservableResult) => {

+ let randomNumber = Math.floor(Math.random() * 100);

+ observableResult.observe(randomNumber, {"testKey": "testValue"});

+ });

+```

+#### [Python](#tab/python)

+```python

+from typing import Iterable

+from azure.monitor.opentelemetry import configure_azure_monitor

+from opentelemetry import metrics

+from opentelemetry.metrics import CallbackOptions, Observation

+configure_azure_monitor(

+ connection_string="<your-connection-string>",

+)

+meter = metrics.get_meter_provider().get_meter("otel_azure_monitor_gauge_demo")

+def observable_gauge_generator(options: CallbackOptions) -> Iterable[Observation]:

+ yield Observation(9, {"test_key": "test_value"})

+def observable_gauge_sequence(options: CallbackOptions) -> Iterable[Observation]:

+ observations = []

+ for i in range(10):

+ observations.append(

+ Observation(9, {"test_key": i})

+ )

+ return observations

+gauge = meter.create_observable_gauge("gauge", [observable_gauge_generator])

+gauge2 = meter.create_observable_gauge("gauge2", [observable_gauge_sequence])

+input()

+```

+### Add custom exceptions

+Select instrumentation libraries automatically report exceptions to Application Insights.

+However, you may want to manually report exceptions beyond what instrumentation libraries report.

+For instance, exceptions caught by your code aren't ordinarily reported. You may wish to report them

+to draw attention in relevant experiences including the failures section and end-to-end transaction views.

+#### [ASP.NET Core](#tab/aspnetcore)

+- To log an Exception using an Activity:

+ ```csharp

+ using (var activity = activitySource.StartActivity("ExceptionExample"))

+ {

+ try

+ {

+ throw new Exception("Test exception");

+ }

+ catch (Exception ex)

+ {

+ activity?.SetStatus(ActivityStatusCode.Error);

+ activity?.RecordException(ex);

+ }

+ }

+ ```

+- To log an Exception using ILogger:

+ ```csharp

+ var logger = loggerFactory.CreateLogger(logCategoryName);

+ try

+ {

+ throw new Exception("Test Exception");

+ }

+ catch (Exception ex)

+ {

+ logger.Log(

+ logLevel: LogLevel.Error,

+ eventId: 0,

+ exception: ex,

+ message: "Hello {name}.",

+ args: new object[] { "World" });

+ }

+ ```

+#### [.NET](#tab/net)

+- To log an Exception using an Activity:

+ ```csharp

+ using (var activity = activitySource.StartActivity("ExceptionExample"))

+ {

+ try

+ {

+ throw new Exception("Test exception");

+ }

+ catch (Exception ex)

+ {

+ activity?.SetStatus(ActivityStatusCode.Error);

+ activity?.RecordException(ex);

+ }

+ }

+ ```

+- To log an Exception using ILogger:

+ ```csharp

+ var logger = loggerFactory.CreateLogger("ExceptionExample");

+ try

+ {

+ throw new Exception("Test Exception");

+ }

+ catch (Exception ex)

+ {

+ logger.Log(

+ logLevel: LogLevel.Error,

+ eventId: 0,

+ exception: ex,

+ message: "Hello {name}.",

+ args: new object[] { "World" });

+ }

+ ```

+#### [Java](#tab/java)

+You can use `opentelemetry-api` to update the status of a span and record exceptions.

+1. Add `opentelemetry-api-1.0.0.jar` (or later) to your application:

+ ```xml

+ <dependency>

+ <groupId>io.opentelemetry.instrumentation</groupId>

+ <artifactId>opentelemetry-api</artifactId>

+ <version>1.0.0</version>

+ </dependency>

+ ```

+1. Set status to `error` and record an exception in your code:

+ ```java

+ import io.opentelemetry.api.trace.Span;

+ import io.opentelemetry.api.trace.StatusCode;

+ Span span = Span.current();

+ span.setStatus(StatusCode.ERROR, "errorMessage");

+ span.recordException(e);

+ ```

+#### [Node.js](#tab/nodejs)

+```javascript

+const { ApplicationInsightsClient, ApplicationInsightsConfig } = require("applicationinsights");

+const appInsights = new ApplicationInsightsClient(new ApplicationInsightsConfig());

+const tracer = appInsights.getTraceHandler().getTracer();

+let span = tracer.startSpan("hello");

+try{

+ throw new Error("Test Error");

+}

+catch(error){

+ span.recordException(error);

+}

+```

+#### [Python](#tab/python)

+The OpenTelemetry Python SDK is implemented in such a way that exceptions thrown are automatically captured and recorded. See the following code sample for an example of this behavior.

+```python

+from azure.monitor.opentelemetry import configure_azure_monitor

+from opentelemetry import trace

+configure_azure_monitor(

+ connection_string="<your-connection-string>",

+)

+tracer = trace.get_tracer("otel_azure_monitor_exception_demo")

+# Exception events

+try:

+ with tracer.start_as_current_span("hello") as span:

+ # This exception will be automatically recorded

+ raise Exception("Custom exception message.")

+except Exception:

+ print("Exception raised")

+```

+If you would like to record exceptions manually, you can disable that option

+within the context manager and use `record_exception()` directly as shown in the following example:

+```python

+...

+with tracer.start_as_current_span("hello", record_exception=False) as span:

+ try:

+ raise Exception("Custom exception message.")

+ except Exception as ex:

+ # Manually record exception

+ span.record_exception(ex)

+...

+```

+### Add custom spans

+You may want to add a custom span in two scenarios. First, when there's a dependency request not already collected by an instrumentation library. Second, when you wish to model an application process as a span on the end-to-end transaction view.

+

+#### [ASP.NET Core](#tab/aspnetcore)

+> [!NOTE]

+> The `Activity` and `ActivitySource` classes from the `System.Diagnostics` namespace represent the OpenTelemetry concepts of `Span` and `Tracer`, respectively. You create `ActivitySource` directly by using its constructor instead of by using `TracerProvider`. Each [`ActivitySource`](https://github.com/open-telemetry/opentelemetry-dotnet/tree/main/docs/trace/customizing-the-sdk#activity-source) class must be explicitly connected to `TracerProvider` by using `AddSource()`. That's because parts of the OpenTelemetry tracing API are incorporated directly into the .NET runtime. To learn more, see [Introduction to OpenTelemetry .NET Tracing API](https://github.com/open-telemetry/opentelemetry-dotnet/blob/main/src/OpenTelemetry.Api/README.md#introduction-to-opentelemetry-net-tracing-api).

+```csharp

+internal static readonly ActivitySource activitySource = new("ActivitySourceName");

+var builder = WebApplication.CreateBuilder(args);

+builder.Services.ConfigureOpenTelemetryTracerProvider((sp, builder) => builder.AddSource("ActivitySourceName"));

+builder.Services.AddOpenTelemetry().UseAzureMonitor();

+var app = builder.Build();

+app.MapGet("/", () =>

+{

+ using (var activity = activitySource.StartActivity("CustomActivity"))

+ {

+ // your code here

+ }

+ return $"Hello World!";

+});

+app.Run();

+```

+When calling `StartActivity`, it defaults to `ActivityKind.Internal` but you can provide any other `ActivityKind`.

+`ActivityKind.Client`, `ActivityKind.Producer`, and `ActivityKind.Internal` are mapped to Application Insights `dependencies`.

+`ActivityKind.Server` and `ActivityKind.Consumer` are mapped to Application Insights `requests`.

+#### [.NET](#tab/net)

+> [!NOTE]

+> The `Activity` and `ActivitySource` classes from the `System.Diagnostics` namespace represent the OpenTelemetry concepts of `Span` and `Tracer`, respectively. You create `ActivitySource` directly by using its constructor instead of by using `TracerProvider`. Each [`ActivitySource`](https://github.com/open-telemetry/opentelemetry-dotnet/tree/main/docs/trace/customizing-the-sdk#activity-source) class must be explicitly connected to `TracerProvider` by using `AddSource()`. That's because parts of the OpenTelemetry tracing API are incorporated directly into the .NET runtime. To learn more, see [Introduction to OpenTelemetry .NET Tracing API](https://github.com/open-telemetry/opentelemetry-dotnet/blob/main/src/OpenTelemetry.Api/README.md#introduction-to-opentelemetry-net-tracing-api).

+```csharp

+using var tracerProvider = Sdk.CreateTracerProviderBuilder()

+ .AddSource("ActivitySourceName")

+ .AddAzureMonitorTraceExporter()

+ .Build();

+var activitySource = new ActivitySource("ActivitySourceName");

+using (var activity = activitySource.StartActivity("CustomActivity"))

+{

+ // your code here

+}

+```

+When calling `StartActivity`, it defaults to `ActivityKind.Internal` but you can provide any other `ActivityKind`.

+`ActivityKind.Client`, `ActivityKind.Producer`, and `ActivityKind.Internal` are mapped to Application Insights `dependencies`.

+`ActivityKind.Server` and `ActivityKind.Consumer` are mapped to Application Insights `requests`.

+#### [Java](#tab/java)

+

+##### Use the OpenTelemetry annotation

+The simplest way to add your own spans is by using OpenTelemetry's `@WithSpan` annotation.

+Spans populate the `requests` and `dependencies` tables in Application Insights.

+1. Add `opentelemetry-instrumentation-annotations-1.21.0.jar` (or later) to your application:

+ ```xml

+ <dependency>

+ <groupId>io.opentelemetry.instrumentation</groupId>

+ <artifactId>opentelemetry-instrumentation-annotations</artifactId>

+ <version>1.21.0</version>

+ </dependency>

+ ```

+1. Use the `@WithSpan` annotation to emit a span each time your method is executed:

+ ```java

+ import io.opentelemetry.instrumentation.annotations.WithSpan;

+ @WithSpan(value = "your span name")

+ public void yourMethod() {

+ }

+ ```

+By default, the span ends up in the `dependencies` table with dependency type `InProc`.

+For methods representing a background job not captured by autoinstrumentation, we recommend applying the attribute `kind = SpanKind.SERVER` to the `@WithSpan` annotation to ensure they appear in the Application Insights `requests` table.

+##### Use the OpenTelemetry API

+If the preceding OpenTelemetry `@WithSpan` annotation doesn't meet your needs,

+you can add your spans by using the OpenTelemetry API.

+1. Add `opentelemetry-api-1.0.0.jar` (or later) to your application:

+ ```xml

+ <dependency>

+ <groupId>io.opentelemetry.instrumentation</groupId>

+ <artifactId>opentelemetry-api</artifactId>

+ <version>1.0.0</version>

+ </dependency>

+ ```

+1. Use the `GlobalOpenTelemetry` class to create a `Tracer`:

+ ```java

+ import io.opentelemetry.api.GlobalOpenTelemetry;

+ import io.opentelemetry.api.trace.Tracer;

+ static final Tracer tracer = GlobalOpenTelemetry.getTracer("com.example");

+ ```

+1. Create a span, make it current, and then end it:

+ ```java

+ Span span = tracer.spanBuilder("my first span").startSpan();

+ try (Scope ignored = span.makeCurrent()) {

+ // do stuff within the context of this

+ } catch (Throwable t) {

+ span.recordException(t);

+ } finally {

+ span.end();

+ }

+ ```

+#### [Node.js](#tab/nodejs)

+```javascript

+const { ApplicationInsightsClient, ApplicationInsightsConfig } = require("applicationinsights");

+const appInsights = new ApplicationInsightsClient(new ApplicationInsightsConfig());

+const tracer = appInsights.getTraceHandler().getTracer();

+let span = tracer.startSpan("hello");

+span.end();

+```

+#### [Python](#tab/python)

+The OpenTelemetry API can be used to add your own spans, which appear in the `requests` and `dependencies` tables in Application Insights.

+The code example shows how to use the `tracer.start_as_current_span()` method to start, make the span current, and end the span within its context.

+```python

+...

+from opentelemetry import trace

+tracer = trace.get_tracer(__name__)

+# The "with" context manager starts, makes the span current, and ends the span within it's context

+with tracer.start_as_current_span("my first span") as span:

+ try:

+ # Do stuff within the context of this

+ except Exception as ex:

+ span.record_exception(ex)

+...

+```

+By default, the span is in the `dependencies` table with a dependency type of `InProc`.

+If your method represents a background job not already captured by autoinstrumentation, we recommend setting the attribute `kind = SpanKind.SERVER` to ensure it appears in the Application Insights `requests` table.

+```python

+...

+from opentelemetry import trace

+from opentelemetry.trace import SpanKind

+tracer = trace.get_tracer(__name__)

+with tracer.start_as_current_span("my request span", kind=SpanKind.SERVER) as span:

+...

+```

+<!--

+### Add Custom Events

+#### Span Events

+The OpenTelemetry Logs/Events API is still under development. In the meantime, you can use the OpenTelemetry Span API to create "Span Events", which populate the traces table in Application Insights. The string passed in to addEvent() is saved to the message field within the trace.

+> [!CAUTION]

+> Span Events are only recommended for when you need additional diagnostic metadata associated with your span. For other scenarios, such as describing business events, we recommend you wait for the release of the OpenTelemetry Events API.

+#### [ASP.NET Core](#tab/aspnetcore)

+

+Currently unavailable.

+

+#### [.NET](#tab/net)

+Currently unavailable.

+#### [Java](#tab/java)

+You can use `opentelemetry-api` to create span events, which populate the `traces` table in Application Insights. The string passed in to `addEvent()` is saved to the `message` field within the trace.

+1. Add `opentelemetry-api-1.0.0.jar` (or later) to your application:

+ ```xml

+ <dependency>

+ <groupId>io.opentelemetry.instrumentation</groupId>

+ <artifactId>opentelemetry-api</artifactId>

+ <version>1.0.0</version>

+ </dependency>

+ ```

+1. Add span events in your code:

+ ```java

+ import io.opentelemetry.api.trace.Span;

+ Span.current().addEvent("eventName");

+ ```

+#### [Node.js](#tab/nodejs)

+Currently unavailable.

+

+#### [Python](#tab/python)

+Currently unavailable.

+-->

+

+### Send custom telemetry using the Application Insights Classic API

+We recommend you use the OpenTelemetry APIs whenever possible, but there may be some scenarios when you have to use the Application Insights [Classic API](api-custom-events-metrics.md)s.

+

+#### [ASP.NET Core](#tab/aspnetcore)

+

+Not available in .NET.

+#### [.NET](#tab/net)

+Not available in .NET.

+#### [Java](#tab/java)

+1. Add `applicationinsights-core` to your application:

+ ```xml

+ <dependency>

+ <groupId>com.microsoft.azure</groupId>

+ <artifactId>applicationinsights-core</artifactId>

+ <version>3.4.14</version>

+ </dependency>

+ ```

+1. Create a `TelemetryClient` instance:

+

+ ```java

+ static final TelemetryClient telemetryClient = new TelemetryClient();

+ ```

+1. Use the client to send custom telemetry:

+ ##### Events

+

+ ```java

+ telemetryClient.trackEvent("WinGame");

+ ```

+

+ ##### Metrics

+

+ ```java

+ telemetryClient.trackMetric("queueLength", 42.0);

+ ```

+

+ ##### Dependencies

+

+ ```java

+ boolean success = false;

+ long startTime = System.currentTimeMillis();

+ try {

+ success = dependency.call();

+ } finally {

+ long endTime = System.currentTimeMillis();

+ RemoteDependencyTelemetry telemetry = new RemoteDependencyTelemetry();

+ telemetry.setSuccess(success);

+ telemetry.setTimestamp(new Date(startTime));

+ telemetry.setDuration(new Duration(endTime - startTime));

+ telemetryClient.trackDependency(telemetry);

+ }

+ ```

+

+ ##### Logs

+

+ ```java

+ telemetryClient.trackTrace(message, SeverityLevel.Warning, properties);

+ ```

+

+ ##### Exceptions

+

+ ```java

+ try {

+ ...

+ } catch (Exception e) {

+ telemetryClient.trackException(e);

+ }

+ ```

+#### [Node.js](#tab/nodejs)

+First, get the `LogHandler`:

+```javascript

+const { ApplicationInsightsClient, ApplicationInsightsConfig } = require("applicationinsights");

+const appInsights = new ApplicationInsightsClient(new ApplicationInsightsConfig());

+const logHandler = appInsights.getLogHandler();

+```

+Then use the `LogHandler` to send custom telemetry:

+##### Events

+```javascript

+let eventTelemetry = {

+ name: "testEvent"

+};

+logHandler.trackEvent(eventTelemetry);

+```

+##### Logs

+```javascript

+let traceTelemetry = {

+ message: "testMessage",

+ severity: "Information"

+};

+logHandler.trackTrace(traceTelemetry);

+```

+

+##### Exceptions

+```javascript

+try {

+ ...

+} catch (error) {

+ let exceptionTelemetry = {

+ exception: error,

+ severity: "Critical"

+ };

+ logHandler.trackException(exceptionTelemetry);

+}

+```

+#### [Python](#tab/python)

+

+It isn't available in Python.

+## Modify telemetry

+This section explains how to modify telemetry.

+### Add span attributes

+These attributes might include adding a custom property to your telemetry. You might also use attributes to set optional fields in the Application Insights schema, like Client IP.

+#### Add a custom property to a Span

+Any [attributes](#add-span-attributes) you add to spans are exported as custom properties. They populate the _customDimensions_ field in the requests, dependencies, traces, or exceptions table.

+##### [ASP.NET Core](#tab/aspnetcore)

+To add span attributes, use either of the following two ways:

+* Use options provided by [instrumentation libraries](opentelemetry-enable.md#install-the-client-library).

+* Add a custom span processor.

+> [!TIP]

+> The advantage of using options provided by instrumentation libraries, when they're available, is that the entire context is available. As a result, users can select to add or filter more attributes. For example, the enrich option in the HttpClient instrumentation library gives users access to the [HttpRequestMessage](/dotnet/api/system.net.http.httprequestmessage) and the [HttpResponseMessage](/dotnet/api/system.net.http.httpresponsemessage) itself. They can select anything from it and store it as an attribute.

+1. Many instrumentation libraries provide an enrich option. For guidance, see the readme files of individual instrumentation libraries:

+ - [ASP.NET Core](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.14/src/OpenTelemetry.Instrumentation.AspNetCore/README.md#enrich)

+ - [HttpClient](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.14/src/OpenTelemetry.Instrumentation.Http/README.md#enrich)

+1. Use a custom processor:

+> [!TIP]

+> Add the processor shown here *before* adding Azure Monitor.

+```csharp

+var builder = WebApplication.CreateBuilder(args);

+builder.Services.ConfigureOpenTelemetryTracerProvider((sp, builder) => builder.AddProcessor(new ActivityEnrichingProcessor()));

+builder.Services.AddOpenTelemetry().UseAzureMonitor();

+var app = builder.Build();

+app.Run();

+```

+Add `ActivityEnrichingProcessor.cs` to your project with the following code:

+```csharp

+public class ActivityEnrichingProcessor : BaseProcessor<Activity>

+{

+ public override void OnEnd(Activity activity)

+ {

+ // The updated activity will be available to all processors which are called after this processor.

+ activity.DisplayName = "Updated-" + activity.DisplayName;

+ activity.SetTag("CustomDimension1", "Value1");

+ activity.SetTag("CustomDimension2", "Value2");

+ }

+}

+```

+#### [.NET](#tab/net)

+To add span attributes, use either of the following two ways:

+* Use options provided by instrumentation libraries.

+* Add a custom span processor.

+> [!TIP]

+> The advantage of using options provided by instrumentation libraries, when they're available, is that the entire context is available. As a result, users can select to add or filter more attributes. For example, the enrich option in the HttpClient instrumentation library gives users access to the httpRequestMessage itself. They can select anything from it and store it as an attribute.

+1. Many instrumentation libraries provide an enrich option. For guidance, see the readme files of individual instrumentation libraries:

+ - [ASP.NET](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/blob/Instrumentation.AspNet-1.0.0-rc9.8/src/OpenTelemetry.Instrumentation.AspNet/README.md#enrich)

+ - [ASP.NET Core](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.14/src/OpenTelemetry.Instrumentation.AspNetCore/README.md#enrich)

+ - [HttpClient](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.14/src/OpenTelemetry.Instrumentation.Http/README.md#enrich)

+1. Use a custom processor:

+> [!TIP]

+> Add the processor shown here *before* the Azure Monitor Exporter.

+```csharp

+using var tracerProvider = Sdk.CreateTracerProviderBuilder()

+ .AddSource("OTel.AzureMonitor.Demo")

+ .AddProcessor(new ActivityEnrichingProcessor())

+ .AddAzureMonitorTraceExporter()

+ .Build();

+```

+Add `ActivityEnrichingProcessor.cs` to your project with the following code:

+```csharp

+public class ActivityEnrichingProcessor : BaseProcessor<Activity>

+{

+ public override void OnEnd(Activity activity)

+ {

+ // The updated activity will be available to all processors which are called after this processor.

+ activity.DisplayName = "Updated-" + activity.DisplayName;

+ activity.SetTag("CustomDimension1", "Value1");

+ activity.SetTag("CustomDimension2", "Value2");

+ }

+}

+```

+##### [Java](#tab/java)

+You can use `opentelemetry-api` to add attributes to spans.

+Adding one or more span attributes populates the `customDimensions` field in the `requests`, `dependencies`, `traces`, or `exceptions` table.

+1. Add `opentelemetry-api-1.0.0.jar` (or later) to your application:

+ ```xml

+ <dependency>

+ <groupId>io.opentelemetry.instrumentation</groupId>

+ <artifactId>opentelemetry-api</artifactId>

+ <version>1.0.0</version>

+ </dependency>

+ ```

+1. Add custom dimensions in your code:

+ ```java

+ import io.opentelemetry.api.trace.Span;

+ import io.opentelemetry.api.common.AttributeKey;

+ AttributeKey attributeKey = AttributeKey.stringKey("mycustomdimension");

+ Span.current().setAttribute(attributeKey, "myvalue1");

+ ```

+##### [Node.js](#tab/nodejs)

+```typescript

+const { ApplicationInsightsClient, ApplicationInsightsConfig } = require("applicationinsights");

+const { ReadableSpan, Span, SpanProcessor } = require("@opentelemetry/sdk-trace-base");

+const { SemanticAttributes } = require("@opentelemetry/semantic-conventions");

+const appInsights = new ApplicationInsightsClient(new ApplicationInsightsConfig());

+class SpanEnrichingProcessor implements SpanProcessor{

+ forceFlush(): Promise<void>{

+ return Promise.resolve();

+ }

+ shutdown(): Promise<void>{

+ return Promise.resolve();

+ }

+ onStart(_span: Span): void{}

+ onEnd(span: ReadableSpan){

+ span.attributes["CustomDimension1"] = "value1";

+ span.attributes["CustomDimension2"] = "value2";

+ }

+}

+appInsights.getTraceHandler().addSpanProcessor(new SpanEnrichingProcessor());

+```

+##### [Python](#tab/python)

+Use a custom processor:

+```python

+...

+from azure.monitor.opentelemetry import configure_azure_monitor

+from opentelemetry import trace

+configure_azure_monitor(

+ connection_string="<your-connection-string>",

+)

+span_enrich_processor = SpanEnrichingProcessor()

+# Add the processor shown below to the current `TracerProvider`

+trace.get_tracer_provider().add_span_processor(span_enrich_processor)

+...

+```

+Add `SpanEnrichingProcessor.py` to your project with the following code:

+```python

+from opentelemetry.sdk.trace import SpanProcessor

+class SpanEnrichingProcessor(SpanProcessor):

+ def on_end(self, span):

+ span._name = "Updated-" + span.name

+ span._attributes["CustomDimension1"] = "Value1"

+ span._attributes["CustomDimension2"] = "Value2"

+```

+#### Set the user IP

+You can populate the _client_IP_ field for requests by setting the `http.client_ip` attribute on the span. Application Insights uses the IP address to generate user location attributes and then [discards it by default](ip-collection.md#default-behavior).

+##### [ASP.NET Core](#tab/aspnetcore)

+Use the add [custom property example](#add-a-custom-property-to-a-span), but replace the following lines of code in `ActivityEnrichingProcessor.cs`:

+```C#

+// only applicable in case of activity.Kind == Server

+activity.SetTag("http.client_ip", "<IP Address>");

+```

+#### [.NET](#tab/net)

+Use the add [custom property example](#add-a-custom-property-to-a-span), but replace the following lines of code in `ActivityEnrichingProcessor.cs`:

+```C#

+// only applicable in case of activity.Kind == Server

+activity.SetTag("http.client_ip", "<IP Address>");

+```

+##### [Java](#tab/java)

+Java automatically populates this field.

+##### [Node.js](#tab/nodejs)

+Use the add [custom property example](#add-a-custom-property-to-a-span), but replace the following lines of code:

+```typescript

+...

+const { SemanticAttributes } = require("@opentelemetry/semantic-conventions");

+class SpanEnrichingProcessor implements SpanProcessor{

+ ...

+ onEnd(span){

+ span.attributes[SemanticAttributes.HTTP_CLIENT_IP] = "<IP Address>";

+ }

+}

+```

+##### [Python](#tab/python)

+Use the add [custom property example](#add-a-custom-property-to-a-span), but replace the following lines of code in `SpanEnrichingProcessor.py`:

+```python

+span._attributes["http.client_ip"] = "<IP Address>"

+```

+#### Set the user ID or authenticated user ID

+You can populate the _user_Id_ or _user_AuthenticatedId_ field for requests by using the following guidance. User ID is an anonymous user identifier. Authenticated User ID is a known user identifier.

+> [!IMPORTANT]

+> Consult applicable privacy laws before you set the Authenticated User ID.

+##### [ASP.NET Core](#tab/aspnetcore)

+Use the add [custom property example](#add-a-custom-property-to-a-span).

+```csharp

+activity?.SetTag("enduser.id", "<User Id>");

+```

+##### [.NET](#tab/net)

+Use the add [custom property example](#add-a-custom-property-to-a-span).

+```csharp

+activity?.SetTag("enduser.id", "<User Id>");

+```

+##### [Java](#tab/java)

+Populate the `user ID` field in the `requests`, `dependencies`, or `exceptions` table.

+1. Add `opentelemetry-api-1.0.0.jar` (or later) to your application:

+ ```xml

+ <dependency>

+ <groupId>io.opentelemetry.instrumentation</groupId>

+ <artifactId>opentelemetry-api</artifactId>

+ <version>1.0.0</version>

+ </dependency>

+ ```

+1. Set `user_Id` in your code:

+ ```java

+ import io.opentelemetry.api.trace.Span;

+ Span.current().setAttribute("enduser.id", "myuser");

+ ```

+#### [Node.js](#tab/nodejs)

+Use the add [custom property example](#add-a-custom-property-to-a-span), but replace the following lines of code:

+```typescript

+...

+import { SemanticAttributes } from "@opentelemetry/semantic-conventions";

+class SpanEnrichingProcessor implements SpanProcessor{

+ ...

+ onEnd(span: ReadableSpan){

+ span.attributes[SemanticAttributes.ENDUSER_ID] = "<User ID>";

+ }

+}

+```

+##### [Python](#tab/python)

+Use the add [custom property example](#add-a-custom-property-to-a-span), but replace the following lines of code:

+```python

+span._attributes["enduser.id"] = "<User ID>"

+```

+### Add log attributes

+

+#### [ASP.NET Core](#tab/aspnetcore)

+OpenTelemetry uses .NET's ILogger.

+Attaching custom dimensions to logs can be accomplished using a [message template](/dotnet/core/extensions/logging?tabs=command-line#log-message-template).

+#### [.NET](#tab/net)

+OpenTelemetry uses .NET's ILogger.

+Attaching custom dimensions to logs can be accomplished using a [message template](/dotnet/core/extensions/logging?tabs=command-line#log-message-template).

+#### [Java](#tab/java)

+Logback, Log4j, and java.util.logging are [autoinstrumented](#logs). Attaching custom dimensions to your logs can be accomplished in these ways:

+* [Log4j 2 MapMessage](https://logging.apache.org/log4j/2.x/log4j-api/apidocs/org/apache/logging/log4j/message/MapMessage.html) (a `MapMessage` key of `"message"` is captured as the log message)

+* [Log4j 2 Thread Context](https://logging.apache.org/log4j/2.x/manual/thread-context.html)

+* [Log4j 1.2 MDC](https://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/MDC.html)

+#### [Node.js](#tab/nodejs)

+

+Attributes could be added only when calling manual track APIs only. Log attributes for console, bunyan and winston are currently not supported.

+```javascript

+const config = new ApplicationInsightsConfig();

+config.instrumentations.http = httpInstrumentationConfig;

+const appInsights = new ApplicationInsightsClient(config);

+const logHandler = appInsights.getLogHandler();

+const attributes = {

+ "testAttribute1": "testValue1",

+ "testAttribute2": "testValue2",

+ "testAttribute3": "testValue3"

+};

+logHandler.trackEvent({

+ name: "testEvent",

+ properties: attributes

+});

+```

+#### [Python](#tab/python)

+

+The Python [logging](https://docs.python.org/3/howto/logging.html) library is [autoinstrumented](#logs). You can attach custom dimensions to your logs by passing a dictionary into the `extra` argument of your logs.

+```python

+...

+logger.warning("WARNING: Warning log with properties", extra={"key1": "value1"})

+...

+```

+### Filter telemetry

+You might use the following ways to filter out telemetry before it leaves your application.

+#### [ASP.NET Core](#tab/aspnetcore)

+1. Many instrumentation libraries provide a filter option. For guidance, see the readme files of individual instrumentation libraries:

+ - [ASP.NET Core](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.14/src/OpenTelemetry.Instrumentation.AspNetCore/README.md#filter)

+ - [HttpClient](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.14/src/OpenTelemetry.Instrumentation.Http/README.md#filter)

+1. Use a custom processor:

+

+ > [!TIP]

+ > Add the processor shown here *before* adding Azure Monitor.

+ ```csharp

+ var builder = WebApplication.CreateBuilder(args);

+ builder.Services.ConfigureOpenTelemetryTracerProvider((sp, builder) => builder.AddProcessor(new ActivityFilteringProcessor()));

+ builder.Services.ConfigureOpenTelemetryTracerProvider((sp, builder) => builder.AddSource("ActivitySourceName"));

+ builder.Services.AddOpenTelemetry().UseAzureMonitor();

+ var app = builder.Build();

+ app.Run();

+ ```

+

+ Add `ActivityFilteringProcessor.cs` to your project with the following code:

+

+ ```csharp

+ public class ActivityFilteringProcessor : BaseProcessor<Activity>

+ {

+ public override void OnStart(Activity activity)

+ {

+ // prevents all exporters from exporting internal activities

+ if (activity.Kind == ActivityKind.Internal)

+ {

+ activity.IsAllDataRequested = false;

+ }

+ }

+ }

+ ```

+1. If a particular source isn't explicitly added by using `AddSource("ActivitySourceName")`, then none of the activities created by using that source are exported.

+#### [.NET](#tab/net)

+1. Many instrumentation libraries provide a filter option. For guidance, see the readme files of individual instrumentation libraries:

+ - [ASP.NET](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/blob/Instrumentation.AspNet-1.0.0-rc9.8/src/OpenTelemetry.Instrumentation.AspNet/README.md#filter)

+ - [ASP.NET Core](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.14/src/OpenTelemetry.Instrumentation.AspNetCore/README.md#filter)

+ - [HttpClient](https://github.com/open-telemetry/opentelemetry-dotnet/blob/1.0.0-rc9.14/src/OpenTelemetry.Instrumentation.Http/README.md#filter)

+1. Use a custom processor:

+

+ ```csharp

+ using var tracerProvider = Sdk.CreateTracerProviderBuilder()

+ .AddSource("OTel.AzureMonitor.Demo")

+ .AddProcessor(new ActivityFilteringProcessor())

+ .AddAzureMonitorTraceExporter()

+ .Build();

+ ```

+

+ Add `ActivityFilteringProcessor.cs` to your project with the following code:

+

+ ```csharp

+ public class ActivityFilteringProcessor : BaseProcessor<Activity>

+ {

+ public override void OnStart(Activity activity)

+ {

+ // prevents all exporters from exporting internal activities

+ if (activity.Kind == ActivityKind.Internal)

+ {

+ activity.IsAllDataRequested = false;

+ }

+ }

+ }

+ ```

+1. If a particular source isn't explicitly added by using `AddSource("ActivitySourceName")`, then none of the activities created by using that source are exported.

+#### [Java](#tab/java)

+See [sampling overrides](java-standalone-config.md#sampling-overrides-preview) and [telemetry processors](java-standalone-telemetry-processors.md).

+#### [Node.js](#tab/nodejs)

+1. Exclude the URL option provided by many HTTP instrumentation libraries.

+ The following example shows how to exclude a certain URL from being tracked by using the [HTTP/HTTPS instrumentation library](https://github.com/open-telemetry/opentelemetry-js/tree/main/experimental/packages/opentelemetry-instrumentation-http):

+

+ ```typescript

+ const { ApplicationInsightsClient, ApplicationInsightsConfig } = require("applicationinsights");

+ const { IncomingMessage } = require("http");

+ const { RequestOptions } = require("https");

+ const { HttpInstrumentationConfig }= require("@opentelemetry/instrumentation-http");

+ const httpInstrumentationConfig: HttpInstrumentationConfig = {

+ enabled: true,

+ ignoreIncomingRequestHook: (request: IncomingMessage) => {

+ // Ignore OPTIONS incoming requests

+ if (request.method === 'OPTIONS') {

+ return true;

+ }

+ return false;

+ },

+ ignoreOutgoingRequestHook: (options: RequestOptions) => {

+ // Ignore outgoing requests with /test path

+ if (options.path === '/test') {

+ return true;

+ }

+ return false;

+ }

+ };

+ const config = new ApplicationInsightsConfig();

+ config.instrumentations.http = httpInstrumentationConfig;

+ const appInsights = new ApplicationInsightsClient(config);

+ ```

+2. Use a custom processor. You can use a custom span processor to exclude certain spans from being exported. To mark spans to not be exported, set `TraceFlag` to `DEFAULT`.

+Use the add [custom property example](#add-a-custom-property-to-a-span), but replace the following lines of code:

+ ```typescript

+ const { SpanKind, TraceFlags } = require("@opentelemetry/api");

+ class SpanEnrichingProcessor {

+ ...

+ onEnd(span) {

+ if(span.kind == SpanKind.INTERNAL){

+ span.spanContext().traceFlags = TraceFlags.NONE;

+ }

+ }

+ }

+ ```

+#### [Python](#tab/python)

+1. Exclude the URL with the `OTEL_PYTHON_EXCLUDED_URLS` environment variable:

+ ```

+ export OTEL_PYTHON_EXCLUDED_URLS="http://localhost:8080/ignore"

+ ```

+ Doing so excludes the endpoint shown in the following Flask example:

+

+ ```python

+ ...

+ import flask

+ from azure.monitor.opentelemetry import configure_azure_monitor

+

+ # Configure Azure monitor collection telemetry pipeline

+ configure_azure_monitor(

+ connection_string="<your-connection-string>",

+ )

+ app = flask.Flask(__name__)

+ # Requests sent to this endpoint will not be tracked due to

+ # flask_config configuration

+ @app.route("/ignore")

+ def ignore():

+ return "Request received but not tracked."

+ ...

+ ```

+1. Use a custom processor. You can use a custom span processor to exclude certain spans from being exported. To mark spans to not be exported, set `TraceFlag` to `DEFAULT`.

+

+ ```python

+ ...

+ from azure.monitor.opentelemetry import configure_azure_monitor

+ from opentelemetry import trace

+ configure_azure_monitor(

+ connection_string="<your-connection-string>",

+ )

+ trace.get_tracer_provider().add_span_processor(SpanFilteringProcessor())

+ ...

+ ```

+

+ Add `SpanFilteringProcessor.py` to your project with the following code:

+

+ ```python

+ from opentelemetry.trace import SpanContext, SpanKind, TraceFlags

+ from opentelemetry.sdk.trace import SpanProcessor

+

+ class SpanFilteringProcessor(SpanProcessor):

+

+ # prevents exporting spans from internal activities

+ def on_start(self, span):

+ if span._kind is SpanKind.INTERNAL:

+ span._context = SpanContext(

+ span.context.trace_id,

+ span.context.span_id,

+ span.context.is_remote,

+ TraceFlags.DEFAULT,

+ span.context.trace_state,

+ )

+

+ ```

+

+<!-- For more information, see [GitHub Repo](link). -->

+### Get the trace ID or span ID

+

+You might want to get the trace ID or span ID. If you have logs sent to a destination other than Application Insights, consider adding the trace ID or span ID. Doing so enables better correlation when debugging and diagnosing issues.

+#### [ASP.NET Core](#tab/aspnetcore)

+> [!NOTE]

+> The `Activity` and `ActivitySource` classes from the `System.Diagnostics` namespace represent the OpenTelemetry concepts of `Span` and `Tracer`, respectively. That's because parts of the OpenTelemetry tracing API are incorporated directly into the .NET runtime. To learn more, see [Introduction to OpenTelemetry .NET Tracing API](https://github.com/open-telemetry/opentelemetry-dotnet/blob/main/src/OpenTelemetry.Api/README.md#introduction-to-opentelemetry-net-tracing-api).

+```csharp

+Activity activity = Activity.Current;

+string traceId = activity?.TraceId.ToHexString();

+string spanId = activity?.SpanId.ToHexString();

+```

+#### [.NET](#tab/net)

+> [!NOTE]

+> The `Activity` and `ActivitySource` classes from the `System.Diagnostics` namespace represent the OpenTelemetry concepts of `Span` and `Tracer`, respectively. That's because parts of the OpenTelemetry tracing API are incorporated directly into the .NET runtime. To learn more, see [Introduction to OpenTelemetry .NET Tracing API](https://github.com/open-telemetry/opentelemetry-dotnet/blob/main/src/OpenTelemetry.Api/README.md#introduction-to-opentelemetry-net-tracing-api).

+```csharp

+Activity activity = Activity.Current;

+string traceId = activity?.TraceId.ToHexString();

+string spanId = activity?.SpanId.ToHexString();

+```

+#### [Java](#tab/java)

+You can use `opentelemetry-api` to get the trace ID or span ID.

+1. Add `opentelemetry-api-1.0.0.jar` (or later) to your application:

+ ```xml

+ <dependency>

+ <groupId>io.opentelemetry.instrumentation</groupId>

+ <artifactId>opentelemetry-api</artifactId>

+ <version>1.0.0</version>

+ </dependency>

+ ```

+1. Get the request trace ID and the span ID in your code:

+ ```java

+ import io.opentelemetry.api.trace.Span;

+ Span span = Span.current();

+ String traceId = span.getSpanContext().getTraceId();

+ String spanId = span.getSpanContext().getSpanId();

+ ```

+#### [Node.js](#tab/nodejs)

+Get the request trace ID and the span ID in your code:

+ ```javascript

+ const { trace } = require("@opentelemetry/api");

+ let spanId = trace.getActiveSpan().spanContext().spanId;

+ let traceId = trace.getActiveSpan().spanContext().traceId;

+ ```

+#### [Python](#tab/python)

+Get the request trace ID and the span ID in your code:

+ ```python

+ from opentelemetry import trace

+ trace_id = trace.get_current_span().get_span_context().trace_id

+ span_id = trace.get_current_span().get_span_context().span_id

+ ```

+## Next steps

+### [ASP.NET Core](#tab/aspnetcore)

+- To further configure the OpenTelemetry distro, see [Azure Monitor OpenTelemetry configuration](opentelemetry-configuration.md)

+- To review the source code, see the [Azure Monitor AspNetCore GitHub repository](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/monitor/Azure.Monitor.OpenTelemetry.AspNetCore).

+- To install the NuGet package, check for updates, or view release notes, see the [Azure Monitor AspNetCore NuGet Package](https://www.nuget.org/packages/Azure.Monitor.OpenTelemetry.AspNetCore) page.

+- To become more familiar with Azure Monitor and OpenTelemetry, see the [Azure Monitor Example Application](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/monitor/Azure.Monitor.OpenTelemetry.AspNetCore/tests/Azure.Monitor.OpenTelemetry.AspNetCore.Demo).

+- To learn more about OpenTelemetry and its community, see the [OpenTelemetry .NET GitHub repository](https://github.com/open-telemetry/opentelemetry-dotnet).

+- To enable usage experiences, [enable web or browser user monitoring](javascript.md).

+#### [.NET](#tab/net)

+- To further configure the OpenTelemetry distro, see [Azure Monitor OpenTelemetry configuration](opentelemetry-configuration.md)

+- To review the source code, see the [Azure Monitor Exporter GitHub repository](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/monitor/Azure.Monitor.OpenTelemetry.Exporter).

+- To install the NuGet package, check for updates, or view release notes, see the [Azure Monitor Exporter NuGet Package](https://www.nuget.org/packages/Azure.Monitor.OpenTelemetry.Exporter) page.

+- To become more familiar with Azure Monitor and OpenTelemetry, see the [Azure Monitor Example Application](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/monitor/Azure.Monitor.OpenTelemetry.Exporter/tests/Azure.Monitor.OpenTelemetry.Exporter.Demo).

+- To learn more about OpenTelemetry and its community, see the [OpenTelemetry .NET GitHub repository](https://github.com/open-telemetry/opentelemetry-dotnet).

+- To enable usage experiences, [enable web or browser user monitoring](javascript.md).

+### [Java](#tab/java)

+- Review [Java autoinstrumentation configuration options](java-standalone-config.md).

+- To review the source code, see the [Azure Monitor Java autoinstrumentation GitHub repository](https://github.com/Microsoft/ApplicationInsights-Java).

+- To learn more about OpenTelemetry and its community, see the [OpenTelemetry Java GitHub repository](https://github.com/open-telemetry/opentelemetry-java-instrumentation).

+- To enable usage experiences, see [Enable web or browser user monitoring](javascript.md).

+- See the [release notes](https://github.com/microsoft/ApplicationInsights-Java/releases) on GitHub.

+### [Node.js](#tab/nodejs)

+- To review the source code, see the [Application Insights Beta GitHub repository](https://github.com/microsoft/ApplicationInsights-node.js/tree/beta).

+- To install the npm package and check for updates see the [applicationinsights npm Package](https://www.npmjs.com/package/applicationinsights/v/beta) page.

+- To become more familiar with Azure Monitor Application Insights and OpenTelemetry, see the [Azure Monitor Example Application](https://github.com/Azure-Samples/azure-monitor-opentelemetry-node.js).

+- To learn more about OpenTelemetry and its community, see the [OpenTelemetry JavaScript GitHub repository](https://github.com/open-telemetry/opentelemetry-js).

+- To enable usage experiences, [enable web or browser user monitoring](javascript.md).

+### [Python](#tab/python)

+- To review the source code and extra documentation, see the [Azure Monitor Distro GitHub repository](https://github.com/microsoft/ApplicationInsights-Python/blob/main/azure-monitor-opentelemetry/README.md).

+- To see extra samples and use cases, see [Azure Monitor Distro samples](https://github.com/microsoft/ApplicationInsights-Python/tree/main/azure-monitor-opentelemetry/samples).

+- See the [release notes](https://github.com/microsoft/ApplicationInsights-Python/releases) on GitHub.

+- To install the PyPI package, check for updates, or view release notes, see the [Azure Monitor Distro PyPI Package](https://pypi.org/project/azure-monitor-opentelemetry/) page.

+- To become more familiar with Azure Monitor Application Insights and OpenTelemetry, see the [Azure Monitor Example Application](https://github.com/Azure-Samples/azure-monitor-opentelemetry-python).

+- To learn more about OpenTelemetry and its community, see the [OpenTelemetry Python GitHub repository](https://github.com/open-telemetry/opentelemetry-python).

+- To see available OpenTelemetry instrumentations and components, see the [OpenTelemetry Contributor Python GitHub repository](https://github.com/open-telemetry/opentelemetry-python-contrib).

+- To enable usage experiences, [enable web or browser user monitoring](javascript.md).

+> When using fixed-rate/percentage sampling and you aren't sure what to set the sampling rate as, start at 5% (i.e., 0.05 sampling ratio) and adjust the rate based on the accuracy of the operations shown in the failures and performance blades. A higher rate generally results in higher accuracy. However, ANY sampling will affect accuracy so we recommend alerting on [OpenTelemetry metrics](opentelemetry-add-modify.md#metrics), which are unaffected by sampling.

+This article describes how to enable and configure OpenTelemetry-based data collection to power the experiences within [Azure Monitor Application Insights](app-insights-overview.md#application-insights-overview). We walk through how to install the "Azure Monitor OpenTelemetry Distro". To learn more about OpenTelemetry concepts, see the [OpenTelemetry overview](opentelemetry-overview.md) or [OpenTelemetry FAQ](/azure/azure-monitor/faq#opentelemetry).

+To enable Azure Monitor Application Insights, you make a minor modification to your application and set your "Connection String". The Connection String tells your application where to send the telemetry the Distro collects, and it's unique to you.

+Add `UseAzureMonitor()` to your application startup. Depending on your version of .NET, it is in either your `startup.cs` or `program.cs` class.

+Add the Azure Monitor Exporter to each OpenTelemetry signal in application startup. Depending on your version of .NET, it is in either your `startup.cs` or `program.cs` class.

+To paste your Connection String, select from the following options:

+That's it. Your application is now monitored by Application Insights. Everything else below is optional and available for further customization.

+- For details on adding and modifying Azure Monitor OpenTelemetry, see [Add and modify Azure Monitor OpenTelemetry](opentelemetry-add-modify.md)

+- For details on adding and modifying Azure Monitor OpenTelemetry, see [Add and modify Azure Monitor OpenTelemetry](opentelemetry-add-modify.md)

+- For details on adding and modifying Azure Monitor OpenTelemetry, see [Add and modify Azure Monitor OpenTelemetry](opentelemetry-add-modify.md)

+- For details on adding and modifying Azure Monitor OpenTelemetry, see [Add and modify Azure Monitor OpenTelemetry](opentelemetry-add-modify.md)

+- For details on adding and modifying Azure Monitor OpenTelemetry, see [Add and modify Azure Monitor OpenTelemetry](opentelemetry-add-modify.md)

+| Java | Not supported | Not supported | [Supported](opentelemetry-add-modify.md?tabs=java#metrics) |

+> Unless you [set the authenticated user context](./javascript-feature-extensions.md#2-optional-set-the-authenticated-user-context), you must select **Anonymous Users** from the **ConversionScope** dropdown to see telemetry data.

+* The **Users** report counts the numbers of unique users that access your pages within your chosen time periods. For web apps, users are counted by using cookies. If someone accesses your site with different browsers or client machines, or clears their cookies, they're counted more than once.

+* The **Sessions** report tabulates the number of user sessions that access your site. A session represents a period of activity initiated by a user and concludes with a period of inactivity exceeding half an hour.

+To understand user interactions in your app, insert code lines to log custom events. These events track various user actions, like button selections, or important business events, such as purchases or game victories.

+You can also use the [Click Analytics Autocollection plug-in](javascript-feature-extensions.md) to collect custom events.

+Whenever youΓÇÖre in any usage experience, select the **Open the last run query** icon to take you back to the underlying query.

+If you're unsure which feature variant is more successful, release both and let different users access each variant. Measure the success of each variant, and then transition to a unified version.

+In this technique, you attach unique property values to all the telemetry sent by each version of your app. You can do it by defining properties in the active TelemetryContext. These default properties get included in every telemetry message sent by the application. It includes both custom messages and standard telemetry.

+You should measure events that represent significant business activities to get the most useful retention analysis.

+For more information and example code, see [Custom business events](usage-overview.md#custom-business-events).

+To learn more, see [writing custom events](./api-custom-events-metrics.md#trackevent).

+|PEBytesIn |No |Bytes In |Count |Total |Total number of Bytes Out |No Dimensions |

+|PEBytesOut |No |Bytes Out |Count |Total |Total number of Bytes Out |No Dimensions |

+In addition to the pay-as-you-go model, Log Analytics has *commitment tiers*, which can save you as much as 30 percent compared to the pay-as-you-go price. With commitment tier pricing, you can commit to buy data ingestion for a workspace, starting at 100 GB per day, at a lower price than pay-as-you-go pricing. Any usage above the commitment level (overage) is billed at that same price per GB as provided by the current commitment tier. (Overage is billed using the same commitment tier billing meter. For example if a workspace is in the 200 GB/day commitment tier and ingests 300 GB in a day, that usage will be billed as 1.5 units of the 200 GB/day commitment tier.) The commitment tiers have a 31-day commitment period from the time a commitment tier is selected.

+* Central India

+* Central India

+For a list of regions that that currently support availability zones, see [Azure regions with availability zone support](../reliability/availability-zones-service-support.md).

+1. Select **Settings > Secrets and variables > Actions > New repository secret**.

+ "apiVersion": "2022-11-01",

+ "apiVersion": "2022-11-01",

+ "apiVersion": "2022-11-01",

+ "apiVersion": "2022-11-01",

+ },

+ "location": {

+ "type": "string",

+ "defaultValue": "[resourceGroup().location]"

+ "baseName": "[format('storage{0}', uniqueString(resourceGroup().id))]"

+ "copy": {

+ "name": "storagecopy",

+ "count": "[parameters('storageCount')]"

+ },

+ "apiVersion": "2022-09-01",

+ "name": "[format('{0}{1}', copyIndex(), variables('baseName'))]",

+ "location": "[parameters('location')]",

+ "properties": {}

+ "input": "[reference(format('{0}{1}', copyIndex(), variables('baseName'))).primaryEndpoints.blob]"

+ },

+ "location": {

+ "type": "string",

+ "defaultValue": "[resourceGroup().location]"

+ "baseName": "[format('storage{0}', uniqueString(resourceGroup().id))]"

+ "copy": {

+ "name": "storagecopy",

+ "count": "[length(range(0, parameters('storageCount')))]"

+ },

+ "apiVersion": "2022-09-01",

+ "name": "[format('{0}{1}', range(0, parameters('storageCount'))[copyIndex()], variables('baseName'))]",

+ "location": "[parameters('location')]",

+ "properties": {}

+ "count": "[length(range(0, parameters('storageCount')))]",

+ "id": "[resourceId('Microsoft.Storage/storageAccounts', format('{0}{1}', copyIndex(), variables('baseName')))]",

+ "blobEndpoint": "[reference(format('{0}{1}', copyIndex(), variables('baseName'))).primaryEndpoints.blob]",

+ "status": "[reference(format('{0}{1}', copyIndex(), variables('baseName'))).statusOfPrimary]"

+ "id": "/subscriptions/00000000/resourceGroups/demoGroup/providers/Microsoft.Storage/storageAccounts/0storagecfrbqnnmpeudi",

+ "id": "/subscriptions/00000000/resourceGroups/demoGroup/providers/Microsoft.Storage/storageAccounts/1storagecfrbqnnmpeudi",

+ :::image type="content" source="./media/create-templates-use-intellij/resource-manager-create-deployment-right-click.png" alt-text="Screenshot of Resource Manager template right click to create deployment.":::

+ :::image type="content" source="./media/create-templates-use-intellij/resource-manager-create-deployment-select-files.png" alt-text="Screenshot of Resource Manager template select files to create deployment.":::

+ :::image type="content" source="./media/create-templates-use-intellij/resource-manager-create-deployment-status.png" alt-text="Resource Manager template deployment status.":::

+ :::image type="content" source="./media/create-templates-use-intellij/resource-manager-deployment-browse.png" alt-text="Screenshot of Resource Manager template browse deployment.":::

+ :::image type="content" source="./media/create-templates-use-intellij/resource-manager-deployment-show-properties.png" alt-text="Screenshot of Resource Manager template show deployment properties.":::

+ :::image type="content" source="./media/create-templates-use-intellij/resource-manager-edit-deployment.png" alt-text="Screenshot of Resource Manager template edit deployment.":::

+ :::image type="content" source="./media/create-templates-use-intellij/resource-manager-edit-deployment-update.png" alt-text="Screenshot shows the Resource Manager template with the Update Deployment prompt displayed.":::

+ :::image type="content" source="./media/create-templates-use-intellij/delete-resource-group.png" alt-text="Screenshot of Delete resource group in Azure Explorer from IntelliJ IDEA.":::

+ "apiVersion": "2022-09-01",

+ "location": "centralus",

+ "kind": "StorageV2"

+ },

+ :::image type="content" source="media/stretch-clusters/diagram-2-secondary-site-power-off-workload.png" alt-text="Diagram shows vSphere high availability powering off the workload virtual machines on the secondary site." border="false" lightbox="media/stretch-clusters/diagram-2-secondary-site-power-off-workload.png":::

+ :::image type="content" source="media/stretch-clusters/diagram-3-restart-workload-secondary-site.png" alt-text="Diagram shows vSphere high availability trying to restart the workload virtual machines on the secondary site when preferred site failure occurs." border="false" lightbox="media/stretch-clusters/diagram-3-restart-workload-secondary-site.png":::

+No. Customers won't see a charge for the witness node and the inter-AZ traffic. The witness node is entirely service managed, and Azure VMware Solution provides the required lifecycle management of the witness node. As the entire solution is service managed, the customer only needs to identify the appropriate SPBM policy to set for the workload virtual machines. The rest is managed by Microsoft.

+# Back up and restore Azure VMs using Azure PowerShell

+This article describes how to back up and restore an Azure VM in an [Azure Backup](backup-overview.md) Recovery Services vault using PowerShell cmdlets.

+Azure Backup provides independent and isolated backups to guard against unintended destruction of the data on your VMs. Backups are stored in a Recovery Services vault with built-in management of recovery points. Configuration and scaling are simple, backups are optimized, and you can easily restore as needed.

+

+ 

+3. Specify the type of storage redundancy to use. You can use [Locally Redundant Storage (LRS)](../storage/common/storage-redundancy.md#locally-redundant-storage), [Geo-redundant Storage (GRS)](../storage/common/storage-redundancy.md#geo-redundant-storage), or [Zone-redundant storage (ZRS)](../storage/common/storage-redundancy.md#zone-redundant-storage). The following example shows the **-BackupStorageRedundancy** option for `testvault` set to **GeoRedundant**.

+Before enabling protection on a VM, use [Set-AzRecoveryServicesVaultContext](/powershell/module/az.recoveryservices/set-azrecoveryservicesvaultcontext) to set the vault context. Once the vault context is set, it applies to all subsequent cmdlets. The following example sets the vault context for the vault, `testvault`.

+The following graphic shows the object hierarchy from the `RecoveryServicesVault` down to the `BackupRecoveryPoint`.

+

+The following section lists steps necessary to create a VM using `VMConfig` file.

+This article describes how to back up Azure VMs with the [Azure Backup](backup-overview.md) service.

+Azure Backup provides independent and isolated backups to guard against unintended destruction of the data on your VMs. Backups are stored in a Recovery Services vault with built-in management of recovery points. Configuration and scaling are simple, backups are optimized, and you can easily restore as needed. You can back up Azure VMs using a couple of methods:

+1. [Learn](backup-architecture.md#how-does-azure-backup-work) how Azure Backup works, and [verify](backup-support-matrix.md#azure-vm-backup-support) support requirements.

+Follow these steps:

+ 

+ 

+ 

+ 

+10. After enabling backup, an initial backup run. You can start the initial backup immediately, or wait until it starts in accordance with the backup schedule.

+Follow these steps:

+ 

+ 

+This article describes how to back up Windows machines by using the [Azure Backup](backup-overview.md) service and the Microsoft Azure Recovery Services (MARS) agent. MARS is also known as the Azure Backup agent.

+To create a backup policy, follow these steps:

+ [  ](./media/backup-configure-vault/schedule-first-backup.png#lightbox)

+ [  ](./media/backup-azure-manage-mars/select-item-to-backup.png#lightbox)

+ [  ](./media/backup-azure-manage-mars/selected-items-to-backup.png#lightbox)

+ [  ](./media/backup-configure-vault/day-schedule.png#lightbox)

+ [  ](./media/backup-configure-vault/week-schedule.png#lightbox)

+ * Retention for daily and weekly recovery points usually coincides with the backup schedule. So when the schedule triggers a backup, the recovery point (that the backup operation creates) is stored for the duration that the daily or weekly retention policy specifies.

+ [  ](./media/backup-configure-vault/retention-example.png#lightbox)

+ [  ](./media/backup-azure-manage-mars/choose-initial-backup-type.png#lightbox)

+ [  ](./media/backup-azure-manage-mars/confirm-backup-type.png#lightbox)

+ [  ](./media/backup-azure-manage-mars/confirm-modify-backup-process.png#lightbox)

+### Run the initial backup offline

+You can run an initial backup automatically over the network, or you can back up offline. Offline seeding for an initial backup is useful if you've large amounts of data that will require a lot of network bandwidths to transfer.

+To do an offline transfer, follow these steps:

+ [  ](./media/backup-configure-vault/throttling-dialog.png#lightbox)

+To run an on-demand backup, follow these steps:

+ [  ](./media/backup-configure-vault/backup-now.png#lightbox)

+ [  ](./media/backup-configure-vault/mars-ondemand.png#lightbox)

+The following table shows the data retention duration for various backup schedules:

+| Day | **Default retention**: Equivalent to the "retention in days for daily backups." <br/><br/> **Exception**: If a daily scheduled backup that's set for long-term retention (weeks, months, or years) fails, an on-demand backup that's triggered right after the failure is considered for long-term retention. Otherwise, the next scheduled backup is considered for long-term retention.<br/><br/> **Example scenario**: The scheduled backup on Thursday at 8:00 AM failed. This backup was to be considered for weekly, monthly, or yearly retention. So the first on-demand backup triggered before the next scheduled backup on Friday at 8:00 AM is automatically tagged for weekly, monthly, or yearly retention. This backup substitute for the Thursday 8:00 AM backup.

+| Week | **Default retention**: One day. On-demand backups that are taken for a data source that has a weekly backup policy are deleted the next day. They're deleted even if they're the most recent backups for the data source. <br/><br/> **Exception**: If a weekly scheduled backup that's set for long-term retention (weeks, months, or years) fails, an on-demand backup that's triggered right after the failure is considered for long-term retention. Otherwise, the next scheduled backup is considered for long-term retention. <br/><br/> **Example scenario**: The scheduled backup on Thursday at 8:00 AM failed. This backup was to be considered for monthly or yearly retention. So the first on-demand backup that's triggered before the next scheduled backup on Thursday at 8:00 AM is automatically tagged for monthly or yearly retention. This backup substitute for the Thursday 8:00 AM backup.

+> [!NOTE]

+> This information applies only to MARS agent versions that are older than 2.0.9169.0.

+Read the [Bastion FAQ](bastion-faq.md).

+This article helps you connect via Azure Bastion to a VM in VNet using the native client on your local Linux computer. The native client feature lets you connect to your target VMs via Bastion using Azure CLI, and expands your sign-in options to include local SSH key pair and Azure Active Directory (Azure AD). For more information and steps to configure Bastion for native client connections, see [Configure Bastion for native client connections](native-client.md). Connections via native client require the Bastion Standard SKU.

+After you've configured Bastion for native client support, you can connect to a VM using a native Linux client. The method you use to connect depends on both the client you're connecting from, and the VM you're connecting to. The following list shows some of the available ways you can connect from a Linux native client. See [Connect to VMs](native-client.md#connect) for the full list showing available client connection/feature combinations.

+* Connect to a Linux VM using **az network bastion ssh**.

+* Connect to a Windows VM using **az network bastion tunnel**.

+* Connect to any VM using **az network bastion tunnel**.

+* [Upload files](vm-upload-download-native.md#tunnel-command) to your target VM over SSH using **az network bastion tunnel**. File download from the target VM to the local client is currently not supported for this command.

+## Prerequisites

+## Verify roles and ports

+## <a name="ssh"></a>Connect to a Linux VM

+The steps in the following sections help you connect to a Linux VM from a Linux native client using the **az network bastion** command. This extension can be installed by running, `az extension add --name ssh`.

+When you connect using this command, file transfers aren't supported. If you want to upload files, connect using the [az network bastion tunnel](#tunnel) command instead.

+This command lets you do the following:

+* Connect to a Linux VM using SSH.

+* Authenticate via Azure Active Directory

+* Connect to concurrent VM sessions within the virtual network.

+To sign in, use one of the following examples. Once you sign in to your target VM, the native client on your computer opens up with your VM session.

+**SSH key pair**

+To sign in to your VM using an SSH key pair, use the following example.

+```azurecli

+az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>" --auth-type "ssh-key" --username "<Username>" --ssh-key "<Filepath>"

+```

+**Azure AD authentication**

+If youΓÇÖre signing in to an Azure AD login-enabled VM, use the following example. For more information, see [Azure Linux VMs and Azure AD](../active-directory/devices/howto-vm-sign-in-azure-ad-linux.md).

+```azurecli

+az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId or VMSSInstanceResourceId>" --auth-type "AAD"

+```

+**Username/password**

+If youΓÇÖre signing in to your VM using a local username and password, use the following example. YouΓÇÖll then be prompted for the password for the target VM.

+```azurecli

+az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId or VMSSInstanceResourceId>" --auth-type "password" --username "<Username>"

+```

+#### <a name="VM-IP"></a>SSH to a Linux VM IP address

+You can connect to a VM private IP address instead of the resource ID. Be aware that Azure AD authentication, and custom ports and protocols aren't supported when using this type of connection. For more information about IP-based connections, see [Connect to a VM - IP address](connect-ip-address.md).

+Using the `az network bastion` command, replace `--target-resource-id` with `--target-ip-address` and the specified IP address to connect to your VM. The following example uses --ssh-key for the authentication method.

+```azurecli

+az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-ip-addres "<VMIPAddress>" --auth-type "ssh-key" --username "<Username>" --ssh-key "<Filepath>"

+```

+## <a name="tunnel"></a>Connect to a VM - tunnel command

+### <a name="tunnel-IP"></a>Tunnel to a VM IP address

+After you've configured Bastion for native client support, you can connect to a VM using a native Windows client. The method you use to connect depends on both the client you're connecting from, and the VM you're connecting to. The following list shows some of the available ways you can connect from a Windows native client. See [Connect to VMs](native-client.md#connect) for the full list showing available client connection/feature combinations.

+* Connect to a Windows VM using **az network bastion rdp**.

+* Connect to a Linux VM using **az network bastion ssh**.

+* Connect to a VM using **az network bastion tunnel**.

+* [Upload and download files](vm-upload-download-native.md#rdp) over RDP.

+* Upload files over SSH using **az network bastion tunnel**.

+## Connect to a VM

+The steps in the following sections help you connect to a VM from a Windows native client using the **az network bastion** command.

+### <a name="connect-windows"></a>RDP to a Windows VM

+1. Sign in to your Azure account using `az login`. If you have more than one subscription, you can view them using `az account list` and select the subscription containing your Bastion resource using `az account set --subscription "<subscription ID>"`.

+1. To connect via RDP, use the following example.

+1. After running the command, you're prompted to input your credentials. You can use either a local username and password, or your Azure AD credentials. Once you sign in to your target VM, the native client on your computer opens up with your VM session via **MSTSC**.

+ > Remote connection to VMs that are joined to Azure AD is allowed only from Windows 10 or later PCs that are Azure AD registered (starting with Windows 10 20H1), Azure AD joined, or hybrid Azure AD joined to the *same* directory as the VM.

+#### Specify authentication method

+Optionally, you can also specify the authentication method as part of the command.

+* **Azure AD authentication:** `--auth-type "AAD"` For more information, see [Azure Windows VMs and Azure AD](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md).

+* **User name and password:** `--auth-type "password" --username "<Username>"`

+#### Specify a custom port

+You can specify a custom port when you connect to a Windows VM via RDP.

+One scenario where this could be especially useful would be connecting to a Windows VM via port 22. This is a potential workaround for the limitation with the *az network bastion ssh* command, which can't be used by a Windows native client to connect to a Windows VM.

+To specify a custom port, include the field **--resource-port** in the sign-in command, as shown in the following example.

+```azurecli

+az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>" --resource-port "22"

+```

+#### RDP to a Windows VM IP address

+You can also connect to a VM private IP address, instead of the resource ID. Azure AD authentication, and custom ports and protocols aren't supported when using this type of connection. For more information about IP-based connections, see [Connect to a VM - IP address](connect-ip-address.md).

+Using the `az network bastion` command, replace `--target-resource-id` with `--target-ip-address` and the specified IP address to connect to your VM.

+```azurecli

+az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-ip-address "<VMIPAddress>"

+```

+### <a name="connect-linux"></a>SSH to a Linux VM

+1. Sign in to your Azure account using `az login`. If you have more than one subscription, you can view them using `az account list` and select the subscription containing your Bastion resource using `az account set --subscription "<subscription ID>"`.

+1. Sign in to your target Linux VM using one of the following example options. If you want to specify a custom port value, include the field **--resource-port** in the sign-in command.

+ az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId or VMSSInstanceResourceId>" --auth-type "AAD"

+ **SSH key pair:**

+1. Once you sign in to your target VM, the native client on your computer opens up with your VM session using **SSH CLI extension (az ssh)**.

+#### SSH to a Linux VM IP address

+You can also connect to a VM private IP address, instead of the resource ID. Azure AD authentication, and custom ports and protocols aren't supported when using this type of connection. For more information about IP-based connections, see [Connect to a VM - IP address](connect-ip-address.md).

+Using the `az network bastion` command, replace `--target-resource-id` with `--target-ip-address` and the specified IP address to connect to your VM.

+```azurecli

+az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-ip-address "<VMIPAddress>" --auth-type "ssh-key" --username "<Username>" --ssh-key "<Filepath>"

+```

+## Connect to a VM - tunnel command

+### <a name="tunnel-IP"></a>Tunnel to a VM IP address

+# Configure Bastion for Kerberos authentication using the Azure portal

+* The Kerberos setting for Azure Bastion can be configured in the Azure portal only and not with native client.

+## <a name="secure"></a>Secure your native client connection

+## <a name="connect"></a>Connecting to VMs

+After you deploy this feature, there are different connection instructions, depending on the host computer you're connecting from, and the client VM to which you're connecting.

+Use the following table to understand how to connect from native clients. Notice that different supported combinations of native client and target VMs allow for different features and require specific commands.

+| Client | Target VM | Method | Azure Active Directory authentication | File transfer | Concurrent VM sessions | Custom port |

+||||| |||

+| Windows native client | Windows VM | [RDP](connect-vm-native-client-windows.md) | Yes | [Upload/Download](vm-upload-download-native.md#rdp) | Yes | Yes |

+| | Linux VM | [SSH](connect-vm-native-client-windows.md) | Yes |No | Yes | Yes |

+| | Any VM|[az network bastion tunnel](connect-vm-native-client-windows.md) |No |[Upload](vm-upload-download-native.md#tunnel-command)| No | No |

+| Linux native client | Linux VM |[SSH](connect-vm-native-client-linux.md#ssh)| Yes | No | Yes | Yes |

+| | Windows or any VM| [az network bastion tunnel](connect-vm-native-client-linux.md) | No | [Upload](vm-upload-download-native.md#tunnel-command) | No | No |

+| Other native client (putty) | Any VM | [az network bastion tunnel](connect-vm-native-client-linux.md) | No | [Upload](vm-upload-download-native.md#tunnel-command) | No | No |

+**Limitations:**

+description: This article describes a scenario for using Azure Cloud Shell in a private virtual network.

+ Title: Using Cloud Shell in an Azure virtual network

+# Using Cloud Shell in an Azure virtual network

+By default, Cloud Shell sessions run in a container in a Microsoft network that's separate from your

+resources. Commands run inside the container can't access resources in a private virtual network.

+For example, you can't use SSH to connect from Cloud Shell to a virtual machine that only has a

+private IP address, or use `kubectl` to connect to a Kubernetes cluster that has locked down access.

+To provide access to your private resources, you can deploy Cloud Shell into an Azure Virtual

+Network that you control. This is referred to as _VNET isolation_.

+## Benefits to VNET isolation with Azure Cloud Shell

+Deploying Azure Cloud Shell in a private VNET offers several benefits:

+- The resources you want to manage don't have to have public IP addresses.

+- You can use command line tools, SSH, and PowerShell remoting from the Cloud Shell container to

+ manage your resources.

+- The storage account that Cloud Shell uses doesn't have to be publicly accessible.

+## Things to consider before deploying Azure Cloud Shell in a VNET

+- VNET isolation requires you to use [Azure Relay][01], which is a paid service. In the Cloud Shell

+ scenario, one hybrid connection is used for each administrator while they're using Cloud Shell.

+ The connection is automatically closed when the Cloud Shell session ends.

+## Architecture

+The following diagram shows the resource architecture that you must build to enable this scenario.

+![Illustration of Cloud Shell isolated VNET architecture.][03]

+- **Customer Client Network** - Client users can be located anywhere on the Internet to securely

+ access and authenticate to the Azure portal and use Cloud Shell to manage resources contained in

+ the customers subscription. For stricter security, you can allow users to launch Cloud Shell only

+ from the virtual network contained in your subscription.

+- **Microsoft Network** - Customers connect to the Azure portal on Microsoft's network to

+ authenticate and launch Cloud Shell.

+- **Customer Virtual Network** - This is the network that contains the subnets to support VNET

+ isolation. Resources such as virtual machines and services are directly accessible from Cloud

+ Shell without the need to assign a public IP address.

+- **Azure Relay** - An [Azure Relay][01] allows two endpoints that aren't directly reachable to

+ communicate. In this case, it's used to allow the administrator's browser to communicate with the

+ container in the private network.

+- **File share** - Cloud Shell requires a storage account that is accessible from the virtual

+ network. The storage account provides the file share used by Cloud Shell users.

+## Related links

+For more information, see the [pricing][02] guide.

+[02]: https://azure.microsoft.com/pricing/details/service-bus/

+[03]: media/private-vnet/data-diagram.png

+description: This article provides step-by-step instructions to deploy Azure Cloud Shell in a private virtual network.

+ms.contributor: jahelmic

+ Title: Deploy Azure Cloud Shell in a VNET with quickstart templates

+# Deploy Azure Cloud Shell in a VNET with quickstart templates

+Before you can deploy Azure Cloud Shell in a virtual network (VNET) configuration using the

+quickstart templates, there are several prerequisites to complete before running the templates.

+This document guides you through the process to complete the configuration.

+## Steps to deploy Azure Cloud Shell in a VNET

+This article walks you through the following steps to deploy Azure Cloud Shell in a VNET:

+1. Collect the required information

+1. Provision the virtual networks using the **Azure Cloud Shell - VNet** ARM template

+1. Provision the VNET storage account using the **Azure Cloud Shell - VNet storage** ARM template

+1. Configure and use Azure Cloud Shell in a VNET

+## 1. Collect the required information

+There are several pieces of information that you need to collect before you can deploy Azure Cloud.

+You can use the default Azure Cloud Shell instance to gather the required information and create the

+necessary resources. You should create dedicated resources for the Azure Cloud Shell VNET

+deployment. All resources must be in the same Azure region and contained in the same resource group.

+- **Subscription** - The name of your subscription containing the resource group used for the Azure

+ Cloud Shell VNET deployment

+- **Resource Group** - The name of the resource group used for the Azure Cloud Shell VNET deployment

+- **Region** - The location of the resource group

+- **Virtual Network** - The name of the virtual network created for Azure Cloud Shell VNET

+- **Azure Container Instance ID** - The ID of the Azure Container Instance for your resource group

+- **Azure Relay Namespace** - The name that you want to assign to the Relay resource created by the

+ template

+### Create a resource group

+You can create the resource group using the Azure portal, Azure CLI, or Azure PowerShell. For more

+information, see the following articles:

+- [Manage Azure resource groups by using the Azure portal][02]

+- [Manage Azure resource groups by using Azure CLI][01]

+- [Manage Azure resource groups by using Azure PowerShell][03]

+### Create a virtual network

+You can create the virtual network using the Azure portal, Azure CLI, or Azure PowerShell. For more

+information, see the following articles:

+- [Use the Azure portal to create a virtual network][05]

+- [Use Azure PowerShell to create a virtual network][06]

+- [Use Azure CLI to create a virtual network][04]

+### Register the resource provider

+Azure Cloud Shell runs in a container. The **Microsoft.ContainerInstances** resource provider needs

+to be registered in the subscription that holds the virtual network for your deployment. Depending

+when your tenant was created, the provider may already be registered.

+Use the following commands to check the registration status.

+```powershell

+Set-AzContext -Subscription MySubscriptionName

+Get-AzResourceProvider -ProviderNamespace Microsoft.ContainerInstance |

+ Select-Object ResourceTypes, RegistrationState

+```

+```Output

+ResourceTypes RegistrationState

+- --

+{containerGroups} Registered

+{serviceAssociationLinks} Registered

+{locations} Registered

+{locations/capabilities} Registered

+{locations/usages} Registered

+{locations/operations} Registered

+{locations/operationresults} Registered

+{operations} Registered

+{locations/cachedImages} Registered

+{locations/validateDeleteVirtualNetworkOrSubnets} Registered

+{locations/deleteVirtualNetworkOrSubnets} Registered

+```

+If **RegistrationState** for `{containerGroups}` is `NotRegistered`, run the following command to

+register the provider:

+```powershell

+Register-AzResourceProvider -ProviderNamespace Microsoft.ContainerInstance

+```

+### Azure Container Instance Id

+To configure the VNET for Cloud Shell using the quickstarts, retrieve the `Azure Container Instance`

+ID for your organization.

+```powershell

+Get-AzADServicePrincipal -DisplayNameBeginsWith 'Azure Container Instance'

+```

+```Output

+DisplayName Id AppId

+-- -- --

+Azure Container Instance Service 8fe7fd25-33fe-4f89-ade3-0e705fcf4370 34fbe509-d6cb-4813-99df-52d944bfd95a

+```

+Take note of the **Id** value for the `Azure Container Instance` service principal. It's needed for

+the **Azure Cloud Shell - VNet storage** template.

+## 2. Provision the virtual network using the ARM template

+Use the [Azure Cloud Shell - VNet][07] template to create Cloud Shell resources in a virtual

+network. The template creates three subnets under the virtual network created earlier. You may

+choose to change the supplied names of the subnets or use the defaults. The virtual network, along

+with the subnets, require valid IP address assignments.

+The ARM template requires specific information about the resources you created earlier, along with

+naming information for new resources. This information is filled out along with the prefilled

+information in the form.

+Information needed for the template:

+- **Subscription** - The name of your subscription containing the resource group for Azure Cloud

+ Shell VNET

+- **Resource Group** - The resource group name of either an existing or newly created resource group

+- **Region** - Location of the resource group

+- **Virtual Network** - The name of the virtual network created for Azure Cloud Shell VNET

+- **Azure Container Instance OID** - The ID of the Azure Container Instance for your resource group

+Fill out the form with the following information:

+| Project details | Value |

+| | -- |

+| Subscription | Defaults to the current subscription context.<br>For this example, we're using `MyCompany Subscription` |

+| Resource group | Enter the name of the resource group from the prerequisite information.<br>For this example, we're using `rg-cloudshell-eastus`. |

+| Instance details | Value |

+| - | - |

+| Region | Prefilled with your default region.<br>For this example, we're using `East US`. |

+| Existing VNET Name | Fill in the value from the prerequisite information you gathered.<br>For this example, we're using `vnet-cloudshell-eastus`. |

+| Relay Namespace Name | Create a name that you want to assign to the Relay resource created by the template.<br>For this example, we're using `arn-cloudshell-eastus`. |

+| Azure Container Instance OID | Fill in the value from the prerequisite information you gathered.<br>For this example, we're using `8fe7fd25-33fe-4f89-ade3-0e705fcf4370`. |

+| Container Subnet Name | Defaults to `cloudshellsubnet`. Enter the name of the subnet containing your container. |

+| Container Subnet Address Prefix | For this example, we use `10.0.1.0/24`. |

+| Relay Subnet Name | Defaults to `relaysubnet`. Enter the name of the subnet containing your relay. |

+| Relay Subnet Address Prefix | For this example, we use `10.0.2.0/24`. |

+| Storage Subnet Name | Defaults to `storagesubnet`. Enter the name of the subnet containing your storage. |

+| Storage Subnet Address Prefix | For this example, we use `10.0.3.0/24`. |

+| Private Endpoint Name | Defaults to `cloudshellRelayEndpoint`. Enter the name of the subnet containing your container. |

+| Tag Name | Defaults to `{"Environment":"cloudshell"}`. Leave unchanged or add more tags. |

+| Location | Defaults to `[resourceGroup().location]`. Leave unchanged. |

+Once the form is complete, select **Review + Create** and deploy the network ARM template to your

+subscription.

+## 3. Provision the VNET storage using the ARM template

+Use the [Azure Cloud Shell - VNet storage][08] template to create Cloud Shell resources in a virtual

+network. The template creates the storage account and assigns it to the private VNET.

+The ARM template requires specific information about the resources you created earlier, along

+with naming information for new resources.

+Information needed for the template:

+- **Subscription** - The name of the subscription containing the resource group for Azure Cloud

+ Shell VNET.

+- **Resource Group** - The resource group name of either an existing or newly created resource group

+- **Region** - Location of the resource group

+- **Existing VNET name** - The name of the virtual network created earlier

+- **Existing Storage Subnet Name** - The name of the storage subnet created with the Network

+ quickstart template

+- **Existing Container Subnet Name** - The name of the container subnet created with the Network

+ quickstart template

+Fill out the form with the following information:

+| Project details | Value |

+| | -- |

+| Subscription | Defaults to the current subscription context.<br>For this example, we're using `MyCompany Subscription` |

+| Resource group | Enter the name of the resource group from the prerequisite information.<br>For this example, we're using `rg-cloudshell-eastus`. |

+| Instance details | Value |

+| | -- |

+| Region | Prefilled with your default region.<br>For this example, we're using `East US`. |

+| Existing VNET Name | For this example, we're using `vnet-cloudshell-eastus`. |

+| Existing Storage Subnet Name | Fill in the name of the resource created by the network template. |

+| Existing Container Subnet Name | Fill in the name of the resource created by the network template. |

+| Storage Account Name | Create a name for the new storage account.<br>For this example, we're using `MyVnetStorage`. |

+| File Share Name | Defaults to `acsshare`. Enter the name of the file share want to create. |

+| Resource Tags | Defaults to `{"Environment":"cloudshell"}`. Leave unchanged or add more tags. |

+| Location | Defaults to `[resourceGroup().location]`. Leave unchanged. |

+Once the form is complete, select **Review + Create** and deploy the network ARM template to your

+subscription.

+## 4. Configuring Cloud Shell to use a virtual network

+After deploying your private Cloud Shell instance, each Cloud Shell user must change their

+configuration to use the new private instance.

+If you have used the default Cloud Shell before deploying the private instance, you must reset your

+user settings.

+1. Open Cloud Shell

+1. Select **Cloud Shell settings** from the menu bar (gear icon).

+1. Select **Reset user settings** then select **Reset**

+Resetting the user settings triggers the first-time user experience the next time you start Cloud

+Shell.

+[  ](media/quickstart-deploy-vnet/setup-cloud-shell-storage.png#lightbox)

+1. Choose your preferred shell experience (Bash or PowerShell)

+1. Select **Show advanced settings**

+1. Select the **Show VNET isolation settings** checkbox.

+1. Choose the **Subscription** containing your private Cloud Shell instance.

+1. Choose the **Region** containing your private Cloud Shell instance.

+1. Select the **Resource group** name containing your private Cloud Shell instance. If you have

+ selected the correct resource group, the **Virtual network**, **Network profile**, and **Relay

+ namespace** should be automatically populated with the correct values.

+1. Enter the name for the **File share** you created with the storage template.

+1. Select **Create storage**.

+## Next steps

+You must complete the Cloud Shell configuration steps for each user that needs to use the new

+private Cloud Shell instance.

+<!-- link references -->

+[01]: /azure/azure-resource-manager/management/manage-resource-groups-cli

+[02]: /azure/azure-resource-manager/management/manage-resource-groups-portal

+[03]: /azure/azure-resource-manager/management/manage-resource-groups-powershell

+[04]: /azure/virtual-network/quick-create-cli

+[05]: /azure/virtual-network/quick-create-portal

+[06]: /azure/virtual-network/quick-create-powershell

+[07]: https://aka.ms/cloudshell/docs/vnet/template

+[08]: https://azure.microsoft.com/resources/templates/cloud-shell-vnet-storage/

+**Inbound calling with Azure Communication Services Call Automation SDK**

+Regulations around the maintenance of personal data require the ability to export user data. In order to support these requirements, recording metadata files include the participantId for each call participant in the `participants` array. You can cross-reference the Azure Communication Services User Identity in the `participants` array with your internal user identities to identify participants in a call.

+3. Navigate to "Add a custom Domain."

+12. Add the above TXT record to your domain's registrar or DNS hosting provider. Refer to the [adding DNS records in popular domain registrars table](#txt-records) for information on how to add a TXT record for your DNS provider.

+Click **Next** once you've completed this step.

+2. You can add SPF and DKIM by clicking **Configure**. Add the following TXT record and CNAME records to your domain's registrar or DNS hosting provider. Refer to the [adding DNS records in popular domain registrars table](#cname-records) for information on how to add a TXT & CNAME record for your DNS provider.

+Click **Next** once you've completed this step.

+## Adding DNS records in popular domain registrars

+### TXT records

+The following links provide additional information on how to add a TXT record using many of the popular domain registrars.

+| Registrar Name | Documentation Link |

+| | |

+| IONOS by 1 & 1 | [Steps 1-7](/microsoft-365/admin/dns/create-dns-records-at-1-1-internet?view=o365-worldwide#:~:text=Add%20a%20TXT%20record%20for%20verification,created%20can%20update%20across%20the%20Internet.&preserve-view=true)

+| 123-reg.co.uk | [Steps 1-6](/microsoft-365/admin/dns/create-dns-records-at-123-reg-co-uk?view=o365-worldwide#:~:text=DNS%20records.-,Add%20a%20TXT%20record%20for%20verification,that%20the%20record%20you%20just%20created%20can%20update%20across%20the%20Internet.,-Now%20that%20you%27ve&preserve-view=true)

+| Amazon Web Services (AWS) | [Steps 1-8](/microsoft-365/admin/dns/create-dns-records-at-aws?view=o365-worldwide#:~:text=DNS%20records.-,Add%20a%20TXT%20record%20for%20verification,that%20the%20record%20you%20just%20created%20can%20update%20across%20the%20Internet.,-Now%20that%20you%27ve&preserve-view=true)

+| Cloudflare | [Steps 1-6](/microsoft-365/admin/dns/create-dns-records-at-cloudflare?view=o365-worldwide#:~:text=Add%20a%20TXT,across%20the%20Internet.&preserve-view=true)

+| GoDaddy | [Steps 1-6](/microsoft-365/admin/dns/create-dns-records-at-godaddy?view=o365-worldwide#:~:text=Add%20a%20TXT,across%20the%20Internet.&preserve-view=true)

+| Namecheap | [Steps 1-9](/microsoft-365/admin/dns/create-dns-records-at-namecheap?view=o365-worldwide#:~:text=DNS%20records.-,Add%20a%20TXT%20record%20for%20verification,that%20the%20record%20you%20just%20created%20can%20update%20across%20the%20Internet.,-Now%20that%20you%27ve&preserve-view=true)

+| Network Solutions | [Steps 1-9](/microsoft-365/admin/dns/create-dns-records-at-network-solutions?view=o365-worldwide#:~:text=DNS%20records.-,Add%20a%20TXT%20record%20for%20verification,that%20the%20record%20you%20just%20created%20can%20update%20across%20the%20Internet,-.&preserve-view=true)

+| OVH | [Steps 1-9](/microsoft-365/admin/dns/create-dns-records-at-ovh?view=o365-worldwide#:~:text=DNS%20records.-,Add%20a%20TXT%20record%20for%20verification,that%20the%20record%20you%20just%20created%20can%20update%20across%20the%20Internet.,-Now%20that%20you%27ve&preserve-view=true)

+| web.com | [Steps 1-8](/microsoft-365/admin/dns/create-dns-records-at-web-com?view=o365-worldwide#:~:text=with%20your%20domain.-,Add%20a%20TXT%20record%20for%20verification,that%20the%20record%20you%20just%20created%20can%20update%20across%20the%20Internet,-.&preserve-view=true)

+| Wix | [Steps 1-5](/microsoft-365/admin/dns/create-dns-records-at-wix?view=o365-worldwide#:~:text=DNS%20records.-,Add%20a%20TXT%20record%20for%20verification,that%20the%20record%20you%20just%20created%20can%20update%20across%20the%20Internet,-.&preserve-view=true)

+| Other (General) | [Steps 1-4](/microsoft-365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider?view=o365-worldwide#:~:text=Recommended%3A%20Verify%20with,domain%20is%20verified.&preserve-view=true)

+### CNAME records

+The following links provide additional information on how to add a CNAME record using many of the popular domain registrars (Make sure to use the values from the configuration window rather than the ones in the documentation link.)

+| Registrar Name | Documentation Link |

+| | |

+| IONOS by 1 & 1 | [Steps 1-10](/microsoft-365/admin/dns/create-dns-records-at-1-1-internet?view=o365-worldwide#:~:text=Add%20the%20CNAME,Select%20Save.&preserve-view=true)

+| 123-reg.co.uk | [Steps 1-6](/microsoft-365/admin/dns/create-dns-records-at-123-reg-co-uk?view=o365-worldwide#:~:text=for%20that%20record.-,Add%20the%20CNAME%20record%20required%20for%20Microsoft,Select%20Add.,-Add%20a%20TXT&preserve-view=true)

+| Amazon Web Services (AWS) | [Steps 1-8](/microsoft-365/admin/dns/create-dns-records-at-aws?view=o365-worldwide#:~:text=selecting%20Delete.-,Add%20the%20CNAME%20record%20required%20for%20Microsoft%20365,Select%20Create%20records.,-Add%20a%20TXT&preserve-view=true)

+| Cloudflare | [Steps 1-6](/microsoft-365/admin/dns/create-dns-records-at-cloudflare?view=o365-worldwide#:~:text=Add%20the%20CNAME,Select%20Save.&preserve-view=true)

+| GoDaddy | [Steps 1-6](/microsoft-365/admin/dns/create-dns-records-at-godaddy?view=o365-worldwide#:~:text=Add%20the%20CNAME,Select%20Save.&preserve-view=true)

+| Namecheap | [Steps 1-8](/microsoft-365/admin/dns/create-dns-records-at-namecheap?view=o365-worldwide#:~:text=in%20this%20procedure.-,Add%20the%20CNAME%20record%20required%20for%20Microsoft,Select%20the%20Save%20Changes%20(check%20mark)%20control.,-Add%20a%20TXT&preserve-view=true)

+| Network Solutions | [Steps 1-9](/microsoft-365/admin/dns/create-dns-records-at-network-solutions?view=o365-worldwide#:~:text=for%20each%20record.-,Add%20the%20CNAME%20record%20required%20for%20Microsoft,View%20in%20the%20upper%20right%20to%20view%20the%20record%20you%20created.,-Add%20a%20TXT&preserve-view=true)

+| OVH | [Steps 1-8](/microsoft-365/admin/dns/create-dns-records-at-ovh?view=o365-worldwide#add-the-cname-record-required-for-microsoft:~:text=Select%20Confirm.-,Add%20the%20CNAME%20record%20required%20for%20Microsoft,Select%20Confirm.,-Add%20a%20TXT&preserve-view=true)

+| web.com | [Steps 1-8](/microsoft-365/admin/dns/create-dns-records-at-web-com?view=o365-worldwide#add-the-cname-record-required-for-microsoft:~:text=for%20each%20record.-,Add%20the%20CNAME%20record%20required%20for%20Microsoft,Select%20ADD.,-Add%20a%20TXT&preserve-view=true)

+| Wix | [Steps 1-5](/microsoft-365/admin/dns/create-dns-records-at-wix?view=o365-worldwide#add-the-cname-record-required-for-microsoft:~:text=Select%20Save.-,Add%20the%20CNAME%20record%20required%20for%20Microsoft,that%20the%20record%20you%20just%20created%20can%20update%20across%20the%20Internet.,-Add%20a%20TXT&preserve-view=true)

+| Other (General) | [Guide](/microsoft-365/admin/dns/create-dns-records-using-windows-based-dns?view=o365-worldwide#add-cname-records:~:text=%3E%20OK.-,Add%20CNAME%20records,Select%20OK.,-Add%20the%20SIP&preserve-view=true)

+This how-to guide shows how to access your Azure Blob Storage account and container from a workflow in Azure Logic Apps using the Azure Blob Storage connector. This connector provides triggers and actions that your workflow can use for blob operations. You can then create automated workflows that run when triggered by events in your storage container or in other systems, and run actions to work with data in your storage container. For example, you can access and manage files stored as blobs in your Azure storage account.

+1. In the [Azure portal](https://portal.azure.com), open your Consumption logic app and blank workflow in the designer.

+1. In the designer, under the search box, select **Standard**, and then [follow these general steps to add the Azure Blob Storage managed trigger you want](../logic-apps/create-workflow-with-trigger-or-action.md?tabs=consumption#add-trigger).

+ | **Azure Storage Account name** | Yes, but only for access key authentication | <*storage-account-name*> | The name for the Azure storage account where your blob container exists. <br><br>**Note**: To find the storage account name, open your storage account resource in the Azure portal. In the resource menu, under **Security + networking**, select **Access keys**. Under **Storage account name**, copy and save the name. |

+ [](./media/connectors-create-api-azureblobstorage/consumption-trigger-create-connection.png#lightbox)

+ [](./media/connectors-create-api-azureblobstorage/consumption-trigger-information.png#lightbox)

+1. In the [Azure portal](https://portal.azure.com), open your Standard logic app and blank workflow in the designer.

+1. In the designer, [follow these general steps to find and add the Azure Blob Storage built-in trigger you want](../logic-apps/create-workflow-with-trigger-or-action.md?tabs=standard#add-trigger).

+ [](./media/connectors-create-api-azureblobstorage/standard-built-in-trigger-create-connection.png#lightbox)

+ [](./media/connectors-create-api-azureblobstorage/standard-built-in-trigger-root-folder.png#lightbox)

+ [](./media/connectors-create-api-azureblobstorage/standard-built-in-trigger-subfolder-existing-blob.png#lightbox)

+1. In the [Azure portal](https://portal.azure.com), open your Standard logic app and blank workflow in the designer.

+1. In the designer, [follow these general steps to find and add the Azure Blob Storage managed trigger you want](../logic-apps/create-workflow-with-trigger-or-action.md?tabs=standard#add-trigger).

+ [](./media/connectors-create-api-azureblobstorage/standard-managed-trigger-create-connection.png#lightbox)

+ [](./media/connectors-create-api-azureblobstorage/standard-managed-trigger.png#lightbox)

+1. In the [Azure portal](https://portal.azure.com), open your Consumption logic app and workflow in the designer.

+1. If your workflow is blank, add the trigger that your scenario requires.

+1. In the designer, [follow these general steps to find and add the Azure Blob Storage managed action you want](../logic-apps/create-workflow-with-trigger-or-action.md?tabs=consumption#add-action).

+ [](./media/connectors-create-api-azureblobstorage/consumption-action-create-connection.png#lightbox)

+ [](./media/connectors-create-api-azureblobstorage/consumption-action-root-folder.png#lightbox)

+ [](./media/connectors-create-api-azureblobstorage/consumption-action-sub-folder.png#lightbox)

+1. In the [Azure portal](https://portal.azure.com), open your Standard logic app and workflow in the designer.

+1. If your workflow is blank, add the trigger that your scenario requires.

+1. In the designer, [follow these general steps to find and add the Azure Blob Storage built-in action you want](../logic-apps/create-workflow-with-trigger-or-action.md?tabs=standard#add-action).

+ [](./media/connectors-create-api-azureblobstorage/standard-built-in-trigger-create-connection.png#lightbox)

+1. In the [Azure portal](https://portal.azure.com), open your Standard logic app and workflow in the designer.

+1. If your workflow is blank, add the trigger that your scenario requires.

+1. In the designer, [follow these general steps to find and add the Azure Blob Storage managed action you want](../logic-apps/create-workflow-with-trigger-or-action.md?tabs=standard#add-action).

+ [](./media/connectors-create-api-azureblobstorage/standard-managed-action-create-connection.png#lightbox)

+ [](./media/connectors-create-api-azureblobstorage/standard-managed-action-root-folder.png#lightbox)

+ [](./media/connectors-create-api-azureblobstorage/standard-managed-action-sub-folder.png#lightbox)

+ [](./media/connectors-create-api-azureblobstorage/storage-ip-configure.png#lightbox)

+ [](./media/connectors-create-api-azureblobstorage/storage-networking-configure.png#lightbox)

+ [](./media/connectors-create-api-azureblobstorage/role-assignment-add-1.png#lightbox)

+ [](./media/connectors-create-api-azureblobstorage/role-assignment-add-2.png#lightbox)

+ [](./media/connectors-create-api-azureblobstorage/role-assignment-configure.png#lightbox)

+ --replica-timeout 1800 --replica-retry-limit 1 --replica-completion-count 1 --parallelism 1 \

+ --replica-timeout 1800 --replica-retry-limit 1 --replica-completion-count 1 --parallelism 1 \

+ --replica-timeout 1800 --replica-retry-limit 1 --replica-completion-count 1 --parallelism 1 \

+ "replicaTimeout": 1800,

+ --replica-timeout 1800 --replica-retry-limit 1 --replica-completion-count 1 --parallelism 1 \

+ "replicaTimeout": 1800,

+ --replica-timeout 1800 --replica-retry-limit 1 --replica-completion-count 1 --parallelism 1 \

+ "replicaTimeout": 1800,

+ --replica-timeout 1800 \

+ --replica-timeout 1800 `

+ --replica-timeout 1800 \

+ --replica-timeout 1800 \

+ --replica-timeout "1800" \

+ --context https://github.com/$GIT_USER/acr-build-helloworld-node.git#master \

+| `Text Index` | :::image type="icon" source="media/compatibility/yes-icon.svg"::: Yes |

+* Preview: Audit logging of database activities in Azure Cosmos DB for PostgreSQL is available through the PostgreSQL Audit extension.

+ *See [details](./how-to-enable-audit.md).

+| Allow no files found | If true, an error isn't thrown if no files are found | no | `true` or `false` | ignoreNoFilesFound |

+Delta is only available as an inline dataset and, by default, doesn't have an associated schema. To get column metadata, click the **Import schema** button in the **Projection** tab. This allows you to reference the column names and data types specified by the corpus. To import the schema, a [data flow debug session](concepts-data-flow-debug-mode.md) must be active, and you must have an existing CDM entity definition file to point to.

+| Vacuum | Deletes files older than the specified duration that is no longer relevant to the current table version. When a value of 0 or less is specified, the vacuum operation isn't performed. | yes | Integer | vacuum |

+| Update method | When you select "Allow insert" alone or when you write to a new delta table, the target receives all incoming rows regardless of the Row policies set. If your data contains rows of other Row policies, they need to be excluded using a preceding Filter transform. <br><br> When all Update methods are selected a Merge is performed, where rows are inserted/deleted/upserted/updated as per the Row Policies set using a preceding Alter Row transform. | yes | `true` or `false` | insertable <br> deletable <br> upsertable <br> updateable |

+With this option under Update method above (i.e. update/upsert/delete), you can limit the number of partitions that are inspected. Only partitions satisfying this condition is fetched from the target store. You can specify fixed set of values that a partition column may take.

+In Settings tab, you find three more options to optimize delta sink transformation.

+* When **Merge schema** option is enabled, it allows schema evolution, i.e. any columns that are present in the current incoming stream but not in the target Delta table is automatically added to its schema. This option is supported across all update methods.

+* When **Optimize write** is enabled, sink transformation dynamically optimizes partition sizes based on the actual data by attempting to write out 128 MB files for each table partition. This is an approximate size and can vary depending on dataset characteristics. Optimized writes improve the overall efficiency of the *writes and subsequent reads*. It organizes partitions such that the performance of subsequent reads improve.

+When you write to a delta sink, there's a known limitation where the numbers of rows written won't show-up in the monitoring output.

+# QuickStart: Create and configure Azure DDoS IP Protection using Azure CLI

+In this QuickStart, you'll enable DDoS IP protection and link it to a public IP address.

+# QuickStart: Create and configure Azure DDoS Network Protection using Azure CLI

+In this QuickStart, you'll create a DDoS protection plan and link it to a virtual network.

+# QuickStart: Create and configure Azure DDoS IP Protection using Azure PowerShell

+In this QuickStart, you'll enable DDoS IP protection and link it to a public IP address utilizing PowerShell.

+# QuickStart: Create and configure Azure DDoS Network Protection using Azure PowerShell

+In this QuickStart, you'll create a DDoS protection plan and link it to a virtual network.

+You can also use the Microsoft Graph PowerShell cmdlets that include [Get-MgUser](/powershell/module/microsoft.graph.users/get-mguser?view=graph-powershell-1.0&preserve-view=true), [Get-MgGroup](/powershell/module/microsoft.graph.groups/get-mggroup?view=graph-powershell-1.0&preserve-view=true), and [Get-MgServicePrincipal](/powershell/module/microsoft.graph.applications/get-mgserviceprincipal?view=graph-powershell-1.0&preserve-view=true).

+> - Event Hubs capture supports any Storage account with support for block blobs.

+Despite AKS being a fully managed solution, it doesn't offer a built-in solution to secure ingress and egress traffic between the cluster and external networks. Azure Firewall offers a solution to this.

+However, in a production environment, communications with a Kubernetes cluster should be protected to prevent against data exfiltration along with other vulnerabilities. All incoming and outgoing network traffic must be monitored and controlled based on a set of security rules. If you want to do this, you'll have to restrict egress traffic, but a limited number of ports and addresses must remain accessible to maintain healthy cluster maintenance tasks and satisfy those outbound dependencies previously mentioned.

+The simplest solution uses a firewall device that can control outbound traffic based on domain names. A firewall typically establishes a barrier between a trusted network and an untrusted network, such as the Internet. Azure Firewall, for example, can restrict outbound HTTP and HTTPS traffic based on the FQDN of the destination, giving you fine-grained egress traffic control, but at the same time allows you to provide access to the FQDNs encompassing an AKS clusterΓÇÖs outbound dependencies (something that NSGs can't do). Likewise, you can control ingress traffic and improve security by enabling threat intelligence-based filtering on an Azure Firewall deployed to a shared perimeter network. This filtering can provide alerts, and deny traffic to and from known malicious IP addresses and domains.

+There's one difference between the script and the following guide. The script uses managed identities, but the guide uses a service principal. This shows you two different ways to create an identity to manage and create cluster resources.

+Create a virtual network with two subnets to host the AKS cluster and the Azure Firewall. Each has their own subnet. Let's start with the AKS network.

+Create a standard SKU public IP resource that is used as the Azure Firewall frontend address.

+Finally, we add a third network rule opening port 123 to an Internet time server FQDN (for example:`ntp.ubuntu.com`) via UDP. Adding an FQDN as a network rule is one of the specific features of Azure Firewall, and you need to adapt it when using your own options.

+After setting the network rules, we'll also add an application rule using the `AzureKubernetesService` that covers the needed FQDNs accessible through TCP port 443 and port 80. In addition, you may need to configure additional network and application rules based on your deployment. For more information, see [Outbound network and FQDN rules for Azure Kubernetes Service (AKS) clusters](../aks/outbound-rules-control-egress.md#required-outbound-network-rules-and-fqdns-for-aks-clusters).

+```azurecli

+#### Add FW Network Rules

+#### Add FW Application Rules

+Now an AKS cluster can be deployed into the existing virtual network. We'll also use [outbound type `userDefinedRouting`](../aks/egress-outboundtype.md), this feature ensures any outbound traffic is forced through the firewall and no other egress paths exist (by default the Load Balancer outbound type could be used).

+You define the outbound type to use the UDR that already exists on the subnet. This configuration enables AKS to skip the setup and IP provisioning for the load balancer.

+You can now start exposing services and deploying applications to this cluster. In this example, we expose a public service, but you may also choose to expose an internal service via [internal load balancer](../aks/internal-lb.md).

+You need to specify the internal IP address assigned to the load balancer created by the Kubernetes service. Retrieve the address by running:

+* **sample-device**: the sample app from the [Azure IoT Samples for IoS Platform repository](https://github.com/Azure-Samples/azure-iot-samples-ios), which connects to your IoT hub and receives cloud-to-device messages.

+* The latest version of [XCode](https://developer.apple.com/xcode/), running the latest version of the iOS SDK. This article was tested with XCode 9.3 and iOS 11.3.

+* **SimulatedDevice.py**: simulates a device that connects to your IoT hub and receives cloud-to-device messages.

+* An IoT hub. Create one with the [CLI](iot-hub-create-using-cli.md) or the [Azure portal](iot-hub-create-through-portal.md).

+1. Add the following code to **SimulatedDevice.py** file. Replace the `{deviceConnectionString}` placeholder value with the connection string for the registered device in [Prerequisites](#prerequisites):

+ :::image type="content" source="./media/device-management-cli/cloud-shell-button.png" alt-text="Screenshot of the global controls from the page header of the Azure portal, highlighting the Cloud Shell icon.":::

+ :::image type="content" source="./media/device-management-cli/cloud-shell-environment.png" alt-text="Screenshot of an Azure Cloud Shell window, highlighting the environment selector in the toolbar.":::

+ :::image type="content" source="media/device-management-cli/cloud-shell-new-session.png" alt-text="Screenshot of an Azure Cloud Shell window, highlighting the Open New Session icon in the toolbar.":::

+* An IoT hub. Create one with the [CLI](iot-hub-create-using-cli.md) or the [Azure portal](iot-hub-create-through-portal.md).

+* An IoT hub. Create one with the [CLI](iot-hub-create-using-cli.md) or the [Azure portal](iot-hub-create-through-portal.md).

+* An IoT hub. Create one with the [CLI](iot-hub-create-using-cli.md) or the [Azure portal](iot-hub-create-through-portal.md).

+* An IoT hub. Create one with the [CLI](iot-hub-create-using-cli.md) or the [Azure portal](iot-hub-create-through-portal.md).

+ :::image type="content" source="./media/device-twins-cli/cloud-shell-button.png" alt-text="Screenshot of the global controls from the page header of the Azure portal, highlighting the Cloud Shell icon.":::

+ :::image type="content" source="./media/device-twins-cli/cloud-shell-environment.png" alt-text="Screenshot of an Azure Cloud Shell window, highlighting the environment selector in the toolbar.":::

+ :::image type="content" source="media/device-twins-cli/cloud-shell-new-session.png" alt-text="Screenshot of an Azure Cloud Shell window, highlighting the Open New Session icon in the toolbar.":::

+* An IoT hub. Create one with the [CLI](iot-hub-create-using-cli.md) or the [Azure portal](iot-hub-create-through-portal.md).

+* An IoT hub. Create one with the [CLI](iot-hub-create-using-cli.md) or the [Azure portal](iot-hub-create-through-portal.md).

+* An IoT hub. Create one with the [CLI](iot-hub-create-using-cli.md) or the [Azure portal](iot-hub-create-through-portal.md).

+* An IoT hub. Create one with the [CLI](iot-hub-create-using-cli.md) or the [Azure portal](iot-hub-create-through-portal.md).

+4. Add the following code. Replace `[IoTHub Connection String]` with the IoT hub connection string you copied in [Get the IoT hub connection string](#get-the-iot-hub-connection-string). Replace `[Device Id]` with the device ID (the name) from your registered device in the IoT hub.

+* An IoT hub. Create one with the [CLI](iot-hub-create-using-cli.md) or the [Azure portal](iot-hub-create-through-portal.md).

+1. Next, run the device app to upload the file to Azure storage. Open a new command prompt and change folders to the **azure-iot-sdk-csharp\iothub\device\samples\getting started\FileUploadSample** under the folder where you expanded the Azure IoT C# SDK. Run the following commands. Replace the `{Your device connection string}` placeholder value in the second command with the device connection string you saw when you registered a device in the IoT hub.

+* An IoT hub. Create one with the [CLI](iot-hub-create-using-cli.md) or the [Azure portal](iot-hub-create-through-portal.md).

+* An IoT hub. Create one with the [CLI](iot-hub-create-using-cli.md) or the [Azure portal](iot-hub-create-through-portal.md).

+1. Add environment variables for your device connection string and the path to the file that you want to upload. You got the device connection string when you registered a device in the IoT hub.

+* An IoT hub. Create one with the [CLI](iot-hub-create-using-cli.md) or the [Azure portal](iot-hub-create-through-portal.md).

+# Quickstart: Deploy an Azure IoT hub and a storage account using an ARM template

+In this quickstart, you use an Azure Resource Manager template (ARM template) to create an IoT hub that will route messages to Azure Storage, and a storage account to hold the messages. After manually adding a virtual IoT device to the hub to submit the messages, you configure that connection information in an application called *arm-read-write* to submit messages from the device to the hub. The hub is configured so the messages sent to the hub are automatically routed to the storage account. At the end of this quickstart, you can open the storage account and see the messages sent.

+You have deployed an ARM template to create an IoT hub and a storage account, and run a program to send messages to the hub. The messages are then automatically stored in the storage account where they can be viewed.

+- [Quickstart: Control a device connected to an IoT hub](quickstart-control-device.md)

+ Title: Import and export Azure IoT Hub device identities

+Each IoT hub has an identity registry you can use to create per-device resources in the service. The identity registry also enables you to control access to the device-facing endpoints. This article describes how to import and export device identities in bulk to and from an identity registry, using the ImportExportDeviceSample sample included with the [Microsoft Azure IoT SDK for .NET](https://github.com/Azure/azure-iot-sdk-csharp/tree/main). For more information about how you can use this capability when migrating an IoT hub to a different region, see [How to manually migrate an Azure IoT hub using an Azure Resource Manager template](migrate-hub-arm.md).

+The **RegistryManager** class in the SDK includes the **ExportDevicesAsync** and **ImportDevicesAsync** methods that use the **Job** framework. These methods enable you to export, import, and synchronize the entirety of an IoT hub identity registry.

+> [!NOTE]

+> Some of the code snippets in this article are included from the ImportExportDevicesSample service sample provided with the [Microsoft Azure IoT SDK for .NET](https://github.com/Azure/azure-iot-sdk-csharp/tree/main). The sample is located in the `/iothub/service/samples/how to guides/ImportExportDevicesSample` folder of the SDK and, where specified, code snippets are included from the `ImportExportDevicesSample.cs` file for that SDK sample. For more information about the ImportExportDevicesSample sample and other service samples included in the Azure IoT SDK for.NET, see [Azure IoT hub service samples for C#](https://github.com/Azure/azure-iot-sdk-csharp/tree/main/iothub/service/samples/how%20to%20guides).

+- Copy the connection string from the panel on the right-hand side of the screen.

+The following C# code snippet, from the **WaitForJobAsync** method in the SDK sample, shows how to poll every five seconds to see if the job has finished executing:

+while (true)

+ job = await registryManager.GetJobAsync(job.JobId);

+ if (job.Status == JobStatus.Completed

+ || job.Status == JobStatus.Failed

+ || job.Status == JobStatus.Cancelled)

+ {

+ // Job has finished executing

+ break;

+ }

+ Console.WriteLine($"\tJob status is {job.Status}...");

+ await Task.Delay(TimeSpan.FromSeconds(5));

+Only one active device import or export job is allowed at a time for all IoT Hub tiers. IoT Hub also has limits for rate of jobs operations. To learn more, see [IoT Hub quotas and throttling](iot-hub-devguide-quotas-throttling.md).

+You can find similar code in the **ExportDevicesAsync** method from the SDK sample. The job stores its output in the provided blob container as a block blob with the name **devices.txt**. The output data consists of JSON serialized device data, with one device per line.

+If you need access to this data in code, you can easily deserialize this data using the **ExportImportDevice** class. The following C# code snippet, from the **ReadFromBlobAsync** method in the SDK sample, shows how to read device information that was previously exported from **ExportImportDevice** into a **BlobClient** instance:

+private static async Task<List<string>> ReadFromBlobAsync(BlobClient blobClient)

+ // Read the blob file of devices, import each row into a list.

+ var contents = new List<string>();

+ using Stream blobStream = await blobClient.OpenReadAsync();

+ using var streamReader = new StreamReader(blobStream, Encoding.UTF8);

+ while (streamReader.Peek() != -1)

+ {

+ string line = await streamReader.ReadLineAsync();

+ contents.Add(line);

+ }

+ return contents;

+* Bulk automatic regeneration of device authentication keys

+If the import file includes twin metadata, then this metadata overwrites the existing twin metadata. If the import file doesn't include twin metadata, then only the `lastUpdateTime` metadata is updated using the current time.

+| **Create** |If a device doesn't exist with the specified **ID**, it's newly registered. If the device already exists, an error is written to the log file. |

+| **CreateOrUpdate** |If a device doesn't exist with the specified **ID**, it's newly registered. If the device already exists, existing information is overwritten with the provided input data without regard to the **ETag** value. |

+| **CreateOrUpdateIfMatchETag** |If a device doesn't exist with the specified **ID**, it's newly registered. If the device already exists, existing information is overwritten with the provided input data only if there's an **ETag** match. If there's an **ETag** mismatch, an error is written to the log file. |

+| **Delete** |If a device already exists with the specified **ID**, it's deleted without regard to the **ETag** value. If the device doesn't exist, an error is written to the log file. |

+| **DeleteIfMatchETag** |If a device already exists with the specified **ID**, it's deleted only if there's an **ETag** match. If the device doesn't exist, an error is written to the log file. If there's an ETag mismatch, an error is written to the log file. |

+| **Update** |If a device already exists with the specified **ID**, existing information is overwritten with the provided input data without regard to the **ETag** value. If the device doesn't exist, an error is written to the log file. |

+| **UpdateIfMatchETag** |If a device already exists with the specified **ID**, existing information is overwritten with the provided input data only if there's an **ETag** match. If the device doesn't exist or there's an **ETag** mismatch, an error is written to the log file. |

+| **UpdateTwinIfMatchETag** |If a twin already exists with the specified **ID**, existing information is overwritten with the provided input data only if there's a match on the twin's **ETag** value. The twin's **ETag** is processed independently from the device's **ETag**. If there's a mismatch with the existing twin's **ETag**, an error is written to the log file. |

+> If the serialization data doesn't explicitly define an **importMode** flag for a device, it defaults to **createOrUpdate** during the import operation.

+Using an import job to create devices may fail with a quota issue when it's close to the device count limit of the IoT hub. This failure can happen even if the total device count is still lower than the quota limit. The **IotHubQuotaExceeded (403002)** error is returned with the following error message: "Total number of devices on IotHub exceeded the allocated quota.ΓÇ¥

+If there's still quota available, you can examine the job output blob for devices that failed with the **IotHubQuotaExceeded (403002)** error. You can then try adding these devices individually to the IoT hub. For example, you can use the **AddDeviceAsync** or **AddDeviceWithTwinAsync** methods. Don't try to add the devices using another job as you may likely encounter the same error.

+The following C# code snippet, from the **GenerateDevicesAsync** method in the SDK sample, illustrates how to generate multiple device identities that:

+private async Task GenerateDevicesAsync(RegistryManager registryManager, int numToAdd)

+ var stopwatch = Stopwatch.StartNew();

+ Console.WriteLine($"Creating {numToAdd} devices for the source IoT hub.");

+ int interimProgressCount = 0;

+ int displayProgressCount = 1000;

+ int totalProgressCount = 0;

+ // generate reference for list of new devices we're going to add, will write list to this blob

+ BlobClient generateDevicesBlob = _blobContainerClient.GetBlobClient(_generateDevicesBlobName);

+ // define serializedDevices as a generic list<string>

+ var serializedDevices = new List<string>(numToAdd);

+ for (int i = 1; i <= numToAdd; i++)

+ // Create device name with this format: Hub_00000000 + a new guid.

+ // This should be large enough to display the largest number (1 million).

+ string deviceName = $"Hub_{i:D8}_{Guid.NewGuid()}";

+ Debug.Print($"Adding device '{deviceName}'");

+ // Create a new ExportImportDevice.

+ var deviceToAdd = new ExportImportDevice

+ {

+ Id = deviceName,

+ Status = DeviceStatus.Enabled,

+ Authentication = new AuthenticationMechanism

+ {

+ SymmetricKey = new SymmetricKey

+ {

+ PrimaryKey = GenerateKey(32),

+ SecondaryKey = GenerateKey(32),

+ }

+ },

+ // This indicates that the entry should be added as a new device.

+ ImportMode = ImportMode.Create,

+ };

+ // Add device to the list as a serialized object.

+ serializedDevices.Add(JsonConvert.SerializeObject(deviceToAdd));

+ // Not real progress as you write the new devices, but will at least show *some* progress.

+ interimProgressCount++;

+ totalProgressCount++;

+ if (interimProgressCount >= displayProgressCount)

+ {

+ Console.WriteLine($"Added {totalProgressCount}/{numToAdd} devices.");

+ interimProgressCount = 0;

+ }

+ }

+ // Now have a list of devices to be added, each one has been serialized.

+ // Write the list to the blob.

+ var sb = new StringBuilder();

+ serializedDevices.ForEach(serializedDevice => sb.AppendLine(serializedDevice));

+ // Write list of serialized objects to the blob.

+ using Stream stream = await generateDevicesBlob.OpenWriteAsync(overwrite: true);

+ byte[] bytes = Encoding.UTF8.GetBytes(sb.ToString());

+ for (int i = 0; i < bytes.Length; i += BlobWriteBytes)

+ {

+ int length = Math.Min(bytes.Length - i, BlobWriteBytes);

+ await stream.WriteAsync(bytes.AsMemory(i, length));

+ }

+ await stream.FlushAsync();

+ Console.WriteLine("Running a registry manager job to add the devices.");

+ // Should now have a file with all the new devices in it as serialized objects in blob storage.

+ // generatedListBlob has the list of devices to be added as serialized objects.

+ // Call import using the blob to add the new devices.

+ // Log information related to the job is written to the same container.

+ // This normally takes 1 minute per 100 devices (according to the docs).

+ // First, initiate an import job.

+ // This reads in the rows from the text file and writes them to IoT Devices.

+ // If you want to add devices from a file, you can create a file and use this to import it.

+ // They have to be in the exact right format.

+ try

+ {

+ // The first URI is the container to import from; the file defaults to devices.txt, but may be specified.

+ // The second URI points to the container to write errors to as a blob.

+ // This lets you import the devices from any file name. Since we wrote the new

+ // devices to [devicesToAdd], need to read the list from there as well.

+ var importGeneratedDevicesJob = JobProperties.CreateForImportJob(

+ _containerUri,

+ _containerUri,

+ _generateDevicesBlobName);

+ importGeneratedDevicesJob = await registryManager.ImportDevicesAsync(importGeneratedDevicesJob);

+ await WaitForJobAsync(registryManager, importGeneratedDevicesJob);

+ }

+ catch (Exception ex)

+ {

+ Console.WriteLine($"Adding devices failed due to {ex.Message}");

+ }

+ stopwatch.Stop();

+ Console.WriteLine($"GenerateDevices, time elapsed = {stopwatch.Elapsed}.");

+

+The following C# code snippet, from the **DeleteFromHubAsync** method in the SDK sample, shows you how to delete all of the devices from an IoT hub:

+private async Task DeleteFromHubAsync(RegistryManager registryManager, bool includeConfigurations)

+ var stopwatch = Stopwatch.StartNew();

+ Console.WriteLine("Deleting all devices from an IoT hub.");

+ Console.WriteLine("Exporting a list of devices from IoT hub to blob storage.");

+ // Read from storage, which contains serialized objects.

+ // Write each line to the serializedDevices list.

+ BlobClient devicesBlobClient = _blobContainerClient.GetBlobClient(_destHubDevicesImportBlobName);

+ Console.WriteLine("Reading the list of devices in from blob storage.");

+ List<string> serializedDevices = await ReadFromBlobAsync(devicesBlobClient);

+ // Step 1: Update each device's ImportMode to be Delete

+ Console.WriteLine("Updating ImportMode to be 'Delete' for each device and writing back to the blob.");

+ var sb = new StringBuilder();

+ serializedDevices.ForEach(serializedEntity =>

+ {

+ // Deserialize back to an ExportImportDevice and change import mode.

+ ExportImportDevice device = JsonConvert.DeserializeObject<ExportImportDevice>(serializedEntity);

+ device.ImportMode = ImportMode.Delete;

+ // Reserialize the object now that we've updated the property.

+ sb.AppendLine(JsonConvert.SerializeObject(device));

+ });

+ // Step 2: Write the list in memory to the blob.

+ BlobClient deleteDevicesBlobClient = _blobContainerClient.GetBlobClient(_hubDevicesCleanupBlobName);

+ await WriteToBlobAsync(deleteDevicesBlobClient, sb.ToString());

+ // Step 3: Call import using the same blob to delete all devices.

+ Console.WriteLine("Running a registry manager job to delete the devices from the IoT hub.");

+ var importJob = JobProperties.CreateForImportJob(

+ _containerUri,

+ _containerUri,

+ _hubDevicesCleanupBlobName);

+ importJob = await registryManager.ImportDevicesAsync(importJob);

+ await WaitForJobAsync(registryManager, importJob);

+ // Step 4: delete configurations

+ if (includeConfigurations)

+ {

+ BlobClient configsBlobClient = _blobContainerClient.GetBlobClient(_srcHubConfigsExportBlobName);

+ List<string> serializedConfigs = await ReadFromBlobAsync(configsBlobClient);

+ foreach (string serializedConfig in serializedConfigs)

+ {

+ try

+ {

+ Configuration config = JsonConvert.DeserializeObject<Configuration>(serializedConfig);

+ await registryManager.RemoveConfigurationAsync(config.Id);

+ }

+ catch (Exception ex)

+ {

+ Console.WriteLine($"Failed to deserialize or remove a config.\n\t{serializedConfig}\n\n{ex.Message}");

+ }

+ }

+ }

+ stopwatch.Stop();

+ Console.WriteLine($"Deleted IoT hub devices and configs: time elapsed = {stopwatch.Elapsed}");

+In this article, you learned how to perform bulk operations against the identity registry in an IoT hub. Many of these operations, including how to move devices from one hub to another, are used in the **Manage devices registered to the IoT hub** section of [How to manually migrate an Azure IoT hub using an Azure Resource Manager template](migrate-hub-arm.md#manage-the-devices-registered-to-the-iot-hub).

+ Title: Create an IoT hub using the Azure portal

+ Title: Create an IoT hub using the Azure CLI

+## Create an IoT hub

+## Remove an IoT hub

+* [Quickstart: Control a device connected to an IoT hub](quickstart-control-device.md)

+* [Quickstart: Control a device connected to an IoT hub](quickstart-control-device.md)

+Device identities can also be exported and imported from an IoT hub by using the Service API through either the [REST API](/rest/api/iothub/service/jobs/createimportexportjob) or one of the IoT Hub [Service SDKs](./iot-hub-devguide-sdks.md#azure-iot-hub-service-sdks).

+This article explains the quotas for an IoT hub, and provides information to help you understand how throttling works.

+- This article assumes that you're familiar with sending telemetry messages to your IoT hub.

+* [Quickstart: Send telemetry from an IoT Plug and Play device to Azure IoT Hub](../iot-develop/quickstart-send-telemetry-iot-hub.md?pivots=programming-language-csharp)

+* An Azure subscription. If you don't have an Azure subscription, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+* An IoT hub under your Azure subscription. Create one with the [CLI](iot-hub-create-using-cli.md) or the [Azure portal](iot-hub-create-through-portal.md).

+* An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps to create an IoT hub using the [CLI](iot-hub-create-using-cli.md) or the [Azure portal](iot-hub-create-through-portal.md).

+* A device registered in your IoT hub. If you haven't registered a device yet, register one in the [Azure portal](iot-hub-create-through-portal.md#register-a-new-device-in-the-iot-hub).

+* A simulated device that sends telemetry messages to your IoT hub. Use the [Raspberry Pi online simulator](iot-hub-raspberry-pi-web-simulator-get-started.md) to get a simulated device that sends temperature data to IoT Hub.

+Once created, an IoT hub in preview mode always shows this banner, letting you know to use this IoT hub for preview purposes only:

+To get access to the IoT hub, request permission from your IT administrator to add your IP address in the IP address range or to enable public network access to all networks. If that fails to resolve the issue, check your local network settings or contact your local network administrator to fix connectivity to the IoT hub. For example, sometimes a proxy in the local network can interfere with access to IoT Hub.

+1. Enter your hub name and click **Delete** again to confirm permanently deleting the IoT hub.

+1. Enter your hub name and click **Delete** again to confirm permanently deleting the IoT hub.

+description: Learn how to use the resource provider C# REST API to create and manage an IoT hub programmatically.

+ Title: Create an Azure IoT hub using a template (PowerShell)

+description: How to use an Azure Resource Manager template to create an IoT hub with Azure PowerShell.

+* An IoT hub. Create one with the [CLI](iot-hub-create-using-cli.md) or the [Azure portal](iot-hub-create-through-portal.md).

+ :::image type="content" source="./media/migrate-hub-arm/iot-hub-export-template.png" alt-text="Screenshot showing the command for exporting the template for the IoT hub." border="true":::

+ :::image type="content" source="./media/migrate-hub-arm/iot-hub-download-template.png" alt-text="Screenshot showing the command for downloading the template for the IoT hub." border="true":::

+You have migrated an IoT hub into a new hub in a new region, complete with the devices. For more information about performing bulk operations against the identity registry in an IoT hub, see [Import and export IoT Hub device identities in bulk](iot-hub-bulk-identity-mgmt.md).

+* An IoT hub. Create one with the [CLI](iot-hub-create-using-cli.md) or the [Azure portal](iot-hub-create-through-portal.md).

+* An IoT hub. Create one with the [CLI](iot-hub-create-using-cli.md) or the [Azure portal](iot-hub-create-through-portal.md).

+ :::image type="content" source="./media/module-twins-cli/cloud-shell-button.png" alt-text="Screenshot of the global controls from the page header of the Azure portal, highlighting the Cloud Shell icon.":::

+ :::image type="content" source="./media/module-twins-cli/cloud-shell-environment.png" alt-text="Screenshot of an Azure Cloud Shell window, highlighting the environment selector in the toolbar.":::

+* An IoT hub. Create one with the [CLI](iot-hub-create-using-cli.md) or the [Azure portal](iot-hub-create-through-portal.md).

+* An IoT hub. Create one with the [CLI](iot-hub-create-using-cli.md) or the [Azure portal](iot-hub-create-through-portal.md).

+* An IoT hub. Create one with the [CLI](iot-hub-create-using-cli.md) or the [Azure portal](iot-hub-create-through-portal.md).