-* [Python](https://nodejs.org/en/download/) 2.7+ or 3+

-To create the web app registration, do the following:

- 

-In the project's root directory, do the following:

- ```console

- pip install -r requirements.txt

- flask run --host localhost --port 5000

- 

-

- 

-> Azure AD uses device authentication to evaluate device filter rules. For devices that are unregistered with Azure AD, all device properties are considered as null values.

-An applicationΓÇÖs publisher domain is displayed to users on the [applicationΓÇÖs consent prompt](application-consent-experience.md) to let users know where their information is being sent. Multi-tenant applications that are registered after May 21, 2019 that don't have a publisher domain show up as **unverified**. Multi-tenant applications are applications that support accounts outside of a single organizational directory; for example, support all Azure AD accounts, or support all Azure AD accounts and personal Microsoft accounts.

-If a multi-tenant application's publisher domain isn't set, or if it's set to a domain that ends in .onmicrosoft.com, the app's consent prompt will show **unverified** in place of the publisher domain.

-If your app was registered before May 21, 2019, your application's consent prompt will not show **unverified** if you have not set a publisher domain. We recommend that you set the publisher domain value so that users can see this information on your app's consent prompt.

-

-The behavior for new applications created after May 21, 2019 will depend on the publisher domain and the type of application. The following table describes the changes you should expect to see with the different combinations of configurations.

-

- - In Partner Center this user must have of the following [roles](/partner-center/permissions-overview): MPN Admin, Accounts Admin, or a Global Admin (this is a shared role mastered in Azure AD).

-3. In the `Configure` method in *Startup.cs*, enable authentication with a call to `app.UseAuthentication();`

-| **DSREG_AUTOJOIN_ADCONFIG_READ_FAILED** (0x801c001d/-2145648611) | Unable to read the service connection point (SCP) object and get the Azure AD tenant information. | Refer to the [Configure a service connection point](hybrid-azuread-join-federated-domains.md#configure-hybrid-azure-ad-join) section. |

-When technology projects fail, itΓÇÖs typically because of mismatched expectations on impact, outcomes, and responsibilities. To avoid these pitfalls, [ensure that youΓÇÖre engaging the right stakeholders](../fundamentals/active-directory-deployment-plans.md#include-the-right-stakeholders) and that stakeholder roles in the project are well understood.

-During this four-hour window, you may prompt users for credentials repeatedly when reauthenticating to applications that use legacy authentication. Although the user can still successfully authenticate against AD FS, Azure AD no longer accepts the userΓÇÖs issued token because that federation trust is now removed.

-Existing Legacy clients (Exchange ActiveSync, Outlook 2010/2013) aren't affected because Exchange Online keeps a cache of their credentials for a set period of time. The cache is used to silently reauthenticate the user. The user doesnΓÇÖt have to return to AD FS. Credentials stored on the device for these clients are used to silently reauthenticate themselves after the cached is cleared. Users arenΓÇÖt expected to receive any password prompts as a result of the domain conversion process.

-Evaluate if youΓÇÖre currently using conditional access for authentication, or if you use access control policies in AD FS.

- *Available if you didnΓÇÖt initially configure your federated domains by using Azure AD Connect or if you're using third-party federation services*.

- If AD FS isnΓÇÖt listed in the current settings, you must manually convert your domains from federated identity to managed identity by using PowerShell.

- - The computer accountΓÇÖs Kerberos decryption key is securely shared with Azure AD.

-> PTA requires deploying lightweight agents on the Azure AD Connect server and on your on-premises computer thatΓÇÖs running Windows server. To reduce latency, install the agents as close as possible to your Active Directory domain controllers.

-*Available if you didnΓÇÖt initially configure your federated domains by using Azure AD Connect or if you're using third-party federation services.*

- If the authentication agent isnΓÇÖt active, complete these [troubleshooting steps](tshoot-connect-pass-through-authentication.md) before you continue with the domain conversion process in the next step. You risk causing an authentication outage if you convert your domains before you validate that your PTA agents are successfully installed and that their status is **Active** in the Azure portal.

-> You donΓÇÖt have to convert all domains at the same time. You might choose to start with a test domain on your production tenant or start with your domain that has the lowest number of users.

-When your tenant used federated identity, users were redirected from the Azure AD sign-in page to your AD FS environment. Now that the tenant is configured to use the new sign-in method instead of federated authentication, users arenΓÇÖt redirected to AD FS.

- - The user hasnΓÇÖt been assigned a license.

-If you plan to keep using AD FS with on-premises & SaaS Applications using SAML / WS-FED or Oauth protocol, youΓÇÖll use both AD FS and Azure AD after you convert the domains for user authentication. In this case, you can protect your on-premises applications and resources with Secure Hybrid Access (SHA) through [Azure AD Application Proxy](../app-proxy/what-is-application-proxy.md) or one of [Azure AD partner integrations](../manage-apps/secure-hybrid-access.md). Using Application Proxy or one of our partners can provide secure remote access to your on-premises applications. Users benefit by easily connecting to their applications from any device after a [single sign-on](../manage-apps/add-application-portal-setup-sso.md).

-If you have Azure AD Connect Health, you can [monitor usage](how-to-connect-health-adfs.md) from the Azure portal. In case the usage shows no new auth req and you validate that all users and clients are successfully authenticating via Azure AD, itΓÇÖs safe to remove the Microsoft 365 relying party trust.

-If you donΓÇÖt use AD FS for other purposes (that is, for other relying party trusts), you can decommission AD FS at this point.

-## Temporary Access Pass (Preview)

-description: Learn how to automatically provision and de-provision user accounts from Azure AD to LinkedIn Learning.

-writer: twimmers

-# Tutorial: Configure LinkedIn Learning for automatic user provisioning

-This tutorial describes the steps you need to perform in both LinkedIn Learning and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [LinkedIn Learning](https://learning.linkedin.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

-## Capabilities supported

-> [!div class="checklist"]

-> * Create users in LinkedIn Learning

-> * Remove users in LinkedIn Learning when they do not require access anymore

-> * Keep user attributes synchronized between Azure AD and LinkedIn Learning

-> * Provision groups and group memberships in LinkedIn Learning

-> * [Single sign-on](linkedinlearning-tutorial.md) to LinkedIn Learning (recommended)

-## Prerequisites

-The scenario outlined in this tutorial assumes that you already have the following prerequisites:

-* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)

-* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (e.g. Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).

-* Approval and SCIM enabled for LinkedIn Learning (contact by email).

-## Step 1. Plan your provisioning deployment

-1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).

-2. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

-3. Determine what data to [map between Azure AD and LinkedIn Learning](../app-provisioning/customize-application-attributes.md).

-## Step 2. Configure LinkedIn Learning to support provisioning with Azure AD

-1. Sign into [LinkedIn Learning Settings](https://www.linkedin.com/learning-admin/settings/global). Select **SCIM Setup** then select **Add new SCIM configuration**.

- 

-2. Enter a name for the configuration, and set **Auto-assign licenses** to On. Then click **Generate token**.

- 

-3. After the configuration is created, an **Access token** should be generated. Keep this copied for later.

- 

-4. You may reissue any existing configurations (which will generate a new token) or remove them.

-## Step 3. Add LinkedIn Learning from the Azure AD application gallery

-Add LinkedIn Learning from the Azure AD application gallery to start managing provisioning to LinkedIn Learning. If you have previously setup LinkedIn Learning for SSO you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).

-## Step 4. Define who will be in scope for provisioning

-The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

-* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

-* If you need additional roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles.

-## Step 5. Configure automatic user provisioning to LinkedIn Learning

-This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in TestApp based on user and/or group assignments in Azure AD.

-### To configure automatic user provisioning for LinkedIn Learning in Azure AD:

-1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.

- 

-2. In the applications list, select **LinkedIn Learning**.

- 

-3. Select the **Provisioning** tab.

- 

-4. Set the **Provisioning Mode** to **Automatic**.

- 

-5. Under the **Admin Credentials** section, input `https://api.linkedin.com/scim` in **Tenant URL**. Input the access token value retrieved earlier in **Secret Token**. Click **Test Connection** to ensure Azure AD can connect to LinkedIn Learning. If the connection fails, ensure your LinkedIn Learning account has Admin permissions and try again.

- 

-6. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.

- 

-7. Select **Save**.

-8. Under the **Mappings** section, select **Provision Azure Active Directory Users**.

-9. Review the user attributes that are synchronized from Azure AD to LinkedIn Learning in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in LinkedIn Learning for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the LinkedIn Learning API supports filtering users based on that attribute. Select the **Save** button to commit any changes.

- |Attribute|Type|Supported for filtering|

- ||||

- |externalId|String|✓|

- |userName|String|

- |name.givenName|String|

- |name.familyName|String|

- |displayName|String|

- |addresses[type eq "work"].locality|String|

- |title|String|

- |emails[type eq "work"].value|String|

- |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager|Reference|

- |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department|String|

-10. Under the **Mappings** section, select **Provision Azure Active Directory Groups**.

-11. Review the group attributes that are synchronized from Azure AD to LinkedIn Learning in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the groups in LinkedIn Learning for update operations. Select the **Save** button to commit any changes.

- |Attribute|Type|Supported for filtering|

- ||||

- |displayName|String|✓|

- |members|Reference|

- |externalId|String|

-12. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).

-13. To enable the Azure AD provisioning service for LinkedIn Learning, change the **Provisioning Status** to **On** in the **Settings** section.

- 

-14. Define the users and/or groups that you would like to provision to LinkedIn Learning by choosing the desired values in **Scope** in the **Settings** section.

- 

-15. When you are ready to provision, click **Save**.

- 

-This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.

-## Step 6. Monitor your deployment

-Once you've configured provisioning, use the following resources to monitor your deployment:

-1. Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully

-2. Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion

-3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).

-## Additional resources

-* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)

-* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

-## Next steps

-* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

-* LinkedIn Learning supports [Automated user provisioning](linkedin-learning-provisioning-tutorial.md).

-1. LinkedIn Learning application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes, where as **nameidentifier** is mapped with **user.userprincipalname**. LinkedIn Learning application expects **nameidentifier** to be mapped with **user.mail**, so you need to edit the attribute mapping by clicking on **Edit** icon and change the attribute mapping.

-### Recommendations

-Tableau Cloud will only store the highest privileged role that is assigned to a user. In other words, if a user is assigned to two groups, the userΓÇÖs role will reflect the highest privileged role.

-To keep track of role assignments, you can create two purpose-specific groups for role assignments. For example, you can create groups such as Tableau ΓÇô Creator, and Tableau ΓÇô Explorer, etc. Assignment would then look like:

-* Tableau ΓÇô Creator: Creator

-* Tableau ΓÇô Explorer: Explorer

-* Etc.

-Once provisioning is set up, you will want to edit role changes directly in Azure Active Directory. Otherwise, you may end up with role inconsistencies between Tableau Cloud and Azure Active Directory.

-### Valid Tableau site role values

-On the **Select a Role** page in your Azure Active Directory portal, the Tableau Site Role values that are valid include the following: **Creator, SiteAdministratorCreator, Explorer, SiteAdministratorExplorer, ExplorerCanPublish, Viewer, or Unlicensed**.

-If you select a role that is not in the above list, such as a legacy (pre-v2018.1) role, you will experience an error.

-[az account](/cli/azure/account) command.

- ```azurecli-interactive

- If they are not registered, register *Microsoft.OperationsManagement* and *Microsoft.OperationalInsights* using:

- ```azurecli-interactive

-An [Azure resource group](../../azure-resource-manager/management/overview.md) is a logical group in which Azure resources are deployed and managed. When you create a resource group, you are prompted to specify a location. This location is:

-Create an AKS cluster using the [az aks create][az-aks-create] command with the *--enable-addons monitoring* parameter to enable [Container insights][azure-monitor-containers]. The following example creates a cluster named *myAKSCluster* with one node:

-az aks create --resource-group myResourceGroup --name myAKSCluster --node-count 1 --enable-addons monitoring --generate-ssh-keys

-2. Configure `kubectl` to connect to your Kubernetes cluster using the [az aks get-credentials][az-aks-get-credentials] command. The following command:

- * Downloads credentials and configures the Kubernetes CLI to use them.

- * Uses `~/.kube/config`, the default location for the [Kubernetes configuration file][kubeconfig-file]. Specify a different location for your Kubernetes configuration file using *--file* argument.

-1. Create a file named `azure-vote.yaml`.

- * If you use the Azure Cloud Shell, this file can be created using `code`, `vi`, or `nano` as if working on a virtual or physical system

-1. Copy in the following YAML definition:

-First, get the subnet used by your Windows Server node pool. To get the subnet id, you need the name of the subnet. To get the name of the subnet, you need the name of the vnet. Get the vnet name by querying your cluster for its list of networks. To query the cluster, you need its name. You can get all of these by running the following in the Azure Cloud Shell:

-First, get the resource group and nsg name of the nsg to add the rule to:

-```azurecli-interactive

-The follow example output shows the internal IP addresses of all the nodes in the cluster, including the Windows Server nodes.

-[view-master-logs]: view-master-logs.md

-The following example shows an Azure Resource Manager template that contains the following steps:

-1. Create an API Management instance with a managed identity.

-2. Update the access policies of an Azure Key Vault instance and allow the API Management instance to obtain secrets from it.

-3. Update the API Management instance by setting a custom domain name through a certificate from the Key Vault instance.

- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

- "contentVersion": "1.0.0.0",

- "parameters": {

- "publisherEmail": {

- "type": "string",

- "minLength": 1,

- "metadata": {

- "description": "The email address of the owner of the service"

- }

- },

- "publisherName": {

- "defaultValue": "Contoso",

- "minLength": 1,

- "metadata": {

- "description": "The name of the owner of the service"

- }

- },

- "sku": {

- "type": "string",

- "allowedValues": ["Developer",

- "Standard",

- "Premium"],

- "defaultValue": "Developer",

- "metadata": {

- "description": "The pricing tier of this API Management instance"

- }

- },

- "skuCount": {

- "type": "int",

- "defaultValue": 1,

- "metadata": {

- "description": "The instance size of this API Management instance."

- "description": "Name of the vault"

- }

- },

- "proxyCustomHostname1": {

- "type": "string",

- "metadata": {

- "description": "Gateway custom hostname."

- "keyVaultIdToCertificate": {

- "type": "string",

- "metadata": {

- "description": "Reference to the Key Vault certificate. https://contoso.vault.azure.net/secrets/contosogatewaycertificate."

- }

- }

- },

- "variables": {

- "apiManagementServiceName": "[concat('apiservice', uniqueString(resourceGroup().id))]",

- "apimServiceIdentityResourceId": "[concat(resourceId('Microsoft.ApiManagement/service', variables('apiManagementServiceName')),'/providers/Microsoft.ManagedIdentity/Identities/default')]"

- },

- "resources": [{

- "name": "[variables('apiManagementServiceName')]",

- "apiVersion": "2015-06-01",

- "dependsOn": [

- "[resourceId('Microsoft.ApiManagement/service', variables('apiManagementServiceName'))]"

- ],

- "tenantId": "[reference(variables('apimServiceIdentityResourceId'), '2015-08-31-PREVIEW').tenantId]",

- "objectId": "[reference(variables('apimServiceIdentityResourceId'), '2015-08-31-PREVIEW').principalId]",

- {

- "apiVersion": "2017-05-10",

- "type": "Microsoft.Resources/deployments",

- "dependsOn": [

- "[resourceId('Microsoft.ApiManagement/service', variables('apiManagementServiceName'))]"

- "templateLink": {

- "uri": "https://raw.githubusercontent.com/solankisamir/arm-templates/master/basicapim.keyvault.json",

- "contentVersion": "1.0.0.0"

- },

- "parameters": {

- "publisherEmail": { "value": "[parameters('publisherEmail')]"},

- "publisherName": { "value": "[parameters('publisherName')]"},

- "sku": { "value": "[parameters('sku')]"},

- "skuCount": { "value": "[parameters('skuCount')]"},

- "proxyCustomHostname1": {"value" : "[parameters('proxyCustomHostname1')]"},

- "keyVaultIdToCertificate": {"value" : "[parameters('keyVaultIdToCertificate')]"}

- }

- }

- }]

-|Azure Event Hub | [Trused-access-to-azure-event-hub](../event-hubs/event-hubs-ip-filtering.md#trusted-microsoft-services)|

-In this template, you will deploy:

-To run the deployment automatically, click the following button:

- * The schema element

- <set-method>HTTP method</set-method>

- [...]

- [...]

-| `http-request` | Specifies a URL and child policies to configure the resolver's HTTP request. Each of the following policies can be specified at most once in the element. <br/><br/>Required policy: [set-method](api-management-advanced-policies.md#SetRequestMethod)<br/><br/>Optional policies: [set-header](api-management-transformation-policies.md#SetHTTPheader), [set-body](api-management-transformation-policies.md#SetBody), [authentication-certificate](api-management-authentication-policies.md#ClientCertificate) | Yes |

-| `set-url` | The URL of the resolver's HTTP request. | Yes |

-| `http-response` | Optionally specifies child policies to configure the resolver's HTTP response. If not specified, the response is returned as a raw string. Each of the following policies can be specified at most once. <br/><br/>Optional policies: [set-body](api-management-transformation-policies.md#SetBody), [json-to-xml](api-management-transformation-policies.md#ConvertJSONtoXML), [xml-to-json](api-management-transformation-policies.md#ConvertXMLtoJSON), [find-and-replace](api-management-transformation-policies.md#Findandreplacestringinbody) | No |

-9. Execute the command. The command instructs your Docker environment to run the container using a [container image](https://aka.ms/apim/sputnik/registry-portal) from the Microsoft Artifact Registry, and to map the container's HTTP (8080) and HTTPS (8081) ports to ports 80 and 443 on the host.

-9. Run the commands to create the necessary Kubernetes objects in the [default namespace](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/) and start self-hosted gateway pods from the [container image](https://aka.ms/apim/sputnik/registry-portal) downloaded from the Microsoft Artifact Registry.

-The self-hosted gateway is a containerized, functionally equivalent version of the managed gateway deployed to Azure as part of every API Management service. The self-hosted gateway is available as a Linux-based Docker [container image](https://aka.ms/apim/sputnik/registry-portal) from the Microsoft Artifact Registry. It can be deployed to Docker, Kubernetes, or any other container orchestration solution running on a server cluster on premises, cloud infrastructure, or for evaluation and development purposes, on a personal computer. You can also deploy the self-hosted gateway as a cluster extension to an [Azure Arc-enabled Kubernetes cluster](./how-to-deploy-self-hosted-gateway-azure-arc.md).

-| Donwloadable | No. | Yes, as Azure Storage blobs. |

-2. If you use a custom domain, [bind it preemptively to the target app](manage-custom-dns-migrate-domain.md#bind-the-domain-name-preemptively) with `awverify.` and [enable the domain in the target app](manage-custom-dns-migrate-domain.md#enable-the-domain-for-your-app).

-### [Azure portal](#tab/azure-portal)

-Sign in to the [Azure portal](https://portal.azure.com/) and follow these steps to create your Azure App Service resources.

-| Instructions | Screenshot |

-|:-|--:|

-| [!INCLUDE [Create app service step 1](<./includes/quickstart-python/create-app-service-azure-portal-1.md>)] | :::image type="content" source="./media/quickstart-python/create-app-service-azure-portal-1-240px.png" alt-text="A screenshot of how to use the search box in the top tool bar to find App Services in Azure." lightbox="./media/quickstart-python/create-app-service-azure-portal-1.png"::: |

-| [!INCLUDE [Create app service step 1](<./includes/quickstart-python/create-app-service-azure-portal-2.md>)] | :::image type="content" source="./media/quickstart-python/create-app-service-azure-portal-2-240px.png" alt-text="A screenshot of the location of the Create button on the App Services page in the Azure portal." lightbox="./media/quickstart-python/create-app-service-azure-portal-2.png"::: |

-| [!INCLUDE [Create app service step 1](<./includes/quickstart-python/create-app-service-azure-portal-3.md>)] | :::image type="content" source="./media/quickstart-python/create-app-service-azure-portal-3-240px.png" alt-text="A screenshot of how to fill out the form to create a new App Service in the Azure portal." lightbox="./media/quickstart-python/create-app-service-azure-portal-3.png"::: |

-| [!INCLUDE [Create app service step 1](<./includes/quickstart-python/create-app-service-azure-portal-4.md>)] | :::image type="content" source="./media/quickstart-python/create-app-service-azure-portal-4-240px.png" alt-text="A screenshot of how to select the basic app service plan in the Azure portal." lightbox="./media/quickstart-python/create-app-service-azure-portal-4.png"::: |

-| [!INCLUDE [Create app service step 1](<./includes/quickstart-python/create-app-service-azure-portal-5.md>)] | :::image type="content" source="./media/quickstart-python/create-app-service-azure-portal-5-240px.png" alt-text="A screenshot of the location of the Review plus Create button in the Azure portal." lightbox="./media/quickstart-python/create-app-service-azure-portal-5.png"::: |

-### [Azure CLI](#tab/azure-cli)

-* An Azure Storage blob container that contains a set of training data. Make sure all the training documents are of the same format. If you have forms in multiple formats, organize them into subfolders based on common format. For this project, you can use our [sample data set](https://github.com/Azure-Samples/cognitive-services-REST-api-samples/blob/master/curl/form-recognizer/sample_data_without_labels.zip). If you don't know how to create an Azure storage account with a container, follow the [Azure Storage quickstart for Azure portal](../../../storage/blobs/storage-quickstart-blobs-portal.md).

-1. Select the Analyze command to run analysis on the sample document or try your document by using the Add command.

-* 🆕 Read—Analyze and extract printed (typeface) and handwritten text lines, words, locations, and detected languages.

-* 🆕 W-2—Analyze and extract fields from W-2 tax documents, using a pre-trained W-2 model.

-* [cURL](https://curl.haxx.se/windows/) installed.

-* A Cognitive Services or Form Recognizer resource. Once you have your Azure subscription, create a [single-service](https://portal.azure.com/#create/Microsoft.CognitiveServicesFormRecognizer) or [multi-service](https://portal.azure.com/#create/Microsoft.CognitiveServicesAllInOne) Form Recognizer resource in the Azure portal to get your key and endpoint. You can use the free pricing tier (`F0`) to try the service, and upgrade later to a paid tier for production.

-

- Form Recognizer v3.0 consolidates the analyze document (POST) and get result (GET) requests into single operations. The `modelId` is used for POST and `resultId` for GET operations.

-#### Operation-Location

-You'll receive a `202 (Success)` response that includes an **Operation-Location** header. The value of this header contains a `resultID` that can be queried to get the status of the asynchronous operation:

-1. Replace `{endpoint}` with the endpoint value from your Form Recognizer instance in the Azure portal.

-1. Replace `{modelID}` with the same modelID you used to analyze your document.

-1. Replace `{resultID}` with the result ID from the [Operation-Location](#operation-location) header.

-curl -v -X GET "{endpoint}/formrecognizer/documentModels/{modelID}/analyzeResults/{resultId}?api-version=2022-06-30-preview" -H "Ocp-Apim-Subscription-Key: {key}"

- <sup>1</sup> To enable Auto Sync when configuring source control integration with Azure DevOps, you must be a Project Administrator.

-> The login for your source control repository might be different from your login for the Azure portal. Ensure that you are logged in with the correct account for your source control repository when configuring source control. If there is a doubt, open a new tab in your browser, log out from **dev.azure.com**, **visualstudio.com**, or **github.com**, and try reconnecting to source control.

-description: Create a Data Controller using Kubernetes tools

-# Create Azure Arc data controller using Kubernetes tools

-To create the Azure Arc data controller using Kubernetes tools you will need to have the Kubernetes tools installed. The examples in this article will use `kubectl`, but similar approaches could be used with other Kubernetes tools such as the Kubernetes dashboard, `oc`, or `helm` if you are familiar with those tools and Kubernetes yaml/json.

-> Some of the steps to create the Azure Arc data controller that are indicated below require Kubernetes cluster administrator permissions. If you are not a Kubernetes cluster administrator, you will need to have the Kubernetes cluster administrator perform these steps on your behalf.

-If you installed the Azure Arc data controller in the past on the same cluster and deleted the Azure Arc data controller, there may be some cluster level objects that would still need to be deleted.

-Run the following commands to delete the Azure Arc data controller cluster level objects:

-Creating the Azure Arc data controller has the following high level steps:

- > [!IMPORTANT]

- > Some of the steps below require Kubernetes cluster administrator permissions.

-1. Create the custom resource definitions for the Arc data controller, Azure SQL managed instance, and PostgreSQL Hyperscale.

-1. Create a namespace in which the data controller will be created.

-1. Create the webhook deployment job, cluster role and cluster role binding.

-## Create the custom resource definitions

-Run the following command to create the custom resource definitions.

- > [!IMPORTANT]

- > Requires Kubernetes cluster administrator permissions.

-```console

-kubectl create -f https://raw.githubusercontent.com/microsoft/azure_arc/main/arc_data_services/deploy/yaml/custom-resource-definitions.yaml

-```

-If other people will be using this namespace that are not cluster administrators, we recommend creating a namespace admin role and granting that role to those users through a role binding. The namespace admin should have full permissions on the namespace. More granular roles and example role bindings can be found on the [Azure Arc GitHub repository](https://github.com/microsoft/azure_arc/tree/main/arc_data_services/deploy/yaml/rbac).

-The bootstrapper service handles incoming requests for creating, editing, and deleting custom resources such as a data controller, SQL managed instances, or PostgreSQL Hyperscale server groups.

-Run the following command to create a bootstrapper service, a service account for the bootstrapper service, and a role and role binding for the bootstrapper service account.

-kubectl create --namespace arc -f https://raw.githubusercontent.com/microsoft/azure_arc/main/arc_data_services/deploy/yaml/bootstrapper.yaml

-Verify that the bootstrapper pod is running using the following command. You may need to run it a few times until the status changes to `Running`.

-kubectl get pod --namespace arc

-The bootstrapper.yaml template file defaults to pulling the bootstrapper container image from the Microsoft Container Registry (MCR). If your environment does not have access directly to the Microsoft Container Registry, you can do the following:

-The example below assumes that you created a image pull secret name `arc-private-registry`.

-```yaml

-#Just showing only the relevant part of the bootstrapper.yaml template file here

- spec:

- serviceAccountName: sa-bootstrapper

- nodeSelector:

- kubernetes.io/os: linux

- imagePullSecrets:

- - name: arc-private-registry #Create this image pull secret if you are using a private container registry

- containers:

- - name: bootstrapper

- image: mcr.microsoft.com/arcdata/arc-bootstrapper:v1.1.0_2021-11-02 #Change this registry location if you are using a private container registry.

- imagePullPolicy: Always

-```

-## Create the webhook deployment job, cluster role and cluster role binding

-First, create a copy of the [template file](https://raw.githubusercontent.com/microsoft/azure_arc/main/arc_data_services/deploy/yaml/web-hook.yaml) locally on your computer so that you can modify some of the settings.

-Edit the file and replace `{{namespace}}` in all places with the name of the namespace you created in the previous step. **Save the file.**

-Run the following command to create the cluster role and cluster role bindings.

- > [!IMPORTANT]

- > Requires Kubernetes cluster administrator permissions.

-```console

-kubectl create -n arc -f <path to the edited template file on your computer>

-```

-First, create a copy of the [template file](https://raw.githubusercontent.com/microsoft/azure_arc/main/arc_data_services/deploy/yaml/data-controller.yaml) locally on your computer so that you can modify some of the settings.

-> [!VIDEO https://docs.microsoft.com/Shows//Inside-Azure-for-IT/Choose-the-right-data-solution-for-your-hybrid-environment/player?format=ny]

-description: Article describes how to upgrade an indirectly connected Azure Arc data controller using Kubernetes tools

-# Upgrade an indirectly connected Azure Arc data controller using Kubernetes tools

-1. Specify a service account.

-1. Set the cluster roles.

-1. Set the cluster role bindings.

-1. Set the job.

-Prior to beginning the upgrade of the Azure Arc data controller, you'll need:

-To upgrade the Azure Arc data controller using Kubernetes tools, you need to have the Kubernetes tools installed.

-## Create or download .yaml file

-To upgrade the data controller, you'll apply a yaml file to the Kubernetes cluster. The example file for the upgrade is available in GitHub at <https://github.com/microsoft/azure_arc/blob/main/arc_data_services/upgrade/yaml/upgrade-indirect-k8s.yaml>.

-You can download the file - and other Azure Arc related demonstration files - by cloning the repository. For example:

-```azurecli

-git clone https://github.com/microsoft/azure-arc

-```

-For more information, see [Cloning a repository](https://docs.github.com/en/repositories/creating-and-managing-repositories/cloning-a-repository) in the GitHub docs.

-The following steps use files from the repository.

-In the yaml file, you'll replace ```{{namespace}}``` with your namespace.

-You'll need to connect and authenticate to a Kubernetes cluster and have an existing Kubernetes context selected prior to beginning the upgrade of the Azure Arc data controller.

-### Specify the service account

-The upgrade requires an elevated service account for the upgrade job.

-To specify the service account:

-1. Describe the service account in a .yaml file. The following example sets a name for `ServiceAccount` as `sa-arc-upgrade-worker`:

- :::code language="yaml" source="~/azure_arc_sample/arc_data_services/upgrade/yaml/upgrade-indirect-k8s.yaml" range="2-4":::

-1. Edit the file as needed.

-### Set the cluster roles

-A cluster role (`ClusterRole`) grants the service account permission to perform the upgrade.

-1. Describe the cluster role and rules in a .yaml file. The following example defines a cluster role for `arc:cr-upgrade-worker` and allows all API groups, resources, and verbs.

- :::code language="yaml" source="~/azure_arc_sample/arc_data_services/upgrade/yaml/upgrade-indirect-k8s.yaml" range="7-9":::

-1. Edit the file as needed.

-### Set the cluster role binding

-A cluster role binding (`ClusterRoleBinding`) links the service account and the cluster role.

-1. Describe the cluster role binding in a .yaml file. The following example describes a cluster role binding for the service account.

- :::code language="yaml" source="~/azure_arc_sample/arc_data_services/upgrade/yaml/upgrade-indirect-k8s.yaml" range="20-21":::

-1. Edit the file as needed.

-### Specify the job

-A job creates a pod to execute the upgrade.

-1. Describe the job in a .yaml file. The following example creates a job called `arc-bootstrapper-upgrade-job`.

- :::code language="yaml" source="~/azure_arc_sample/arc_data_services/upgrade/yaml/upgrade-indirect-k8s.yaml" range="31-48":::

-1. Edit the file for your environment.

-Specify the image tag to upgrade the data controller to.

- :::code language="yaml" source="~/azure_arc_sample/arc_data_services/upgrade/yaml/upgrade-indirect-k8s.yaml" range="50-56":::

-### Apply the resources

-Run the following kubectl command to apply the resources to your cluster.

-``` bash

-kubectl apply -n <namespace> -f upgrade-indirect-k8s.yaml

-## Logs

-## `az arcappliance prepare` fails when deploying to VMware

-The `arcappliance` extension for Azure CLI enables a [prepare](/cli/azure/arcappliance/prepare) command, which enables you to download an OVA template to your vSphere environment. This OVA file is used to deploy the Azure Arc resource bridge. The `az arcappliance prepare` command uses the vSphere SDK and can result in the following error:

-$ az arcappliance prepare vmware --config-file <path to config>

-Error: Error in reading OVA file: failed to parse ovf: strconv.ParseInt: parsing "3670409216":

-value out of range.

-### Cause

-This error occurs when you run the Azure CLI commands in a 32-bit context, which is the default behavior. The vSphere SDK only supports running in a 64-bit context. The specific error returned from the vSphere SDK is `Unable to import ova of size 6GB using govc`. When you install the Azure CLI, it's a 32-bit Windows Installer package. However, the Azure CLI `az arcappliance` extension needs to run in a 64-bit context.

-### Resolution

-Perform the following steps to configure your client machine with the Azure CLI 64-bit version.

-1. Uninstall the current version of the Azure CLI on Windows following these [steps](/cli/azure/install-azure-cli-windows#uninstall).

-1. Install version 3.6 or higher of [Python](https://www.python.org/downloads/windows/) (64-bit).

- > [!NOTE]

- > It is important after installing Python to confirm that its path is added to the PATH environmental variable.

-1. Install the [pip](https://pypi.org/project/pip/) package installer for Python.

-1. Verify Python is installed correctly by running `py` in a Command Prompt.

-1. From an elevated PowerShell console, run `pip install azure-cli` to install the Azure CLI from PyPI.

-After you complete these steps, in a new PowerShell console you can get started using the Azure Arc appliance CLI extension.

-## Azure Arc resource bridge (preview) is unreachable

-Another possible cause is slow disk access. Azure Arc resource bridge uses etcd which requires 10ms latency or less per [recommendation](https://docs.openshift.com/container-platform/4.6/scalability_and_performance/recommended-host-practices.html#recommended-etcd-practices_). If the underlying disk has low performance, it can impact the operations, and causing failures.

-### Resolution

-Reboot the resource bridge (preview) VM and it should recover its IP address. If the address is assigned from a DHCP server, reserve the IP address associated with the resource bridge (preview).

-## Resource bridge cannot be updated

-In this release, all the parameters are specified at time of creation. To update the Azure Arc resource bridge, you must delete it and redeploy it again.

-For example, if you specified the wrong location, or subscription during deployment, later the resource creation fails. If you only try to recreate the resource without redeploying the resource bridge VM, you'll see the status stuck at `WaitForHeartBeat`.

-### Resolution

-Delete the appliance, update the appliance YAML file, then redeploy and create the resource bridge.

-## Token refresh error

-When you run the Azure CLI commands, the following error may be returned: *The refresh token has expired or is invalid due to sign-in frequency checks by conditional access.* The error occurs because when you sign into Azure, the token has a maximum lifetime. When that lifetime is exceeded, you need to sign in to Azure again.

-### Resolution

-Sign into Azure again using the `az login` command.

-No, this feature is not available yet. Keep an eye out for more updates on this.

- npm run build:production

-If multiple function apps share a storage account, each function app *must* be configured with a separate task hub name. A storage account can contain multiple task hubs. This restriction generally applies to other storage providers as well.

-> Python language support for the SQL bindings extension is only available for v4 of the [functions runtime](./set-runtime-version.md#view-and-update-the-current-runtime-version) and requires runtime v4.5.0 or greater for deployment in Azure. Learn more about determining the runtime in the [functions runtime](./set-runtime-version.md#view-and-update-the-current-runtime-version) documentation. Please see the tracking [GitHub issue](https://github.com/Azure/azure-functions-sql-extension/issues/250) for the latest update on availability.

-The functions runtime required for local development and testing of Python functions isn't included in the current release of functions core tools and must be installed independently. The latest instructions on installing a preview version of functions core tools are available in the tracking [GitHub issue](https://github.com/Azure/azure-functions-sql-extension/issues/250).

-Alternatively, a VS Code [development container](https://code.visualstudio.com/docs/remote/containers) definition can be used to expedite your environment setup. The definition components are available in the SQL bindings [GitHub repository](https://github.com/Azure/azure-functions-sql-extension/tree/main/samples/samples-python/.devcontainer).

-This article helps you use Azure Pipelines to set up continuous integration (CI) and continuous deployment (CD) of your web app running in Azure Government. CI/CD automates the build of your code from a repo along with the deployment (release) of the built code artifacts to a service or set of services in Azure Government. In this tutorial, you'll build a web app and deploy it to an Azure Governments app service. This build and release process is triggered by a change to a code file in the repo.

-[Azure Pipelines](/azure/devops/pipelines/get-started/what-is-azure-pipelines) is used by teams to configure continuous deployment for applications hosted in Azure subscriptions. We can use this service for applications running in Azure Government by defining [service connections](/azure/devops/pipelines/library/service-endpoints) for Azure Government.

-Before starting this tutorial, you must complete the following prerequisites:

-+ [Create an organization in Azure DevOps](/azure/devops/organizations/accounts/create-organization)

-+ [Create and add a project to the Azure DevOps organization](/azure/devops/organizations/projects/create-project?;bc=%2fazure%2fdevops%2fuser-guide%2fbreadcrumb%2ftoc.json&tabs=new-nav&toc=%2fazure%2fdevops%2fuser-guide%2ftoc.json)

-+ Install and set up [Azure PowerShell](/powershell/azure/install-az-ps)

-## Create Azure Government app service

-[Create an App service in your Azure Government subscription](documentation-government-howto-deploy-webandmobile.md).

-The following steps will set up a CD process to deploy to this Web App.

-## Set up Build and Source control integration

-Follow through one of the quickstarts below to set up a Build for your specific type of app:

-## Generate a service principal

-1. Download or copy and paste the [service principal creation](https://github.com/yujhongmicrosoft/spncreationn/blob/master/spncreation.ps1) PowerShell script into an IDE or editor.

- > [!NOTE]

- > This script will be updated to use the Azure Az PowerShell module instead of the deprecated AzureRM PowerShell module.

-2. Open up the file and navigate to the `param` parameter. Replace the `$environmentName` variable with

-AzureUSGovernment." This action sets the service principal to be created in Azure Government.

-3. Open your PowerShell window and run the following command. This command sets a policy that enables running local files.

- When you're asked whether you want to change the execution policy, enter "A" (for "Yes to All").

-4. Navigate to the directory that has the edited script above.

-5. Edit the following command with the name of your script and run:

-6. The "subscriptionName" parameter can be found by logging into your Azure Government subscription via `Connect-AzAccount -EnvironmentName AzureUSGovernment` and then running `Get-AzureSubscription`.

-7. When prompted for the "password" parameter, enter your desired password.

-8. After providing your Azure Government subscription credentials, you should see the following message:

- > [!NOTE]

- > The Environment variable should be `AzureUSGovernment`.

-9. After the script has run, you should see your service connection values. Copy these values as we'll need them when setting up our endpoint.

- 

-Follow the instructions in [Service connections for builds and releases](/azure/devops/pipelines/library/service-endpoints) to set up the Azure Pipelines service connection.

-Make one change specific to Azure Government: In step #3 of [Service connections for builds and releases](/azure/devops/pipelines/library/service-endpoints), click on "use the full version of the service connection catalog" and set **Environment** to **AzureUSGovernment**.

-Follow [Deploy a web app to Azure App Services](/azure/devops/pipelines/apps/cd/deploy-webdeploy-webapps) instructions to set up your release pipeline and deploy to your application in Azure Government.

-You need at least one [agent](/azure/devops/pipelines/agents/agents) to run your deployments. By default, the build and deployment processes are configured to use the [hosted agents](/azure/devops/pipelines/agents/agents#microsoft-hosted-agents). Configuring a private agent would limit data sharing outside of Azure Government.

-**I use Team Foundation Server on premises. Can I configure CD on my server to target Azure Government?** <br/>

-Currently, Team Foundation Server can't be used to deploy to an Azure Government Cloud.

-description: This document provides a comparison of features and guidance on developing applications for Azure Government

-cloud: gov

-This article explains the baseline configuration of an App Service Environment (ASE) with an internal load balancer (ILB) for customers who use the DISA CAP to connect to Azure Government.

-The customer has deployed an ASE with an ILB and has implemented an ExpressRoute connection to the DISA Cloud Access Point (CAP).

-When creating the ASE via the portal, a route table with a default route of 0.0.0.0/0 and next hop ΓÇ£InternetΓÇ¥ is created.

-However, since DISA advertises a default route out the ExpressRoute circuit, the User Defined Route (UDR) should either be deleted, or remove the default route to internet.

-You will need to create new routes in the UDR for the management addresses in order to keep the ASE healthy. For Azure Government ranges, see [App Service Environment management addresses](../app-service/environment/management-addresses.md).

-The ASE will be created with inbound and outbound security rules as shown below. The inbound security rules MUST allow ports 454-455 with an ephemeral source port range (*).

-The images below describe the default NSG rules created during the ASE creation. For more information, see [Networking considerations for an App Service Environment](../app-service/environment/network-info.md#network-security-groups)

-

-

-### Service Endpoints

-Depending on the storage you use, you will be required to enable Service Endpoints for SQL and Azure Storage to access them without going back down to the DISA BCAP. You also need to enable EventHub Service Endpoint for ASE logs. [Learn more](../app-service/environment/network-info.md#service-endpoints).

-Some configuration changes may take some time to take effect. Allow for several hours for changes to routing, NSGs, ASE Health, etc. to propagate and take effect, or optionally you can reboot the ASE.

-## Resource manager template sample

-> In order to deploy non-RFC 1918 IP addresses in the portal you must pre-stage the VNet and Subnet for the ASE. You can use a Resource Manager Template to deploy the ASE with non-RFC1918 IPs as well.

-

-This template deploys an **ILB ASE** into the Azure Government or Azure DoD regions.

-[Azure Government overview](documentation-government-welcome.md)

-description: Not seeing data in Azure Application Insights? Try here.

-# Troubleshooting no data - Application Insights for .NET/.NET Core

-## Some of my telemetry is missing

-*In Application Insights, I only see a fraction of the events that are being generated by my app.*

-* If you're consistently seeing the same fraction, it's probably because of adaptive [sampling](../../azure-monitor/app/sampling.md). To confirm this, open Search (from the **Overview** in the portal on the left) and look at an instance of a Request or other event. To see the full property details, select the ellipsis (**...**) at the bottom of the **Properties** section. If Request Count > 1, sampling is in operation.

-* It's possible that you're hitting a [data rate limit](../service-limits.md#application-insights) for your pricing plan. These limits are applied per minute.

-*I'm randomly experiencing data loss.*

-* Check whether you're experiencing data loss at [Telemetry Channel](telemetry-channels.md#does-the-application-insights-channel-guarantee-telemetry-delivery-if-not-what-are-the-scenarios-in-which-telemetry-can-be-lost).

-* Check for any known issues in Telemetry Channel [GitHub repo](https://github.com/Microsoft/ApplicationInsights-dotnet/issues).

-*I'm experiencing data loss in Console App or on Web App when app is about to stop.*

-* SDK channel keeps telemetry in buffer, and sends them in batches. If the application is shutting down, you might need to explicitly call [Flush()](api-custom-events-metrics.md#flushing-data). Behavior of `Flush()` depends on the actual [channel](telemetry-channels.md#built-in-telemetry-channels) used.

-* Per [.NET Core/.NET Framework Console application](worker-service.md#net-corenet-framework-console-application), explicitly calling Flush() followed by sleep is required in Console Apps.

-## Request count collected by Application Insights SDK doesn't match the IIS log count for my application

-Internet Information Services (IIS) logs counts of all request reaching IIS and inherently could differ from the total request reaching an application. Due to this behavior, it isn't guaranteed that the request count collected by the SDKs will match the total IIS log count.

-## No data from my server

-* I installed my app on my web server, and now I don't see any telemetry from it. It worked OK on my dev machine.*

-* A firewall issue is most likely the cause. [Set firewall exceptions for Application Insights to send data](../../azure-monitor/app/ip-addresses.md).

-*I [installed Azure Monitor Application Insights Agent](./status-monitor-v2-overview.md) on my web server to monitor existing apps. I don't see any results.*

-* See [Troubleshooting Status Monitor](./status-monitor-v2-troubleshoot.md).

-## <a id="SSL"></a>Check TLS/SSL client settings (ASP.NET)

-If you have an ASP.NET application hosted in Azure App Service or in IIS on a virtual machine, your application could fail to connect to the Snapshot Debugger service due to a missing SSL security protocol.

-[The Snapshot Debugger endpoint requires TLS version 1.2](snapshot-debugger-upgrade.md). The set of SSL security protocols is one of the quirks enabled by the httpRuntime targetFramework value in the system.web section of web.config.

-If the httpRuntime targetFramework is 4.5.2 or lower, then TLS 1.2 isn't included by default.

-> [!NOTE]

-> The httpRuntime targetFramework value is independent of the target framework used when building your application.

-To check the setting, open your web.config file and find the system.web section. Ensure that the `targetFramework` for `httpRuntime` is set to 4.6 or above.

- ```xml

- <system.web>

- ...

- <httpRuntime targetFramework="4.7.2" />

- ...

- </system.web>

- ```

-> [!NOTE]

-> Modifying the httpRuntime targetFramework value changes the runtime quirks applied to your application and can cause other, subtle behavior changes. Be sure to test your application thoroughly after making this change. For a full list of compatibility changes, see [Retargeting changes](/dotnet/framework/migration-guide/application-compatibility#retargeting-changes).

-> [!NOTE]

-> If the targetFramework is 4.7 or above then Windows determines the available protocols. In Azure App Service, TLS 1.2 is available. However, if you are using your own virtual machine, you may need to enable TLS 1.2 in the OS.

-## FileNotFoundException: "Could not load file or assembly Microsoft.AspNet TelemetryCorrelation"

-For more information on this error, see [GitHub issue 1610 ]

-(https://github.com/microsoft/ApplicationInsights-dotnet/issues/1610).

-When upgrading from SDKs older than (2.4), you need to make sure the following changes applied to `web.config` and `ApplicationInsights.config`:

-1. Two http modules instead of one. In `web.config`, you should have two http modules. Order is important for some scenarios:

- ``` xml

- <system.webServer>

- <modules>

- <add name="TelemetryCorrelationHttpModule" type="Microsoft.AspNet.TelemetryCorrelation.TelemetryCorrelationHttpModule, Microsoft.AspNet.TelemetryCorrelation" preCondition="integratedMode,managedHandler" />

- <add name="ApplicationInsightsHttpModule" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" preCondition="managedHandler" />

- </modules>

- </system.webServer>

- ```

-2. In `ApplicationInsights.config` in addition to `RequestTrackingTelemetryModule` you should have the following telemetry module:

- ``` xml

- <TelemetryModules>

- <Add Type="Microsoft.ApplicationInsights.Web.AspNetDiagnosticTelemetryModule, Microsoft.AI.Web"/>

- </TelemetryModules>

- ```

-***Failure to upgrade properly may lead to unexpected exceptions or telemetry not being collected.***

-## <a name="q01"></a>No 'Add Application Insights' option in Visual Studio

-*When I right-click an existing project in Solution Explorer, I don't see any Application Insights options.*

-* Not all types of .NET project are supported by the tools. Web and WCF projects are supported. For other project types such as desktop or service applications, you can still [add an Application Insights SDK to your project manually](./windows-desktop.md).

-* Make sure you have [Visual Studio 2013 Update 3 or later](/visualstudio/releasenotes/vs2013-update3-rtm-vs). It comes pre-installed with Developer Analytics tools, which provide the Application Insights SDK.

-* Select **Tools**, **Extensions and Updates** and check that **Developer Analytics Tools** is installed and enabled. If so, select **Updates** to see if there's an update available.

-* Open the New Project dialog and choose ASP.NET Web application. If you see the Application Insights option there, then the tools are installed. If not, try uninstalling and then reinstalling the Developer Analytics Tools.

-## <a name="q02"></a>Adding Application Insights failed

-*When I try to add Application Insights to an existing project, I see an error message.*

-Likely causes:

-* Communication with the Application Insights portal failed; or

-* There's a problem with your Azure account;

-* You only have [read access to the subscription or group where you were trying to create the new resource](./resources-roles-access-control.md).

-Fix:

-* Check that you provided sign-in credentials for the right Azure account.

-* In your browser, check that you have access to the [Azure portal](https://portal.azure.com). Open Settings and see if there's any restriction.

-* [Add Application Insights to your existing project](./asp-net.md): In Solution Explorer, right select your project and choose "Add Application Insights."

-## <a name="NuGetBuild"></a> "NuGet package(s) are missing" on my build server

-*Everything builds OK when I'm debugging on my development machine, but I get a NuGet error on the build server.*

-See [NuGet Package Restore](https://docs.nuget.org/Consume/Package-Restore)

-and [Automatic Package Restore](https://docs.nuget.org/Consume/package-restore/migrating-to-automatic-package-restore).

-## Missing menu command to open Application Insights from Visual Studio

-*When I right-click my project Solution Explorer, I don't see any Application Insights commands, or I don't see an Open Application Insights command.*

-Likely causes:

-* You created the Application Insights resource manually.

-* The project is of a type that isn't supported by the Application Insights tools.

-* The Developer Analytics tools are disabled in your Visual Studio.

-* Your Visual Studio is older than 2013 Update 3.

-Fix:

-* Make sure your Visual Studio version is 2013 update 3 or later.

-* Select **Tools**, **Extensions and Updates** and check that **Developer Analytics tools** is installed and enabled. If so, select **Updates** to see if there's an update available.

-* Right-click your project in Solution Explorer. If you see the command **Application Insights > Configure Application Insights**, use it to connect your project to the resource in the Application Insights service.

-Otherwise, your project type isn't directly supported by the Developer Analytics tools. To see your telemetry, sign in to the [Azure portal](https://portal.azure.com), choose Application Insights on the left navigation bar, and select your application.

-## 'Access denied' on opening Application Insights from Visual Studio

-*The 'Open Application Insights' menu command takes me to the Azure portal, but I get an 'access denied' error.*

-The Microsoft sign-in that you last used on your default browser doesn't have access to [the resource that was created when Application Insights was added to this app](./asp-net.md). There are two likely reasons:

-More than one Microsoft account - maybe a work and a personal Microsoft account? The sign-in that you last used on your default browser was for a different account than the one that has access to [add Application Insights to the project](./asp-net.md).

- * Fix: Select your name at top right of the browser window, and sign out. Then sign in with the account that has access. Then on the left navigation bar, select Application Insights and select your app.

-* Someone else added Application Insights to the project, and they forgot to give you [access to the resource group](./resources-roles-access-control.md) in which it was created.

- * Fix: If they used an organizational account, they can add you to the team; or they can grant you individual access to the resource group.

-## 'Asset not found' on opening Application Insights from Visual Studio

-*The 'Open Application Insights' menu command takes me to the Azure portal, but I get an 'asset not found' error.*

-Likely causes:

-* The Application Insights resource for your application has been deleted; or

-* The [connection string](./sdk-connection-string.md) was set or changed in ApplicationInsights.config by editing it directly, without updating the project file.

-The [connection string](./sdk-connection-string.md) in ApplicationInsights.config controls where the telemetry is sent. A line in the project file controls which resource is opened when you use the command in Visual Studio.

-Fix:

-* In Solution Explorer, right-click the project and choose Application Insights, Configure Application Insights. In the dialog, you can either choose to send telemetry to an existing resource, or create a new one. Or:

-* Open the resource directly. Sign in to [the Azure portal](https://portal.azure.com), select Application Insights on the left navigation bar, and then select your app.

-## Where do I find my telemetry?

-*I signed in to the [Microsoft Azure portal](https://portal.azure.com), and I'm looking at the Azure home dashboard. So where do I find my Application Insights data?*

-* On the left navigation bar, select Application Insights, then your app name. If you don't have any projects there, you need to [add or configure Application Insights in your web project](./asp-net.md).

- There you'll see some summary charts. You can select through them to see more detail.

-* In Visual Studio, while you're debugging your app, select the Application Insights button.

-## <a name="q03"></a> No server data (or no data at all)

-*I ran my app and then opened the Application Insights service in Microsoft Azure, but all the charts show 'Learn how to collect...' or 'Not configured.'* Or, *only Page View and user data, but no server data.*

-* Run your application in debug mode in Visual Studio (F5). Use the application so as to generate some telemetry. Check that you can see events logged in the Visual Studio output window.

- 

-* In the Application Insights portal, open [Diagnostic Search](./diagnostic-search.md). Data usually appears here first.

-* Select the Refresh button. The blade refreshes itself periodically, but you can also do it manually. The refresh interval is longer for larger time ranges.

-* Verify the [connection strings](./sdk-connection-string.md) match. On the main blade for your app in the Application Insights portal, in the **Essentials** drop-down, look at **Connection string**. Then, in your project in Visual Studio, open ApplicationInsights.config and find the `<ConnectionString>`. Check that the two strings are equal. If not:

- * In the portal, select Application Insights and look for the app resource with the right string; or

- * In Visual Studio Solution Explorer, right-click the project and choose Application Insights, Configure. Reset the app to send telemetry to the right resource.

- * If you can't find the matching strings, check that you're using the same sign-in credentials in Visual Studio as in to the portal.

-* In the [Microsoft Azure home dashboard](https://portal.azure.com), look at the Service Health map. If there are some alert indications, wait until they've returned to OK and then close and reopen your Application Insights application blade.

-* Check also [our status blog](https://techcommunity.microsoft.com/t5/azure-monitor-status/bg-p/AzureMonitorStatusBlog).

-* Did you write any code for the [server-side SDK](./api-custom-events-metrics.md) that might change the [connection string](./sdk-connection-string.md) in `TelemetryClient` instances or in `TelemetryContext`? Or did you write a [filter or sampling configuration](./api-filtering-sampling.md) that might be filtering out too much?

-* If you edited ApplicationInsights.config, carefully check the configuration of [TelemetryInitializers and TelemetryProcessors](./api-filtering-sampling.md). An incorrectly named type or parameter can cause the SDK to send no data.

-## <a name="q04"></a>No data on Page Views, Browsers, Usage

-*I see data in Server Response Time and Server Requests charts, but no data in Page View Load time, or in the Browser or Usage blades.*

-The data comes from scripts in the web pages.

-* If you added Application Insights to an existing web project, [you have to add the scripts by hand](./javascript.md).

-* Make sure Internet Explorer isn't displaying your site in Compatibility mode.

-* Use the browser's debug feature (F12 on some browsers, then choose Network) to verify that data is being sent to `dc.services.visualstudio.com`.

-## No dependency or exception data

-See [dependency telemetry](./asp-net-dependencies.md) and [exception telemetry](asp-net-exceptions.md).

-## No performance data

-Performance data (CPU, IO rate, and so on) is available for [Java web services](java-2x-collectd.md), [Windows desktop apps](./windows-desktop.md), [IIS web apps and services if you install Application Insights Agent](./status-monitor-v2-overview.md), and [Azure Cloud Services](./app-insights-overview.md). you'll find it under Settings, Servers.

-## No (server) data since I published the app to my server

-* Check that you copied all the Microsoft. ApplicationInsights DLLs to the server, together with Microsoft.Diagnostics.Instrumentation.Extensions.Intercept.dll

-* In your firewall, you might have to [open some TCP ports](./ip-addresses.md).

-* If you have to use a proxy to send out of your corporate network, set [defaultProxy](/previous-versions/dotnet/netframework-1.1/aa903360(v=vs.71)) in Web.config

-* Windows Server 2008: Make sure you've installed the following updates: [KB2468871](https://support.microsoft.com/kb/2468871), [KB2533523](https://support.microsoft.com/kb/2533523), [KB2600217](https://www.microsoft.com/download/details.aspx?id=28936).

-## I used to see data, but it has stopped

-* Have you hit your monthly quota of data points? Open the Settings/Quota and Pricing to find out. If so, you can upgrade your plan, or pay for more capacity. See the [pricing scheme](https://azure.microsoft.com/pricing/details/application-insights/).

-## I don't see all the data I'm expecting

-If your application sends considerable data and you're using the Application Insights SDK for ASP.NET version 2.0.0-beta3 or later, the [adaptive sampling](./sampling.md) feature may operate and send only a percentage of your telemetry.

-You can disable it, but doing so isn't recommended. Sampling is designed so that related telemetry is correctly transmitted, for diagnostic purposes.

-## Client IP address is 0.0.0.0

-On February 5 2018, we announced that we removed logging of the Client IP address. This recommendation doesn't affect Geo Location.

-> [!NOTE]

-> If you need the first 3 octets of the IP address, you can use a [telemetry initializer](./api-filtering-sampling.md#addmodify-properties-itelemetryinitializer) to add a custom attribute.

-> This does not affect data collected prior to February 5, 2018.

-## Wrong geographical data in user telemetry

-The city, region, and country dimensions are derived from IP addresses and aren't always accurate. These IP addresses are processed for location first and then changed to 0.0.0.0 to be stored.

-## Exception "method not found" on running in Azure Cloud Services

-Did you build for .NET [LTS](https://dotnet.microsoft.com/platform/support/policy/dotnet-core)? Earlier versions aren't automatically supported in Azure Cloud Services roles. [Install LTS on each role](../../cloud-services/cloud-services-dotnet-install-dotnet.md) before running your app.

-## Troubleshooting Logs

-Follow these instructions to capture troubleshooting logs for your framework.

-### .NET Framework

-> [!NOTE]

-> Starting in version 2.14, the [Microsoft.AspNet.ApplicationInsights.HostingStartup](https://www.nuget.org/packages/Microsoft.AspNet.ApplicationInsights.HostingStartup) package is no longer necessary, SDK logs are now collected with the [Microsoft.ApplicationInsights](https://www.nuget.org/packages/Microsoft.ApplicationInsights/) package. No additional package is required.

-1. Modify your applicationinsights.config file to include the following XML:

- ```xml

- <TelemetryModules>

- <Add Type="Microsoft.ApplicationInsights.Extensibility.Implementation.Tracing.FileDiagnosticsTelemetryModule, Microsoft.ApplicationInsights">

- <Severity>Verbose</Severity>

- <LogFileName>mylog.txt</LogFileName>

- <LogFilePath>C:\\SDKLOGS</LogFilePath>

- </Add>

- </TelemetryModules>

- ```

- Your application must have Write permissions to the configured location

-2. Restart process so that these new settings are picked up by SDK

-3. Revert these changes when you're finished.

-### .NET Core

-1. Install the [Application Insights SDK NuGet package for ASP.NET Core](https://nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore) package from NuGet. The version you install must match the current installed version of `Microsoft.ApplicationInsights`.

- The latest version of Microsoft.ApplicationInsights.AspNetCore is 2.14.0, and it refers to Microsoft.ApplicationInsights version 2.14.0. Hence the version of Microsoft.ApplicationInsights.AspNetCore to be installed should be 2.14.0.

-2. Modify `ConfigureServices` method in your `Startup.cs` class.:

- ```csharp

- services.AddSingleton<ITelemetryModule, FileDiagnosticsTelemetryModule>();

- services.ConfigureTelemetryModule<FileDiagnosticsTelemetryModule>( (module, options) => {

- module.LogFilePath = "C:\\SDKLOGS";

- module.LogFileName = "mylog.txt";

- module.Severity = "Verbose";

- } );

- ```

- Your application must have Write permissions to the configured location

-3. Restart process so that these new settings are picked up by SDK

-4. Revert these changes when you're finished.

-## <a name="PerfView"></a> Collect logs with PerfView

-[PerfView](https://github.com/Microsoft/perfview) is a free tool that helps isolate CPU, memory, and other issues.

-The Application Insights SDK log EventSource self-troubleshooting logs that can be captured by PerfView.

-To collect logs, download PerfView and run this command:

-```cmd

-PerfView.exe collect -MaxCollectSec:300 -NoGui /onlyProviders=*Microsoft-ApplicationInsights-Core,*Microsoft-ApplicationInsights-Data,*Microsoft-ApplicationInsights-WindowsServer-TelemetryChannel,*Microsoft-ApplicationInsights-Extensibility-AppMapCorrelation-Dependency,*Microsoft-ApplicationInsights-Extensibility-AppMapCorrelation-Web,*Microsoft-ApplicationInsights-Extensibility-DependencyCollector,*Microsoft-ApplicationInsights-Extensibility-HostingStartup,*Microsoft-ApplicationInsights-Extensibility-PerformanceCollector,*Microsoft-ApplicationInsights-Extensibility-EventCounterCollector,*Microsoft-ApplicationInsights-Extensibility-PerformanceCollector-QuickPulse,*Microsoft-ApplicationInsights-Extensibility-Web,*Microsoft-ApplicationInsights-Extensibility-WindowsServer,*Microsoft-ApplicationInsights-WindowsServer-Core,*Microsoft-ApplicationInsights-LoggerProvider,*Microsoft-ApplicationInsights-Extensibility-EventSourceListener,*Microsoft-ApplicationInsights-AspNetCore,*Redfield-Microsoft-ApplicationInsights-Core,*Redfield-Microsoft-ApplicationInsights-Data,*Redfield-Microsoft-ApplicationInsights-WindowsServer-TelemetryChannel,*Redfield-Microsoft-ApplicationInsights-Extensibility-AppMapCorrelation-Dependency,*Redfield-Microsoft-ApplicationInsights-Extensibility-AppMapCorrelation-Web,*Redfield-Microsoft-ApplicationInsights-Extensibility-DependencyCollector,*Redfield-Microsoft-ApplicationInsights-Extensibility-PerformanceCollector,*Redfield-Microsoft-ApplicationInsights-Extensibility-EventCounterCollector,*Redfield-Microsoft-ApplicationInsights-Extensibility-PerformanceCollector-QuickPulse,*Redfield-Microsoft-ApplicationInsights-Extensibility-Web,*Redfield-Microsoft-ApplicationInsights-Extensibility-WindowsServer,*Redfield-Microsoft-ApplicationInsights-LoggerProvider,*Redfield-Microsoft-ApplicationInsights-Extensibility-EventSourceListener,*Redfield-Microsoft-ApplicationInsights-AspNetCore

-```

-You can modify these parameters as needed:

-For more information,

-## Collect logs with dotnet-trace

-Alternatively, customers can also use a cross-platform .NET Core tool, [`dotnet-trace`](/dotnet/core/diagnostics/dotnet-trace) for collecting logs that can further help in troubleshooting. This tool may be helpful for linux-based environments.

-After installation of [`dotnet-trace`](/dotnet/core/diagnostics/dotnet-trace), execute the command below in bash.

-```bash

-dotnet-trace collect --process-id <PID> --providers Microsoft-ApplicationInsights-Core,Microsoft-ApplicationInsights-Data,Microsoft-ApplicationInsights-WindowsServer-TelemetryChannel,Microsoft-ApplicationInsights-Extensibility-AppMapCorrelation-Dependency,Microsoft-ApplicationInsights-Extensibility-AppMapCorrelation-Web,Microsoft-ApplicationInsights-Extensibility-DependencyCollector,Microsoft-ApplicationInsights-Extensibility-HostingStartup,Microsoft-ApplicationInsights-Extensibility-PerformanceCollector,Microsoft-ApplicationInsights-Extensibility-EventCounterCollector,Microsoft-ApplicationInsights-Extensibility-PerformanceCollector-QuickPulse,Microsoft-ApplicationInsights-Extensibility-Web,Microsoft-ApplicationInsights-Extensibility-WindowsServer,Microsoft-ApplicationInsights-WindowsServer-Core,Microsoft-ApplicationInsights-LoggerProvider,Microsoft-ApplicationInsights-Extensibility-EventSourceListener,Microsoft-ApplicationInsights-AspNetCore,Redfield-Microsoft-ApplicationInsights-Core,Redfield-Microsoft-ApplicationInsights-Data,Redfield-Microsoft-ApplicationInsights-WindowsServer-TelemetryChannel,Redfield-Microsoft-ApplicationInsights-Extensibility-AppMapCorrelation-Dependency,Redfield-Microsoft-ApplicationInsights-Extensibility-AppMapCorrelation-Web,Redfield-Microsoft-ApplicationInsights-Extensibility-DependencyCollector,Redfield-Microsoft-ApplicationInsights-Extensibility-PerformanceCollector,Redfield-Microsoft-ApplicationInsights-Extensibility-EventCounterCollector,Redfield-Microsoft-ApplicationInsights-Extensibility-PerformanceCollector-QuickPulse,Redfield-Microsoft-ApplicationInsights-Extensibility-Web,Redfield-Microsoft-ApplicationInsights-Extensibility-WindowsServer,Redfield-Microsoft-ApplicationInsights-LoggerProvider,Redfield-Microsoft-ApplicationInsights-Extensibility-EventSourceListener,Redfield-Microsoft-ApplicationInsights-AspNetCore

-```

-## How to remove Application Insights

-Learn how to remove Application Insights in Visual Studio by following the steps provide in the [remove Application Insights article](./remove-application-insights.md).

-## Still not working...

-* [Microsoft Q&A question page for Application Insights](/answers/topics/azure-monitor.html)

-* [Configure sampling](sampling.md) to help reduce telemetry traffic and data storage costs.

-See the dedicated [troubleshooting article](troubleshoot-availability.md).

-This persisted data is not encrypted locally. If this is a concern, review the data and restrict the collection of private data. (For more information, see [How to export and delete private data](../logs/personal-data-mgmt.md#how-to-export-and-delete-private-data).)

-To insure the security of data in transit to the Application Insights endpoints, we strongly encourage customers to configure their application to use at least Transport Layer Security (TLS) 1.2. Older versions of TLS/Secure Sockets Layer (SSL) have been found to be vulnerable and while they still currently work to allow backwards compatibility, they are **not recommended**, and the industry is quickly moving to abandon support for these older protocols.

-## Questions? Problems?

-[Troubleshooting Java](java-2x-troubleshoot.md)

-description: Troubleshooting guide - monitoring live Java apps with Application Insights.

-# Troubleshooting and Q and A for Application Insights for Java SDK

-> [!CAUTION]

-> This document applies to Application Insights Java 2.x which is no longer recommended.

->

-> Documentation for the latest version can be found at [Application Insights Java 3.x](./java-in-process-agent.md).

-Questions or problems with [Azure Application Insights in Java][java]? Here are some tips.

-## Build errors

-**In Eclipse or Intellij Idea, when adding the Application Insights SDK via Maven or Gradle, I get build or checksum validation errors.**

-* If the dependency `<version>` element is using a pattern with wildcard characters (e.g. (Maven) `<version>[2.0,)</version>` or (Gradle) `version:'2.+'`), try specifying a specific version instead like `2.6.4`.

-## No data

-**I added Application Insights successfully and ran my app, but I've never seen data in the portal.**

-* Wait a minute and click Refresh. The charts refresh themselves periodically, but you can also refresh manually. The refresh interval depends on the time range of the chart.

-* Check that you have an instrumentation key defined in the ApplicationInsights.xml file (in the resources folder in your project) or configured as Environment variable.

-* Verify that there is no `<DisableTelemetry>true</DisableTelemetry>` node in the xml file.

-* In your firewall, you might have to open TCP ports 80 and 443 for outgoing traffic to dc.services.visualstudio.com. See the [full list of firewall exceptions](./ip-addresses.md)

-* In the Microsoft Azure start board, look at the service status map. If there are some alert indications, wait until they have returned to OK and then close and re-open your Application Insights application blade.

-* [Turn on logging](#debug-data-from-the-sdk) by adding an `<SDKLogger />` element under the root node in the ApplicationInsights.xml file (in the resources folder in your project), and check for entries prefaced with AI: INFO/WARN/ERROR for any suspicious logs.

-* Make sure that the correct ApplicationInsights.xml file has been successfully loaded by the Java SDK, by looking at the console's output messages for a "Configuration file has been successfully found" statement.

-* If the config file is not found, check the output messages to see where the config file is being searched for, and make sure that the ApplicationInsights.xml is located in one of those search locations. As a rule of thumb, you can place the config file near the Application Insights SDK JARs. For example: in Tomcat, this would mean the WEB-INF/classes folder. During development you can place ApplicationInsights.xml in resources folder of your web project.

-* Please also look at [GitHub issues page](https://github.com/microsoft/ApplicationInsights-Java/issues) for known issues with the SDK.

-* Please ensure to use same version of Application Insights core, web, agent and logging appenders to avoid any version conflict issues.

-#### I used to see data, but it has stopped

-* Have you hit your monthly quota of data points? Open Settings/Quota and Pricing to find out. If so, you can upgrade your plan, or pay for additional capacity. See the [pricing scheme](https://azure.microsoft.com/pricing/details/application-insights/).

-* Have you recently upgraded your SDK? Please ensure that only Unique SDK jars are present inside the project directory. There should not be two different versions of SDK present.

-* Are you looking at the correct AI resource? Please match the iKey of your application to the resource where you are expecting telemetry. They should be the same.

-#### I don't see all the data I'm expecting

-* Open the Usage and estimated cost page and check whether [sampling](./sampling.md) is in operation. (100% transmission means that sampling isn't in operation.) The Application Insights service can be set to accept only a fraction of the telemetry that arrives from your app. This helps you keep within your monthly quota of telemetry.

-* Do you have SDK Sampling turned on? If yes, data would be sampled at the rate specified for all the applicable types.

-* Are you running an older version of Java SDK? Starting with version 2.0.1, we have introduced fault tolerance mechanism to handle intermittent network and backend failures as well as data persistence on local drives.

-* Are you getting throttled due to excessive telemetry? If you turn on INFO logging, you will see a log message "App is throttled". Our current limit is 32k telemetry items/second.

-### Java Agent cannot capture dependency data

-* Have you configured Java agent by following [Configure Java Agent](java-2x-agent.md) ?

-* Make sure both the Java agent jar and the AI-Agent.xml file are placed in the same folder.

-* Make sure that the dependency you are trying to auto-collect is supported for auto collection. Currently we only support MySQL, MsSQL, Oracle DB and Azure Cache for Redis dependency collection.

-## No usage data

-**I see data about requests and response times, but no page view, browser, or user data.**

-You successfully set up your app to send telemetry from the server. Now your next step is to [set up your web pages to send telemetry from the web browser][usage].

-Alternatively, if your client is an app in a [phone or other device][platforms], you can send telemetry from there.

-Use the same instrumentation key to set up both your client and server telemetry. The data will appear in the same Application Insights resource, and you'll be able to correlate events from client and server.

-## Disabling telemetry

-**How can I disable telemetry collection?**

-In code:

-```Java

- TelemetryConfiguration config = TelemetryConfiguration.getActive();

- config.setTrackingIsDisabled(true);

-```

-**Or**

-Update ApplicationInsights.xml (in the resources folder in your project). Add the following under the root node:

-```xml

- <DisableTelemetry>true</DisableTelemetry>

-```

-Using the XML method, you have to restart the application when you change the value.

-## Changing the target

-**How can I change which Azure resource my project sends data to?**

-* [Get the instrumentation key of the new resource.][java]

-* If you added Application Insights to your project using the Azure Toolkit for Eclipse, right click your web project, select **Azure**, **Configure Application Insights**, and change the key.

-* If you had configured the Instrumentation Key as environment variable please update the value of the environment variable with new iKey.

-* Otherwise, update the key in ApplicationInsights.xml in the resources folder in your project.

-## Debug data from the SDK

-**How can I find out what the SDK is doing?**

-To get more information about what's happening in the API, add `<SDKLogger/>` under the root node of the ApplicationInsights.xml configuration file.

-### ApplicationInsights.xml

-You can also instruct the logger to output to a file:

-```xml

- <SDKLogger type="FILE"><!-- or "CONSOLE" to print to stderr -->

- <Level>TRACE</Level>

- <UniquePrefix>AI</UniquePrefix>

- <BaseFolderPath>C:/agent/AISDK</BaseFolderPath>

-</SDKLogger>

-```

-### Spring Boot Starter

-To enable SDK logging with Spring Boot Apps using the Application Insights Spring Boot Starter, add the following to the `application.properties` file:

-```yaml

-azure.application-insights.logger.type=file

-azure.application-insights.logger.base-folder-path=C:/agent/AISDK

-azure.application-insights.logger.level=trace

-```

-or to print to standard error:

-```yaml

-azure.application-insights.logger.type=console

-azure.application-insights.logger.level=trace

-```

-### Java Agent

-To enable JVM Agent Logging update the [AI-Agent.xml file](java-2x-agent.md):

-```xml

-<AgentLogger type="FILE"><!-- or "CONSOLE" to print to stderr -->

- <Level>TRACE</Level>

- <UniquePrefix>AI</UniquePrefix>

- <BaseFolderPath>C:/agent/AIAGENT</BaseFolderPath>

-</AgentLogger>

-```

-### Java Command Line Properties

-_Since version 2.4.0_

-To enable logging using command line options, without changing configuration files:

-```

-java -Dapplicationinsights.logger.file.level=trace -Dapplicationinsights.logger.file.uniquePrefix=AI -Dapplicationinsights.logger.baseFolderPath="C:/my/log/dir" -jar MyApp.jar

-```

-or to print to standard error:

-```

-java -Dapplicationinsights.logger.console.level=trace -jar MyApp.jar

-```

-## The Azure start screen

-**I'm looking at [the Azure portal](https://portal.azure.com). Does the map tell me something about my app?**

-No, it shows the health of Azure servers around the world.

-*From the Azure start board (home screen), how do I find data about my app?*

-Assuming you [set up your app for Application Insights][java], click Browse, select Application Insights, and select the app resource you created for your app. To get there faster in future, you can pin your app to the start board.

-## Intranet servers

-**Can I monitor a server on my intranet?**

-Yes, provided your server can send telemetry to the Application Insights portal through the public internet.

-You may need to [open some outgoing ports in your server's firewall](./ip-addresses.md#outgoing-ports)

-to allow the SDK to send data to the portal.

-## Data retention

-**How long is data retained in the portal? Is it secure?**

-See [Data retention and privacy][data].

-## Debug logging

-Application Insights uses `org.apache.http`. This is relocated within Application Insights core jars under the namespace `com.microsoft.applicationinsights.core.dependencies.http`. This enables Application Insights to handle scenarios where different versions of the same `org.apache.http` exist in one code base.

->[!NOTE]

->If you enable DEBUG level logging for all namespaces in the app, it will be honored by all executing modules including `org.apache.http` renamed as `com.microsoft.applicationinsights.core.dependencies.http`. Application Insights will not be able to apply filtering for these calls because the log call is being made by the Apache library. DEBUG level logging produce a considerable amount of log data and is not recommended for live production instances.

-## Next steps

-**I set up Application Insights for my Java server app. What else can I do?**

-* [Monitor availability of your web pages][availability]

-* [Monitor web page usage][usage]

-* [Track usage and diagnose issues in your device apps][platforms]

-* [Write code to track usage of your app][track]

-* [Capture diagnostic logs][javalogs]

-## Get help

-* [Stack Overflow](https://stackoverflow.com/questions/tagged/ms-application-insights)

-* [File an issue on GitHub](https://github.com/microsoft/ApplicationInsights-Java/issues)

-<!--Link references-->

-[availability]: ./monitor-web-app-availability.md

-[data]: ./data-retention-privacy.md

-[java]: java-2x-get-started.md

-[javalogs]: java-2x-trace-logs.md

-[platforms]: ./platforms.md

-[track]: ./api-custom-events-metrics.md

-[usage]: javascript.md

-For help with troubleshooting, see [Troubleshooting](java-standalone-troubleshoot.md).

-description: Learn how to troubleshoot the Java agent for Azure Monitor Application Insights

-# Troubleshooting guide: Azure Monitor Application Insights for Java

-In this article, we cover some of the common issues that you might face while instrumenting a Java application by using the Java agent for Application Insights. We also cover the steps to resolve these issues. Application Insights is a feature of the Azure Monitor platform service.

-## Check the self-diagnostic log file

-By default, Application Insights Java 3.x produces a log file named `applicationinsights.log` in the same directory

-that holds the `applicationinsights-agent-3.3.0.jar` file.

-This log file is the first place to check for hints to any issues you might be experiencing.

-If no log file is generated, check that your Java application has write permission to the directory that holds the

-`applicationinsights-agent-3.3.0.jar` file.

-If still no log file is generated, check the stdout log from your Java application. Application Insights Java 3.x

-should log any errors to stdout that would prevent it from logging to its normal location.

-## JVM fails to start

-If the JVM fails to start with "Error opening zip file or JAR manifest missing",

-try re-downloading the agent jar file because it may have been corrupted during file transfer.

-## Upgrade from the Application Insights Java 2.x SDK

-If you're already using the Application Insights Java 2.x SDK in your application, you can keep using it.

-The Application Insights Java 3.x agent will detect it,

-and capture and correlate any custom telemetry you're sending via the 2.x SDK,

-while suppressing any auto-collection performed by the 2.x SDK to prevent duplicate telemetry.

-For more information, see [Upgrade from the Java 2.x SDK](./java-standalone-upgrade-from-2x.md).

-## Upgrade from Application Insights Java 3.0 Preview

-If you're upgrading from the Java 3.0 Preview agent, review all of the [configuration options](./java-standalone-config.md) carefully. The JSON structure has completely changed in the 3.0 general availability (GA) release.

-These changes include:

-## Some logging is not auto-collected

-Logging is only captured if it first meets the level that is configured for the logging framework,

-and second, also meets the level that is configured for Application Insights.

-For example, if your logging framework is configured to log `WARN` (and above) from package `com.example`,

-and Application Insights is configured to capture `INFO` (and above),

-then Application Insights will only capture `WARN` (and above) from package `com.example`.

-The best way to know if a particular logging statement meets the logging frameworks' configured threshold

-is to confirm that it is showing up in your normal application log (e.g. file or console).

-Also note that if an exception object is passed to the logger, then the log message (and exception object details)

-will show up in the Azure portal under the `exceptions` table instead of the `traces` table.

-See the [auto-collected logging configuration](./java-standalone-config.md#auto-collected-logging) for more details.

-## Import SSL certificates

-This section helps you to troubleshoot and possibly fix the exceptions related to SSL certificates when using the Java agent.

-There are two different paths below for resolving this issue:

-* If using a default Java keystore

-* If using a custom Java keystore

-If you aren't sure which path to follow, check to see if you have a JVM arg `-Djavax.net.ssl.trustStore=...`.

-If you _don't_ have such a JVM arg, then you are probably using the default Java keystore.

-If you _do_ have such a JVM arg, then you are probably using a custom keystore,

-and the JVM arg will point you to your custom keystore.

-### If using the default Java keystore:

-Typically the default Java keystore will already have all of the CA root certificates. However there might be some exceptions, such as the ingestion endpoint certificate might be signed by a different root certificate. So we recommend the following three steps to resolve this issue:

-1. Check if the SSL certificate that was used to sign the Application Insights endpoint is already present in the default keystore. The trusted CA certificates, by default, are stored in `$JAVA_HOME/jre/lib/security/cacerts`. To list certificates in a Java keystore use the following command:

- > `keytool -list -v -keystore $PATH_TO_KEYSTORE_FILE`

-

- You can redirect the output to a temp file like this (will be easy to search later)

- > `keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts > temp.txt`

-2. Once you have the list of certificates, follow these [steps](#steps-to-download-ssl-certificate) to download the SSL certificate that was used to sign the Application Insights endpoint.

- Once you have the certificate downloaded, generate an SHA-1 hash on the certificate using the below command:

- > `keytool -printcert -v -file "your_downloaded_ssl_certificate.cer"`

-

- Copy the SHA-1 value and check if this value is present in "temp.txt" file you saved previously. If you are not able to find the SHA-1 value in the temp file, it indicates that the downloaded SSL cert is missing in default Java keystore.

-3. Import the SSL certificate to the default Java keystore using the following command:

- > `keytool -import -file "the cert file" -alias "some meaningful name" -keystore "path to cacerts file"`

-

- In this case it will be

-

- > `keytool -import -file "your downloaded ssl cert file" -alias "some meaningful name" $JAVA_HOME/jre/lib/security/cacerts`

-### If using a custom Java keystore:

-If you are using a custom Java keystore, you may need to import the Application Insights endpoint(s) SSL certificate(s) into it.

-We recommend the following two steps to resolve this issue:

-1. Follow these [steps](#steps-to-download-ssl-certificate) to download the SSL certificate from the Application Insights endpoint.

-2. Use the following command to import the SSL certificate to the custom Java keystore:

- > `keytool -importcert -alias your_ssl_certificate -file "your downloaded SSL certificate name.cer" -keystore "Your KeyStore name" -storepass "Your keystore password" -noprompt`

-### Steps to download SSL certificate

-1. Open your favorite browser and go to the URL from which you want to download the SSL certificate.

-2. Select the **View site information** (lock) icon in the browser, and then select the **Certificate** option.

- :::image type="content" source="media/java-ipa/troubleshooting/certificate-icon-capture.png" alt-text="Screenshot of the Certificate option in site information." lightbox="media/java-ipa/troubleshooting/certificate-icon-capture.png":::

-3. Later, you have to click on the "Certificate Path" -> Select the root Certificate -> Click on 'View Certificate'. This will pop up a new certificate menu and you can download the certificate, from the new menu.

- :::image type="content" source="media/java-ipa/troubleshooting/root-certificate.png" alt-text="Screenshot of how to select the root certificate." lightbox="media/java-ipa/troubleshooting/root-certificate.png":::

-4. Go to the **Details** tab and select **Copy to file**.

-5. Select the **Next** button, select **Base-64 encoded X.509 (.CER)** format, and then select **Next** again.

- :::image type="content" source="media/java-ipa/troubleshooting/certificate-export-wizard.png" alt-text="Screenshot of the Certificate Export Wizard, with a format selected." lightbox="media/java-ipa/troubleshooting/certificate-export-wizard.png":::

-6. Specify the file where you want to save the SSL certificate. Then select **Next** > **Finish**. You should see a "The export was successful" message.

-> [!WARNING]

-> You'll need to repeat these steps to get the new certificate before the current certificate expires. You can find the expiration information on the **Details** tab of the **Certificate** dialog box.

->

-> :::image type="content" source="media/java-ipa/troubleshooting/certificate-details.png" alt-text="Screenshot that shows SSL certificate details." lightbox="media/java-ipa/troubleshooting/certificate-details.png":::

-## Understanding UnknownHostException

-If you see this exception after upgrading to Java agent version greater than 3.2.0, upgrading your network to resolve the new endpoint shown in the exception might resolve the exception. The reason for the difference between Application Insights versions is that versions greater than 3.2.0 point to the new ingestion endpoint `v2.1/track` compared to the older `v2/track`. The new ingestion endpoint automatically redirects you to the ingestion endpoint (new endpoint shown in exception) nearest to the storage for your Application Insights resource.

-## Missing cipher suites

-If the Application Insights Java agent detects that you do not have any of the cipher suites that are supported by the endpoints it connects to, it will alert you and link you here.

-### Background on cipher suites:

-Cipher suites come into play before a client application and server exchange information over an SSL/TLS connection. The client application initiates an SSL handshake. Part of that process involves notifying the server which cipher suites it supports. The server receives that information and compares the cipher suites supported by the client application with the algorithms it supports. If it finds a match, the server notifies the client application and a secure connection is established. If it does not find a match, the server refuses the connection.

-#### How to determine client side cipher suites:

-In this case, the client is the JVM on which your instrumented application is running. Starting from 3.2.5, Application Insights Java will log a warning message if missing cipher suites could be causing connection failures to one of the service endpoints.

-If using an earlier version of Application Insights Java, compile and run the following Java program to get the list of supported cipher suites in your JVM:

-```

-import javax.net.ssl.SSLServerSocketFactory;

-public class Ciphers {

- public static void main(String[] args) {

- SSLServerSocketFactory ssf = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();

- String[] defaultCiphers = ssf.getDefaultCipherSuites();

- System.out.println("Default\tCipher");

- for (int i = 0; i < defaultCiphers.length; ++i) {

- System.out.print('*');

- System.out.print('\t');

- System.out.println(defaultCiphers[i]);

- }

- }

-}

-```

-Following are the cipher suites that are generally supported by the Application Insights endpoints:

-#### How to determine server side cipher suites:

-In this case, the server side is the Application Insights ingestion endpoint or the Application Insights Live metrics endpoint. You can use an online tool like [SSLLABS](https://www.ssllabs.com/ssltest/analyze.html) to determine the expected cipher suites based on the endpoint url.

-#### How to add the missing cipher suites:

-If using Java 9 or later, please check if the JVM has `jdk.crypto.cryptoki` module included in the jmods folder. Also if you are building a custom Java runtime using `jlink` please make sure to include the same module.

-Otherwise, these cipher suites should already be part of modern Java 8+ distributions,

-so it is recommended to check where you installed your Java distribution from, and investigate why the security

-providers in that Java distribution's `java.security` configuration file differ from standard Java distributions.

-description: The known issues of Application Insights Agent and troubleshooting examples. Monitor website performance without redeploying the website. Works with ASP.NET web apps hosted on-premises, in VMs, or on Azure.

-# Troubleshooting Application Insights Agent (formerly named Status Monitor v2)

-When you enable monitoring, you might experience issues that prevent data collection.

-This article lists all known issues and provides troubleshooting examples.

-## Known issues

-### Conflicting DLLs in an app's bin directory

-If any of these DLLs are present in the bin directory, monitoring might fail:

-Some of these DLLs are included in the Visual Studio default app templates, even if your app doesn't use them.

-You can use troubleshooting tools to see symptomatic behavior:

- ```

- ThreadID="7,500"

- ProcessorNumber="0"

- msg="Found 'System.Diagnostics.DiagnosticSource, Version=4.0.2.1, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51' assembly, skipping attaching redfield binaries"

- ExtVer="2.8.13.5972"

- SubscriptionId=""

- AppName=""

- FormattedMessage="Found 'System.Diagnostics.DiagnosticSource, Version=4.0.2.1, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51' assembly, skipping attaching redfield binaries"

- ```

- ```

- .\handle64.exe -p w3wp | findstr /I "InstrumentationEngine AI. ApplicationInsights"

- E54: File (R-D) C:\Program Files\WindowsPowerShell\Modules\Az.ApplicationMonitor\content\Runtime\Microsoft.ApplicationInsights.RedfieldIISModule.dll

- .\Listdlls64.exe w3wp | findstr /I "InstrumentationEngine AI ApplicationInsights"

- 0x0000000009be0000 0x127000 C:\Program Files\WindowsPowerShell\Modules\Az.ApplicationMonitor\content\Instrumentation64\MicrosoftInstrumentationEngine_x64.dll

- 0x0000000009b90000 0x4f000 C:\Program Files\WindowsPowerShell\Modules\Az.ApplicationMonitor\content\Instrumentation64\Microsoft.ApplicationInsights.ExtensionsHost_x64.dll

- 0x0000000004d20000 0xb2000 C:\Program Files\WindowsPowerShell\Modules\Az.ApplicationMonitor\content\Instrumentation64\Microsoft.ApplicationInsights.Extensions.Base_x64.dll

- ```

-### PowerShell Versions

-This product was written and tested using PowerShell v5.1.

-This module isn't compatible with PowerShell versions 6 or 7.

-We recommend using PowerShell v5.1 alongside newer versions.

-For more information, see [Using PowerShell 7 side by side with PowerShell 5.1](/powershell/scripting/install/migrating-from-windows-powershell-51-to-powershell-7#using-powershell-7-side-by-side-with-windows-powershell-51).

-### Conflict with IIS shared configuration

-If you have a cluster of web servers, you might be using a [shared configuration](/iis/web-hosting/configuring-servers-in-the-windows-web-platform/shared-configuration_211).

-The HttpModule can't be injected into this shared configuration.

-Run the Enable command on each web server to install the DLL into each server's GAC.

-After you run the Enable command, complete these steps:

-1. Go to the shared configuration directory and find the applicationHost.config file.

-2. Add this line to the modules section of your configuration:

- ```

- <modules>

- <!-- Registered global managed http module handler. The 'Microsoft.AppInsights.IIS.ManagedHttpModuleHelper.dll' must be installed in the GAC before this config is applied. -->

- <add name="ManagedHttpModuleHelper" type="Microsoft.AppInsights.IIS.ManagedHttpModuleHelper.ManagedHttpModuleHelper, Microsoft.AppInsights.IIS.ManagedHttpModuleHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler,runtimeVersionv4.0" />

- </modules>

- ```

-### IIS Nested Applications

-We don't instrument nested applications in IIS in version 1.0.

-### Advanced SDK Configuration isn't available.

-The SDK configuration isn't exposed to the end user in version 1.0.

-

-

-## Troubleshooting

-

-### Troubleshooting PowerShell

-#### Determine which modules are available

-You can use the `Get-Module -ListAvailable` command to determine which modules are installed.

-#### Import a module into the current session

-If a module hasn't been loaded into a PowerShell session, you can manually load it by using the `Import-Module <path to psd1>` command.

-### Troubleshooting the Application Insights Agent module

-#### List the commands available in the Application Insights Agent module

-Run the command `Get-Command -Module Az.ApplicationMonitor` to get the available commands:

-```

-CommandType Name Version Source

-Cmdlet Disable-ApplicationInsightsMonitoring 0.4.0 Az.ApplicationMonitor

-Cmdlet Disable-InstrumentationEngine 0.4.0 Az.ApplicationMonitor

-Cmdlet Enable-ApplicationInsightsMonitoring 0.4.0 Az.ApplicationMonitor

-Cmdlet Enable-InstrumentationEngine 0.4.0 Az.ApplicationMonitor

-Cmdlet Get-ApplicationInsightsMonitoringConfig 0.4.0 Az.ApplicationMonitor

-Cmdlet Get-ApplicationInsightsMonitoringStatus 0.4.0 Az.ApplicationMonitor

-Cmdlet Set-ApplicationInsightsMonitoringConfig 0.4.0 Az.ApplicationMonitor

-Cmdlet Start-ApplicationInsightsMonitoringTrace 0.4.0 Az.ApplicationMonitor

-```

-#### Determine the current version of the Application Insights Agent module

-Run the `Get-ApplicationInsightsMonitoringStatus -PowerShellModule` command to display the following information about the module:

- - PowerShell module version

- - Application Insights SDK version

- - File paths of the PowerShell module

-

-Review the [API reference](status-monitor-v2-api-reference.md) for a detailed description of how to use this cmdlet.

-### Troubleshooting running processes

-You can inspect the processes on the instrumented computer to determine if all DLLs are loaded and environment variables are set.

-If monitoring is working, at least 12 DLLs should be loaded.

-* Use the `Get-ApplicationInsightsMonitoringStatus -InspectProcess` command to check the DLLs.

-* Use the `(Get-Process -id {PID}).StartInfo.EnvironmentVariables` command to check the environment variables. Following are the environment varibles set in the worker process or dotnet core process:

-```

-COR_ENABLE_PROFILING=1

-COR_PROFILER={324F817A-7420-4E6D-B3C1-143FBED6D855}

-COR_PROFILER_PATH_32=Path to MicrosoftInstrumentationEngine_x86.dll

-COR_PROFILER_PATH_64=Path to MicrosoftInstrumentationEngine_x64.dll

-MicrosoftInstrumentationEngine_Host={CA487940-57D2-10BF-11B2-A3AD5A13CBC0}

-MicrosoftInstrumentationEngine_HostPath_32=Path to Microsoft.ApplicationInsights.ExtensionsHost_x86.dll

-MicrosoftInstrumentationEngine_HostPath_64=Path to Microsoft.ApplicationInsights.ExtensionsHost_x64.dll

-MicrosoftInstrumentationEngine_ConfigPath32_Private=Path to Microsoft.InstrumentationEngine.Extensions.config

-MicrosoftInstrumentationEngine_ConfigPath64_Private=Path to Microsoft.InstrumentationEngine.Extensions.config

-MicrosoftAppInsights_ManagedHttpModulePath=Path to Microsoft.ApplicationInsights.RedfieldIISModule.dll

-MicrosoftAppInsights_ManagedHttpModuleType=Microsoft.ApplicationInsights.RedfieldIISModule.RedfieldIISModule

-ASPNETCORE_HOSTINGSTARTUPASSEMBLIES=Microsoft.ApplicationInsights.StartupBootstrapper

-DOTNET_STARTUP_HOOKS=Path to Microsoft.ApplicationInsights.StartupHook.dll

-```

-Review the [API reference](status-monitor-v2-api-reference.md) for a detailed description of how to use this cmdlet.

-### Collect ETW logs by using PerfView

-#### Setup

-1. Download PerfView.exe and PerfView64.exe from [GitHub](https://github.com/Microsoft/perfview/releases).

-2. Start PerfView64.exe.

-3. Expand **Advanced Options**.

-4. Clear these check boxes:

- - **Zip**

- - **Merge**

- - **.NET Symbol Collection**

-5. Set these **Additional Providers**: `61f6ca3b-4b5f-5602-fa60-759a2a2d1fbd,323adc25-e39b-5c87-8658-2c1af1a92dc5,925fa42b-9ef6-5fa7-10b8-56449d7a2040,f7d60e07-e910-5aca-bdd2-9de45b46c560,7c739bb9-7861-412e-ba50-bf30d95eae36,252e28f4-43f9-5771-197a-e8c7e750a984,f9c04365-1d1f-5177-1cdc-a0b0554b6903`

-#### Collecting logs

-1. In a command console with Admin privileges, run the `iisreset /stop` command to turn off IIS and all web apps.

-2. In PerfView, select **Start Collection**.

-3. In a command console with Admin privileges, run the `iisreset /start` command to start IIS.

-4. Try to browse to your app.

-5. After your app is loaded, return to PerfView and select **Stop Collection**.

-## Next steps

-description: Troubleshoot web tests in Azure Application Insights. Get alerts if a website becomes unavailable or responds slowly.

-# Troubleshooting

-This article will help you to troubleshoot common issues that may occur when using availability monitoring.

-## Troubleshooting report steps for ping tests

-The Troubleshooting Report allows you to easily diagnose common problems that cause your **ping tests** to fail.

-

-1. On the availability tab of your Application Insights resource, select overall or one of the availability tests.

-2. Either select **Failed** then a test under "Drill into" on the left or select one of the points on the scatter plot.

-3. On the end-to-end transaction detail page, select an event then under "Troubleshooting report summary" select **[Go to step]** to see the troubleshooting report.

-> [!NOTE]

-> If the connection re-use step is present, then DNS resolution, connection establishment, and TLS transport steps will not be present.

-|Step | Error message | Possible cause |

-|--||-|

-| Connection reuse | n/a | Usually dependent on a previously established connection meaning the web test step is dependent. So there would be no DNS, connection or SSL step required. |

-| DNS resolution | The remote name could not be resolved: "your URL" | The DNS resolution process failed, most likely due to misconfigured DNS records or temporary DNS server failures. |

-| Connection establishment | A connection attempt failed because the connected party did not properly respond after a period of time. | In general, it means your server is not responding to the HTTP request. A common cause is that our test agents are being blocked by a firewall on your server. If you would like to test within an Azure Virtual Network, you should add the Availability service tag to your environment.|

-| TLS transport | The client and server cannot communicate because they do not possess a common algorithm.| Only TLS 1.0, 1.1, and 1.2 are supported. SSL is not supported. This step does not validate SSL certificates and only establishes a secure connection. This step will only shows up when an error occurs. |

-| Receiving response header | Unable to read data from the transport connection. The connection was closed. | Your server committed a protocol error in the response header. For example, connection closed by your server when the response is not fully. |

-| Receiving response body | Unable to read data from the transport connection: The connection was closed. | Your server committed a protocol error in response body. For example, Connection closed by your server when the response is not fully read or the chunk size is wrong in chunked response body. |

-| Redirect limit validation | This webpage has too many redirects. This loop will be terminated here since this request exceeded the limit for auto redirects. | There's a limit of 10 redirects per test. |

-| Status code validation | `200 - OK` does not match the expected status `400 - BadRequest`. | The returned status code that is counted as a success. 200 is the code that indicates that a normal web page has been returned. |

-| Content validation | The required text 'hello' did not appear in the response. | The string is not an exact case-sensitive match in the response, for example the string "Welcome!". It must be a plain string, without wildcard characters (for example an asterisk). If your page content changes you might have to update the string. Only English characters are supported with content match. |

-

-## Common troubleshooting questions

-### Site looks okay but I see test failures? Why is Application Insights alerting me?

- * Does your test have **Parse dependent requests** enabled? That results in a strict check on resources such as scripts, images etc. These types of failures may not be noticeable on a browser. Check all the images, scripts, style sheets, and any other files loaded by the page. If any of them fails, the test is reported as failed, even if the main HTML page loads without issue. To desensitize the test to such resource failures, simply uncheck the Parse Dependent Requests from the test configuration.

- * To reduce odds of noise from transient network blips etc., ensure Enable retries for test failures configuration is checked. You can also test from more locations and manage alert rule threshold accordingly to prevent location-specific issues causing undue alerts.

- * Click on any of the red dots from the Availability scatter plot experience experience, or any availability failure from the Search explorer to see the details of why we reported the failure. The test result, along with the correlated server-side telemetry (if enabled) should help understand why the test failed. Common causes of transient issues are network or connection issues.

- * Did the test time-out? We abort tests after 2 minutes. If your ping or multi-step test takes longer than 2 minutes, we will report it as a failure. Consider breaking the test into multiple ones that can complete in shorter durations.

- * Did all locations report failure, or only some of them? If only some reported failures, it may be due to network/CDN issues. Again, clicking on the red dots should help understand why the location reported failures.

-### I did not get an email when the alert triggered, or resolved or both?

-Check the alerts' action group configuration to confirm your email is directly listed, or a distribution list you are on is configured to receive notifications. If it is, then check the distribution list configuration to confirm it can receive external emails. Also check if your mail administrator may have any policies configured that may cause this issue.

-### I did not receive the webhook notification?

-Check to ensure the application receiving the webhook notification is available, and successfully processes the webhook requests. See [this](../alerts/alerts-log-webhook.md) for more information.

-### I am getting 403 Forbidden errors, what does this mean?

-This error indicates that you need to add firewall exceptions to allow the availability agents to test your target url. For a full list of agent IP addresses to allow, consult the [IP exception article](./ip-addresses.md#availability-tests).

-### Intermittent test failure with a protocol violation error?

-The error ("protocol violation..CR must be followed by LF") indicates an issue with the server (or dependencies). This happens when malformed headers are set in the response. It can be caused by load balancers or CDNs. Specifically, some headers might not be using CRLF to indicate end of line, which violates the HTTP specification and therefore fail validation at the .NET WebRequest level. Inspect the response to spot headers, which might be in violation.

-> [!NOTE]

-> The URL may not fail on browsers that have a relaxed validation of HTTP headers. See this blog post for a detailed explanation of this issue: http://mehdi.me/a-tale-of-debugging-the-linkedin-api-net-and-http-protocol-violations/

-### I don't see any related server-side telemetry to diagnose test failures?*

-If you have Application Insights set up for your server-side application, that may be because [sampling](./sampling.md) is in operation. Select a different availability result.

-### Can I call code from my web test?

-No. The steps of the test must be in the .webtest file. And you can't call other web tests or use loops. But there are several plug-ins that you might find helpful.

-### Is there a difference between "web tests" and "availability tests"?

-The two terms may be referenced interchangeably. Availability tests is a more generic term that includes the single URL ping tests in addition to the multi-step web tests.

-### I'd like to use availability tests on our internal server that runs behind a firewall.

- There are two possible solutions:

- * Configure your firewall to permit incoming requests from the [IP addresses

- of our web test agents](./ip-addresses.md).

- * Write your own code to periodically test your internal server. Run the code as a background process on a test server behind your firewall. Your test process can send its results to Application Insights by using [TrackAvailability()](/dotnet/api/microsoft.applicationinsights.telemetryclient.trackavailability) API in the core SDK package. This requires your test server to have outgoing access to the Application Insights ingestion endpoint, but that is a much smaller security risk than the alternative of permitting incoming requests. The results will appear in the availability web tests blades though the experience will be slightly simplified from what is available for tests created via the portal. Custom availability tests will also appear as availability results in Analytics, Search, and Metrics.

-### Uploading a multi-step web test fails

-Some reasons this might happen:

- * There's a size limit of 300 K.

- * Loops aren't supported.

- * References to other web tests aren't supported.

- * Data sources aren't supported.

-### My multi-step test doesn't complete

-There's a limit of 100 requests per test. Also, the test is stopped if it runs longer than two minutes.

-### How can I run a test with client certificates?

-This is currently not supported.

-## Next steps

-* [Multi-step web testing](availability-multistep.md)

-* [URL ping tests](monitor-web-app-availability.md)

-description: Troubleshooting guide - analyzing site and app usage with Application Insights.

-# Troubleshoot user behavior analytics tools in Application Insights

-Have questions about the [user behavior analytics tools in Application Insights](usage-overview.md): [Users, Sessions, Events](usage-segmentation.md), [Funnels](usage-funnels.md), [User Flows](usage-flows.md), [Retention](usage-retention.md), or Cohorts? Here are some answers.

-## Counting Users

-**The user behavior analytics tools show that my app has one user/session, but I know my app has many users/sessions. How can I fix these incorrect counts?**

-All telemetry events in Application Insights have an [anonymous user ID](./data-model-context.md#anonymous-user-id) and a [session ID](./data-model-context.md#session-id) as two of their standard properties. By default, all of the usage analytics tools count users and sessions based on these IDs. If these standard properties aren't being populated with unique IDs for each user and session of your app, you'll see an incorrect count of users and sessions in the usage analytics tools.

-If you're monitoring a web app, the easiest solution is to add the [Application Insights JavaScript SDK](./javascript.md) to your app, and make sure the script snippet is loaded on each page you want to monitor. The JavaScript SDK automatically generates anonymous user and session IDs, then populates telemetry events with these IDs as they're sent from your app.

-If you're monitoring a web service (no user interface), [create a telemetry initializer that populates the anonymous user ID and session ID properties](./usage-overview.md) according to your service's notions of unique users and sessions.

-If your app is sending [authenticated user IDs](./api-custom-events-metrics.md#authenticated-users), you can count based on authenticated user IDs in the Users tool. In the "Show" dropdown, choose "Authenticated users."

-The user behavior analytics tools don't currently support counting users or sessions based on properties other than anonymous user ID, authenticated user ID, or session ID.

-## Naming Events

-**My app has thousands of different page view and custom event names. It's hard to distinguish between them, and the user behavior analytics tools often become unresponsive. How can I fix these naming issues?**

-Page view and custom event names are used throughout the user behavior analytics tools. Naming events well is critical to getting value from these tools. The goal is a balance between having too few, overly generic names ("Button clicked") and having too many, overly specific names ("Edit button clicked on http:\//www.contoso.com/index").

-To make any changes to the page view and custom event names your app is sending, you need to change your app's source code and redeploy. **All telemetry data in Application Insights is stored for 90 days and cannot be deleted**, so changes you make to event names will take 90 days to fully manifest. For the 90 days after making name changes, both the old and new event names will show up in your telemetry, so adjust queries and communicate within your teams, accordingly.

-If your app is sending too many page view names, check whether these page view names are specified manually in code or if they're being sent automatically by the Application Insights JavaScript SDK:

-* If the page view names are manually specified in code using the [`trackPageView` API](https://github.com/Microsoft/ApplicationInsights-JS/blob/master/API-reference.md), change the name to be less specific. Avoid common mistakes like putting the URL in the name of the page view. Instead, use the URL parameter of the `trackPageView` API. Move other details from the page view name into custom properties.

-* If the Application Insights JavaScript SDK is automatically sending page view names, you can either change your pages' titles or switch to manually sending page view names. The SDK sends the [title](https://developer.mozilla.org/docs/Web/HTML/Element/title) of each page as the page view name, by default. You could change your titles to be more general, but be mindful of SEO and other impacts this change could have. Manually specifying page view names with the `trackPageView` API overrides the automatically collected names, so you could send more general names in telemetry without changing page titles.

-If your app is sending too many custom event names, change the name in the code to be less specific. Again, avoid putting URLs and other per-page or dynamic information in the custom event names directly. Instead, move these details into custom properties of the custom event with the `trackEvent` API. For example, instead of `appInsights.trackEvent("Edit button clicked on http://www.contoso.com/index")`, we suggest something like `appInsights.trackEvent("Edit button clicked", { "Source URL": "http://www.contoso.com/index" })`.

-## Next steps

-* [User behavior analytics tools overview](usage-overview.md)

-## Get help

-* [Stack Overflow](https://stackoverflow.com/questions/tagged/ms-application-insights)

-description: Switch your ContainerLog table to the ContainerLogv2 schema

-# Enable ContainerLogV2 schema (preview)

-Azure Monitor Container Insights is now in Public Preview of new schema for container logs called ContainerLogV2. As part of this schema, there are new fields to make common queries to view AKS (Azure Kubernetes Service) and Azure Arc enabled Kubernetes data. In addition, this schema is compatible as a part of [Basic Logs](../logs/basic-logs-configure.md), which offer a low cost alternative to standard analytics logs.

-> [!NOTE]

-> The ContainerLogv2 schema is currently a preview feature, Container Insights does not yet support the "View in Analytics" option, however the data is still available when queried directly from the [Log Analytics](./container-insights-log-query.md) interface.

->[!NOTE]

->The new fields are:

->* ContainerName

->* PodName

->* PodNamespace

-## Enable ContainerLogV2 schema

-1. Customers can enable ContainerLogV2 schema at cluster level.

-2. To enable ContainerLogV2 schema, configure the cluster's configmap, Learn more about [configmap](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/) in Kubernetes documentation & [Azure Monitor configmap](./container-insights-agent-config.md#configmap-file-settings-overview).

-3. Follow the instructions accordingly when configuring an existing ConfigMap or using a new one.

-### Configuring an existing ConfigMap

-If your ConfigMap doesn't yet have the "[log_collection_settings.schema]" field, you'll need to append the following section in your existing ConfigMap yaml file:

- # In the absence of this configmap, default value for containerlog_schema_version is "v1"

-### Configuring a new ConfigMap

-1. Download the new ConfigMap from [here](https://aka.ms/container-azm-ms-agentconfig). For the newly downloaded configmapdefault, the value for containerlog_schema_version is "v1"

-1. Update the "containerlog_schema_version = "v2""

-```yaml

-[log_collection_settings.schema]

- # In the absence of this configmap, default value for containerlog_schema_version is "v1"

- # Supported values for this setting are "v1","v2"

- # See documentation at https://aka.ms/ContainerLogv2 for benefits of v2 schema over v1 schema before opting for "v2" schema

- containerlog_schema_version = "v2"

-```

-1. Once you have finished configuring the configmap, run the following kubectl command: kubectl apply -f `<configname>`

->[!TIP]

->Example: kubectl apply -f container-azm-ms-agentconfig.yaml.

->* The configuration change can take a few minutes to complete before taking effect, all omsagent pods in the cluster will restart.

->* The restart is a rolling restart for all omsagent pods, it will not restart all of them at the same time.

-* Configure [Basic Logs](../logs/basic-logs-configure.md) for ContainerLogv2

-description: View the Azure Activity log and send it to Azure Monitor Logs, Azure Event Hubs, and Azure Storage.

-# Azure Activity log

-The Activity log is a [platform log](./platform-logs-overview.md) in Azure that provides insight into subscription-level events. Activity log includes such information as when a resource is modified or when a virtual machine is started. You can view the Activity log in the Azure portal or retrieve entries with PowerShell and CLI. This article provides details on viewing the Activity log and sending it to different destinations.

-For more functionality, you should create a diagnostic setting to send the Activity log to one or more of these locations for the following reasons:

-See [Create diagnostic settings to send platform logs and metrics to different destinations](./diagnostic-settings.md) for details on creating a diagnostic setting.

-> Entries in the Activity Log are system generated and cannot be changed or deleted.

-## Retention Period

-Activity log events are retained in Azure for **90 days** and then deleted. There's no charge for entries during this time regardless of volume. For more functionality such as longer retention, you should create a diagnostic setting and route the entires to another location based on your needs. See the criteria in the earlier section of this article.

-## View the Activity log

-You can access the Activity log from most menus in the Azure portal. The menu that you open it from determines its initial filter. If you open it from the **Monitor** menu, then the only filter will be on the subscription. If you open it from a resource's menu, then the filter is set to that resource. You can always change the filter though to view all other entries. Select **Add Filter** to add more properties to the filter.

-

-For a description of Activity log categories see [Azure Activity Log event schema](activity-log-schema.md#categories).

-## Download the Activity log

-

-For some events, you can view the Change history, which shows what changes happened during that event time. Select an event from the Activity Log you want to look deeper into. Select the **Change history (Preview)** tab to view any associated changes with that event.

-

-If there are any associated changes with the event, you'll see a list of changes that you can select. This opens up the **Change history (Preview)** page. On this page, you see the changes to the resource. In the following example, you can see not only that the VM changed sizes, but what the previous VM size was before the change and what it was changed to. To learn more about change history, see [Get resource changes](../../governance/resource-graph/how-to/get-resource-changes.md).

-

-### Other methods to retrieve Activity log events

-You can also access Activity log events using the following methods:

- Send the Activity log to a Log Analytics workspace to enable the features of [Azure Monitor Logs](../logs/data-platform-logs.md) which includes the following:

- Select **Export Activity Logs**.

- 

-to send the Activity log to a Log Analytics workspace. You can send the Activity log from any single subscription to up to five workspaces.

-Activity log data in a Log Analytics workspace is stored in a table called *AzureActivity* that you can retrieve with a [log query](../logs/log-query-overview.md) in [Log Analytics](../logs/log-analytics-tutorial.md). The structure of this table varies depending on the [category of the log entry](activity-log-schema.md). For a description of the table properties, see the [Azure Monitor data reference](/azure/azure-monitor/reference/tables/azureactivity).

-For example, to view a count of Activity log records for each category, use the following query:

-Send the Activity Log to Azure Event Hubs to send entries outside of Azure, for example to a third-party SIEM or other log analytics solutions. Activity log events from Event Hubs are consumed in JSON format with a `records` element containing the records in each payload. The schema depends on the category and is described in [Schema from Storage Account and Event Hubs](activity-log-schema.md).

-Following is sample output data from Event Hubs for an Activity log:

-## Send to Azure storage

-Send the Activity Log to an Azure Storage Account if you want to retain your log data longer than 90 days for audit, static analysis, or backup. If you only must retain your events for 90 days or less you don't need to set up archival to a Storage Account, since Activity Log events are retained in the Azure platform for 90 days.

-When you send the Activity log to Azure, a storage container is created in the Storage Account as soon as an event occurs. The blobs in the container use the following naming convention:

-For example, a particular blob might have a name similar to the following:

-Each PT1H.json blob contains a JSON blob of events that occurred within the hour specified in the blob URL (for example, h=12). During the present hour, events are appended to the PT1H.json file as they occur. The minute value (m=00) is always 00, since resource log events are broken into individual blobs per hour.

-Each event is stored in the PT1H.json file with the following format that uses a common top-level schema but is otherwise unique for each category as described in [Activity log schema](activity-log-schema.md).

-This section describes legacy methods for collecting the Activity log that were used prior to diagnostic settings. If you're using these methods, you should consider transitioning to diagnostic settings that provide better functionality and consistency with resource logs.

-Log profiles are the legacy method for sending the Activity log to Azure storage or Event Hubs. Use the following procedure to continue working with a log profile or to disable it in preparation for migrating to a diagnostic setting.

-1. From the **Azure Monitor** menu in the Azure portal, select **Activity log**.

-3. Select **Export Activity Logs**.

- 

-4. Select the purple banner for the legacy experience.

- 

-### Configure log profile using PowerShell

-If a log profile already exists, you first must remove the existing log profile and then create new one.

-1. Use `Get-AzLogProfile` to identify if a log profile exists. If a log profile does exist, note the *name* property.

-1. Use `Remove-AzLogProfile` to remove the log profile using the value from the *name* property.

-3. Use `Add-AzLogProfile` to create a new log profile:

- | StorageAccountId |No |Resource ID of the Storage Account where the Activity Log should be saved. |

- | serviceBusRuleId |No |Service Bus Rule ID for the Service Bus namespace you would like to have Event Hubs created in. This is a string with the format: `{service bus resource ID}/authorizationrules/{key name}`. |

- | Location |Yes |Comma-separated list of regions for which you would like to collect Activity Log events. |

- | RetentionInDays |Yes |Number of days for which events should be retained in the Storage Account, from 1 through 365. A value of zero stores the logs indefinitely. |

- | Category |No |Comma-separated list of event categories that should be collected. Possible values are _Write_, _Delete_, and _Action_. |

-Following is a sample PowerShell script to create a log profile that writes the Activity Log to both a Storage Account and an Event Hub.

-### Configure log profile using Azure CLI

-2. Use `az monitor log-profiles delete --name "<log profile name>` to remove the log profile using the value from the *name* property.

-3. Use `az monitor log-profiles create` to create a log profile:

- | storage-account-id |Yes |Resource ID of the Storage Account to which Activity Logs should be saved. |

- | locations |Yes |Space-separated list of regions for which you would like to collect Activity Log events. You can view a list of all regions for your subscription using `az account list-locations --query [].name`. |

- | days |Yes |Number of days for which events should be retained, from 1 through 365. A value of zero will store the logs indefinitely (forever). If zero, then the enabled parameter should be set to false. |

- |enabled | Yes |True or False. Used to enable or disable the retention policy. If True, then the days parameter must be a value greater than 0.

-The legacy method for sending the Activity log into a Log Analytics workspace is connecting the sign in the workspace configuration.

-1. From the **Log Analytics workspaces** menu in the Azure portal, select the workspace to collect the Activity Log.

-1. In the **Workspace Data Sources** section of the workspace's menu, select **Azure Activity log**.

-1. Select the subscription that you want to connect.

- 

-2. Select **Connect** to connect the Activity sign in the subscription to the selected workspace. If the subscription is already connected to another workspace, select **Disconnect** first to disconnect it.

- 

-To disable the setting, perform the same procedure and select **Disconnect** to remove the subscription from the workspace.

-The Export activity logs experience, sends the same data as the legacy method used to send the Activity log with some changes to the structure of the *AzureActivity* table.

-The columns in the following table have been deprecated in the updated schema. They still exist in *AzureActivity* but they have no data. The replacements for these columns aren't new, but they contain the same data as the deprecated column. They are in a different format, so you might need to modify log queries that use them.

-|Activity Log JSON | Log Analytics column name<br/>*(older deprecated)* | New Log Analytics column name | Notes |

-|status<br/><br/>*values are (success, start, accept, failure)* |ActivityStatus <br/><br/>*values same as JSON* |ActivityStatusValue<br/><br/>*values change to (succeeded, started, accepted, failed)* |The valid values change as shown|

-|operationName | OperationName | OperationNameValue |REST API localizes operation name value. Log Analytics UI always shows English. |

-> In some cases, the values in these columns may be in all uppercase. If you have a query that includes these columns, you should use the [=~ operator](/azure/kusto/query/datatypes-string-operators) to do a case insensitive comparison.

-The following columns have been added to *AzureActivity* in the updated schema:

-Activity log insights let you view information about changes to resources and resource groups in a subscription. The dashboards also present data about which users or services performed activities in the subscription and the activities' status. This article explains how to view Activity log insights in the Azure portal.

-Before using Activity log insights, you'll have to [enable sending logs to your Log Analytics workspace](./diagnostic-settings.md).

-### How does Activity log insights work?

-Activity logs you send to a [Log Analytics workspace](../logs/log-analytics-workspace-overview.md) are stored in a table called AzureActivity.

-Activity log insights are a curated [Log Analytics workbook](../visualize/workbooks-overview.md) with dashboards that visualize the data in the AzureActivity table. For example, which administrators deleted, updated or created resources, and whether the activities failed or succeeded.

-### View Activity log insights - Resource group / Subscription level

-To view Activity log insights on a resource group or a subscription level:

-1. Select **Activity Logs Insights** in the **Insights** section.

- :::image type="content" source="media/activity-log/open-activity-log-insights-workbook.png" lightbox= "media/activity-log/open-activity-log-insights-workbook.png" alt-text="A screenshot showing how to locate and open the Activity logs insights workbook on a scale level.":::

-### View Activity log insights on any Azure resource

-> * Currently Applications Insights resources are not supported for this workbook.

-To view Activity log insights on a resource level:

-1. In the Azure portal, go to your resource, select **Workbooks**.

-1. Select **Activity Logs Insights** in the **Activity Logs Insights** section.

- :::image type="content" source="media/activity-log/activity-log-resource-level.png" lightbox= "media/activity-log/activity-log-resource-level.png" alt-text="A screenshot showing how to locate and open the Activity logs insights workbook on a resource level.":::

-1. At the top of the **Activity Logs Insights** page, select:

-

- 1. A time range for which to view data from the **TimeRange** dropdown.

- * **Azure Activity Log Entries** shows the count of Activity log records in each activity log category.

- :::image type="content" source="media/activity-log/activity-logs-insights-category-value.png" lightbox= "media/activity-log/activity-logs-insights-category-value.png" alt-text="Screenshot of Azure Activity Logs by Category Value":::

- * **Activity Logs by Status** shows the count of Activity log records in each status.

- :::image type="content" source="media/activity-log/activity-logs-insights-status.png" lightbox= "media/activity-log/activity-logs-insights-status.png" alt-text="Screenshot of Azure Activity Logs by Status":::

- * At the subscription and resource group level, **Activity Logs by Resource** and **Activity Logs by Resource Provider** show the count of Activity log records for each resource and resource provider.

-

- :::image type="content" source="media/activity-log/activity-logs-insights-resource.png" lightbox= "media/activity-log/activity-logs-insights-resource.png" alt-text="Screenshot of Azure Activity Logs by Resource":::

-* [Review Activity log event schema](activity-log-schema.md)

-* [Create diagnostic setting to send Activity logs to other destinations](./diagnostic-settings.md)

-Azure Monitor Metrics is a feature of Azure Monitor that collects numeric data from [monitored resources](../monitor-reference.md) into a time series database. Metrics are numerical values that are collected at regular intervals and describe some aspect of a system at a particular time.

-Metrics in Azure Monitor are lightweight and capable of supporting near real-time scenarios, so they're useful for alerting and fast detection of issues. You can analyze them interactively by using Metrics Explorer, be proactively notified with an alert when a value crosses a threshold, or visualize them in a workbook or dashboard.

-> Azure Monitor Metrics is one half of the data platform that supports Azure Monitor. The other is [Azure Monitor Logs](../logs/data-platform-logs.md), which collects and organizes log and performance data and allows that data to be analyzed with a rich query language.

-> The Metrics feature can only store numeric data in a particular structure, whereas the Logs feature can store a variety of datatypes (each with its own structure). You can also perform complex analysis on log data by using log queries, which you can't use for analysis of metric data.

-The following table lists the ways that you can use the Metrics feature in Azure Monitor.

-| | Description |

-| **Analyze** | Use [Metrics Explorer](metrics-charts.md) to analyze collected metrics on a chart and compare metrics from various resources. |

-| **Alert** | Configure a [metric alert rule](../alerts/alerts-metric.md) that sends a notification or takes [automated action](../alerts/action-groups.md) when the metric value crosses a threshold. |

-| **Visualize** | Pin a chart from Metrics Explorer to an [Azure dashboard](../app/tutorial-app-dashboards.md).<br>Create a [workbook](../visualize/workbooks-overview.md) to combine with multiple sets of data in an interactive report. Export the results of a query to [Grafana](../visualize/grafana-plugin.md) to use its dashboarding and combine with other data sources. |

-| **Automate** | Use [Autoscale](../autoscale/autoscale-overview.md) to increase or decrease resources based on a metric value crossing a threshold. |

-| **Retrieve** | Access metric values from a:<ul><li>Command line via the [Azure CLI](/cli/azure/monitor/metrics) or [Azure PowerShell cmdlets](/powershell/module/az.monitor).</li><li>Custom app via the [REST API](./rest-api-walkthrough.md) or client library for [.NET](/dotnet/api/overview/azure/Monitor.Query-readme), [Java](/java/api/overview/azure/monitor-query-readme), [JavaScript](/javascript/api/overview/azure/monitor-query-readme), or [Python](/python/api/overview/azure/monitor-query-readme).</li></ul> |

-| **Export** | [Route metrics to logs](./resource-logs.md#send-to-azure-storage) to analyze data in Azure Monitor Metrics together with data in Azure Monitor Logs and to store metric values for longer than 93 days.<br>Stream metrics to an [event hub](./stream-monitoring-data-event-hubs.md) to route them to external systems. |

-| **Archive** | [Archive](./platform-logs-overview.md) the performance or health history of your resource for compliance, auditing, or offline reporting purposes. |

-Azure Monitor collects metrics from the following sources. After these metrics are collected in the Azure Monitor metric database, they can be evaluated together regardless of their source.

-

-* The time that the value was collected.

-* [Multiple dimensions](#multi-dimensional-metrics) when they're present. Note that custom metrics are limited to 10 dimensions.

-One of the challenges to metric data is that it often has limited information to provide context for collected values. Azure Monitor addresses this challenge with multi-dimensional metrics.

-Dimensions of a metric are name/value pairs that carry additional data to describe the metric value. For example, a metric called _Available disk space_ might have a dimension called _Drive_ with values _C:_ and _D:_. That dimension would allow viewing available disk space across all drives or for each drive individually.

-| Timestamp | Metric Value |

-| Timestamp | Dimension "IP" | Dimension "Direction" | Metric Value|

-This metric can answer questions such as "What was the network throughput for each IP address?" and "How much data was sent versus received?" Multi-dimensional metrics carry additional analytical and diagnostic value compared to nondimensional metrics.

-### Viewing multi-dimensional performance counter metrics in Metrics Explorer

-2. Select the **Performance counters** tab.

-3. Select **Custom** to configure the performance counters that you want to collect.

- 

-4. Select **Sinks**. Then select **Enabled** to send your data to Azure Monitor.

- 

-5. To view your metric in Azure Monitor, select **Virtual Machine Guest** in the **Metric Namespace** dropdown list.

- 

-6. Select **Apply splitting** and fill in the details to split the metric by instance. You can then see the metric broken down by each of the possible values represented by the asterisk in the configuration. In this example, the asterisk represents the logical disk volumes plus the total.

- 

- For performance reasons, the portal limits how much data it displays based on volume. Therefore, the actual number of days that the portal retrieves can be longer than 14 days if the volume of data being written is not large.

-> [!NOTE]

-> As mentioned earlier, for most resources in Azure, platform metrics are stored for 93 days. However, you can only query (in the **Metrics** tile) for a maximum of 30 days worth of data on any single chart. This limitation doesn't apply to log-based metrics.

->

-> If you see a blank chart or your chart displays only part of metric data, verify that the difference between start and end dates in the time picker doesn't exceed the 30-day interval. After you've selected a 30-day interval, you can [pan](./metrics-charts.md#pan) the chart to view the full retention window.

-description: Describes how to collect and analyze monitoring data from resources in Azure using Azure Monitor.

-When you have critical applications and business processes relying on Azure resources, you want to monitor those resources for their availability, performance, and operation. This monitoring is provided by Azure Monitor, which is a full stack monitoring service in Azure that provides a complete set of features to monitor your Azure resources in addition to resources in other clouds and on-premises.

-In this tutorial, you learn:

-> * What Azure Monitor is and how it's integrated into the portal for other Azure services

-> * The types of data collected by Azure Monitor for Azure resources

-> * Azure Monitor tools used to collect and analyze data

-As soon as you create an Azure resource, Azure Monitor is enabled and starts collecting metrics and activity logs. With some configuration, you can gather additional monitoring data and enable additional features. The Azure Monitor data platform is made up of Metrics and Logs. Each collects different kinds of data and enables different Azure Monitor features.

-While you can access Azure Monitor features from the **Monitor** menu in the Azure portal, Azure Monitor features can be accessed directly from the menu for different Azure services. While different Azure services may have slightly different experiences, they share a common set of monitoring options in the Azure portal. This includes **Overview** and **Activity log** and multiple options in the **Monitoring** section of the menu.

-The **Overview** page includes details about the resource and often its current state. For example, a virtual machine will show its current running state. Many Azure services will have a **Monitoring** tab that includes charts for a set of key metrics. This is a quick way to view the operation of the resource, and you can click on any of the charts to open them in metrics explorer for more detailed analysis.

-See [Tutorial: Analyze metrics for an Azure resource](../essentials/tutorial-metrics.md) for a tutorial on using metrics explorer.

-

-### Activity log

-The **Activity log** menu item lets you view entries in the [activity log](../essentials/activity-log.md) for the current resource.

-The **Alerts** page will show you any recent alerts that have been fired for the resource. Alerts proactively notify you when important conditions are found in your monitoring data and can use data from either Metrics or Logs.

-See [Tutorial: Create a metric alert for an Azure resource](../alerts/tutorial-metric-alert.md) or [Tutorial: Create a log query alert for an Azure resource](../alerts/tutorial-log-alert.md) for tutorials on create alert rules and viewing alerts.

-The **Metrics** menu item opens [metrics explorer](./metrics-getting-started.md) which allows you to work with individual metrics or combine multiple to identify correlations and trends. This is the same metrics explorer that's opened when you click on one of the charts in the **Overview** page.

-See [Tutorial: Analyze metrics for an Azure resource](../essentials/tutorial-metrics.md) for a tutorial on using metrics explorer.

-The **Diagnostic settings** page lets you create a [diagnostic setting](../essentials/diagnostic-settings.md) to collect the resource logs for your resource. You can send them to multiple locations, but the most common is to send to a Log Analytics workspace so you can analyze them with Log Analytics.

-See [Tutorial: Collect and analyze resource logs from an Azure resource](../essentials/tutorial-resource-logs.md) for a tutorial on creating a diagnostic setting.

-## Insights

-The **Insights** menu item opens the insight for the resource if the Azure service has one. [Insights](../monitor-reference.md) provide a customized monitoring experience built on the Azure Monitor data platform and standard features.

-See [Insights and Core solutions](../monitor-reference.md#insights-and-curated-visualizations) for a list of insights that are available and links to their documentation.

-Now that you have a basic understanding of Azure Monitor, get start analyzing some metrics for an Azure resource.

-description: Overview of logs in Azure Monitor which provide rich, frequent data about the operation of an Azure resource.

-Platform logs provide detailed diagnostic and auditing information for Azure resources and the Azure platform they depend on. They are automatically generated although you need to configure certain platform logs to be forwarded to one or more destinations to be retained. This article provides an overview of platform logs including what information they provide and how you can configure them for collection and analysis.

-| [Resource logs](./resource-logs.md) | Azure Resources | Provide insight into operations that were performed within an Azure resource (the *data plane*), for example getting a secret from a Key Vault or making a request to a database. The content of resource logs varies by the Azure service and resource type.<br><br>*Resource logs were previously referred to as diagnostic logs.* |

-| [Activity log](../essentials/activity-log.md) | Azure Subscription | Provides insight into the operations on each Azure resource in the subscription from the outside (*the management plane*) in addition to updates on Service Health events. Use the Activity Log, to determine the _what_, _who_, and _when_ for any write operations (PUT, POST, DELETE) taken on the resources in your subscription. There is a single Activity log for each Azure subscription. |

-| [Azure Active Directory logs](../../active-directory/reports-monitoring/overview-reports.md) | Azure Tenant | Contains the history of sign-in activity and audit trail of changes made in the Azure Active Directory for a particular tenant. |

-> The Azure Activity Log is primarily for activities that occur in Azure Resource Manager. It does not track resources using the Classic/RDFE model. Some Classic resource types have a proxy resource provider in Azure Resource Manager (for example, Microsoft.ClassicCompute). If you interact with a Classic resource type through Azure Resource Manager using these proxy resource providers, the operations appear in the Activity Log. If you interact with a Classic resource type outside of the Azure Resource Manager proxies, your actions are only recorded in the Operation Log. The Operation Log can be browsed in a separate section of the portal.

-

-## Viewing platform logs

-There are different options for viewing and analyzing the different Azure platform logs.

-Create a [diagnostic setting](../essentials/diagnostic-settings.md) to send platform logs to one of the following destinations for analysis or other purposes. Resource logs must have a diagnostic setting be used since they have no other way of being viewed.

-| Log Analytics workspace | Analyze the logs of all your Azure resources together and take advantage of all the features available to [Azure Monitor Logs](../logs/data-platform-logs.md) including [log queries](../logs/log-query-overview.md) and [log alerts](../alerts/alerts-log.md). Pin the results of a log query to an Azure dashboard or include it in a workbook as part of an interactive report. |

-| Event hub | Send platform log data outside of Azure, for example to a third-party SIEM or custom telemetry platform. |

-| Azure storage | Archive the logs for audit or backup. |

-| [Azure Monitor partner integrations](../../partner-solutions/overview.md)| Specialized integrations between Azure Monitor and other non-Microsoft monitoring platforms. Useful when you are already using one of the partners. |

- - [Tutorial: Stream Azure Active Directory logs to an Azure event hub](../../active-directory/reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md)

- - [Tutorial: Archive Azure AD logs to an Azure storage account](../../active-directory/reports-monitoring/quickstart-azure-monitor-route-logs-to-storage-account.md)

-Processing data to stream logs is charged for [certain services](resource-logs-categories.md#costs) when sent to destinations other than a Log Analytics workspace. There's no direct charge when this data is sent to a Log Analytics workspace, but there is a Log Analytics charge for ingesting the data into a workspace.

-The charge is based on the number of bytes in the exported JSON formatted log data, measured in GB (10^9 bytes).

-Pricing is available on the [Azure Monitor pricing page](https://azure.microsoft.com/pricing/details/monitor/).

-* [Read more details about the Activity log](../essentials/activity-log.md)

-Azure resource logs are [platform logs](../essentials/platform-logs-overview.md) that provide insight into operations that were performed within an Azure resource. The content of resource logs varies by the Azure service and resource type. Resource logs are not collected by default. This article describes the [diagnostic setting](diagnostic-settings.md) required for each Azure resource to send its resource logs to different destinations.

- Send resource logs to a Log Analytics workspace to enable the features of [Azure Monitor Logs](../logs/data-platform-logs.md) which includes the following:

-In this mode, individual tables in the selected workspace are created for each category selected in the diagnostic setting. This method is recommended since it makes it much easier to work with the data in log queries, provides better discoverability of schemas and their structure, improves performance across both ingestion latency and query times, and the ability to grant Azure RBAC rights on a specific table. All Azure services will eventually migrate to the Resource-Specific mode.

-The example above would result in three tables being created:

-

- | Resource Provider | Category | A | B | C |

- | Resource Provider | Category | D | E | F |

- | Resource Provider | Category | G | H | I |

-### Azure diagnostics mode

-In this mode, all data from any diagnostic setting will be collected in the [AzureDiagnostics](/azure/azure-monitor/reference/tables/azurediagnostics) table. This is the legacy method used today by most Azure services. Since multiple resource types send data to the same table, its schema is the superset of the schemas of all the different data types being collected. See [AzureDiagnostics reference](/azure/azure-monitor/reference/tables/azurediagnostics) for details on the structure of this table and how it works with this potentially large number of columns.

-Consider the following example where diagnostic settings are being collected in the same workspace for the following data types:

-The AzureDiagnostics table will look as follows:

-Most Azure resources will write data to the workspace in either **Azure Diagnostic** or **Resource-Specific mode** without giving you a choice. See the [documentation for each service](./resource-logs-schema.md) for details on which mode it uses. All Azure services will eventually use Resource-Specific mode. As part of this transition, some resources will allow you to select a mode in the diagnostic setting. Specify resource-specific mode for any new diagnostic settings since this makes the data easier to manage and may help you to avoid complex migrations at a later date.

-

- 

-> [!NOTE]

-> For an example setting the collection mode using a resource manager template, see [Resource Manager template samples for diagnostic settings in Azure Monitor](./resource-manager-diagnostic-settings.md#diagnostic-setting-for-recovery-services-vault).

-You can modify an existing diagnostic setting to resource-specific mode. In this case, data that was already collected will remain in the _AzureDiagnostics_ table until it's removed according to your retention setting for the workspace. New data will be collected in the dedicated table. Use the [union](/azure/kusto/query/unionoperator) operator to query data across both tables.

-Continue to watch [Azure Updates](https://azure.microsoft.com/updates/) blog for announcements about Azure services supporting Resource-Specific mode.

-Send resource logs to an event hub to send them outside of Azure, for example to a third-party SIEM or other log analytics solutions. Resource logs from event hubs are consumed in JSON format with a `records` element containing the records in each payload. The schema depends on the resource type as described in [Common and service-specific schema for Azure Resource Logs](resource-logs-schema.md).

-Following is sample output data from Event Hubs for a resource log:

-Send resource logs to Azure storage to retain it for archiving. Once you have created the diagnostic setting, a storage container is created in the storage account as soon as an event occurs in one of the enabled log categories.

-For example, the blob for a network security group might have a name similar to the following:

-Each PT1H.json blob contains a JSON blob of events that occurred within the hour specified in the blob URL (for example, h=12). During the present hour, events are appended to the PT1H.json file as they occur. The minute value (m=00) is always 00, since resource log events are broken into individual blobs per hour.

-Within the PT1H.json file, each event is stored with the following format. This will use a common top-level schema but be unique for each Azure service as described in [Resource logs schema](./resource-logs-schema.md).

-> Logs are written to the blob relevant to time that the log was generated, not time that it was received. This means at the turn of the hour, both the previous hour and current hour blobs could be receiving new writes.

-Resource logs can also be sent partner solutions that are fully integrated into Azure. See [Azure Monitor partner integrations](../../partner-solutions/overview.md) for a list of these solutions and details on configuring them.

-You canΓÇÖt [purge personal data](personal-data-mgmt.md#how-to-export-and-delete-private-data) from Basic Logs tables.

-You can also purge data from a workspace using the [purge feature](personal-data-mgmt.md#how-to-export-and-delete-private-data), which removes personal data. You canΓÇÖt purge data from archived logs.

-description: This article describes how to manage personal data stored in Azure Log Analytics and the methods to identify and remove it.

-# Guidance for personal data stored in Log Analytics and Application Insights

-Log Analytics is a data store where personal data is likely to be found. Application Insights stores its data in a Log Analytics partition. This article will discuss where in Log Analytics and Application Insights such data is typically found, as well as the capabilities available to you to handle such data.

-> [!NOTE]

-> For the purposes of this article _log data_ refers to data sent to a Log Analytics workspace, while _application data_ refers to data collected by Application Insights. If you are using a workspace-based Application Insights resource, the information on log data will apply but if you are using the classic Application Insights resource then the application data applies.

-While it will be up to you and your company to ultimately determine the strategy with which you will handle your private data (if at all), the following are some possible approaches. They are listed in order of preference from a technical point of view from most to least preferable:

-* Where possible, stop collection of, obfuscate, anonymize, or otherwise adjust the data being collected to exclude it from being considered "private". This is _by far_ the preferred approach, saving you the need to create a very costly and impactful data handling strategy.

-* Where not possible, attempt to normalize the data to reduce the impact on the data platform and performance. For example, instead of logging an explicit User ID, create a lookup data that will correlate the username and their details to an internal ID that can then be logged elsewhere. That way, should one of your users ask you to delete their personal information, it is possible that only deleting the row in the lookup table corresponding to the user will be sufficient.

-* Finally, if private data must be collected, build a process around the purge API path and the existing query API path to meet any obligations you may have around exporting and deleting any private data associated with a user.

-## Where to look for private data in Log Analytics?

-Log Analytics is a flexible store, which while prescribing a schema to your data, allows you to override every field with custom values. Additionally, any custom schema can be ingested. As such, it is impossible to say exactly where Private data will be found in your specific workspace. The following locations, however, are good starting points in your inventory:

-* *IP addresses*: Log Analytics collects a variety of IP information across many different tables. For example, the following query shows all tables where IPv4 addresses have been collected over the last 24 hours:

-* *User IDs*: User IDs are found in a large variety of solutions and tables. You can look for a particular username across your entire dataset using the search command:

- search "[username goes here]"

- Remember to look not only for human-readable user names but also GUIDs that can directly be traced back to a particular user!

-* *Device IDs*: Like user IDs, device IDs are sometimes considered "private". Use the same approach as listed above for user IDs to identify tables where this might be a concern.

-* *Custom data*: Log Analytics allows the collection in a variety of methods: custom logs and custom fields, the [HTTP Data Collector API](../logs/data-collector-api.md) , and custom data collected as part of system event logs. All of these are susceptible to containing private data, and should be examined to verify whether any such data exists.

-* *Solution-captured data*: Because the solution mechanism is an open-ended one, we recommend reviewing all tables generated by solutions to ensure compliance.

-* *IP addresses*: While Application Insights will by default obfuscate all IP address fields to "0.0.0.0", it is a fairly common pattern to override this value with the actual user IP to maintain session information. The Analytics query below can be used to find any table that contains values in the IP address column other than "0.0.0.0" over the last 24 hours:

-* *User IDs*: By default, Application Insights will use randomly generated IDs for user and session tracking. However, it is common to see these fields overridden to store an ID more relevant to the application. For example: usernames, AAD GUIDs, etc. These IDs are often considered to be in-scope as personal data, and therefore, should be handled appropriately. Our recommendation is always to attempt to obfuscate or anonymize these IDs. Fields where these values are commonly found include session_Id, user_Id, user_AuthenticatedId, user_AccountId, as well as customDimensions.

-* *Custom data*: Application Insights allows you to append a set of custom dimensions to any data type. These dimensions can be *any* data. Use the following query to identify any custom dimensions collected over the last 24 hours:

-* *In-memory and in-transit data*: Application Insights will track exceptions, requests, dependency calls, and traces. Private data can often be collected at the code and HTTP call level. Review the exceptions, requests, dependencies, and traces tables to identify any such data. Use [telemetry initializers](../app/api-filtering-sampling.md) where possible to obfuscate this data.

-* *Snapshot Debugger captures*: The [Snapshot Debugger](../app/snapshot-debugger.md) feature in Application Insights allows you to collect debug snapshots whenever an exception is caught on the production instance of your application. Snapshots will expose the full stack trace leading to the exceptions as well as the values for local variables at every step in the stack. Unfortunately, this feature does not allow for selective deletion of snap points, or programmatic access to data within the snapshot. Therefore, if the default snapshot retention rate does not satisfy your compliance requirements, the recommendation is to turn off the feature.

-## How to export and delete private data

-As mentioned in the [strategy for personal data handling](#strategy-for-personal-data-handling) section earlier, it is __strongly__ recommended to if it all possible, to restructure your data collection policy to disable the collection of private data, obfuscating or anonymizing it, or otherwise modifying it to remove it from being considered "private". Handling the data will foremost result in costs to you and your team to define and automate a strategy, build an interface for your customers to interact with their data through, and ongoing maintenance costs. Further, it is computationally costly for Log Analytics and Application Insights, and a large volume of concurrent query or purge API calls have the potential to negatively impact all other interaction with Log Analytics functionality. That said, there are indeed some valid scenarios where private data must be collected. For these cases, data should be handled as described in this section.

-For both view and export data requests, the [Log Analytics query API](https://dev.loganalytics.io/) or the [Application Insights query API](https://dev.applicationinsights.io/quickstart) should be used. Logic to convert the shape of the data to an appropriate one to deliver to your users will be up to you to implement. [Azure Functions](https://azure.microsoft.com/services/functions/) makes a great place to host such logic.

-> [!IMPORTANT]

-> While the vast majority of purge operations may complete much quicker than the SLA, **the formal SLA for the completion of purge operations is set at 30 days** due to their heavy impact on the data platform used. This SLA meets GDPR requirements. It's an automated process so there is no way to request that an operation be handled faster.

-We have made available as part of a privacy handling a *purge* API path. This path should be used sparingly due to the risk associated with doing so, the potential performance impact, and the potential to skew all-up aggregations, measurements, and other aspects of your Log Analytics data. See the [Strategy for personal data handling](#strategy-for-personal-data-handling) section for alternative approaches to handle private data.

-> [!NOTE]

-> Once the purge operation has been performed, the data cannot be accessed while the [purge operation status](/rest/api/loganalytics/workspacepurge/getpurgestatus) is *pending*.

-Purge is a highly privileged operation that no app or user in Azure (including even the resource owner) will have permissions to execute without explicitly being granted a role in Azure Resource Manager. This role is _Data Purger_ and should be cautiously delegated due to the potential for data loss.

-> [!IMPORTANT]

-> In order to manage system resources, purge requests are throttled at 50 requests per hour. You should batch the execution of purge requests by sending a single command whose predicate includes all user identities that require purging. Use the [in operator](/azure/kusto/query/inoperator) to specify multiple identities. You should run the query before executing the purge request to verify that the results are expected.

-Once the Azure Resource Manager role has been assigned, two new API paths are available:

-* [POST purge](/rest/api/loganalytics/workspacepurge/purge) - takes an object specifying parameters of data to delete and returns a reference GUID

-* GET purge status - the POST purge call will return an 'x-ms-status-location' header that will include a URL that you can call to determine the status of your purge API. For example:

-> [!IMPORTANT]

-> While we expect the vast majority of purge operations to complete much quicker than our SLA, due to their heavy impact on the data platform used by Log Analytics, **the formal SLA for the completion of purge operations is set at 30 days**.

-* [POST purge](/rest/api/application-insights/components/purge) - takes an object specifying parameters of data to delete and returns a reference GUID

-* GET purge status - the POST purge call will return an 'x-ms-status-location' header that will include a URL that you can call to determine the status of your purge API. For example:

-> [!IMPORTANT]

-> While the vast majority of purge operations may complete much quicker than the SLA, due to their heavy impact on the data platform used by Application Insights, **the formal SLA for the completion of purge operations is set at 30 days**.

- Regional Coverage: Australia East, Australia Southeast, Brazil South, Canada Central, Canada East, Central US, East US, France Central, Germany West Central, Japan West, North Central US, North Europe, South Central US, Southeast Asia, Switzerland West, UK South, UK West, West US. Regional coverage will expand as the preview progresses.

-|March Service Release (2203)|2021.106.111.115,<br>2021.107.129.116,<br>2021.109.129.108, <br>2021.111.124.109, <br>2022.101.112.106, <br>2022.102.109.102|[2022.103.110.103 OTA update package](<https://download.microsoft.com/download/2/3/4/234bdbf8-8f08-4d7a-8b33-7d5afc921bf1/2022.103.110.103 OTA update package.zip>)|Make sure you are using the **old version** of the Device Update for IoT Hub. To do that, navigate to **Device management > Updates** in your IoT Hub, select the **switch to the older version** link in the banner. For more information, please refer to [Update Azure Percept DK over-the-air](./how-to-update-over-the-air.md).|

-May Service Release (2205): [Azure-Percept-DK-1.0.20220511.1756-public_preview_1.0.zip](https://download.microsoft.com/download/c/7/7/c7738a05-819c-48d9-8f30-e4bf64e19f11/Azure-Percept-DK-1.0.20220511.1756-public_preview_1.0.zip)

-> | resourcegroups | subscription | 1-90 | Letters or digits as defined by the [Char.IsLetterOrDigit](/dotnet/api/system.char.isletterordigit) function.<br><br>Valid characters are members of the following categories in [UnicodeCategory](/dotnet/api/system.globalization.unicodecategory):<br>**UppercaseLetter**,<br>**LowercaseLetter**,<br>**TitlecaseLetter**,<br>**ModifierLetter**,<br>**OtherLetter**,<br>**DecimalDigitNumber**.<br><br>Can't end with period. |

-| Endpoint | The URI of your ASRS instance. | Y | N/A | https://foo.service.signalr.net |

-| ClientEndpoint | The URI of your reverse proxy, like App Gateway or API Management | N | null | https://foo.bar |

-> [Azure Web PubSub bindings for Azure Functions](https://azure.github.io/azure-webpubsub/references/functions-bindings)

-> [Quick start: Create a simple chatroom with Azure Web PubSub](https://azure.github.io/azure-webpubsub/getting-started/create-a-chat-app/js-handle-events)

-> [Tutorial: Create a simple chatroom with Azure Web PubSub](https://azure.github.io/azure-webpubsub/getting-started/create-a-chat-app/js-handle-events)

-> [Azure Web PubSub bindings for Azure Functions](https://azure.github.io/azure-webpubsub/references/functions-bindings)

-Our project is now initialized with a *packages.json* file. Our project is going to use some Azure libraries contained in NPM packages. We'll use the library for Azure Active Directory authentication in Node.js (@azure/ms-rest-nodeauth) and the Azure CDN Client Library for JavaScript (@azure/arm-cdn). Let's add those to the project as dependencies.

-npm install --save @azure/ms-rest-nodeauth

- "@azure/arm-cdn": "^5.2.0",

- "@azure/ms-rest-nodeauth": "^3.0.0"

- var msRestAzure = require('@azure/ms-rest-nodeauth');

- var credentials = new msRestAzure.ApplicationTokenCredentials(clientId, tenantId, clientSecret);

-function cdnCreateProfile() {

- cdnClient.profiles.create( resourceGroupName, parms[2], standardCreateParameters, callback);

-function cdnCreateEndpoint() {

- cdnClient.endpoints.create(resourceGroupName, parms[2], parms[3], endpointProperties, callback);

-function cdnPurge() {

- cdnClient.endpoints.purgeContent(resourceGroupName, parms[2], parms[3], purgeContentPaths, callback);

-function cdnDelete() {

- cdnClient.profiles.deleteMethod(resourceGroupName, parms[2], callback);

- cdnClient.endpoints.deleteMethod(resourceGroupName, parms[2], parms[3], callback);

-description: Enable KeyVault VM Extension for Cloud Services (extended support)

-## What is the Key Vault VM Extension?

-The Key Vault VM extension provides automatic refresh of certificates stored in an Azure Key Vault. Specifically, the extension monitors a list of observed certificates stored in key vaults, and upon detecting a change, retrieves, and installs the corresponding certificates. For more details, see [Key Vault VM extension for Windows](../virtual-machines/extensions/key-vault-windows.md).

-## What's new in the Key Vault VM Extension?

-The Key Vault VM extension is now supported on the Azure Cloud Services (extended support) platform to enable the management of certificates end to end. The extension can now pull certificates from a configured Key Vault at a pre-defined polling interval and install them for use by the service.

-## How can I leverage the Key Vault VM extension?

-The following tutorial will show you how to install the Key Vault VM extension on PaaSV1 services by first creating a bootstrap certificate in your vault to get a token from AAD that will help in the authentication of the extension with the vault. Once the authentication process is set up and the extension is installed all latest certificates will be pulled down automatically at regular polling intervals.

-> The Key Vault VM extension downloads all the certificates in the windows certificate store or to the location provided by "certificateStoreLocation" property in the VM extension settings. Currently, the KV VM extension grants access to the private key of the certificate only to the local system admin account.

-## Prerequisites

-To use the Azure Key Vault VM extension, you need to have an Azure Active Directory tenant. For more information on setting up a new Active Directory tenant, see [Setup your AAD tenant](../active-directory/develop/quickstart-create-new-tenant.md)

-## Enable the Azure Key Vault VM extension

-1. [Generate a certificate](../key-vault/certificates/create-certificate-signing-request.md) in your vault and download the .cer for that certificate.

-2. In the [Azure portal](https://portal.azure.com) navigate to **App Registrations**.

- :::image type="content" source="media/app-registration-0.jpg" alt-text="Shows selecting app registration in the portal.":::

-3. In the App Registrations page select **New Registration** on the top left corner of the page

- :::image type="content" source="media/app-registration-1.png" alt-text="Shows the app registration sin the Azure portal.":::

-4. On the next page you can fill the form and complete the app creation.

-5. Upload the .cer of the certificate to the Azure Active Directory app portal.

- - Optionally you can also leverage the [Key Vault Event Grid notification feature](https://azure.microsoft.com/updates/azure-key-vault-event-grid-integration-is-now-available/) to upload the certificate.

-6. Grant the Azure Active Directory app secret list/get permissions in Key Vault:

- - If you are using RBAC preview, search for the name of the AAD app you created and assign it to the Key Vault Secrets User (preview) role.

- - If you are using vault access policies, then assign **Secret-Get** permissions to the AAD app you created. For more information, see [Assign access policies](../key-vault/general/assign-access-policy-portal.md)

-7. Install first

-step and the Key Vault VM extension using the ARM template snippet for `cloudService` resource as shown below:

- You might need to specify the certificate store for boot strap certificate in ServiceDefinition.csdef like below:

-Further improve your deployment by [enabling monitoring in Cloud Services (extended support)](enable-alerts.md)

-* [Azure Cloud Services Part 1: Introduction](https://justazure.com/microsoft-azure-cloud-services-part-1-introduction/)

- |.NET | [1.0.0-beta.3 ](https://www.nuget.org/packages/Azure.AI.Language.Conversations/1.0.0-beta.3) |

- |Python | [1.1.0b1](https://pypi.org/project/azure-ai-language-conversations/) |

- * [C#](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/cognitivelanguage/Azure.AI.Language.Conversations/samples)

- * [Python](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/cognitivelanguage/azure-ai-language-conversations/samples)

- * [C#](/dotnet/api/azure.ai.language.conversations?view=azure-dotnet-preview&preserve-view=true)

- * [Python](/python/api/azure-ai-language-conversations/azure.ai.language.conversations?view=azure-python-preview&preserve-view=true)

- |.NET | [1.0.0-beta.3 ](https://www.nuget.org/packages/Azure.AI.Language.Conversations/1.0.0-beta.3) |

- |Python | [1.1.0b1](https://pypi.org/project/azure-ai-language-conversations/) |

- * [C#](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/cognitivelanguage/Azure.AI.Language.Conversations/samples)

- * [Python](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/cognitivelanguage/azure-ai-language-conversations/samples)

- * [C#](/dotnet/api/azure.ai.language.conversations?view=azure-dotnet-preview&preserve-view=true)

- * [Python](/python/api/azure-ai-language-conversations/azure.ai.language.conversations?view=azure-python-preview&preserve-view=true)

-> Currently authoring functionality is only available via the REST API. This article provides examples of using the REST API with cURL. For full documentation of all parameters and functionality available consult the [REST API reference content](/rest/api/cognitiveservices/questionanswering/question-answering-projects).

-* Python client library for [conversation summarization](summarization/quickstart.md?tabs=conversation-summarization&pivots=programming-language-python).

-With Azure Container Apps, you get a fully managed version of the Dapr APIs when building microservices. When you use Dapr in Azure Container Apps, you can enable sidecars to run next to your microservices that provide a rich set of capabilities. Available Dapr APIs include [Service to Service calls](https://docs.dapr.io/developing-applications/building-blocks/service-invocation/), [Pub/Sub](https://docs.dapr.io/developing-applications/building-blocks/pubsub/), [Event Bindings](https://docs.dapr.io/developing-applications/building-blocks/bindings/), [State Stores](https://docs.dapr.io/developing-applications/building-blocks/state-management/), and [Actors](https://docs.dapr.io/developing-applications/building-blocks/actors/).

-With Azure Container Apps, you get a fully managed version of the Dapr APIs when building microservices. When you use Dapr in Azure Container Apps, you can enable sidecars to run next to your microservices that provide a rich set of capabilities. Available Dapr APIs include [Service to Service calls](https://docs.dapr.io/developing-applications/building-blocks/service-invocation/), [Pub/Sub](https://docs.dapr.io/developing-applications/building-blocks/pubsub/), [Event Bindings](https://docs.dapr.io/developing-applications/building-blocks/bindings/), [State Stores](https://docs.dapr.io/developing-applications/building-blocks/state-management/), and [Actors](https://docs.dapr.io/developing-applications/building-blocks/actors/).

-If you're experiencing problems using the registry with Azure Kubernetes Service, run the [az aks check-acr](/cli/azure/aks#az-aks-check-acr) command to validate that the registry is accessible from the AKS cluster.

-After the analytical store is enabled, based on the data retention needs of the transactional workloads, you can configure the transactional store Time-to-Live (TTTL) property to have records automatically deleted from the transactional store after a certain time period. Similarly, the analytical store Time-to-Live (ATTL) allows you to manage the lifecycle of data retained in the analytical store independent from the transactional store. By enabling analytical store and configuring TTL properties, you can seamlessly tier and define the data retention period for the two stores.

-Currently analytical store doesn't support backup and restore, and your backup policy can't be planned relying on that. For more information, check the limitations section of [this](synapse-link.md#limitations) document. While continuous backup mode isn't supported in database accounts with Synapse Link enabled, periodic backup mode is.

-With periodic backup mode and existing containers, you can:

- ### Fully rebuild analytical store when TTTL >= ATTL

- The original container is restored without analytical store. But you can enable it and it will be rebuild with all data that existing in the container.

- ### Partially rebuild analytical store when TTTL < ATTL

-The data that was only in analytical store isn't restored, but it will be kept available for queries as long as you keep the original container. Analytical store is only deleted when you delete the container. Your analytical queries in Azure Synapse Analytics can read data from both original and restored container's analytical stores. Example:

-Azure Cosmos DB's point-in-time restore feature helps in multiple scenarios such as the following:

-* To recover from an accidental write or delete operation within a container.

-* To restore a deleted account, database, or a container.

-* To restore into any region (where backups existed) at the restore point in time.

-> [!VIDEO https://aka.ms/docs.continuous-backup-restore]

-Azure Cosmos DB performs data backup in the background without consuming any extra provisioned throughput (RUs) or affecting the performance and availability of your database. Continuous backups are taken in every region where the account exists. The following image shows how a container with write region in West US, read regions in East and East US 2 is backed up to a remote Azure Blob Storage account in the respective regions. By default, each region stores the backup in Locally Redundant storage accounts. If the region has [Availability zones](/azure/architecture/reliability/architect) enabled then the backup is stored in Zone-Redundant storage accounts.

-The available time window for restore (also known as retention period) is the lower value of the following two: *30 days back in past from now* or *up to the resource creation time*. The point in time for restore can be any timestamp within the retention period. In strong consistency mode, backup taken in the write region is more up to date when compared to the read regions. Read regions can lag behind due to network or other transient issues. While doing restore, you can [get latest restorable timestamp](get-latest-restore-timestamp.md) for a given resource in that region to ensure that the resource has taken backups up to the given timestamp and can restore in that region.

-Currently, you can restore the Azure Cosmos DB account for SQL API or MongoDB contents point in time to another account via the [Azure portal](restore-account-continuous-backup.md#restore-account-portal), the [Azure CLI](restore-account-continuous-backup.md#restore-account-cli) (az CLI), [Azure PowerShell](restore-account-continuous-backup.md#restore-account-powershell), or [Azure Resource Manager templates](restore-account-continuous-backup.md#restore-arm-template). Table API or Gremlin APIs are in preview and supported through [Azure CLI](restore-account-continuous-backup.md#restore-account-cli) (az CLI) and [Azure PowerShell](restore-account-continuous-backup.md#restore-account-powershell).

-In a steady state, all mutations performed on the source account (which includes databases, containers, and items) are backed up asynchronously within 100 seconds. If the backup media (that is Azure storage) is down or unavailable, the mutations are persisted locally until the media is available back and then they are flushed out to prevent any loss in fidelity of operations that can be restored.

-## What is not restored?

-To restore Azure Cosmos DB live accounts that are not deleted, it is a best practice to always identify the [latest restorable timestamp](get-latest-restore-timestamp.md) for the container. You can then use this timestamp to restore the account to its latest version.

-However, there could be scenarios where you don't know the exact time of accidental deletion or corruption. Scenarios [4] and [5] demonstrate how to _discover_ the restore timestamp using the new event feed APIs on the restorable database or containers.

-Azure Cosmos DB accounts that have continuous backup enabled will incur an additional monthly charge to *store the backup* and to *restore your data*. The restore cost is added every time the restore operation is initiated. If you configure an account with continuous backup but don't restore the data, only backup storage cost is included in your bill.

-The following example is based on the price for an Azure Cosmos account deployed in West US. The pricing and calculation can vary depending on the region you are using, see the [Azure Cosmos DB pricing page](https://azure.microsoft.com/pricing/details/cosmos-db/) for latest pricing information.

-* All accounts enabled with continuous backup policy incur an additional monthly charge for backup storage that is calculated as follows:

- $0.20/GB * Data size in GB in account * Number of regions

-* Every restore API invocation incurs a one time charge. The charge is a function of the amount of data restore and it is calculated as follows:

- $0.15/GB * Data size in GB.

-* Backup storage cost is calculated as (1000 * 0.20 * 2) = $400 per month

-* Restore cost is calculated as (1000 * 0.15) = $150 per restore

-> For more information about measuring the current data usage of your Azure Cosmos DB account, see [Explore Azure Monitor Cosmos DB insights](../azure-monitor/insights/cosmosdb-insights-overview.md#view-utilization-and-performance-metrics-for-azure-cosmos-db).

-* Azure Cosmos DB APIs for SQL and MongoDB are supported for continuous backup. Cassandra API is not supported at present

-* Multi-regions write accounts are not supported.

-* Azure Synapse Link and periodic backup mode can coexist in the same database account. However, analytical store data isn't included in backups and restores. When Synapse Link is enabled, Azure Cosmos DB will continue to automatically take backups of your data in the transactional store at a scheduled backup interval.

-* Azure Synapse Link and continuous backup mode can't coexist in the same database account. Currently database accounts with Synapse Link enabled can't use continuous backup mode and vice-versa.

-* The restored account is created in the same region where your source account exists. You can't restore an account into a region where the source account did not exist.

-* The restore window is only 30 days and it cannot be changed.

-* The backups are not automatically geo-disaster resistant. You have to explicitly add another region to have resiliency for the account and the backup.

-* While a restore is in progress, don't modify or delete the Identity and Access Management (IAM) policies that grant the permissions for the account or change any VNET, firewall configuration.

-* Azure Cosmos DB API for SQL or MongoDB accounts that create unique index after the container is created are not supported for continuous backup. Only containers that create unique index as a part of the initial container creation are supported. For MongoDB accounts, you create unique index using [extension commands](mongodb/custom-commands.md).

-* The point-in-time restore functionality always restores to a new Azure Cosmos account. Restoring to an existing account is currently not supported. If you are interested in providing feedback about in-place restore, contact the Azure Cosmos DB team via your account representative.

-* After restoring, it is possible that for certain collections the consistent index may be rebuilding. You can check the status of the rebuild operation via the [IndexTransformationProgress](how-to-manage-indexing-policy.md) property.

-* The restore process restores all the properties of a container including its TTL configuration. As a result, it is possible that the data restored is deleted immediately if you configured that way. In order to prevent this situation, the restore timestamp must be before the TTL properties were added into the container.

-* Unique indexes in API for MongoDB can't be added or updated when you create a continuous backup mode account or migrate an account from periodic to continuous mode.

-* Continuous mode restore may not restore throughput setting valid as of restore point.

-* Provision continuous backup using [Azure portal](provision-account-continuous-backup.md#provision-portal), [PowerShell](provision-account-continuous-backup.md#provision-powershell), [CLI](provision-account-continuous-backup.md#provision-cli), or [Azure Resource Manager](provision-account-continuous-backup.md#provision-arm-template).

-* [Resource model of continuous backup mode](continuous-backup-restore-resource-model.md)

-A new property in the account level backup policy named `Type` under `backuppolicy` parameter enables continuous backup and point-in-time restore functionalities. This mode is called **continuous backup**. You can set this mode when creating the account or while [migrating an account from periodic to continuous mode](migrate-continuous-backup.md). After continuous mode is enabled, all the containers and databases created within this account will have continuous backup and point-in-time restore functionalities enabled by default.

-> Currently the point-in-time restore feature is available for Azure Cosmos DB API for MongoDB and SQL accounts. After you create an account with continuous mode you can't switch it to a periodic mode.

-|Property Name |Description |

-|||

-|restoreMode | The restore mode should be *PointInTime* |

-|restoreSource | The instanceId of the source account from which the restore will be initiated. |

-|restoreTimestampInUtc | Point in time in UTC to restore the account. |

-|databasesToRestore | List of `DatabaseRestoreResource` objects to specify which databases and containers should be restored. Each resource represents a single database and all the collections under that database, see the [restorable SQL resources](#restorable-sql-resources) section for more details. If this value is empty, then the entire account is restored. |

-|gremlinDatabasesToRestore | List of `GremlinDatabaseRestoreResource` objects to specify which databases and graphs should be restored. Each resource represents a single database and all the graphs under that database. See the [restorable Gremlin resources](#restorable-graph-resources) section for more details. If this value is empty, then the entire account is restored. |

-|tablesToRestore | List of `TableRestoreResource` objects to specify which tables should be restored. Each resource represents a table under that database, see the [restorable Table resources](#restorable-table-resources) section for more details. If this value is empty, then the entire account is restored. |

-A set of new resources and APIs is available to help you discover critical information about resources, which can be restored, locations where they can be restored from, and the timestamps when key operations were performed on these resources.

-|Property Name |Description |

-|||

-| ID | The unique identifier of the resource. |

-| accountName | The global database account name. |

-| creationTime | The time in UTC when the account was created or migrated. |

-| deletionTime | The time in UTC when the account was deleted. This value is empty if the account is live. |

-| apiType | The API type of the Azure Cosmos DB account. |

-| restorableLocations | The list of locations where the account existed. |

-| restorableLocations: locationName | The region name of the regional account. |

-| restorableLocations: regionalDatabaseAccountInstanceId | The GUID of the regional account. |

-| restorableLocations: creationTime | The time in UTC when the regional account was created r migrated.|

-| restorableLocations: deletionTime | The time in UTC when the regional account was deleted. This value is empty if the regional account is live.|

-|Property Name |Description |

-|||

-| eventTimestamp | The time in UTC when the database is created or deleted. |

-| ownerId | The name of the SQL database. |

-| ownerResourceId | The resource ID of the SQL database|

-| operationType | The operation type of this database event. Here are the possible values:<br/><ul><li>Create: database creation event</li><li>Delete: database deletion event</li><li>Replace: database modification event</li><li>SystemOperation: database modification event triggered by the system. This event isn't initiated by the user</li></ul> |

-| database |The properties of the SQL database at the time of the event|

-|Property Name |Description |

-|||

-| eventTimestamp | The time in UTC when this container event happened.|

-| ownerId| The name of the SQL container.|

-| ownerResourceId | The resource ID of the SQL container.|

-| operationType | The operation type of this container event. Here are the possible values: <br/><ul><li>Create: container creation event</li><li>Delete: container deletion event</li><li>Replace: container modification event</li><li>SystemOperation: container modification event triggered by the system. This event isn't initiated by the user</li></ul> |

-| container | The properties of the SQL container at the time of the event.|

-| databaseName | The name of the SQL database.

-| collectionNames | The list of SQL containers under this database.|

-|Property Name |Description |

-|||

-|eventTimestamp| The time in UTC when this database event happened.|

-| ownerId| The name of the MongoDB database. |

-| ownerResourceId | The resource ID of the MongoDB database. |

-| operationType | The operation type of this database event. Here are the possible values:<br/><ul><li> Create: database creation event</li><li> Delete: database deletion event</li><li> Replace: database modification event</li><li> SystemOperation: database modification event triggered by the system. This event isn't initiated by the user </li></ul> |

-|Property Name |Description |

-|||

-| eventTimestamp |The time in UTC when this collection event happened. |

-| ownerId| The name of the MongoDB collection. |

-| ownerResourceId | The resource ID of the MongoDB collection. |

-| operationType |The operation type of this collection event. Here are the possible values:<br/><ul><li>Create: collection creation event</li><li>Delete: collection deletion event</li><li>Replace: collection modification event</li><li>SystemOperation: collection modification event triggered by the system. This event isn't initiated by the user</li></ul> |

-To get a list of all container mutations under the same database see [Restorable Mongodb Collections - List](/rest/api/cosmos-db-resource-provider/2021-04-01-preview/restorable-mongodb-collections/list) article.

-|Property Name |Description |

-|||

-| databaseName |The name of the MongoDB database. |

-| collectionNames | The list of MongoDB collections under this database. |

-To get a list of all MongoDB database and collection combinations that exist on the account at the given timestamp and location, see [Restorable Mongodb Resources - List](/rest/api/cosmos-db-resource-provider/2021-04-01-preview/restorable-mongodb-resources/list) article.

-Each resource represents a single database and all the graphs under that database.

-|Property Name |Description |

-|||

-| gremlinDatabaseName | The name of the Graph database. |

-| graphNames | The list of Graphs under this database. |

-### Restorable Graph database

-Each resource contains information about a mutation event, such as a creation and deletion, that occurred on the Graph database. This information can help in the scenario where the database was accidentally deleted and user needs to find out when that event happened.

-|Property Name |Description |

-|||

-|eventTimestamp| The time in UTC when this database event happened.|

-| ownerId| The name of the Graph database. |

-| ownerResourceId | The resource ID of the Graph database. |

-| operationType | The operation type of this database event. Here are the possible values:<br/><ul><li> Create: database creation event</li><li> Delete: database deletion event</li><li> Replace: database modification event</li><li> SystemOperation: database modification event triggered by the system. This event isn't initiated by the user. </li></ul> |

-To get an event feed of all mutations on the Gremlin database for the account, see theΓÇ»[Restorable Graph Databases - List]( /rest/api/cosmos-db-resource-provider/2021-11-15-preview/restorable-gremlin-databases/list) article.

-### Restorable Graphs

-Each resource contains information of a mutation event such as creation and deletion that occurred on the Graph. This information can help in scenarios where the graph was modified or deleted, and if you need to find out when that event happened.

-|Property Name |Description |

-|||

-| eventTimestamp |The time in UTC when this collection event happened. |

-| ownerId| The name of the Graph collection. |

-| ownerResourceId | The resource ID of the Graph collection. |

-| operationType |The operation type of this collection event. Here are the possible values:<br/><ul><li>Create: Graph creation event</li><li>Delete: Graph deletion event</li><li>Replace: Graph modification event</li><li>SystemOperation: collection modification event triggered by the system. This event isn't initiated by the user.</li></ul> |

-### Restorable Table resources

-|Property Name |Description |

-|||

-| TableNames | The list of Table containers under this account. |

-To get a list of tables that exist on the account at the given timestamp and location, see [Restorable Table Resources - List](/rest/api/cosmos-db-resource-provider/2021-11-15-preview/restorable-table-resources/list) article.

-Each resource contains information of a mutation event such as creation and deletion that occurred on the Table. This information can help in scenarios where the table was modified or deleted, and if you need to find out when that event happened.

-|Property Name |Description |

-|||

-|eventTimestamp| The time in UTC when this database event happened.|

-| ownerId| The name of the Table database. |

-| ownerResourceId | The resource ID of the Table resource. |

-| operationType | The operation type of this Table event. Here are the possible values:<br/><ul><li> Create: Table creation event</li><li> Delete: Table deletion event</li><li> Replace: Table modification event</li><li> SystemOperation: database modification event triggered by the system. This event isn't initiated by the user </li></ul> |

-To get a list of all table mutations under the same database, see [Restorable Table - List](/rest/api/cosmos-db-resource-provider/2021-11-15-preview/restorable-tables/list) article.

-* The ability to restore at time granularity of the second within the last 30-day window.

-After you migrate your account to continuous backup mode, the cost with this mode is different when compared to the periodic backup mode. The continuous mode backup cost can vary from periodic mode. To learn more, see [continuous backup mode pricing](continuous-backup-restore-introduction.md#continuous-backup-pricing).

-Install the [latest version of Azure PowerShell](/powershell/azure/install-az-ps?view=azps-6.2.1&preserve-view=true) or version higher than 6.2.0. Next, run the following steps:

-1. Connect to your Azure account:

- ```azurepowershell-interactive

- Connect-AzAccount

- ```

-1. Migrate your account from periodic to continuous backup mode:

- ```azurepowershell-interactive

- Update-AzCosmosDBAccount `

- -ResourceGroupName "myrg" `

- -Name "myAccount" `

- -BackupPolicyType Continuous

- ```

- * If you donΓÇÖt have CLI, [install](/cli/azure/) the latest version of Azure CLI or version higher than 2.26.0.

- * If you already have Azure CLI installed, use `az upgrade` command to upgrade to the latest version.

- * Alternatively, user can also use Cloud Shell from Azure portal.

-1. After the migration completes successfully, the output shows the backupPolicy object has the type property set to Continuous.

- "type": "Continuous"

- },

- "capabilities": [],

- "connectorOffer": null,

- "consistencyPolicy": {

- "defaultConsistencyLevel": "Session",

- "maxIntervalInSeconds": 5,

- "maxStalenessPrefix": 100

- …

-Run the following command and check the **status**, **targetType** properties of the **backupPolicy** object. The status shows in-progress after the migration starts:

-When the migration is complete, backup type changes to **Continuous**. Run the same command again to check the status:

-## <a id="ARM-template"></a> Migrate using Resource Manager template

-},

-"backupPolicy": {

- "type": "Continuous"

-},

-#### Does the migration only happen at the account level?

-#### Which accounts can be targeted for backup migration?

-#### Does the migration take time? What is the typical time?

-Migration takes time and it depends on the size of data and the number of regions in your account. You can get the migration status using Azure CLI or PowerShell commands. For large accounts with tens of terabytes of data, the migration can take up to few days to complete.

-#### Does the migration cause any availability impact/downtime?

-No, the migration operation takes place in the background, so the client requests aren't impacted. However, we need to perform some backend operations during the migration, and it might take extra time if the account is under heavy load.

-#### What happens if the migration fails? Will I still get the periodic backups or get the continuous backups?

-Once the migration process is started, the account will start to become a continuous mode. If the migration fails, you must initiate migration again until it succeeds.

-#### How do I perform a restore to a timestamp before/during/after the migration?

-Assume that you started migration at t1 and finished at t5, you canΓÇÖt use a restore timestamp between t1 and t5.

-To restore to a time after t5 because your account is now in continuous mode, you can perform the restore using Azure portal, CLI, or PowerShell like you normally do with continuous account. This self-service restore request can only be done after the migration is complete.

-To restore to a time before t1, you can open a support ticket like you normally do with the periodic backup account. After the migration, you have up to 30 days to perform the periodic restore. During these 30 days, you can restore based on the backup retention/interval of your account before the migration. For example, if the backup config was to retain 24 copies at 1 hour interval, then you can restore to anytime between [t1 ΓÇô 24 hours] and [t1].

-#### Which account level control plane operations are blocked during migration?

-Operations such as add/remove region, failover, changing backup policy, throughput changes resulting in data movement are blocked during migration.

-#### If the migration fails for some underlying issue, would it still block the control plane operation until it's retried and completed successfully?

-#### Is it possible to cancel the migration?

-It isn't possible to cancel the migration because it isn't a reversible operation.

-#### Is there a tool that can help estimate migration time based on the data usage and number of regions?

-There isn't a tool to estimate time. But our scale runs indicate single region with 1 TB of data takes roughly one and half hour.

-For multi-region accounts, calculate the total data size as `Number_of_regions * Data_in_single_region`.

-#### Since the continuous backup mode is now GA, would you still recommend restoring a copy of your account and try migration on the copy before deciding to migrate the production account?

-ItΓÇÖs recommended to test the continuous backup mode feature to see it works as expected before migrating production accounts. Because migration is a one-way operation and itΓÇÖs not reversible.

- * If all you know is the number of vCores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](convert-vcore-to-request-unit.md)

- * If you know typical request rates for your current database workload, read about [estimating request units using Azure Cosmos DB capacity planner](estimate-ru-with-capacity-planner.md)

-* **Continuous backup mode** ΓÇô This mode allows you to do restore to any point of time within the last 30 days. You can choose this mode while creating the Azure Cosmos DB account. To learn more, see the [Introduction to Continuous backup mode](continuous-backup-restore-introduction.md), provision continuous backup using [Azure portal](provision-account-continuous-backup.md#provision-portal), [PowerShell](provision-account-continuous-backup.md#provision-powershell), [CLI](provision-account-continuous-backup.md#provision-cli), or [Azure Resource Manager](provision-account-continuous-backup.md#provision-arm-template) articles. You can also [migrate the accounts from periodic to continuous mode](migrate-continuous-backup.md).

-* **Periodic backup mode** - This mode is the default backup mode for all existing accounts. In this mode, backup is taken at a periodic interval and the data is restored by creating a request with the support team. In this mode, you configure a backup interval and retention for your account. The maximum retention period extends to a month. The minimum backup interval can be one hour. To learn more, see the [Periodic backup mode](configure-periodic-backup-restore.md) article.

-For Azure Synapse Link enabled accounts, analytical store data isn't included in the backups and restores. When Synapse Link is enabled, Azure Cosmos DB will continue to automatically take backups of your data in the transactional store at a scheduled backup interval. Automatic backup and restore of your data in the analytical store is not supported at this time.

-Yes. However, analytical store data isn't included in backups and restores. When Synapse Link is enabled on a database account, Azure Cosmos DB will continue to automatically take backups of your data in the transactional store at scheduled backup interval, as always.

-Yes, but only for the regular transactional data. Backup and restore of your data in the analytical store is not supported at this time.

-* Provision continuous backup using [Azure portal](provision-account-continuous-backup.md#provision-portal), [PowerShell](provision-account-continuous-backup.md#provision-powershell), [CLI](provision-account-continuous-backup.md#provision-cli), or [Azure Resource Manager](provision-account-continuous-backup.md#provision-arm-template).

-# Provision an Azure Cosmos DB account with continuous backup and point in time restore

-Azure Cosmos DB's point-in-time restore feature helps you to recover from an accidental change within a container, to restore a deleted account, database, or a container or to restore into any region (where backups existed). The continuous backup mode allows you to do restore to any point of time within the last 30 days.

-Before provisioning the account, install the [latest version of Azure PowerShell](/powershell/azure/install-az-ps?view=azps-6.2.1&preserve-view=true) or version higher than 6.2.0. Next connect to your Azure account and select the required subscription with the following commands:

-1. Sign into Azure using the following command:

- ```azurepowershell

- Connect-AzAccount

- ```

-1. Select a specific subscription with the following command:

- ```azurepowershell

- Select-AzSubscription -Subscription <SubscriptionName>

- ```

-#### <a id="provision-powershell-sql-api"></a>SQL API account

-The following cmdlet is an example of a single region write account *Pitracct* with continuous backup policy created in *West US* region under *MyRG* resource group:

-

-#### <a id="provision-powershell-mongodb-api"></a>API for MongoDB

-The following cmdlet is an example of continuous backup account *Pitracct* created in *West US* region under *MyRG* resource group:

-#### <a id="provision-powershell-table-api"></a>Table API account

-The following cmdlet is an example of a single region write account *Pitracct* with continuous backup policy created in *West US* region under *MyRG* resource group:

-

-#### <a id="provision-powershell-graph-api"></a>Gremlin API account

-The following cmdlet is an example of a single region write account *Pitracct* with continuous backup policy created in *West US* region under *MyRG* resource group:

- -ApiKind "Gremlin"

-

- * Install the latest version of [Azure CLI](/cli/azure/install-azure-cli) or version higher than 2.26.0

- * If you have already installed CLI, run `az upgrade` command to update to the latest version. This command will only work with CLI version higher than 2.11. If you have an earlier version, use the above link to install the latest version.

- * Sign into your Azure account with `az login` command.

- * Select the required subscription using `az account set -s <subscriptionguid>` command.

-To provision a SQL API account with continuous backup, an extra argument `--backup-policy-type Continuous` should be passed along with the regular provisioning command. The following command is an example of a single region write account named *Pitracct* with continuous backup policy created in the *West US* region under *MyRG* resource group:

-The following command shows an example of a single region write account named *Pitracct* with continuous backup policy created in the *West US* region under *MyRG* resource group:

-The following command shows an example of a single region write account named *Pitracct* with continuous backup policy created in the *West US* region under *MyRG* resource group:

-```azurecli-interactive

-The following command shows an example of a single region write account named *Pitracct* with continuous backup policy created the *West US* region under *MyRG* resource group:

-```azurecli-interactive

-You can use Azure Resource Manager templates to deploy an Azure Cosmos DB account with continuous mode. When defining the template to provision an account, include the `backupPolicy` parameter as shown in the following example:

- "backupPolicy": {

- "type": "Continuous"

- },

- }

- }

- ]

-}

-It's strongly recommended to use version 3.10.0 and above.

-It's strongly recommended to use version 4.18.0 and above.

-The EA portal doesn't the Total charges column. The Power BI template app includes Adjustments, Service Overage, Charges billed separately, and Azure marketplace service charges as Total charges.

-# Link a partner ID to your Azure accounts

-| **Warned** | Your Azure subscription is in a warned state and will be disabled shortly if the warning reason isn't addressed. A subscription may be in warned state if its past due, canceled by user, or if the subscription has expired.<br><br>You can retrieve or delete resources (GET/DELETE), but you can't create any resources (PUT/PATCH/POST) |

- :::image type="content" source="media/how-to-manage-studio-preview-exp/data-factory-preview-exp-1.png" alt-text="Screenshot of Azure Data Factory home page with an Opt in option in a banner at the top of the screen.":::

- :::image type="content" source="media/how-to-manage-studio-preview-exp/data-factory-preview-exp-5.png" alt-text="Screenshot of Azure Data Factory home page with an Opt out option in a banner at the top of the screen and Settings gear in the top right corner of the screen.":::

- * [ForEach activity container](#foreach-activity-container)

-Settings specific to a transformation will now show in a pop up instead of the configuration panel. With each new transformation, a corresponding pop-up will automatically appear.

-You now have the option to add an activity using the add button in the bottom right corner of an activity in the pipeline editor canvas. Clicking the button will open a drop-down list of all activities that you can add.

-#### ForEach activity container

-You can now view the activities contained in your ForEach activity.

-You have two options to add activities to your ForEach loop.

-1. Use the + button in your ForEach container to add an activity.

- :::image type="content" source="media/how-to-manage-studio-preview-exp/data-factory-preview-exp-12.png" alt-text="Screenshot of new ForEach activity container with the add button highlighted on the left side of the center of the screen.":::

- :::image type="content" source="media/how-to-manage-studio-preview-exp/data-factory-preview-exp-13.png" alt-text="Screenshot of a drop-down list in the ForEach container with all the activities listed.":::

- Select an activity by using the search box or scrolling through the listed activities. The selected activity will be added to the canvas inside of the ForEach container.

- :::image type="content" source="media/how-to-manage-studio-preview-exp/data-factory-preview-exp-14.png" alt-text="Screenshot of the ForEach container with three activities in the center of the container.":::

-> If your ForEach container includes more than 5 activities, only the first 4 will be shown in the container preview.

-2. Use the edit button in your ForEach container to see everything within the container. You can use the canvas to edit or add to your pipeline.

- :::image type="content" source="media/how-to-manage-studio-preview-exp/data-factory-preview-exp-15.png" alt-text="Screenshot of the ForEach container with the edit button highlighted on the right side of a box in the center of the screen.":::

- :::image type="content" source="media/how-to-manage-studio-preview-exp/data-factory-preview-exp-16.png" alt-text="Screenshot of the inside of the ForEach container with three activities linked together.":::

- Add additional activities by dragging new activities to the canvas or click the add button on the right most activity to bring up a drop-down list of activities.

- :::image type="content" source="media/how-to-manage-studio-preview-exp/data-factory-preview-exp-17.png" alt-text="Screenshot of the Add activity button in the bottom left corner of the right most activity.":::

- :::image type="content" source="media/how-to-manage-studio-preview-exp/data-factory-preview-exp-18.png" alt-text="Screenshot of the drop-down list of activities in the right most activity.":::

- Select an activity by using the search box or scrolling through the listed activities. The selected activity will be added to the canvas inside of the ForEach container.

-We want to hear from you! If you see this pop-up, please provide feedback, and let us know your thoughts.

-| Vulnerability Assessment | Registry scan | ACR, Private ACR | GA | Γ£ô (Preview) | Agentless | Defender for Containers | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

-| Vulnerability Assessment | View vulnerabilities for running images | AKS | Preview | Γ£ô (Preview) | Defender profile | Defender for Containers | Commercial clouds |

-| Hardening | Control plane recommendations | ACR, AKS | GA | Γ£ô | Agentless | Free | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

-| Runtime protection| Threat detection (control plane)| AKS | GA | Γ£ô | Agentless | Defender for Containers | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

-| Discovery and provisioning | Discovery of unprotected clusters | AKS | GA | Γ£ô | Agentless | Free | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

-| Discovery and provisioning | Collection of control plane threat data | AKS | GA | Γ£ô | Agentless | Defender for Containers | Commercial clouds<br><br> National clouds: Azure Government, Azure China 21Vianet |

-| Runtime protection| Threat detection (control plane)| EKS | Preview | Γ£ô | Agentless | Defender for Containers |

-| Discovery and provisioning | Collection of control plane threat data | EKS | Preview | Γ£ô | Agentless | Defender for Containers |

-| Runtime protection| Threat detection (control plane)| GKE | Preview | Γ£ô | Agentless | Defender for Containers |

-| Discovery and provisioning | Collection of control plane threat data | GKE | Preview | Γ£ô | Agentless | Defender for Containers |

-| Vulnerability Assessment | Registry scan | ACR, Private ACR | GA | Γ£ô (Preview) | Agentless | Defender for Containers |

-| Runtime protection| Threat detection (control plane)| Arc enabled K8s clusters | Preview | Γ£ô | Defender extension | Defender for Containers |

-| Discovery and provisioning | Collection of control plane threat data | Arc enabled K8s clusters | Preview | Γ£ô | Defender extension | Defender for Containers |

-| Discovery and provisioning | Auto provisioning of Defender extension | Arc enabled K8s clusters | Preview | Γ£ô | Agentless | Defender for Containers |

-| [Multiple changes to identity recommendations](#multiple-changes-to-identity-recommendations) | June 2022 |

-**Estimated date for change:** June 2022

-$blobStorageAccountKey = (Get-AzStorageAccountKey -ResourceGroupName myResourceGroup -Name $blobStorageAccount).Key1

- $ERDirect = Get-AzExpressRoutePort -Name $Name -ResourceGroupName $ResourceGroupName

- $ERDirect

- -Sku AZFW_Hub -HubIPAddress $AzFWHubIPs

-# Connect to one VM and ping the other. It shouldnt work, because the firewall should drop the traffic, since no rule for ICMP is configured

-2. For **Subscription**, select your subscription.

-1. For **Resource group**, select **Create new**, and type **fw-manager-rg** for the name and select **OK**.

-2. For **Name**, type **Spoke-01**.

-3. For **Region**, select **(US) East US**.

-4. Select **Next: IP Addresses**.

-1. For **Address space**, type **10.0.0.0/16**.

-1. Select **Add subnet**.

-1. For **Subnet name**, type **Workload-01-SN**.

-1. For **Subnet address range**, type **10.0.1.0/24**.

-1. Select **Add**.

-1. Select **Review + create**.

-1. Select **Create**.

-7. For **Region**, select **East US**.

-1. For the **Secured virtual hub name**, type **Hub-01**.

-2. For **Hub address space**, type **10.2.0.0/16**.

-3. For the new virtual WAN name, type **Vwan-01**.

-4. Leave the **Include VPN gateway to enable Trusted Security Partners** check box cleared.

-5. Select **Next: Azure Firewall**.

-6. Accept the default **Azure Firewall** **Enabled** setting.

-1. For **Azure Firewall tier**, select **Standard**.

-1. Select **Next: Trusted Security Partner**.

-1. Accept the default **Trusted Security Partner** **Disabled** setting, and select **Next: Review + create**.

-1. Select **Create**.

- It takes about 30 minutes to deploy.

-7. Select **Public IP configuration**.

-8. Note the public IP address to use later.

-Repeat to connect the **Spoke-02** virtual network: connection name - **hub-spoke-02**

-6. Accept the other defaults and select **Next: Disks**.

-7. Accept the disk defaults and select **Next: Networking**.

-8. Select **Spoke-01** for the virtual network and select **Workload-01-SN** for the subnet.

-9. For **Public IP**, select **None**.

-11. Accept the other defaults and select **Next: Management**.

-12. Select **Disable** to disable boot diagnostics. Accept the other defaults and select **Review + create**.

-13. Review the settings on the summary page, and then select **Create**.

-1. For **Resource group**, select **fw-manager-rg**.

-1. Under **Policy details**, for the **Name** type **Policy-01** and for **Region** select **East US**.

-1. For **Policy tier**, select **Standard**.

-1. Select **Next: DNS Settings**.

-1. Select **Next: TLS Inspection**.

-1. Select **Next : Rules**.

-1. On the **Rules** tab, select **Add a rule collection**.

-1. On the **Add a rule collection** page, type **App-RC-01** for the **Name**.

-1. For **Rule collection type**, select **Application**.

-1. For **Priority**, type **100**.

-1. Ensure **Rule collection action** is **Allow**.

-1. For the rule **Name** type **Allow-msft**.

-1. For the **Source type**, select **IP address**.

-1. For **Source**, type **\***.

-1. For **Protocol**, type **http,https**.

-1. Ensure **Destination type** is **FQDN**.

-1. For **Destination**, type **\*.microsoft.com**.

-1. Select **Add**.

-Add a DNAT rule so you can connect a remote desktop to the **Srv-Workload-01** virtual machine.

-1. Select **Add/Rule collection**.

-1. For **Name**, type **dnat-rdp**.

-1. For **Rule collection type**, select **DNAT**.

-1. For **Priority**, type **100**.

-1. For the rule **Name** type **Allow-rdp**.

-1. For the **Source type**, select **IP address**.

-1. For **Source**, type **\***.

-1. For **Protocol**, select **TCP**.

-1. For **Destination Ports**, type **3389**.

-1. For **Destination Type**, select **IP Address**.

-1. For **Destination**, type the firewall public IP address that you noted previously.

-1. For **Translated address**, type the private IP address for **Srv-Workload-01** that you noted previously.

-1. For **Translated port**, type **3389**.

-1. Select **Add**.

-Add a network rule so you can connect a remote desktop from **Srv-Workload-01** to **Srv-Workload-02**.

-1. Select **Add a rule collection**.

-2. For **Name**, type **vnet-rdp**.

-3. For **Rule collection type**, select **Network**.

-4. For **Priority**, type **100**.

-1. For **Rule collection action**, select **Allow**.

-1. For the rule **Name** type **Allow-vnet**.

-1. For the **Source type**, select **IP address**.

-1. For **Source**, type **\***.

-1. For **Protocol**, select **TCP**.

-1. For **Destination Ports**, type **3389**.

-1. For **Destination Type**, select **IP Address**.

-1. For **Destination**, type the **Srv-Workload-02** private IP address that you noted previously.

-1. Select **Add**.

-1. Select **Review + create**.

-1. Select **Create**.

-1. Select the check box for **Policy-01**.

-1. Select **Manage associations**, **Associate hubs**.

-1. Select **hub-01**.

-1. Select **Add**.

-1. Select **Save**.

-1. Select **OK** on the **Warning** dialog.

- It takes a few minutes to update the route tables.

-1. Verify that the two connections show Azure Firewall secures both Internet and private traffic.

-3. Open Internet Explorer and browse to `https://www.microsoft.com`.

-4. Select **OK** > **Close** on the Internet Explorer security alerts.

-5. Browse to `https://www.google.com`.

-19. Select **OK**.

-[Tutorial: Monitor Azure Firewall logs](./firewall-diagnostics.md)

- npm install @azure/ms-rest-nodeauth

- > Verify in _package.json_ `@azure/arm-policy` is version **3.1.0** or higher,

- > `@azure/arm-policyinsights` is version **3.2.0** or higher, and `@azure/ms-rest-nodeauth` is

- > version **3.0.5** or higher.

- const authenticator = require("@azure/ms-rest-nodeauth");

- const policyObjects = require("@azure/arm-policy");

- const credentials = await authenticator.interactiveLogin();

- const client = new policyObjects.PolicyClient(credentials, argv.subID);

- const assignments = new policyObjects.PolicyAssignments(client);

- const result = await assignments.create(

- const authenticator = require("@azure/ms-rest-nodeauth");

- const policyInsights = require("@azure/arm-policyinsights");

- const credentials = await authenticator.interactiveLogin();

- const client = new policyInsights.PolicyInsightsClient(credentials);

- const policyStates = new policyInsights.PolicyStates(client);

- const result = await policyStates.listQueryResultsForSubscription(

- npm uninstall @azure/arm-policy @azure/arm-policyinsights @azure/ms-rest-nodeauth yargs

- npm install @azure/ms-rest-nodeauth

- > Verify in _package.json_ `@azure/arm-resourcegraph` is version **2.0.0** or higher and

- > `@azure/ms-rest-nodeauth` is version **3.0.3** or higher.

- const authenticator = require("@azure/ms-rest-nodeauth");

- const resourceGraph = require("@azure/arm-resourcegraph");

- const credentials = await authenticator.interactiveLogin();

- const client = new resourceGraph.ResourceGraphClient(credentials);

-npm uninstall @azure/arm-resourcegraph @azure/ms-rest-nodeauth yargs

-> Resource configuration changes only supports changes to resource types from the [Resources table](..//reference/supported-tables-resources.md#resources) in Resource Graph. This does not yet include changes to the resource container resources, such as Subscriptions and Resource groups. Changes are queryable for fourteen days. For longer retention, you can [integrate your Resource Graph query with Azure Logic Apps](../tutorials/logic-app-calling-arg.md) and export your query results to any of the Azure data stores (e.g., Log Analytics) for your desired retention.

-Currently, [TrustBox by Scalys](https://scalys.com/trustbox-industrial/) is the only device supported with manufacturer service agreements for deploying confidential applications as IoT Edge modules. The TrustBox is built on The TrustBox Edge and TrustBox EdgeXL devices both come pre-loaded with the Open Enclave SDK and Azure IoT Edge.

-Containers rely on IP packet forwarding in order to connect to the internet so that they can communicate with cloud services. IP packet forwarding is enabled by default in Docker, but if it gets disabled then any modules that connect to cloud services will not work as expected. For more information, see [Understand container communication](https://apimirror.com/docker~1.12/engine/userguide/networking/default_network/container-communication/index) in the Docker documentation.

-client, err := azsecrets.NewClient("https://quickstart-kv.vault.azure.net/", cred, nil)

-If you used a different key vault name, replace `quickstart-kv` with that name.

-### List secrets

-pager := client.ListSecrets(nil)

-for pager.NextPage(context.TODO()) {

- resp := pager.PageResponse()

- for _, secret := range resp.Secrets {

- fmt.Printf("Secret ID: %s\n", *secret.ID)

- }

-}

-if pager.Err() != nil {

- log.Fatalf("failed to get list secrets: %v", err)

- mySecretName := "quickstart-secret"

- mySecretValue := "createdWithGO"

- keyVaultName := os.Getenv("KEY_VAULT_NAME")

- keyVaultUrl := fmt.Sprintf("https://%s.vault.azure.net/", keyVaultName)

- client, err := azsecrets.NewClient(keyVaultURL, cred, nil)

-### Sample Kusto queries

-> [!NOTE]

-> There is currently an issue with Kusto queries that prevents data from being retrieved from load balancer logs.

-Azure Machine Learning only uses MLflow Tracking for metric logging and artifact storage for your experiments, whether you created the experiment via the Azure Machine Learning Python SDK, Azure Machine Learning CLI or the Azure Machine Learning studio.

-> Unlike the Azure Machine Learning SDK v1, there is no logging functionality in the SDK v2 (preview), and it is recommended to use MLflow for logging and tracking.

-[MLflow](https://www.mlflow.org) is an open-source library for managing the lifecycle of your machine learning experiments. MLflow's tracking URI and logging API, collectively known as [MLflow Tracking](https://mlflow.org/docs/latest/quickstart.html#using-the-tracking-api) is a component of MLflow that logs and tracks your training job metrics and model artifacts, no matter your experiment's environment--locally on your computer, on a remote compute target, a virtual machine or an Azure Machine Learning compute instance.

-## Track experiments

-With MLflow Tracking you can connect Azure Machine Learning as the backend of your MLflow experiments. By doing so, you can

-+ Track and log experiment metrics and artifacts in your [Azure Machine Learning workspace](./concept-azure-machine-learning-v2.md#workspace). If you already use MLflow Tracking for your experiments, the workspace provides a centralized, secure, and scalable location to store training metrics and models. Learn more at [Track ML models with MLflow and Azure Machine Learning CLI v2](how-to-use-mlflow-cli-runs.md).

-+ Model management in MLflow or Azure Machine Learning model registry.

-## Deploy MLflow experiments

-You can [Deploy MLflow models to an online endpoint](how-to-deploy-mlflow-models-online-endpoints.md), so you can leverage and apply Azure Machine Learning's model management capabilities and no-code deployment offering.

-You can use MLflow's tracking URI and logging API, collectively known as MLflow Tracking, to submit training jobs with [MLflow Projects](https://www.mlflow.org/docs/latest/projects.html) and Azure Machine Learning backend support (preview). You can submit jobs locally with Azure Machine Learning tracking or migrate your jobs to the cloud like via an [Azure Machine Learning Compute](./how-to-create-attach-compute-cluster.md).

-* [Deploy MLflow models to an online endpoint](how-to-deploy-mlflow-models-online-endpoints.md)

-You can't delete a registered model that's being used in an active deployment.

-For more information, see the "Register model" section of [Deploy models](how-to-deploy-and-where.md#registermodel).

-> When you use the **Filter by** `Tags` option on the **Models** page of Azure Machine Learning Studio, instead of using `TagName : TagValue`, use `TagName=TagValue` without spaces.

-> * [v2 (current version)](how-to-deploy-mlflow-models-online-endpoints.md)

-* If you're running in a compute not hosted in Azure ML, configure MLflow to point to the Azure ML MLtracking URL. You can follow the instruction at [Track runs from your local machine](how-to-use-mlflow-cli-runs.md#track-runs-from-your-local-machine)

-By experiment id:

-## Accessing runs details

-By default, MLflow returns runs as a Pandas `Dataframe`. You can get Python objects if needed, which may be useful to get details about them by specifying the `output_format` parameter:

-## Getting child (nested) runs information

-In this article, learn how to enable MLflow's tracking URI and logging API, collectively known as [MLflow Tracking](https://mlflow.org/docs/latest/quickstart.html#using-the-tracking-api), to connect your Azure Databricks (ADB) experiments, MLflow, and Azure Machine Learning.

-> [!TIP]

-> The information in this document is primarily for data scientists and developers who want to monitor the model training process. If you are an administrator interested in monitoring resource usage and events from Azure Machine Learning, such as quotas, completed training runs, or completed model deployments, see [Monitoring Azure Machine Learning](monitor-azure-machine-learning.md).

-* Install the `azureml-mlflow` package.

- * This package automatically brings in `azureml-core` of the [The Azure Machine Learning Python SDK](/python/api/overview/azure/ml/install), which provides the connectivity for MLflow to access your workspace.

-## Track Azure Databricks runs

-MLflow Tracking with Azure Machine Learning lets you store the logged metrics and artifacts from your Azure Databricks runs into both your:

-* Azure Databricks workspace.

-* Azure Machine Learning workspace

-After you create your Azure Databricks workspace and cluster,

-1. Install the *azureml-mlflow* library from PyPi, to ensure that your cluster has access to the necessary functions and classes.

-1. Set up your experiment notebook.

-1. Connect your Azure Databricks workspace and Azure Machine Learning workspace.

-Additional details for these steps are in the following sections so you can successfully run your MLflow experiments with Azure Databricks.

-## Set up your notebook

-Once your ADB cluster is set up,

-1. Select **Workspaces** on the left navigation pane.

-1. Expand the workspaces drop down menu and select **Import**

-1. Drag and drop, or browse to find, your experiment notebook to import your ADB workspace.

-1. Select **Import**. Your experiment notebook opens automatically.

-1. Under the notebook title on the top left, select the cluster want to attach to your experiment notebook.

-## MLflow Tracking in your workspaces

-### Set MLflow Tracking to only track in your Azure Machine Learning workspace

-As opposite to tracking, **model registries can't operate** at the same time in Azure Databricks and Azure Machine Learning. Either one or the other has to be used. By default, the Azure Databricks workspace is used for model registries; unless you chose to [set MLflow Tracking to only track in your Azure Machine Learning workspace](#set-mlflow-tracking-to-only-track-in-your-azure-machine-learning-workspace), then the model registry is the Azure Machine Learning workspace.

-At some point you may want to start registering models in Azure Machine Learning. Such configuration has the advantage of enabling all the deployment capabilities of Azure Machine Learning automatically, including no-code-deployment and model management capabilities. In that case, we recommend you to [set MLflow Tracking to only track in your Azure Machine Learning workspace](#set-mlflow-tracking-to-only-track-in-your-azure-machine-learning-workspace). This will remove the ambiguity of where models are being registered.

-> The value of `azureml_mlflow_uri` was obtained in the same way it was demostrated in [Set MLflow Tracking to only track in your Azure Machine Learning workspace](#set-mlflow-tracking-to-only-track-in-your-azure-machine-learning-workspace)

-description: Set up MLflow Tracking with Azure Machine Learning to log metrics and artifacts from ML models with MLflow or the Azure Machine Learning CLI (v2)

-# Track ML experiments and models with MLflow or the Azure Machine Learning CLI (v2)

-In this article, learn how to enable MLflow's tracking URI and logging API, collectively known as [MLflow Tracking](https://mlflow.org/docs/latest/quickstart.html#using-the-tracking-api), to connect Azure Machine Learning as the backend of your MLflow experiments. You can accomplish this connection with either the MLflow Python API or the [Azure Machine Learning CLI v2](how-to-train-cli.md) in your terminal. You also learn how to use [MLflow's Model Registry](https://mlflow.org/docs/latest/model-registry.html) capabilities with Azure Machine Learning.

- * This package automatically brings in `azureml-core` of the [The Azure Machine Learning Python SDK](/python/api/overview/azure/ml/install), which provides the connectivity for MLflow to access your workspace.

-## Track runs from your local machine

-MLflow Tracking with Azure Machine Learning lets you store the logged metrics and artifacts runs that were executed on your local machine into your Azure Machine Learning workspace.

-To track a local run, you need to point your local machine to the Azure Machine Learning MLflow Tracking URI.

->[!IMPORTANT]

-> Make sure you are logged in to your Azure account on your local machine, otherwise the tracking URI returns an empty string. If you are using any Azure ML compute the tracking environment and experiment name is already configured..

-# [MLflow SDK](#tab/mlflow)

-The following code uses `mlflow` and your Azure Machine Learning workspace details to construct the unique MLFLow tracking URI associated with your workspace. Then the method [`set_tracking_uri()`](https://mlflow.org/docs/latest/python_api/mlflow.html#mlflow.set_tracking_uri) points the MLflow tracking URI to that URI.

-#get a handle to the workspace

-ml_client = MLClient(DefaultAzureCredential(), subscription_id, resource_group, workspace)

-tracking_uri = ml_client.workspaces.get(name=workspace).mlflow_tracking_uri

-mlflow.set_tracking_uri(tracking_uri)

-print(tracking_uri)

-# [Terminal](#tab/terminal)

-# Configure MLflow to communicate with a Azure Machine Learning-hosted tracking server

-### Set experiment name

-All MLflow runs are logged to the active experiment, which can be set with the MLflow SDK or Azure CLI.

-# [MLflow SDK](#tab/mlflow)

-With MLflow you can use the [`mlflow.set_experiment()`](https://mlflow.org/docs/latest/python_api/mlflow.html#mlflow.set_experiment) command.

-# [Terminal](#tab/terminal)

-You can set one of the MLflow environment variables [MLFLOW_EXPERIMENT_NAME or MLFLOW_EXPERIMENT_ID](https://mlflow.org/docs/latest/cli.html#cmdoption-mlflow-run-arg-uri) with the experiment name.

-```Azure CLI

-# Configure MLflow to communicate with a Azure Machine Learning-hosted tracking server

-## Track remote runs with Azure Machine Learning CLI (v2)

-Remote runs (jobs) let you train your models on more powerful computes, such as GPU enabled virtual machines, or Machine Learning Compute clusters. See [Use compute targets for model training](how-to-set-up-training-targets.md) to learn about different compute options.

-MLflow Tracking with Azure Machine Learning lets you store the logged metrics and artifacts from your remote runs into your Azure Machine Learning workspace. Any run with MLflow Tracking code in it logs metrics automatically to the workspace.

-## View metrics and artifacts in your workspace

-### Retrieve artifacts with MLFLow

-### Compare and query

-Compare and query all MLflow runs in your Azure Machine Learning workspace with the following code.

-[Learn more about how to query runs with MLflow](https://mlflow.org/docs/latest/search-syntax.html#programmatically-searching-runs).

-```Python

-from mlflow.entities import ViewType

-all_experiments = [exp.experiment_id for exp in MlflowClient().list_experiments()]

-query = "metrics.hello_metric > 0"

-runs = mlflow.search_runs(experiment_ids=all_experiments, filter_string=query, run_view_type=ViewType.ALL)

-runs.head(10)

-```

-## Automatic logging

-With Azure Machine Learning and MLFlow, users can log metrics, model parameters and model artifacts automatically when training a model. A [variety of popular machine learning libraries](https://mlflow.org/docs/latest/tracking.html#automatic-logging) are supported.

-To enable [automatic logging](https://mlflow.org/docs/latest/tracking.html#automatic-logging) insert the following code before your training code:

-```Python

-mlflow.autolog()

-```

-[Learn more about Automatic logging with MLflow](https://mlflow.org/docs/latest/python_api/mlflow.html#mlflow.autolog).

-* [Deploy MLflow models to managed online endpoint (preview)](how-to-deploy-mlflow-models-online-endpoints.md).

-* [Manage your models](concept-model-management-and-deployment.md).

-1. In the **Principal ID** box, provide the Azure AD object ID of the user, group, or application that you want to be granted permission to the managed resource group. Identify the user by their Principal ID, which can be found at the [Azure Active Directory users blade](https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/AllUsers) on the Azure portal.

-description: How to check whether your company has a work account set up with Microsoft, create a new work account, or set up multiple work accounts to use with Partner Center (Azure Marketplace).

-Partner Center uses company work accounts, also known as Azure Active Directory (AD) tenants, to manage account access for multiple users, control permissions, host groups and applications, and maintain profile data. By linking your company's work email account domain to your Partner Center account, employees of your company can sign in to Partner Center to manage marketplace offers using their own work account usernames and passwords.