+- If you are using the RD Web client, you *must* use the same internal and external FQDN. If the internal and external FQDNs are different, you will encounter websocket errors when making a RemoteApp connection through the RD Web client.

+| [ACS](https://www.acs.com.hk/) | ![n] | ![y]| ![n]| ![n]| ![n] |

+| [ACS](https://www.acs.com.hk/) | ![n] | ![y]| ![n]| ![n]| ![n] |

+- Locations marked as trusted cannot be deleted. Remove the trusted designation before attempting to delete.

+In the following steps, you'll implement a common policy scenario that imposes new rules for token lifetime. It's possible to specify the lifetime of an access, SAML, or ID token issued by the Microsoft identity platform. This can be set for all apps in your organization or for a specific app. They can also be set for multi-organizations (multi-tenant application).

+To allow a user to log in to the VM over RDP, you must assign the Virtual Machine Administrator Login or Virtual Machine User Login role to the Virtual Machine resource.

+ Title: Trigger Logic Apps with custom extensions in entitlement management

+# Trigger Logic Apps with custom extensions in entitlement management

+1. Select the catalog for which you want to add a custom extension and then in the left menu, select **Custom Extensions**.

+1. In the policy settings, go to the **Custom Extensions** tab.

+For the BIG-IP APM to perform SSO to the back-end application on behalf of users, configure KCD in the target Active Directory (AD) domain. Delegating authentication requires you to provision the BIG-IP APM with a domain service account.

+The BIG-IP does not support group Managed Service Accounts (gMSA), therefore create a standard user account for the APM service account.

+1. Enter the following PowerShell command. Replace the **UserPrincipalName** and **SamAccountName** values with your environment values. For better security, use a dedicated SPN that matches the host header of the application.

+ ```New-ADUser -Name "F5 BIG-IP Delegation Account" UserPrincipalName $HOST_SPN SamAccountName "f5-big-ip" -PasswordNeverExpires $true Enabled $true -AccountPassword (Read-Host -AsSecureString "Account Password") ```

+ HOST_SPN = host/f5-big-ip.contoso.com@contoso.com

+ >[!NOTE]

+ >When the Host is used, any application running on the host will delegate the account whereas when HTTPS is used, it will allow only HTTP protocol-related operations.

+2. Create a **Service Principal Name (SPN)** for the APM service account to use during delegation to the web application service account:

+ ```Set-AdUser -Identity f5-big-ip -ServicePrincipalNames @Add="host/f5-big-ip.contoso.com"} ```

+ >[!NOTE]

+ >It is mandatory to include the host/ part in the format of UserPrincipleName (host/name.domain@domain) or ServicePrincipleName (host/name.domain).

+3. Before you specify the target SPN, view its SPN configuration. Ensure the SPN shows against the APM service account. The APM service account delegates for the web application:

+ * Confirm your web application is running in the computer context or a dedicated service account.

+ * For the Computer context, use the following command to query the account object in the Active Directory to see its defined SPNs. Replace <name_of_account> with the account for your environment.

+ ```Get-ADComputer -identity <name_of_account> -properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames ```

+ For example:

+ Get-ADUser -identity f5-big-ip -properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames

+

+ * For the dedicated service account, use the following command to query the account object in Active Directory to see its defined SPNs. Replace <name_of_account> with the account for your environment.

+

+ ```Get-ADUser -identity <name_of_account> -properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames ```

+ For example:

+ Get-ADComputer -identity f5-big-ip -properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames

+ 4. If the application ran in the machine context, add the SPN to the object of the computer account in Active Directory:

+ ```Set-ADComputer -Identity APP-VM-01 -ServicePrincipalNames @{Add="http/myexpenses.contoso.com"} ```

+ ```Get-ADUser -Identity f5-big-ip | Set-ADAccountControl -TrustedToAuthForDelegation $true ```

+ ```Set-ADUser -Identity f5-big-ip -Add @{'msDS-AllowedToDelegateTo'=@('HTTP/myexpenses.contoso.com')} ```

+ >[!NOTE]

+ >You can complete these tasks with the Active Directory Users and Computers, Microsoft Management Console (MMC) snap-in, on a domain controller.

+In the Windows Server 2012 version, and higher, cross-domain KCD uses Resource-Based Constrained Delegation (RBCD). The constraints for a service are transferred from the domain administrator to the service administrator. This delegation allows the back-end service administrator to allow or deny SSO. This situation creates a different approach at configuration delegation, which is possible when you use PowerShell or Active Directory Service Interfaces Editor (ADSI Edit).

+You can use the PrincipalsAllowedToDelegateToAccount property of the application service account (computer or dedicated service account) to grant delegation from BIG-IP. For this scenario, use the following PowerShell command on a domain controller (Windows Server 2012 R2, or later) in the same domain as the application.

+Use an SPN defined against a web application service account. For better security, use a dedicated SPN that matches the host header of the application. For example, because the web application host header in this example is myexpenses.contoso.com, add HTTP/myexpenses.contoso.com to the application service account object in Active Directory (AD):

+```Set-AdUser -Identity web_svc_account -ServicePrincipalNames @{Add="http/myexpenses.contoso.com"} ```

+```$big-ip= Get-ADComputer -Identity f5-big-ip -server dc.contoso.com ```

+```Set-ADUser -Identity web_svc_account -PrincipalsAllowedToDelegateToAccount ```

+```$big-ip Get-ADUser web_svc_account -Properties PrincipalsAllowedToDelegateToAccount ```

+```$big-ip= Get-ADComputer -Identity f5-big-ip -server dc.contoso.com ```

+```Set-ADComputer -Identity web_svc_account -PrincipalsAllowedToDelegateToAccount ```

+```$big-ip Get-ADComputer web_svc_account -Properties PrincipalsAllowedToDelegateToAccount ```

+* MyF5 article, [Active Directory Authentication](https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/2.html)

+For the BIG-IP APM to perform SSO to the back-end application on behalf of users, configure KCD in the target Active Directory (AD) domain. Delegating authentication requires you to provision the BIG-IP APM with a domain service account.

+The BIG-IP does not support group Managed Service Accounts (gMSA), therefore create a standard user account for the APM service account.

+1. Enter the following PowerShell command. Replace the **UserPrincipalName** and **SamAccountName** values with your environment values. For better security, use a dedicated SPN that matches the host header of the application.

+ ```New-ADUser -Name "F5 BIG-IP Delegation Account" UserPrincipalName $HOST_SPN SamAccountName "f5-big-ip" -PasswordNeverExpires $true Enabled $true -AccountPassword (Read-Host -AsSecureString "Account Password") ```

+ HOST_SPN = host/f5-big-ip.contoso.com@contoso.com

+ >[!NOTE]

+ >When the Host is used, any application running on the host will delegate the account whereas when HTTPS is used, it will allow only HTTP protocol-related operations.

+2. Create a **Service Principal Name (SPN)** for the APM service account to use during delegation to the web application service account:

+ ```Set-AdUser -Identity f5-big-ip -ServicePrincipalNames @Add="host/f5-big-ip.contoso.com"} ```

+ >[!NOTE]

+ >It is mandatory to include the host/ part in the format of UserPrincipleName (host/name.domain@domain) or ServicePrincipleName (host/name.domain).

+4. Before you specify the target SPN, view its SPN configuration. Ensure the SPN shows against the APM service account. The APM service account delegates for the web application:

+ * Confirm your web application is running in the computer context or a dedicated service account.

+ * For the Computer context, use the following command to query the account object in the Active Directory to see its defined SPNs. Replace <name_of_account> with the account for your environment.

+ ```Get-ADComputer -identity <name_of_account> -properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames ```

+ For example:

+ Get-ADUser -identity f5-big-ip -properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames

+ * For the dedicated service account, use the following command to query the account object in Active Directory to see its defined SPNs. Replace <name_of_account> with the account for your environment.

+ ```Get-ADUser -identity <name_of_account> -properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames ```

+ For example:

+ Get-ADComputer -identity f5-big-ip -properties ServicePrincipalNames | Select-Object -ExpandProperty ServicePrincipalNames

+4. If the application ran in the machine context, add the SPN to the object of the computer account in Active Directory:

+ ```Set-ADComputer -Identity APP-VM-01 -ServicePrincipalNames @{Add="http/myexpenses.contoso.com"} ```

+With SPNs defined, establish trust for the APM service account delegate to that service. The configuration varies depending on the topology of your BIG-IP instance and application server.

+1. Set trust for the APM service account to delegate authentication:

+ ```Get-ADUser -Identity f5-big-ip | Set-ADAccountControl -TrustedToAuthForDelegation $true ```

+2. The APM service account needs to know the target SPN it's trusted to delegate to. Set the target SPN to the service account running your web application:

+ ```Set-ADUser -Identity f5-big-ip -Add @{'msDS-AllowedToDelegateTo'=@('HTTP/myexpenses.contoso.com')} ```

+ >[!NOTE]

+ >You can complete these tasks with the Active Directory Users and Computers, Microsoft Management Console (MMC) snap-in, on a domain controller.

+In the Windows Server 2012 version, and higher, cross-domain KCD uses Resource-Based Constrained Delegation (RBCD). The constraints for a service are transferred from the domain administrator to the service administrator. This delegation allows the back-end service administrator to allow or deny SSO. This situation creates a different approach at configuration delegation, which is possible when you use PowerShell or Active Directory Service Interfaces Editor (ADSI Edit).

+You can use the PrincipalsAllowedToDelegateToAccount property of the application service account (computer or dedicated service account) to grant delegation from BIG-IP. For this scenario, use the following PowerShell command on a domain controller (Windows Server 2012 R2, or later) in the same domain as the application.

+Use an SPN defined against a web application service account. For better security, use a dedicated SPN that matches the host header of the application. For example, because the web application host header in this example is myexpenses.contoso.com, add HTTP/myexpenses.contoso.com to the application service account object in Active Directory (AD):

+```Set-AdUser -Identity web_svc_account -ServicePrincipalNames @{Add="http/myexpenses.contoso.com"} ```

+For the following commands, note the context.

+If the web_svc_account service runs in the context of a user account, use these commands:

+```$big-ip= Get-ADComputer -Identity f5-big-ip -server dc.contoso.com ```

+```Set-ADUser -Identity web_svc_account -PrincipalsAllowedToDelegateToAccount ```

+```$big-ip Get-ADUser web_svc_account -Properties PrincipalsAllowedToDelegateToAccount ```

+If the web_svc_account service runs in the context of a computer account, use these commands:

+```$big-ip= Get-ADComputer -Identity f5-big-ip -server dc.contoso.com ```

+```Set-ADComputer -Identity web_svc_account -PrincipalsAllowedToDelegateToAccount ```

+```$big-ip Get-ADComputer web_svc_account -Properties PrincipalsAllowedToDelegateToAccount ```

+* dev/central: [APM variable assign examples](https://community.f5.com/t5/codeshare/apm-variable-assign-examples/ta-p/287962)

+* MyF5: [Session Variables](https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/session-variables.html)

+ Title: Azure Active Directory SSO integration with BigPanda

+description: Learn how to configure single sign-on between Azure Active Directory and BigPanda.

+# Azure Active Directory SSO integration with BigPanda

+In this article, you'll learn how to integrate BigPanda with Azure Active Directory (Azure AD). BigPanda transforms IT data into actionable intelligence and automation, enabling incident response teams to increase uptime, efficiency, and velocity. When you integrate BigPanda with Azure AD, you can:

+* Control in Azure AD who has access to BigPanda.

+* Enable your users to be automatically signed-in to BigPanda with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You'll configure and test Azure AD single sign-on for BigPanda in a test environment. BigPanda supports both **SP** and **IDP** initiated single sign-on and **Just In Time** user provisioning.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Prerequisites

+To integrate Azure Active Directory with BigPanda, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* BigPanda single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the BigPanda application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add BigPanda from the Azure AD gallery

+Add BigPanda from the Azure AD application gallery to configure single sign-on with BigPanda. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **BigPanda** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type the URL:

+ `https://bigpanda.io/SAML2`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://api.bigpanda.io/login/<ORG_NAME>/azure/callback`

+1. If you wish to configure the application in **SP** initiated mode, then perform the following step:

+ In the **Sign on URL** textbox, type a URL using the following pattern:

+ `https://api.bigpanda.io/login/<INSTANCE>`

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Reply URL and Sign on URL. Contact [BigPanda support team](mailto:support@bigpanda.io) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Raw)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up BigPanda** section, copy the appropriate URL(s) based on your requirement.

+ 

+## Configure BigPanda SSO

+To configure single sign-on on **BigPanda** side, you need to send the downloaded **Certificate (Raw)** and appropriate copied URLs from Azure portal to [BigPanda support team](mailto:support@bigpanda.io). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create BigPanda test user

+In this section, a user called B.Simon is created in BigPanda. BigPanda supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in BigPanda, a new one is commonly created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to BigPanda Sign-on URL where you can initiate the login flow.

+* Go to BigPanda Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the BigPanda for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the BigPanda tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the BigPanda for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure BigPanda you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: Azure Active Directory SSO integration with CivicEye SSO

+description: Learn how to configure single sign-on between Azure Active Directory and CivicEye SSO.

+# Azure Active Directory SSO integration with CivicEye SSO

+In this article, you'll learn how to integrate CivicEye SSO with Azure Active Directory (Azure AD). Provide SSO functionality for our CivicEye Platform customers through their existing AD deployment. When you integrate CivicEye SSO with Azure AD, you can:

+* Control in Azure AD who has access to CivicEye SSO.

+* Enable your users to be automatically signed-in to CivicEye SSO with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You'll configure and test Azure AD single sign-on for CivicEye SSO in a test environment. CivicEye SSO supports **SP** initiated single sign-on.

+## Prerequisites

+To integrate Azure Active Directory with CivicEye SSO, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* CivicEye SSO single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the CivicEye SSO application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add CivicEye SSO from the Azure AD gallery

+Add CivicEye SSO from the Azure AD application gallery to configure single sign-on with CivicEye SSO. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **CivicEye SSO** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a URL using the following pattern:

+ `https://<CustomerName>.civiceye.com`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://<CustomerName>.civiceye.com/consumer`

+ c. In the **Sign on URL** textbox, type a URL using the following pattern:

+ `https://<CustomerName>.civiceye.com`

+ > [!Note]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [CivicEye SSO support team](mailto:help@civiceye.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Raw)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up CivicEye SSO** section, copy the appropriate URL(s) based on your requirement.

+ 

+## Configure CivicEye SSO

+To configure single sign-on on **CivicEye SSO** side, you need to send the downloaded **Certificate (Raw)** and appropriate copied URLs from Azure portal to [CivicEye SSO support team](mailto:help@civiceye.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create CivicEye SSO test user

+In this section, you create a user called Britta Simon at CivicEye SSO. Work with [CivicEye SSO support team](mailto:help@civiceye.com) to add the users in the CivicEye SSO platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to CivicEye SSO Sign-on URL where you can initiate the login flow.

+* Go to CivicEye SSO Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the CivicEye SSO tile in the My Apps, this will redirect to CivicEye SSO Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure CivicEye SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+* A Code42 user account with [Customer Cloud Admin](https://support.code42.com/hc/en-us/articles/14827655905943-Roles-reference#Customer_Cloud_Admin) permission.

+This section guides you through the steps to configure Azure AD as a provisioning provider in the Identity Management section of Code42's console. Doing so will enable Code42 to securely receive provisioning requests from Azure AD. It is recommended to review [Code42's support documentation](https://support.code42.com/hc/en-us/articles/14827670461207-How-to-provision-users-to-Code42-from-Azure-AD) before provisioning with Azure AD.

+* [Configure organization assignments based on SCIM groups in Code42](https://support.code42.com/hc/en-us/articles/14827670461207-How-to-provision-users-to-Code42-from-Azure-AD#step-6-map-users-to-organizations-and-roles-using-scim-groups-0-18)

+* [Configure role assignments based on SCIM groups in Code42](https://support.code42.com/hc/en-us/articles/14827670461207-How-to-provision-users-to-Code42-from-Azure-AD#apply-organization-and-role-mappings-0-21)

+ Title: Azure Active Directory SSO integration with Colloquial

+description: Learn how to configure single sign-on between Azure Active Directory and Colloquial.

+# Azure Active Directory SSO integration with Colloquial

+In this article, you'll learn how to integrate Colloquial with Azure Active Directory (Azure AD). Colloquial enables companies to manage the portfolio of their capabilities, processes, information, apps or technology. When you integrate Colloquial with Azure AD, you can:

+* Control in Azure AD who has access to Colloquial.

+* Enable your users to be automatically signed-in to Colloquial with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+You'll configure and test Azure AD single sign-on for Colloquial in a test environment. Colloquial supports **SP** initiated single sign-on and **Just In Time** user provisioning.

+## Prerequisites

+To integrate Azure Active Directory with Colloquial, you need:

+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Colloquial single sign-on (SSO) enabled subscription.

+## Add application and assign a test user

+Before you begin the process of configuring single sign-on, you need to add the Colloquial application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.

+### Add Colloquial from the Azure AD gallery

+Add Colloquial from the Azure AD application gallery to configure single sign-on with Colloquial. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).

+### Create and assign Azure AD test user

+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.

+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).

+## Configure Azure AD SSO

+Complete the following steps to enable Azure AD single sign-on in the Azure portal.

+1. In the Azure portal, on the **Colloquial** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a value using the following pattern:

+ `colloquial-<Customer_ID>`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://app.colloquial.io/auth/saml/<Customer_ID>/callback`

+ c. In the **Sign on URL** textbox, type a URL using the following pattern:

+ `https://app.colloquial.io/login/<Customer_ID>/saml`

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Colloquial support team](mailto:support@colloquial.io) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Colloquial** section, copy the appropriate URL(s) based on your requirement.

+ 

+## Configure Colloquial SSO

+To configure single sign-on on **Colloquial** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Colloquial support team](mailto:support@colloquial.io). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Colloquial test user

+In this section, a user called B.Simon is created in Colloquial. Colloquial supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Colloquial, a new one is commonly created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Colloquial Sign-on URL where you can initiate the login flow.

+* Go to Colloquial Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Colloquial tile in the My Apps, this will redirect to Colloquial Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Additional resources

+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)

+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).

+## Next steps

+Once you configure Colloquial you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+1. For setting up SSO and claiming a domain refer [this](https://docs.mixpanel.com/docs/admin/sso).

+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

+- For more information about storage best practices, see [Best practices for storage and backups in Azure Kubernetes Service][aks-storage-backups-best-practices].

+- Protect your newly migrated CSI Driver based PVs by [backing them up using Azure Backup for AKS](../backup/azure-kubernetes-service-cluster-backup.md).

+ > [!NOTE]

+ > Modifying any resource under the node resource group in the AKS cluster is an unsupported action and will cause cluster operation failures. You can prevent changes from being made to the node resource group by [blocking users from modifying resources](cluster-configuration.md#fully-managed-resource-group-preview) managed by the AKS cluster.

+description: Learn how to create and manage an Azure Active Directory service principal with a cluster in Azure Kubernetes Service (AKS).

+An AKS cluster requires either an [Azure Active Directory (AD) service principal][aad-service-principal] or a [managed identity][managed-identity-resources-overview] to dynamically create and manage other Azure resources, such as an Azure Load Balancer or Azure Container Registry (ACR).

+> [!NOTE]

+> We recommend using managed identities to authenticate with other resources in Azure, and they're the default authentication method for your AKS cluster. For more information about using a managed identity with your cluster, see [Use a system-assigned managed identity][use-managed-identity].

+This article shows you how to create and use a service principal for your AKS clusters.

+To create an Azure AD service principal, you must have permissions to register an application with your Azure AD tenant and to assign the application to a role in your subscription. If you don't have the necessary permissions, you need to ask your Azure AD or subscription administrator to assign the necessary permissions or pre-create a service principal for you to use with your AKS cluster.

+* If using Azure CLI, you need Azure CLI version 2.0.59 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

+* If using Azure PowerShell, you need Azure PowerShell version 5.0.0 or later. Run `Get-InstalledModule -Name Az` to find the version. If you need to install or upgrade, see [Install the Azure Az PowerShell module][install-the-azure-az-powershell-module].

+1. Create a service principal using the [`az ad sp create-for-rbac`][az-ad-sp-create] command.

+ ```azurecli-interactive

+ az ad sp create-for-rbac --name myAKSClusterServicePrincipal

+ ```

+ Your output should be similar to the following example output:

+ ```json

+ {

+ "appId": "559513bd-0c19-4c1a-87cd-851a26afd5fc",

+ "displayName": "myAKSClusterServicePrincipal",

+ "name": "http://myAKSClusterServicePrincipal",

+ "password": "e763725a-5eee-40e8-a466-dc88d980f415",

+ "tenant": "72f988bf-86f1-41af-91ab-2d7cd011db48"

+ }

+ ```

+2. Copy the values for `appId` and `password` from the output. You use these when creating an AKS cluster in the next section.

+1. Create a service principal using the [`New-AzADServicePrincipal`][new-azadserviceprincipal] command.

+ ```azurepowershell-interactive

+ New-AzADServicePrincipal -DisplayName myAKSClusterServicePrincipal -OutVariable sp

+ ```

+ Your output should be similar to the following example output:

+ ```output

+ Secret : System.Security.SecureString

+ ServicePrincipalNames : {559513bd-0c19-4c1a-87cd-851a26afd5fc, http://myAKSClusterServicePrincipal}

+ ApplicationId : 559513bd-0c19-4c1a-87cd-851a26afd5fc

+ ObjectType : ServicePrincipal

+ DisplayName : myAKSClusterServicePrincipal

+ Id : 559513bd-0c19-4c1a-87cd-851a26afd5fc

+ Type :

+ ```

+ The values are stored in a variable that you use when creating an AKS cluster in the next section.

+2. Decrypt the value stored in the **Secret** secure string using the following command.

+ ```azurepowershell-interactive

+ $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($sp.Secret)

+ [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)

+ ```

+* Use an existing service principal for a new AKS cluster using the [`az aks create`][az-aks-create] command and use the `--service-principal` and `--client-secret` parameters to specify the `appId` and `password` from the output you received the previous section.

+ ```azurecli-interactive

+ az aks create \

+ --resource-group myResourceGroup \

+ --name myAKSCluster \

+ --service-principal <appId> \

+ --client-secret <password>

+ ```

+ > [!NOTE]

+ > If you're using an existing service principal with customized secret, make sure the secret isn't longer than 190 bytes.

+1. Convert the service principal `ApplicationId` and `Secret` to a **PSCredential** object using the following command.

+ ```azurepowershell-interactive

+ $Cred = New-Object -TypeName System.Management.Automation.PSCredential ($sp.ApplicationId, $sp.Secret)

+ ```

+2. Use an existing service principal for a new AKS cluster using the [`New-AzAksCluster`][new-azakscluster] command and specify the `ServicePrincipalIdAndSecret` parameter with the previously created **PSCredential** object as its value.

+ ```azurepowershell-interactive

+ New-AzAksCluster -ResourceGroupName myResourceGroup -Name myAKSCluster -ServicePrincipalIdAndSecret $Cred

+ ```

+ > [!NOTE]

+ > If you're using an existing service principal with customized secret, make sure the secret isn't longer than 190 bytes.

+You can use the service principal for the AKS cluster to access other resources. For example, if you want to deploy your AKS cluster into an existing Azure virtual network subnet or connect to Azure Container Registry (ACR), you need to delegate access to those resources to the service principal. Permission granted to a cluster using a system-assigned managed identity may take up 60 minutes to populate.

+* Create a role assignment using the [`az role assignment create`][az-role-assignment-create] command. Assign the `appId` to a particular scope, such as a resource group or virtual network resource. The role defines what permissions the service principal has on the resource.

+ > [!NOTE]

+ > The `--scope` for a resource needs to be a full resource ID, such as */subscriptions/\<guid\>/resourceGroups/myResourceGroup* or */subscriptions/\<guid\>/resourceGroups/myResourceGroupVnet/providers/Microsoft.Network/virtualNetworks/myVnet*.

+ ```azurecli-interactive

+ az role assignment create --assignee <appId> --scope <resourceScope> --role Contributor

+ ```

+* Create a role assignment using the [`New-AzRoleAssignment`][new-azroleassignment] command. Assign the `ApplicationId` to a particular scope, such as a resource group or virtual network resource. The role defines what permissions the service principal has on the resource.

+ > [!NOTE]

+ > The `Scope` for a resource needs to be a full resource ID, such as */subscriptions/\<guid\>/resourceGroups/myResourceGroup* or */subscriptions/\<guid\>/resourceGroups/myResourceGroupVnet/providers/Microsoft.Network/virtualNetworks/myVnet*

+ ```azurepowershell-interactive

+ New-AzRoleAssignment -ApplicationId <ApplicationId> -Scope <resourceScope> -RoleDefinitionName Contributor

+ ```

+If you use Azure Container Registry (ACR) as your container image store, you need to grant permissions to the service principal for your AKS cluster to read and pull images. We recommend using the [`az aks create`][az-aks-create] or [`az aks update`][az-aks-update] command to integrate with a registry and assign the appropriate role for the service principal. For detailed steps, see [Authenticate with Azure Container Registry from Azure Kubernetes Service][aks-to-acr].

+If you use Azure Container Registry (ACR) as your container image store, you need to grant permissions to the service principal for your AKS cluster to read and pull images. We recommend using the [`New-AzAksCluster`][new-azakscluster] or [`Set-AzAksCluster`][set-azakscluster] command to integrate with a registry and assign the appropriate role for the service principal. For detailed steps, see [Authenticate with Azure Container Registry from Azure Kubernetes Service][aks-to-acr].

+If you need to access existing disk resources in another resource group, assign one of the following sets of role permissions:

+* Create a [custom role][rbac-custom-role] and define the *Microsoft.Compute/disks/read* and *Microsoft.Compute/disks/write* role permissions, or

+* Assign the [Virtual Machine Contributor][rbac-disk-contributor] built-in role on the resource group.

+* The service principal for Kubernetes is a part of the cluster configuration, but don't use this identity to deploy the cluster.

+* By default, the service principal credentials are valid for one year. You can [update or rotate the service principal credentials][update-credentials] at any time.

+* Every service principal is associated with an Azure AD application. You can associate the service principal for a Kubernetes cluster with any valid Azure AD application name (for example: *https://www.contoso.org/example*). The URL for the application doesn't have to be a real endpoint.

+* When you specify the service principal **Client ID**, use the value of the `appId`.

+* On the agent node VMs in the Kubernetes cluster, the service principal credentials are stored in the `/etc/kubernetes/azure.json` file.

+* When you delete an AKS cluster that was created using the [`az aks create`][az-aks-create] command, the service principal created isn't automatically deleted.

+ * To delete the service principal, query for your cluster's *servicePrincipalProfile.clientId* and delete it using the [`az ad sp delete`][az-ad-sp-delete] command. Replace the values for the `-g` parameter for the resource group name and `-n` parameter for the cluster name:

+* The service principal for Kubernetes is a part of the cluster configuration, but don't use this identity to deploy the cluster.

+* By default, the service principal credentials are valid for one year. You can [update or rotate the service principal credentials][update-credentials] at any time.

+* Every service principal is associated with an Azure AD application. You can associate the service principal for a Kubernetes cluster with any valid Azure AD application name (for example: *https://www.contoso.org/example*). The URL for the application doesn't have to be a real endpoint.

+* When you specify the service principal **Client ID**, use the value of the `ApplicationId`.

+* On the agent node VMs in the Kubernetes cluster, the service principal credentials are stored in the `/etc/kubernetes/azure.json` file.

+* When you delete an AKS cluster that was created using the [`New-AzAksCluster`][new-azakscluster], the service principal created isn't automatically deleted.

+ * To delete the service principal, query for your cluster's *ServicePrincipalProfile.ClientId* and delete it using the [`Remove-AzADServicePrincipal`][remove-azadserviceprincipal] command. Replace the values for the `-ResourceGroupName` parameter for the resource group name and `-Name` parameter for the cluster name:

+Azure CLI caches the service principal credentials for AKS clusters. If these credentials expire, you encounter errors during AKS cluster deployment. If you run the [`az aks create`][az-aks-create] command and receive an error message similar to the following, it may indicate a problem with the cached service principal credentials:

+You can check the expiration date of your service principal credentials using the [`az ad app credential list`][az-ad-app-credential-list] command with the `"[].endDateTime"` query.

+Azure PowerShell caches the service principal credentials for AKS clusters. If these credentials expire, you encounter errors during AKS cluster deployment. If you run the [`New-AzAksCluster`][new-azakscluster] command and receive an error message similar to the following, it may indicate a problem with the cached service principal credentials:

+You can check the expiration date of your service principal credentials using the [Get-AzADAppCredential][get-azadappcredential] command. The output shows you the `StartDateTime` of your credentials.

+The Open Service Mesh (OSM) add-on integrates with features provided by Azure and some open source projects.

+Ingress allows for traffic external to the mesh to be routed to services within the mesh. With OSM, you can configure most ingress solutions to work with your mesh, but OSM works best with one of the following solutions:

+* [Web Application Routing][web-app-routing]

+* [NGINX ingress][osm-nginx]

+* [Contour ingress][osm-contour]

+> [!NOTE]

+> At this time, [Azure Gateway Ingress Controller (AGIC)][agic] only works for HTTP backends. If you configure OSM to use AGIC, AGIC won't be used for other backends, such as HTTPS and mTLS.

+### Use the Azure Gateway Ingress Controller (AGIC) with the OSM add-on for HTTP ingress

+> You can't configure [Azure Gateway Ingress Controller (AGIC)][agic] for HTTPS ingress.

+#### Create a namespace and deploy the application service

+1. Installing the AGIC ingress controller.

+2. Create a namespace for the application service using the `kubectl create ns` command.

+ ```console

+ kubectl create ns httpbin

+ ```

+3. Add the namespace to the mesh using the `osm namespace add` OSM CLI command.

+ ```console

+ osm namespace add httpbin

+ ```

+4. Deploy the application service to the namespace using the `kubectl apply` command.

+ ```console

+ export RELEASE_BRANCH=release-v1.2

+ kubectl apply -f https://raw.githubusercontent.com/openservicemesh/osm-docs/$RELEASE_BRANCH/manifests/samples/httpbin/httpbin.yaml -n httpbin

+ ```

+5. Verify the pods are up and running and have the envoy sidecar injected using the `kubectl get pods` command.

+ ```console

+ kubectl get pods -n httpbin

+ ```

+ Your output should look similar to the following example output:

+ ```output

+ NAME READY STATUS RESTARTS AGE

+ httpbin-7c6464475-9wrr8 2/2 Running 0 6d20h

+ ```

+6. List the details of the service using the `kubectl get svc` command.

+ ```console

+ kubectl get svc -n httpbin

+ ```

+ Your output should look similar to the following example output:

+ ```output

+ NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE

+ httpbin ClusterIP 10.0.92.135 <none> 14001/TCP 6d20h

+ ```

+#### Deploy the ingress configurations and verify access to the application service

+1. Deploy the following `Ingress` and `IngressBackend` configurations to allow external clients to access the `httpbin` service on port `14001` using the `kubectl apply` command.

+ ```console

+ kubectl apply -f <<EOF

+ apiVersion: networking.k8s.io/v1

+ kind: Ingress

+ metadata:

+ name: httpbin

+ namespace: httpbin

+ annotations:

+ kubernetes.io/ingress.class: azure/application-gateway

+ spec:

+ rules:

+ - http:

+ paths:

+ - path: /

+ pathType: Prefix

+ backend:

+ service:

+ name: httpbin

+ port:

+ number: 14001

+

+ kind: IngressBackend

+ apiVersion: policy.openservicemesh.io/v1alpha1

+ metadata:

+ name: httpbin

+ namespace: httpbin

+ spec:

+ backends:

+ - name: httpbin

+ port:

+ number: 14001 # targetPort of httpbin service

+ protocol: http

+ sources:

+ - kind: IPRange

+ name: 10.0.0.0/8

+ EOF

+ ```

+2. Verify the `Ingress` object was successfully deployed using the `kubectl get ingress` command and make note of the external IP address.

+ ```console

+ kubectl get ingress -n httpbin

+ ```

+ Your output should look similar to the following example output:

+ ```output

+ NAME CLASS HOSTS ADDRESS PORTS AGE

+ httpbin <none> * 20.85.173.179 80 6d20h

+ ```

+3. Verify the `IngressBackend` object was successfully deployed using the `kubectl get ingressbackend` command.

+ ```console

+ kubectl get ingressbackend -n httpbin

+ ```

+ Your output should look similar to the following example output:

+ ```output

+ NAME STATUS

+ httpbin committed

+ ```

+4. Verify you can access the `httpbin` service using the external IP address of the ingress service and the following `curl` command.

+ ```console

+ curl -sI http://<external-ip>/get

+ ```

+5. Confirm you receive a response with `status 200`.

+Metrics observability allows you to view the metrics of your mesh and the deployments in your mesh. With OSM, you can use [Prometheus and Grafana][osm-metrics] for metrics observability, but those integrations aren't covered by the [AKS support policy][aks-support-policy].

+Before you can enable metrics on your mesh to integrate with Azure Monitor, make sure you have the following prerequisites:

+* Enable Azure Monitor on your cluster.

+* Enable the OSM add-on for your AKS cluster.

+* Onboard your application namespaces to the mesh.

+1. Enable metrics for a namespace in the mesh using the `osm metrics enable` command.

+ ```console

+ osm metrics enable --namespace myappnamespace

+ ```

+2. Create a ConfigMap in the `kube-system` namespace that enables Azure Monitor to monitor your namespaces. For example, create a `monitor-configmap.yaml` with the following contents to monitor the `myappnamespace`:

+ ```yaml

+ kind: ConfigMap

+ apiVersion: v1

+ data:

+ schema-version: v1

+ config-version: ver1

+ osm-metric-collection-configuration: |-

+ # OSM metric collection settings

+ [osm_metric_collection_configuration]

+ [osm_metric_collection_configuration.settings]

+ # Namespaces to monitor

+ monitor_namespaces = ["myappnamespace"]

+ metadata:

+ name: container-azm-ms-osmconfig

+ namespace: kube-system

+ ```

+3. Apply the ConfigMap using the `kubectl apply` command.

+ ```console

+ kubectl apply -f monitor-configmap.yaml

+ ```

+4. Navigate to the Azure portal and select your AKS cluster.

+5. Under **Monitoring**, select **Logs**.

+6. In the **Monitoring** section, query the `InsightsMetrics` table to view metrics in the enabled namespaces. For example, the following query shows the *envoy* metrics for the *myappnamespace* namespace:

+ ```sh

+ InsightsMetrics

+ | where Name contains "envoy"

+ | extend t=parse_json(Tags)

+ | where t.app == "myappnamespace"

+ ```

+OSM can integrate with certain automation projects and developer tooling to help operators and developers build and release applications. For example, OSM integrates with [Flagger][osm-flagger] for progressive delivery and [Dapr][osm-dapr] for building applications. The OSM integrations with Flagger and Dapr aren't covered by the [AKS support policy][aks-support-policy].

+## Next steps

+This article covered the Open Service Mesh (OSM) add-on integrations with features provided by Azure and some open source projects. To learn more about OSM, see [About OSM in AKS][about-osm-in-aks].

+<!-- LINKS -->

+[web-app-routing]: web-app-routing.md

+[about-osm-in-aks]: open-service-mesh-about.md

+Before disabling KMS, you can use the following Azure CLI command to verify if KMS is enabled.

+```azurecli-interactive

+az aks list --query "[].{Name:name, KmsEnabled:securityProfile.azureKeyVaultKms.enabled, KeyId:securityProfile.azureKeyVaultKms.keyId}" -o table

+```

+If the results confirm KMS is enabled, run the following command to disable KMS on the cluster.

+This article shows an Azure API management policy sample that demonstrates how to add a header containing a correlation id to the inbound request. To set or edit a policy code, follow the steps described in [Set or edit a policy](../set-edit-policies.md). To see other examples, see [policy samples](/azure/api-management/policies).

+Learn more about API Management policies:

+Learn more about API Management policies:

+This article shows an Azure API management policy sample that demonstrates how to secure API access by using an external authorizer encapsulating custom authentication/authorization logic. To set or edit a policy code, follow the steps described in [Set or edit a policy](../set-edit-policies.md). To see other examples, see [policy samples](/azure/api-management/policies).

+Learn more about API Management policies:

+This article shows an Azure API management policy sample that demonstrates how to add capabilities to a backend service. For example, accept a name of the place instead of latitude and longitude in a weather forecast API. To set or edit a policy code, follow the steps described in [Set or edit a policy](../set-edit-policies.md). To see other examples, see [policy samples](/azure/api-management/policies).

+Learn more about API Management policies:

+This article shows an Azure API management policy sample that demonstrates how filter on the request IP address when the API Management instance is accessed through an Application Gateway or other intermediary. To set or edit a policy code, follow the steps described in [Set or edit a policy](../set-edit-policies.md). To see other examples, see [policy samples](/azure/api-management/policies).

+Learn more about API Management policies:

+This article shows an Azure API management policy sample that demonstrates how to filter data elements from the response payload based on the product associated with the request. To set or edit a policy code, follow the steps described in [Set or edit a policy](../set-edit-policies.md). To see other examples, see [policy samples](/azure/api-management/policies).

+Learn more about API Management policies:

+This article shows an Azure API management policy sample that demonstrates how to generate [Shared Access Signature](../../storage/common/storage-sas-overview.md) using expressions and forward the request to Azure storage with rewrite-uri policy. To set or edit a policy code, follow the steps described in [Set or edit a policy](../set-edit-policies.md). To see other examples, see [policy samples](/azure/api-management/policies).

+Learn more about API Management policies:

+This article shows an Azure API management policy sample that demonstrates how to implement X-CSRF pattern used by many APIs. This example is specific to SAP Gateway. To set or edit a policy code, follow the steps described in [Set or edit a policy](../set-edit-policies.md). To see other examples, see [policy samples](/azure/api-management/policies).

+Learn more about API Management policies:

+This article shows an Azure API management policy sample that demonstrates how to add an error logging policy to send errors to Stackify for logging. To set or edit a policy code, follow the steps described in [Set or edit a policy](../set-edit-policies.md). To see other examples, see [policy samples](/azure/api-management/policies).

+Learn more about API Management policies:

+This article shows an Azure API management policy sample that demonstrates how to route requests based on the size of their bodies. To set or edit a policy code, follow the steps described in [Set or edit a policy](../set-edit-policies.md). To see other examples, see [policy samples](/azure/api-management/policies).

+Learn more about API Management policies:

+This article shows an Azure API management policy sample that demonstrates how to send request context information to the backend service. To set or edit a policy code, follow the steps described in [Set or edit a policy](../set-edit-policies.md). To see other examples, see [policy samples](/azure/api-management/policies).

+Learn more about API Management policies:

+This article shows an Azure API management policy sample that demonstrates how to set response cache duration using maxAge value in Cache-Control header sent by the backend. To set or edit a policy code, follow the steps described in [Set or edit a policy](../set-edit-policies.md). To see other examples, see [policy samples](/azure/api-management/policies).

+Learn more about API Management policies:

+This article shows an Azure API management policy sample that demonstrates how to add a Forwarded header in the inbound request to allow the backend API to construct proper URLs. To set or edit a policy code, follow the steps described in [Set or edit a policy](../set-edit-policies.md). To see other examples, see [policy samples](/azure/api-management/policies).

+Learn more about API Management policies:

+To set or edit a policy code, follow the steps described in [Set or edit a policy](../set-edit-policies.md). To see other examples, see [policy samples](/azure/api-management/policies).

+Learn more about API Management policies:

+| `twitter` | `{"access_token":"<access_token>", "access_token_secret":"<access_token_secret>"}` | |

+az webapp config set --resource-group <resource-group-name> --name <app-name> --startup-file "<filename-with-extension>"

+ // Consider to call Dispose() on the certificate after it's being used, available in .NET 4.6 and later

+> The renewal process requires that the well-known [service principal for App Service has the required permissions on your key vault](deploy-resource-manager-template.md#deploy-web-app-certificate-from-key-vault). These permissions are set up for you when you import an App Service certificate through the Azure portal. Make sure that you don't remove these permissions from your key vault.

+Delete any existing locks using the following command.

+In case App Service starts showing previously deployed files on a restart, check for the presence of the App Setting - '[WEBSITE_DISABLE_SCM_SEPARATION=true](https://github.com/projectkudu/kudu/wiki/Configurable-settings#use-the-same-process-for-the-user-site-and-the-scm-site)'. After adding this setting any deployments via KUDU start writing to the local VM instead of the persistent storage. Best practices mentioned above in this article should be leveraged, wherein the deployments should always be done to the staging slot which does not have Local Cache enabled.

+| ` WEBSITE_PLACEHOLDER_DISABLE_AUTOSPECIALIZATION` | This env var can be used to disable specialization from being enabled automatically for a given placeholder template site. |

+The Key Vault used to store the App Service Certificate is missing access policy permissions on the key vault for Microsoft.Azure.Websites and Microsoft.Azure.CertificateRegistration. The service principals and their required permissions for Key Vault access are:

+3. [Set a breakpoint](/visualstudio/debugger/) on the first statement in the `GenerateThumbnail` method.

+# Requires non-internal subscription - internal subscriptions doesn't provide permission to correctly configure AAD apps

+1. Use the frontend web site in a browser. The URL is in the format of `https://<front-end-app-name>.azurewebsites.net/`.

+# Requires non-internal subscription - internal subscriptions doesn't provide permission to correctly configure AAD apps

+> You can enable continuous testing by typing `r` into the terminal. This will continuously run tests as you develop the application. You can also use Quarkus' *Live Coding* to see changes to your Java or `pom.xml` immediately. Simlply edit code and reload the browser.

+In the Cloud Shell, open the file `docker-compose-wordpress.yml` in a text editor.

+- For basic access from a command-line tool, you can run `mysql` from the app's SSH terminal.

+zone_pivot_groups: deploy-python-web-app-postgresql

+- For basic access from a command-line tool, you can run `psql` from the app's SSH terminal.

+The [`Timeout`](https://github.com/Azure/azure-webjobs-sdk/blob/master/src/Microsoft.Azure.WebJobs/TimeoutAttribute.cs) attribute causes a function to be canceled if it doesn't finish within a specified amount of time. In the following example, the function would run for one day without the Timeout attribute. Timeout causes the function to be canceled after 15 seconds. When the Timeout attribute's "throwOnError" parameter is set to "true", the function invocation is terminated by having an exception thrown by the webjobs SDK when the timeout interval is exceeded. The default value of "throwOnError" is "false". When the Timeout attribute is used, the default behavior is to cancel the function invocation by setting the cancellation token while allowing the invocation to run indefinitely until the function code returns or throws an exception.

+* Custom neural models are limited to 20 build operations per month. Open a support request if you need the limit increased. For more information, see [Form Recognizer service quotas and limits](service-limits.md)

+| InstallationStatus | The possible installation states of an update on the client computer,<br> `NotStarted` - job not triggered yet.<br> `Failed` - job started but failed with an exception.<br> `InProgress` - job in progress.<br> `MaintenanceWindowExceeded` - if execution was remaining but maintenance window interval reached.<br> `Succeeded` - job succeeded.<br> `Install Failed` - update failed to install successfully.<br> `NotIncluded` - the corresponding update's classification doesn't match with customer's entries in input classification list.<br> `Excluded` - user enters a KBID in excluded list. While patching, if KBID in excluded list matches with the system detected update KB ID, it is marked as excluded. |

+Units are navigable spaces in the building, such as offices, hallways, stairs, and elevators. A closed entity type such as Polygon, closed Polyline, Circle, or closed Ellipse is required to represent each unit. So, walls and doors alone don't create a unit because there isn’t an entity that represents the unit.

+> The following feature class should be defined (not case sensitive) in order to use [wayfinding]. `Wall` will be treated as an obstruction for a given path request. `Stair` and `Elevator` will be treated as level connectors to navigate across floors:

+When you create an indoor map using Azure Maps Creator, default styles are applied. Azure Maps Creator now also supports customizing the styles of the different elements of your indoor maps using the [Style Rest API], or the [visual style editor].

+- [Azure Maps account]

+- [Azure Maps Creator resource]

+- [Subscription key]

+- A map configuration alias or ID. For more information, see [map configuration API].

+> [!TIP]

+> If you have never used Azure Maps Creator to create an indoor map, you might find the [Use Creator to create indoor maps] tutorial helpful.

+The map configuration `alias` (or `mapConfigurationId`) is required to render indoor maps with custom styles via the Azure Maps Indoor Maps module.

+To use the globally hosted Azure Content Delivery Network version of the *Azure Maps Indoor* module, reference the following `script` and `stylesheet` references in the `<head>` element of the HTML file:

+ Or, you can download the *Azure Maps Indoor* module. The *Azure Maps Indoor* module contains a client library for accessing Azure Maps services. The following steps demonstrate how to install and load the *Indoor* module into your web application.

+ 1. Install the latest [azure-maps-indoor package].

+For more information, see [Azure Maps service geographic scope].

+The *Map object* will be used in the next step to instantiate the *Indoor Manager* object. The following code shows you how to instantiate the *Map object* with `mapConfiguration`, `styleAPIVersion` and map domain set:

+To load the indoor map style of the tiles, you must instantiate the *Indoor Manager*. Instantiate the *Indoor Manager* by providing the *Map object*. If you wish to support [dynamic map styling], you must pass the `statesetId`. The `statesetId` variable name is case-sensitive. Your code should look like the following JavaScript code snippet:

+To enable polling of state data you provide, you must provide the `statesetId` and call `indoorManager.setDynamicStyling(true)`. Polling state data lets you dynamically update the state of dynamic properties or *states*. For example, a feature such as room can have a dynamic property (*state*) called `occupancy`. Your application may wish to poll for any *state* changes to reflect the change inside the visual map. The following code shows you how to enable state polling:

+The `eventData` variable holds information about the level or facility that invoked the `levelchanged` or `facilitychanged` event, respectively. When a level changes, the `eventData` object contains the `facilityId`, the new `levelNumber`, and other metadata. When a facility changes, the `eventData` object contains the new `facilityId`, the new `levelNumber`, and other metadata.

+When you create an indoor map using Azure Maps Creator, default styles are applied. Azure Maps Creator now also supports customizing your indoor styles. For more information, see [Create custom styles for indoor maps]. Creator also offers a [visual style editor].

+1. Follow the [Create custom styles for indoor maps] how-to article to create your custom styles. Make a note of the map configuration alias after saving your changes.

+2. Use the [Azure Content Delivery Network] option to install the *Azure Maps Indoor* module.

+ - `bounds` is the smallest rectangular shape that encloses the tileset map data. Set a value for `bounds` if you don't want to set a value for `center`. You can find your map bounds by calling the [Tileset List API]. The Tileset List API returns the `bbox`, which you can parse and assign to `bounds`. Format should appear as `bounds`: [# west, # south, # east, # north].

+ - `style` allows you to set the initial style from your map configuration that is displayed. If not set, the style matching map configuration's default configuration is used.

+> The map configuration is referenced using the `mapConfigurationId` or `alias` . Each time you edit or change a map configuration, its ID changes but its alias remains the same. It is recommended to reference the map configuration by its alias in your applications. For more information, See [map configuration] in the concepts article.

+Your file should now look similar to the following HTML:

+To see your indoor map, load it into a web browser. It should appear like the following image. If you select the stairwell feature, the *level picker* appears in the upper right-hand corner.

+For a live demo of an indoor map with available source code, see [Creator Indoor Maps] in the [Azure Maps Samples].

+[Azure Content Delivery Network]: #embed-the-indoor-maps-module

+[Azure Maps account]: quick-demo-map-app.md#create-an-azure-maps-account

+[Azure Maps Creator resource]: how-to-manage-creator.md

+[Azure Maps service geographic scope]: geographic-scope.md

+[azure-maps-indoor package]: https://www.npmjs.com/package/azure-maps-indoor

+[Create custom styles for indoor maps]: how-to-create-custom-styles.md

+[Creator Indoor Maps]: https://samples.azuremaps.com/?sample=creator-indoor-maps

+[dynamic map styling]: indoor-map-dynamic-styling.md

+[map configuration API]: /rest/api/maps/v20220901preview/map-configuration

+[map configuration]: creator-indoor-maps.md#map-configuration

+[Style Rest API]: /rest/api/maps/v20220901preview/style

+[Subscription key]: quick-demo-map-app.md#get-the-subscription-key-for-your-account

+[Tileset List API]: /rest/api/maps/v2/tileset/list

+[Use Creator to create indoor maps]: tutorial-creator-indoor-maps.md

+ Title: Get started with iOS map control

+Be sure to complete the steps in the [Quickstart: Create an iOS app] article.

+The Azure Maps iOS SDK provides three ways of setting the language and regional view of the map. The following code demonstrates the different ways of setting the *language* to French (fr-FR) and the *regional view* to `Auto`.

+1. Set the default language and regional view properties in your app by passing the language and regional view information into the `AzureMaps` class using the static `language` and `view` properties.

+1. The final way of programmatically setting the language and regional view properties uses the maps `setStyle` method. Use the maps `setStyle` method anytime you need to change the language and regional view of the map.

+Here's an example of an Azure Maps application with the language set to `fr-FR` and regional view set to `Auto`.

+For a complete list of supported languages and regional views, see [Localization support in Azure Maps].

+```swift

+See the following articles for more code examples:

+[Quickstart: Create an iOS app]: quick-ios-app.md

+[Localization support in Azure Maps]: supported-languages.md

+This article uses the Azure Maps Web SDK, however the Azure Maps services work with any map control. For a list of third-party map control plug-ins, see [Azure Maps community - Open-source projects].

+* Obtain your Azure Active Directory (Azure AD) credentials with [authentication options]

+ * Use the globally hosted CDN version of the Azure Maps Web SDK by adding references to the JavaScript and `stylesheet` in the `<head>` element of the HTML file:

+ * Load the Azure Maps Web SDK source code locally using the [azure-maps-control] npm package and host it with your app. This package also includes TypeScript definitions.

+ Then add references to the Azure Maps `stylesheet` to the `<head>` element of the file:

+5. Next, initialize the map control. In order to authenticate the control, use an Azure Maps subscription key or Azure AD credentials with [authentication options].

+ If you're using Azure AD for authentication, copy and paste the following script element inside the `<head>` element, and below the first `<script>` element.

+ For more information about authentication with Azure Maps, see the [Authentication with Azure Maps] document. For a list of samples showing how to integrate Azure AD with Azure Maps, see [Azure Maps & Azure Active Directory Samples] in GitHub.

+7. Your HTML file should now look something like the following code snippet:

+8. Open the file in your web browser and view the rendered map. It should look like the following image:

+Azure Maps provides two different ways of setting the language and regional view for the rendered map. The first option is to add this information to the global `atlas` namespace, which results in all map control instances in your app defaulting to these settings. The following sets the language to French ("fr-FR") and the regional view to "Auto":

+Here's an example of Azure Maps with the language set to "fr-FR" and the regional view set to `Auto`.

+For a list of supported languages and regional views, see [Localization support in Azure Maps].

+The Azure Maps Web SDK supports the Azure Government cloud. All JavaScript and CSS URLs used to access the Azure Maps Web SDK remain the same. The following tasks need to be done to connect to the Azure Government cloud version of the Azure Maps platform.

+The domain for the services needs to be set when creating an instance of an API URL endpoint, when using the services module. For example, the following code creates an instance of the `SearchURL` class and points the domain to the Azure Government cloud.

+* [ng-azure-maps] - Angular 10 wrapper around Azure maps.

+* [AzureMapsControl.Components] - An Azure Maps Blazor component.

+* [Azure Maps React Component] - A react wrapper for the Azure Maps control.

+* [Vue Azure Maps] - An Azure Maps component for Vue application.

+For a list of samples showing how to integrate Azure AD with Azure Maps, see:

+[authentication options]: /javascript/api/azure-maps-control/atlas.authenticationoptions

+[Authentication with Azure Maps]: azure-maps-authentication.md

+[Azure Maps & Azure Active Directory Samples]: https://github.com/Azure-Samples/Azure-Maps-AzureAD-Samples

+[Azure Maps community - Open-source projects]: open-source-projects.md#third-part-map-control-plugins

+[Azure Maps React Component]: https://github.com/WiredSolutions/react-azure-maps

+[AzureMapsControl.Components]: https://github.com/arnaudleclerc/AzureMapsControl.Components

+[azure-maps-control]: https://www.npmjs.com/package/azure-maps-control

+[Localization support in Azure Maps]: supported-languages.md

+[ng-azure-maps]: https://github.com/arnaudleclerc/ng-azure-maps

+[Vue Azure Maps]: https://github.com/rickyruiz/vue-azure-maps

+The [Get drawn shapes from drawing manager] code sample allows you to draw a shape on a map and then get the code used to create those drawings by using the drawing managers `drawingManager.getSource()` function. For the source code for this sample, see [Get drawn shapes from drawing manager sample code].

+[Get drawn shapes from drawing manager]: https://samples.azuremaps.com/drawing-tools-module/get-drawn-shapes-from-drawing-manager

+[Get drawn shapes from drawing manager sample code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Drawing%20Tools%20Module/Get%20drawn%20shapes%20from%20drawing%20manager/Get%20drawn%20shapes%20from%20drawing%20manager.html

+The [Traffic Overlay] sample demonstrates how to display the traffic overlay on a map. For the source code for this sample, see [Traffic Overlay source code].

+The [Traffic Overlay Options] tool lets you switch between the different traffic overlay settings to see how the rendering changes. For the source code for this sample, see [Traffic Overlay Options source code].

+The [Traffic controls] sample is a fully functional map that shows how to display traffic data on a map. For the source code for this sample, see [Traffic controls source code].

+[Traffic controls]: https://samples.azuremaps.com/traffic/traffic-controls

+[Traffic Overlay Options]: https://samples.azuremaps.com/traffic/traffic-overlay-options

+[Traffic Overlay source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Traffic/Traffic%20Overlay/Traffic%20Overlay.html

+[Traffic controls source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Traffic/Traffic%20controls/Traffic%20controls.html

+[Traffic Overlay Options source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Traffic/Traffic%20Overlay%20Options/Traffic%20Overlay%20Options.html

+### [3.0.0-preview.9] (June 27, 2023)

+#### New features (3.0.0-preview.9)

+- WebGL2 is used by default.

+- Elevation APIs: `atlas.sources.ElevationTileSource`, `map.enableElevation(elevationSource, options)`, `map.disableElevation()`

+- ability to customize maxPitch / minPitch in `CameraOptions`

+#### Bug fixes (3.0.0-preview.9)

+- fixed an issue where accessibility-related duplicated DOM elements may result when `map.setServiceOptions` is called

+#### Installation (3.0.0-preview.9)

+The preview is available on [npm][3.0.0-preview.9] and CDN.

+- **NPM:** Refer to the instructions at [azure-maps-control@3.0.0-preview.9][3.0.0-preview.9]

+- **CDN:** Reference the following CSS and JavaScript in the `<head>` element of an HTML file:

+ ```html

+ <link href="https://atlas.microsoft.com/sdk/javascript/mapcontrol/3.0.0-preview.9/atlas.min.css" rel="stylesheet" />

+ <script src="https://atlas.microsoft.com/sdk/javascript/mapcontrol/3.0.0-preview.9/atlas.min.js"></script>

+ ```

+

+### [2.3.1] (June 27, 2023)

+#### Bug fixes (2.3.1)

+- fix `ImageSpriteManager` icon images may get removed during style change

+#### Other changes (2.3.1)

+- security: insecure-randomness fix in UUID generation.

+[3.0.0-preview.9]: https://www.npmjs.com/package/azure-maps-control/v/3.0.0-preview.9

+[2.3.1]: https://www.npmjs.com/package/azure-maps-control/v/2.3.1

+The [Drawing manager options] can be used to test out customization of all options for the drawing manager using the `setOptions` function. For the source code for this sample, see [Drawing manager options source code].

+[Drawing manager options source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Drawing%20Tools%20Module/Drawing%20manager%20options/Drawing%20manager%20options.html

+The [OGC map layer] sample shows how to overlay an OGC map layer on the map. For the source code for this sample, see [OGC map layer source code].

+The [OGC map layer options] sample demonstrates the different OGC map layer options. For the source code for this sample, see [OGC map layer options source code].

+The [OGC Web Map Service explorer] sample overlays imagery from the Web Map Services (WMS) and Web Map Tile Services (WMTS) as layers. You may select which layers in the service are rendered on the map. You may also view the associated legends for these layers. For the source code for this sample, see [OGC Web Map Service explorer source code].

+[OGC map layer source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Spatial%20IO%20Module/OGC%20map%20layer%20example/OGC%20map%20layer%20example.html

+[OGC map layer options source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Spatial%20IO%20Module/OGC%20map%20layer%20options/OGC%20map%20layer%20options.html

+[OGC Web Map Service explorer source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Spatial%20IO%20Module/OGC%20Web%20Map%20Service%20explorer/OGC%20Web%20Map%20Service%20explorer.html

+For example when parsing XML data feeds, you may not know the exact styles and geometry types of the features. The [Simple data layer options] sample shows the power of the simple data layer by rendering the features of a KML file. It also demonstrates various options that the simple data layer class provides. For the source code for this sample, see [Simple data layer options source code].

+[Simple data layer options source code]: https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Spatial%20IO%20Module/Simple%20data%20layer%20options/Simple%20data%20layer%20options.html

+ Title: Configure Azure Monitor OpenTelemetry for .NET, Java, Node.js, and Python applications

+# Configure Azure Monitor OpenTelemetry

+Date list was last updated: 06/27/2023.

+|DeviceEventsCount |Yes |Device Events |Count |Count |Count of all the events generated by an Azure Sphere device. |DeviceId, EventCategory, EventClass, EventType |

+|DeviceRequestsCount |Yes |Device Requests |Count |Count |Count of all the requests sent by an Azure Sphere device. |DeviceId, OperationName, ResultType |

+|SuccessRate |No |AvailabilityRate |Percent |Average |Availability percentage with the following calculation: (Total Calls - Server Errors)/Total Calls. Server Errors include any HTTP responses >=500. |ApiName, OperationName, Region, RatelimitKey |

+|available_memory_bytes |Yes |Available Memory Bytes |Bytes |Average |Amount of physical memory, in bytes. |No Dimensions |

+|Innodb_data_writes |Yes |Innodb Data Writes |Count |Total |The total number of data writes. |No Dimensions |

+|Innodb_row_lock_time |Yes |Innodb Row Lock Time |Milliseconds |Average |The total time spent in acquiring row locks for InnoDB tables, in milliseconds. |No Dimensions |

+|storage_io_count |No |Storage IO Count |Count |Total |The number of storage I/O consumed. |No Dimensions |

+|storage_throttle_count |Yes |Storage Throttle Count (deprecated) |Count |Maximum |Storage IO requests throttled in the selected time range. Deprecated, please check Storage IO Percent for throttling. |No Dimensions |

+|Threads_running |Yes |Threads Running |Count |Total |The number of threads that are not sleeping. |No Dimensions |

+|MalformedRecords |No |Malformed Records |Count |Total |The number of records unable to be processed by the pipeline. |No Dimensions |

+## Microsoft.NetworkCloud/bareMetalMachines

+<!-- Data source : naam-->

+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|

+||||||||

+|HostBootTimeSeconds |No |Host Boot Seconds |Seconds |Average |Unix time of last boot |Host |

+|HostDiskReadCompleted |No |Host Disk Reads Completed |Count |Average |Disk reads completed by node |Device, Host |

+|HostDiskReadSeconds |No |Host Disk Read Seconds |Seconds |Average |Disk read time by node |Device, Host |

+|HostDiskWriteCompleted |No |Total Number of Writes Completed |Count |Average |Disk writes completed by node |Device, Host |

+|HostDiskWriteSeconds |No |Host Disk Write In Seconds |Seconds |Average |Disk write time by node |Device, Host |

+|HostDmiInfo |No |Host DMI Info |Unspecified |Count |Host Desktop Management Interface (DMI) environment information |BiosDate, BiosRelease, BiosVendor, BiosVersion, BoardAssetTag, BoardName, BoardVendor, BoardVersion, ChassisAssetTag, ChassisVendor, ChassisVersion, Host, ProductFamily, ProductName, ProductSku, ProductUuid, ProductVersion, SystemVendor |

+|HostEntropyAvailableBits |No |Host Entropy Available Bits (Preview) |Count |Average |Available bits in node entropy |Host |

+|HostFilesystemAvailBytes |No |Host Filesystem Available Bytes |Count |Average |Available filesystem size by node |Device, FSType, Host, Mountpoint |

+|HostFilesystemDeviceError |No |Host Filesystem Device Errors |Count |Average |Indicates if there was a problem getting information for the filesystem |Device, FSType, Host, Mountpoint |

+|HostFilesystemFiles |No |Host Filesystem Files |Count |Average |Total number of permitted inodes |Device, FSType, Host, Mountpoint |

+|HostFilesystemFilesFree |No |Total Number of Free inodes |Count |Average |Total number of free inodes |Device, FSType, Host, Mountpoint |

+|HostFilesystemReadOnly |No |Host Filesystem Read Only |Unspecified |Count |Indicates if the filesystem is readonly |Device, FSType, Host, Mountpoint |

+|HostFilesystemSizeBytes |No |Host Filesystem Size In Bytes |Count |Average |Filesystem size by node |Device, FSType, Host, Mountpoint |

+|HostHwmonTempCelsius |No |Host Hardware Monitor Temp |Count |Average |Hardware monitor for temperature (celsius) |Chip, Host, Sensor |

+|HostHwmonTempMax |No |Host Hardware Monitor Temp Max |Count |Average |Hardware monitor for maximum temperature (celsius) |Chip, Host, Sensor |

+|HostLoad1 |No |Average Load In 1 Minute |Count |Average |1 minute load average |Host |

+|HostLoad15 |No |Average Load In 15 Minutes |Count |Average |15 minute load average |Host |

+|HostLoad5 |No |Average load in 5 minutes |Count |Average |5 minute load average |Host |

+|HostMemAvailBytes |No |Host Memory Available Bytes |Count |Average |Available memory in bytes by node |Host |

+|HostMemHWCorruptedBytes |No |Total Amount of Memory In Corrupted Pages |Count |Average |Corrupted bytes in hardware by node |Host |

+|HostMemTotalBytes |No |Host Memory Total Bytes |Bytes |Average |Total bytes of memory by node |Host |

+|HostSpecificCPUUtilization |No |Host Specific CPU Utilization |Seconds |Average |A counter metric that counts the number of seconds the CPU has been running in a particular mode |Cpu, Host, Mode |

+|IdracPowerCapacityWatts |No |IDRAC Power Capacity Watts |Unspecified |Average |Power Capacity |Host, PSU |

+|IdracPowerInputWatts |No |IDRAC Power Input Watts |Unspecified |Average |Power Input |Host, PSU |

+|IdracPowerOn |No |IDRAC Power On |Unspecified |Count |IDRAC Power On Status |Host |

+|IdracPowerOutputWatts |No |IDRAC Power Output Watts |Unspecified |Average |Power Output |Host, PSU |

+|IdracSensorsTemperature |No |IDRAC Sensors Temperature |Unspecified |Average |IDRAC sensor temperature |Host, Name, Units |

+|NcNodeNetworkReceiveErrsTotal |No |Network Device Receive Errors |Count |Average |Total network device errors received |Hostname, Interface Name |

+|NcNodeNetworkTransmitErrsTotal |No |Network Device Transmit Errors |Count |Average |Total network device errors transmitted |Hostname, Interface Name |

+|NcTotalCpusPerNuma |No |Total CPUs Available to Nexus per NUMA |Count |Average |Total number of CPUs available to Nexus per NUMA |Hostname, NUMA Node |

+|NcTotalWorkloadCpusAllocatedPerNuma |No |CPUs per NUMA Allocated for Nexus Kubernetes |Count |Average |Total number of CPUs per NUMA allocated for Nexus Kubernetes and Tenant Workloads |Hostname, NUMA Node |

+|NcTotalWorkloadCpusAvailablePerNuma |No |CPUs per NUMA Available for Nexus Kubernetes |Count |Average |Total number of CPUs per NUMA available to Nexus Kubernetes and Tenant Workloads |Hostname, NUMA Node |

+|NodeBondingActive |No |Node Bonding Active |Count |Average |Number of active interfaces per bonding interface |Master |

+|NodeMemHugePagesFree |No |Node Memory Huge Pages Free |Bytes |Average |NUMA hugepages free by node |Host, Node |

+|NodeMemHugePagesTotal |No |Node Memory Huge Pages Total |Bytes |Average |NUMA huge pages total by node |Host, Node |

+|NodeMemNumaFree |No |Node Memory NUMA (Free Memory) |Bytes |Average |NUMA memory free |Name, Host |

+|NodeMemNumaShem |No |Node Memory NUMA (Shared Memory) |Bytes |Average |NUMA shared memory |Host, Node |

+|NodeMemNumaUsed |No |Node Memory NUMA (Used Memory) |Bytes |Average |NUMA memory used |Host, Node |

+|NodeNetworkCarrierChanges |No |Node Network Carrier Changes |Count |Average |Node network carrier changes |Device, Host |

+|NodeNetworkMtuBytes |No |Node Network Maximum Transmission Unit Bytes |Bytes |Average |Node network Maximum Transmission Unit (mtu_bytes) value of /sys/class/net/<iface> |Device, Host |

+|NodeNetworkReceiveMulticastTotal |No |Node Network Received Multicast Total |Bytes |Average |Network device statistic receive_multicast |Device, Host |

+|NodeNetworkReceivePackets |No |Node Network Received Packets |Count |Average |Network device statistic receive_packets |Device, Host |

+|NodeNetworkSpeedBytes |No |Node Network Speed Bytes |Bytes |Average |speed_bytes value of /sys/class/net/<iface> |Device, Host |

+|NodeNetworkTransmitPackets |No |Node Network Transmited Packets |Count |Average |Network device statistic transmit_packets |Device, Host |

+|NodeNetworkUp |No |Node Network Up |Count |Count |Value is 1 if operstate is 'up', 0 otherwise. |Device, Host |

+|NodeNvmeInfo |No |Node NVMe Info |Count |Count |Non-numeric data from /sys/class/nvme/<device>, value is always 1. Provides firmware, model, state and serial for a device |Device, State |

+|NodeOsInfo |No |Node OS Info |Count |Count |Node OS information |Host, Name, Version |

+|NodeTimexMaxErrorSeconds |No |Node Timex Max Error Seconds |Seconds |Average |Maximum time error between the local system and reference clock |Host |

+|NodeTimexOffsetSeconds |No |Node Timex Offset Seconds |Seconds |Average |Time offset in between the local system and reference clock |Host |

+|NodeTimexSyncStatus |No |Node Timex Sync Status |Count |Average |Is clock synchronized to a reliable server (1 = yes, 0 = no) |Host |

+|NodeVmOomKill |No |Node VM Out Of Memory Kill |Count |Average |Information in /proc/vmstat pertaining to the field oom_kill |Host |

+|NodeVmstatPswpIn |No |Node VM PSWP In |Count |Average |Information in /proc/vmstat pertaining to the field pswpin |Host |

+|NodeVmstatPswpout |No |Node VM PSWP Out |Count |Average |Information in /proc/vmstat pertaining to the field pswpout |Host |

+## Microsoft.NetworkCloud/clusters

+<!-- Data source : naam-->

+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|

+||||||||

+|ApiserverAuditRequestsRejectedTotal |No |API Server Audit Requests Rejected Total |Count |Average |Counter of API server requests rejected due to an error in the audit logging backend |Component, Pod Name |

+|ApiserverClientCertificateExpirationSecondsSum |No |API Server Client Certificate Expiration Seconds Sum |Seconds |Average |Sum of API server client certificate expiration (seconds) |Component, Pod Name |

+|ApiserverStorageDataKeyGenerationFailuresTotal |No |API Server Storage Data Key Generation Failures Total |Count |Average |Total number of operations that failed Data Encryption Key (DEK) generation |Component, Pod Name |

+|ApiserverTlsHandshakeErrorsTotal |No |API Server TLS Handshake Errors Total |Count |Average |Number of requests dropped with 'TLS handshake' error |Component, Pod Name |

+|ContainerFsIoTimeSecondsTotal |No |Container FS I/O Time Seconds Total |Seconds |Average |Time taken for container Input/Output (I/O) operations |Device, Host |

+|ContainerMemoryFailcnt |No |Container Memory Fail Count |Count |Average |Number of times a container's memory usage limit is hit |Container, Host, Namespace, Pod |

+|ContainerMemoryUsageBytes |No |Container Memory Usage Bytes |Bytes |Average |Current memory usage, including all memory regardless of when it was accessed |Container, Host, Namespace, Pod |

+|ContainerNetworkReceiveErrorsTotal |No |Container Network Receive Errors Total |Count |Average |Number of errors encountered while receiving bytes over the network |Interface, Namespace, Pod |

+|ContainerNetworkTransmitErrorsTotal |No |Container Network Transmit Errors Total |Count |Average |Count of errors that happened while transmitting |Interface, Namespace, Pod |

+|ContainerScrapeError |No |Container Scrape Error |Unspecified |Average |Indicates whether there was an error while getting container metrics |Host |

+|ContainerTasksState |No |Container Tasks State |Count |Average |Number of tasks or processes in a given state (sleeping, running, stopped, uninterruptible, or waiting) in a container |Container, Host, Namespace, Pod, State |

+|ControllerRuntimeReconcileErrorsTotal |No |Controller Reconcile Errors Total |Count |Average |Total number of reconciliation errors per controller |Controller, Namespace, Pod Name |

+|ControllerRuntimeReconcileTotal |No |Controller Reconciliations Total |Count |Average |Total number of reconciliations per controller |Controller, Namespace, Pod Name |

+|CorednsDnsRequestsTotal |No |CoreDNS Requests Total |Count |Average |Total number of DNS requests |Family, Pod Name, Proto, Server, Type |

+|CorednsDnsResponsesTotal |No |CoreDNS Responses Total |Count |Average |Total number of DNS responses |Pod Name, Server, Rcode |

+|CorednsForwardHealthcheckBrokenTotal |No |CoreDNS Forward Healthcheck Broken Total |Count |Average |Total number of times all upstreams are unhealthy |Pod Name, Namespace |

+|CorednsForwardMaxConcurrentRejectsTotal |No |CoreDNS Forward Max Concurrent Rejects Total |Count |Average |Total number of rejected queries because concurrent queries were at the maximum limit |Pod Name, Namespace |

+|CorednsHealthRequestFailuresTotal |No |CoreDNS Health Request Failures Total |Count |Average |The number of times the self health check failed |Pod Name |

+|CorednsPanicsTotal |No |CoreDNS Panics Total |Count |Average |Total number of panics |Pod Name |

+|CorednsReloadFailedTotal |No |CoreDNS Reload Failed Total |Count |Average |Total number of failed reload attempts |Pod Name, Namespace |

+|EtcdDiskBackendCommitDurationSecondsSum |No |Etcd Disk Backend Commit Duration Seconds Sum |Seconds |Total |The latency distribution of commits called by the backend |Component, Pod Name, Tier |

+|EtcdDiskWalFsyncDurationSecondsSum |No |Etcd Disk WAL Fsync Duration Seconds Sum |Seconds |Total |The sum of latency distributions of 'fsync' called by the write-ahead log (WAL) |Component, Pod Name, Tier |

+|EtcdServerHealthFailures |No |Etcd Server Health Failures |Count |Average |Total server health failures |Pod Name |

+|EtcdServerIsLeader |No |Etcd Server Is Leader |Unspecified |Count |Whether or not this member is a leader; 1 if is, 0 otherwise |Component, Pod Name, Tier |

+|EtcdServerIsLearner |No |Etcd Server Is Learner |Unspecified |Count |Whether or not this member is a learner; 1 if is, 0 otherwise |Component, Pod Name, Tier |

+|EtcdServerLeaderChangesSeenTotal |No |Etcd Server Leader Changes Seen Total |Count |Average |The number of leader changes seen |Component, Pod Name, Tier |

+|EtcdServerProposalsAppliedTotal |No |Etcd Server Proposals Applied Total |Count |Average |The total number of consensus proposals applied |Component, Pod Name, Tier |

+|EtcdServerProposalsCommittedTotal |No |Etcd Server Proposals Committed Total |Count |Average |The total number of consensus proposals committed |Component, Pod Name, Tier |

+|EtcdServerProposalsFailedTotal |No |Etcd Server Proposals Failed Total |Count |Average |The total number of failed proposals |Component, Pod Name, Tier |

+|EtcdServerSlowApplyTotal |No |Etcd Server Slow Apply Total |Count |Average |The total number of slow apply requests |Pod Name, Tier |

+|FelixActiveLocalEndpoints |No |Felix Active Local Endpoints |Count |Average |Number of active endpoints on this host |Host |

+|FelixClusterNumHostEndpoints |No |Felix Cluster Num Host Endpoints |Count |Average |Total number of host endpoints cluster-wide |Host |

+|FelixClusterNumHosts |No |Felix Cluster Number of Hosts |Count |Average |Total number of Calico hosts in the cluster |Host |

+|FelixClusterNumWorkloadEndpoints |No |Felix Cluster Number of Workload Endpoints |Count |Average |Total number of workload endpoints cluster-wide |Host |

+|FelixIntDataplaneFailures |No |Felix Interface Dataplane Failures |Count |Average |Number of times dataplane updates failed and will be retried |Host |

+|FelixIpsetErrors |No |Felix Ipset Errors |Count |Average |Number of 'ipset' command failures |Host |

+|FelixIpsetsCalico |No |Felix Ipsets Calico |Count |Average |Number of active Calico IP sets |Host |

+|FelixIptablesRestoreErrors |No |Felix IP Tables Restore Errors |Count |Average |Number of 'iptables-restore' errors |Host |

+|FelixIptablesSaveErrors |No |Felix IP Tables Save Errors |Count |Average |Number of 'iptables-save' errors |Host |

+|FelixResyncsStarted |No |Felix Resyncs Started |Count |Average |Number of times Felix has started resyncing with the datastore |Host |

+|FelixResyncState |No |Felix Resync State |Unspecified |Average |Current datastore state |Host |

+|KubeDaemonsetStatusCurrentNumberScheduled |No |Daemonsets Current Number Scheduled |Count |Average |Number of daemonsets currently scheduled |Daemonset, Namespace |

+|KubeDaemonsetStatusDesiredNumberScheduled |No |Daemonsets Desired Number Scheduled |Count |Average |Number of daemonsets desired scheduled |Daemonset, Namespace |

+|KubeDeploymentStatusReplicasAvailable |No |Deployment Replicas Available |Count |Average |Number of deployment replicas available |Deployment, Namespace |

+|KubeDeploymentStatusReplicasReady |No |Deployment Replicas Ready |Count |Average |Number of deployment replicas ready |Deployment, Namespace |

+|KubeJobStatusActive |No |Jobs Active |Count |Average |Number of jobs active |Job, Namespace |

+|KubeJobStatusFailed |No |Jobs Failed |Count |Average |Number and reason of jobs failed |Job, Namespace, Reason |

+|KubeJobStatusSucceeded |No |Jobs Succeeded |Count |Average |Number of jobs succeeded |Job, Namespace |

+|KubeletRunningContainers |No |Kubelet Running Containers |Count |Average |Number of containers currently running |Container State, Host |

+|KubeletRunningPods |No |Kubelet Running Pods |Count |Average |Number of pods running on the node |Host |

+|KubeletRuntimeOperationsErrorsTotal |No |Kubelet Runtime Operations Errors Total |Count |Average |Cumulative number of runtime operation errors by operation type |Host, Operation Type |

+|KubeletStartedPodsErrorsTotal |No |Kubelet Started Pods Errors Total |Count |Average |Cumulative number of errors when starting pods |Host |

+|KubeletVolumeStatsAvailableBytes |No |Volume Available Bytes |Bytes |Average |Number of available bytes in the volume |Host, Namespace, Persistent Volume Claim |

+|KubeletVolumeStatsCapacityBytes |No |Volume Capacity Bytes |Bytes |Average |Capacity (in bytes) of the volume |Host, Namespace, Persistent Volume Claim |

+|KubeletVolumeStatsUsedBytes |No |Volume Used Bytes |Bytes |Average |Number of used bytes in the volume |Host, Namespace, Persistent Volume Claim |

+|KubeNodeStatusAllocatable |No |Node Resources Allocatable |Count |Average |Node resources allocatable for pods |Node, Resource, Unit |

+|KubeNodeStatusCapacity |No |Node Resources Capacity |Count |Average |Total amount of node resources available |Node, Resource, Unit |

+|KubeNodeStatusCondition |No |Node Status Condition |Count |Average |The condition of a node |Condition, Node, Status |

+|KubePodContainerResourceLimits |No |Container Resources Limits |Count |Average |The container's resources limits |Container, Namespace, Node, Pod, Resource, Unit |

+|KubePodContainerResourceRequests |No |Container Resources Requests |Count |Average |The container's resources requested |Container, Namespace, Node, Pod, Resource, Unit |

+|KubePodContainerStateStarted |No |Container State Started |Count |Average |Unix timestamp start time of a container |Container, Namespace, Pod |

+|KubePodContainerStatusLastTerminatedReason |No |Container Status Last Terminated Reason |Count |Average |The reason of a container's last terminated status |Container, Namespace, Pod, Reason |

+|KubePodContainerStatusReady |No |Container Status Ready |Count |Average |Describes whether the container's readiness check succeeded |Container, Namespace, Pod |

+|KubePodContainerStatusRestartsTotal |No |Container Restarts |Count |Average |The number of container restarts |Container, Namespace, Pod |

+|KubePodContainerStatusRunning |No |Container Status Running |Count |Average |The number of containers with a status of 'running' |Container, Namespace, Pod |

+|KubePodContainerStatusTerminated |No |Container Status Terminated |Count |Average |The number of containers with a status of 'terminated' |Container, Namespace, Pod |

+|KubePodContainerStatusTerminatedReason |No |Container Status Terminated Reason |Count |Average |The number and reason of containers with a status of 'terminated' |Container, Namespace, Pod, Reason |

+|KubePodContainerStatusWaiting |No |Container Status Waiting |Count |Average |The number of containers with a status of 'waiting' |Container, Namespace, Pod |

+|KubePodContainerStatusWaitingReason |No |Container Status Waiting Reason |Count |Average |The number and reason of containers with a status of 'waiting' |Container, Namespace, Pod, Reason |

+|KubePodDeletionTimestamp |No |Pod Deletion Timestamp |Count |Average |The timestamp of the pod's deletion |Namespace, Pod |

+|KubePodInitContainerStatusReady |No |Pod Init Container Ready |Count |Average |The number of ready pod init containers |Namespace, Container, Pod |

+|KubePodInitContainerStatusRestartsTotal |No |Pod Init Container Restarts |Count |Average |The number of pod init containers restarts |Namespace, Container, Pod |

+|KubePodInitContainerStatusRunning |No |Pod Init Container Running |Count |Average |The number of running pod init containers |Namespace, Container, Pod |

+|KubePodInitContainerStatusTerminated |No |Pod Init Container Terminated |Count |Average |The number of terminated pod init containers |Namespace, Container, Pod |

+|KubePodInitContainerStatusTerminatedReason |No |Pod Init Container Terminated Reason |Count |Average |The number of pod init containers with terminated reason |Namespace, Container, Pod, Reason |

+|KubePodInitContainerStatusWaiting |No |Pod Init Container Waiting |Count |Average |The number of pod init containers waiting |Namespace, Container, Pod |

+|KubePodInitContainerStatusWaitingReason |No |Pod Init Container Waiting Reason |Count |Average |The reason the pod init container is waiting |Namespace, Container, Pod, Reason |

+|KubePodStatusPhase |No |Pod Status Phase |Count |Average |The pod status phase |Namespace, Pod, Phase |

+|KubePodStatusReady |No |Pod Ready State |Count |Average |Signifies if the pod is in ready state |Namespace, Pod |

+|KubePodStatusReason |No |Pod Status Reason |Count |Average |NodeAffinity |Namespace, Pod, Reason |

+|KubeStatefulsetReplicas |No |Statefulset Desired Replicas Number |Count |Average |The desired number of statefulset replicas |Namespace, Statefulset |

+|KubeStatefulsetStatusReplicas |No |Statefulset Replicas Number |Count |Average |The number of replicas per statefulset |Namespace, Statefulset |

+|KubevirtInfo |No |Kubevirt Info |Unspecified |Average |Kubevirt version information |Kube Version |

+|KubevirtVirtControllerLeading |No |Kubevirt Virt Controller Leading |Unspecified |Average |Indication for an operating virt-controller |Pod Name |

+|KubevirtVirtControllerReady |No |Kubevirt Virt Controller Ready |Unspecified |Average |Indication for a virt-controller that is ready to take the lead |Pod Name |

+|KubevirtVirtOperatorReady |No |Kubevirt Virt Operator Ready |Unspecified |Average |Indication for a virt operator being ready |Pod Name |

+|KubevirtVmiMemoryActualBalloonBytes |No |Kubevirt VMI Memory Actual BalloonBytes |Bytes |Average |Current balloon size (in bytes) |Name, Node |

+|KubevirtVmiMemoryAvailableBytes |No |Kubevirt VMI Memory Available Bytes |Bytes |Average |Amount of usable memory as seen by the domain. This value may not be accurate if a balloon driver is in use or if the guest OS does not initialize all assigned pages |Name, Node |

+|KubevirtVmiMemoryDomainBytesTotal |No |Kubevirt VMI Memory Domain Bytes Total |Bytes |Average |The amount of memory (in bytes) allocated to the domain. The memory value in domain XML file |Node |

+|KubevirtVmiMemorySwapInTrafficBytesTotal |No |Kubevirt VMI Memory Swap In Traffic Bytes Total |Bytes |Average |The total amount of data read from swap space of the guest (in bytes) |Name, Node |

+|KubevirtVmiMemorySwapOutTrafficBytesTotal |No |Kubevirt VMI Memory Swap Out Traffic Bytes Total |Bytes |Average |The total amount of memory written out to swap space of the guest (in bytes) |Name, Node |

+|KubevirtVmiMemoryUnusedBytes |No |Kubevirt VMI Memory Unused Bytes |Bytes |Average |The amount of memory left completely unused by the system. Memory that is available but used for reclaimable caches should NOT be reported as free |Name, Node |

+|KubevirtVmiNetworkReceivePacketsTotal |No |Kubevirt VMI Network Receive Packets Total |Bytes |Average |Total network traffic received packets |Interface, Name, Node |

+|KubevirtVmiNetworkTransmitPacketsDroppedTotal |No |Kubevirt VMI Network Transmit Packets Dropped Total |Bytes |Average |The total number of transmit packets dropped on virtual NIC (vNIC) interfaces |Interface, Name, Node |

+|KubevirtVmiNetworkTransmitPacketsTotal |No |Kubevirt VMI Network Transmit Packets Total |Bytes |Average |Total network traffic transmitted packets |Interface, Name, Node |

+|KubevirtVmiOutdatedCount |No |Kubevirt VMI Outdated Count |Count |Average |Indication for the total number of VirtualMachineInstance (VMI) workloads that are not running within the most up-to-date version of the virt-launcher environment |Name |

+|KubevirtVmiPhaseCount |No |Kubevirt VMI Phase Count |Count |Average |Sum of VirtualMachineInstances (VMIs) per phase and node |Node, Phase, Workload |

+|KubevirtVmiStorageIopsReadTotal |No |Kubevirt VMI Storage IOPS Read Total |Count |Average |Total number of Input/Output (I/O) read operations |Drive, Name, Node |

+|KubevirtVmiStorageIopsWriteTotal |No |Kubevirt VMI Storage IOPS Write Total |Count |Average |Total number of Input/Output (I/O) write operations |Drive, Name, Node |

+|KubevirtVmiStorageReadTimesMsTotal |No |Kubevirt VMI Storage Read Times Total |Milliseconds |Average |Total time in milliseconds (ms) spent on read operations |Drive, Name, Node |

+|KubevirtVmiStorageWriteTimesMsTotal |No |Kubevirt VMI Storage Write Times Total |Milliseconds |Average |Total time in milliseconds (ms) spent on write operations |Drive, Name, Node |

+|NcVmiCpuAffinity |No |CPU Pinning Map |Count |Average |Pinning map of virtual CPUs (vCPUs) to CPUs |CPU, NUMA Node, VMI Namespace, VMI Node, VMI Name |

+|TyphaConnectionsAccepted |No |Typha Connections Accepted |Count |Average |Total number of connections accepted over time |Pod Name |

+|TyphaConnectionsDropped |No |Typha Connections Dropped |Count |Average |Total number of connections dropped due to rebalancing |Pod Name |

+|TyphaPingLatencyCount |No |Typha Ping Latency |Count |Average |Round-trip ping/pong latency to client. Typha's protocol includes a regular ping/pong keepalive to verify that the connection is still up |Pod Name |

+## Microsoft.NetworkCloud/storageAppliances

+<!-- Data source : naam-->

+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|

+||||||||

+|PurefaAlertsTotal |No |Nexus Storage Alerts Total |Count |Average |Number of alert events |Severity |

+|PurefaArrayPerformanceAvgBlockBytes |No |Nexus Storage Array Avg Block Bytes |Bytes |Average |Average block size |Dimension |

+|PurefaArrayPerformanceBandwidthBytes |No |Nexus Storage Array Bandwidth Bytes |Bytes |Average |Array throughput in bytes per second |Dimension |

+|PurefaArrayPerformanceIOPS |No |Nexus Storage Array IOPS |Count |Average |Storage array IOPS |Dimension |

+|PurefaArrayPerformanceLatencyUsec |No |Nexus Storage Array Latency (Microseconds) |MilliSeconds |Average |Storage array latency in microseconds |Dimension |

+|PurefaArrayPerformanceQdepth |No |Nexus Storage Array Queue Depth |Bytes |Average |Storage array queue depth |No Dimensions |

+|PurefaArraySpaceCapacityBytes |No |Nexus Storage Array Capacity Bytes |Bytes |Average |Storage array overall space capacity |No Dimensions |

+|PurefaArraySpaceDatareductionRatio |No |Nexus Storage Array Space Datareduction Ratio |Percent |Average |Storage array overall data reduction |No Dimensions |

+|PurefaArraySpaceProvisionedBytes |No |Nexus Storage Array Space Provisioned Bytes |Bytes |Average |Storage array overall provisioned space |No Dimensions |

+|PurefaArraySpaceUsedBytes |No |Nexus Storage Array Space Used Bytes |Bytes |Average |Storage Array overall used space |Dimension |

+|PurefaHardwareComponentHealth |No |Nexus Storage Hardware Component Health |Count |Average |Storage array hardware component health status |Component, Controller, Index |

+|PurefaHardwarePowerVolts |No |Nexus Storage Hardware Power Volts |Unspecified |Average |Storage array hardware power supply voltage |Power Supply |

+|PurefaHardwareTemperatureCelsius |No |Nexus Storage Hardware Temperature Celsius |Unspecified |Average |Storage array hardware temperature sensors |Controller, Sensor |

+|PurefaHostPerformanceBandwidthBytes |No |Nexus Storage Host Bandwidth Bytes |Bytes |Average |Storage array host bandwidth in bytes per second |Dimension, Host |

+|PurefaHostPerformanceIOPS |No |Nexus Storage Host IOPS |Count |Average |Storage array host IOPS |Dimension, Host |

+|PurefaHostPerformanceLatencyUsec |No |Nexus Storage Host Latency (Microseconds) |MilliSeconds |Average |Storage array host latency in microseconds |Dimension, Host |

+|PurefaHostSpaceBytes |No |Nexus Storage Host Space Bytes |Bytes |Average |Storage array host space in bytes |Dimension, Host |

+|PurefaHostSpaceDatareductionRatio |No |Nexus Storage Host Space Datareduction Ratio |Percent |Average |Storage array host volumes data reduction ratio |Host |

+|PurefaHostSpaceSizeBytes |No |Nexus Storage Host Space Size Bytes |Bytes |Average |Storage array host volumes size |Host |

+|PurefaInfo |No |Nexus Storage Info |Unspecified |Average |Storage array system information |Array Name |

+|PurefaVolumePerformanceIOPS |No |Nexus Storage Volume Performance IOPS |Count |Average |Storage array volume IOPS |Dimension, Volume |

+|PurefaVolumePerformanceLatencyUsec |No |Nexus Storage Volume Performance Latency (Microseconds) |MilliSeconds |Average |Storage array volume latency in microseconds |Dimension, Volume |

+|PurefaVolumePerformanceThroughputBytes |No |Nexus Storage Volume Performance Throughput Bytes |Bytes |Average |Storage array volume throughput |Dimension, Volume |

+|PurefaVolumeSpaceBytes |No |Nexus Storage Volume Space Bytes |Bytes |Average |Storage array volume space in bytes |Dimension, Volume |

+|PurefaVolumeSpaceDatareductionRatio |No |Nexus Storage Volume Space Datareduction Ratio |Percent |Average |Storage array overall data reduction |Volume |

+|PurefaVolumeSpaceSizeBytes |No |Nexus Storage Volume Space Size Bytes |Bytes |Average |Storage array volumes size |Volume |

+## Microsoft.SecurityDetonation/SecurityDetonationChambers

+<!-- Data source : arm-->

+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|

+||||||||

+|% Processor Time |Yes |% CPU |Percent |Average |Percent CPU utilization |No Dimensions |

+## Microsoft.ServiceNetworking/trafficControllers

+<!-- Data source : naam-->

+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|

+||||||||

+|BackendConnectionTimeouts |Yes |Backend Connection Timeouts |Count |Total |Count of requests that timed out waiting for a response from the backend target (includes all retry requests initiated from Traffic Controller to the backend target) |Microsoft.regionName, BackendService |

+|BackendHealthyTargets |Yes |Backend Healthy Targets |Count |Average |Count of healthy backend targets |Microsoft.regionName, BackendService |

+|BackendHTTPResponseStatus |Yes |Backend HTTP Response Status |Count |Total |HTTP response status returned by the backend target to Traffic Controller |Microsoft.regionName, BackendService, HttpResponseCode |

+|ClientConnectionIdleTimeouts |Yes |Total Connection Idle Timeouts |Count |Total |Count of connections closed, between client and Traffic Controller frontend, due to exceeding idle timeout |Microsoft.regionName, Frontend |

+|ConnectionTimeouts |Yes |Connection Timeouts |Count |Total |Count of connections closed due to timeout between clients and Traffic Controller |Microsoft.regionName, Frontend |

+|HTTPResponseStatus |Yes |HTTP Response Status |Count |Total |HTTP response status returned by Traffic Controller |Microsoft.regionName, Frontend, HttpResponseCode |

+|TotalRequests |Yes |Total Requests |Count |Total |Count of requests Traffic Controller has served |Microsoft.regionName, Frontend |

+|free_amount_consumed |Yes |Free amount consumed |Count |Maximum |Free amount of vCore seconds consumed this month. Applies only to free database offer. |No Dimensions |

+|free_amount_remaining |Yes |Free amount remaining |Count |Minimum |Free amount of vCore seconds remaining this month. Applies only to free database offer. |No Dimensions |

+## Microsoft.Sql/servers/jobAgents

+<!-- Data source : naam-->

+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|

+||||||||

+|elastic_jobs_failed |Yes |Elastic Jobs Executions Failed |Count |Total |Number of job executions that failed while trying to execute on target |No Dimensions |

+|elastic_jobs_successful |Yes |Elastic Jobs Executions Successful |Count |Total |Number of job executions that were able to successfully execute on target |No Dimensions |

+|elastic_jobs_timeout |Yes |Elastic Jobs Executions Timed Out |Count |Total |Number of job executions that expired before execution was able to finish on target. |No Dimensions |

+|StorageTargetAccessErrors |Yes |Storage Target Access Errors Received |Count |Total |The rate of access error responses received by the cache from a specific StorageTarget. For more details, see https://www.rfc-editor.org/rfc/rfc1813#section-2.6 (NFS3ERR_ACCES). |StorageTarget |

+|StorageTargetFileTooLargeErrors |Yes |Storage Target File Too Large Errors Received |Count |Total |The rate of file too large error responses received by the cache from a specific StorageTarget. For more details, see https://www.rfc-editor.org/rfc/rfc1813#section-2.6 (NFS3ERR_FBIG). |StorageTarget |

+|StorageTargetFlushFailureErrors |Yes |Storage Target Total Flush Failures |Count |Total |The rate of file flush request failures reported by the writeback state machine for a specific StorageTarget. |StorageTarget |

+|StorageTargetNoSpaceErrors |Yes |Storage Target No Space Errors Received |Count |Total |The rate of no space available error responses received by the cache from a specific StorageTarget. For more details, see https://www.rfc-editor.org/rfc/rfc1813#section-2.6 (NFS3ERR_NOSPC). |StorageTarget |

+|StorageTargetPermissionErrors |Yes |Storage Target Permission Errors Received |Count |Total |The rate of permission error responses received by the cache from a specific StorageTarget. For more details, see https://www.rfc-editor.org/rfc/rfc1813#section-2.6 (NFS3ERR_PERM). |StorageTarget |

+|StorageTargetQuotaLimitErrors |Yes |Storage Target Quota Limit Errors Received |Count |Total |The rate of quota limit error responses received by the cache from a specific StorageTarget. For more details, see https://www.rfc-editor.org/rfc/rfc1813#section-2.6 (NFS3ERR_DQUOT). |StorageTarget |

+|StorageTargetReadOnlyErrors |Yes |Storage Target Read-Only Filesystem Errors Received |Count |Total |The rate of read-only filesystem error responses received by the cache from a specific StorageTarget. For more details, see https://www.rfc-editor.org/rfc/rfc1813#section-2.6 (NFS3ERR_ROFS). |StorageTarget |

+|StorageTargetRequestTooSmallErrors |Yes |Storage Target Request Too Small Errors Received |Count |Total |The rate of request too small error responses received by the cache from a specific StorageTarget. For more details, see https://www.rfc-editor.org/rfc/rfc1813#section-2.6 (NFS3ERR_TOOSMALL). |StorageTarget |

+|StorageTargetRetryableFlushErrors |Yes |Storage Target Retryable Flush Request Errors |Count |Total |The rate of retryable file flush errors reported by the writeback state machine for a specific StorageTarget. |StorageTarget |

+|StorageTargetTotalCacheOps |Yes |Storage Target Total Cache Ops |Count |Total |The rate of operations the cache is servicing for the namespace represented by a specific StorageTarget. |StorageTarget |

+|StorageTargetUnrecoverableFlushErrors |Yes |Storage Target Uncoverable Flush Request Errors |Count |Total |The rate of unrecoverable file flush errors reported by the writeback state machine for a specific StorageTarget. |StorageTarget |

+|StorageTargetUpdateFoundAsyncCacheOps |Yes |Storage Target Update Found Asynchronous Verification Cache Ops |Count |Total |The rate of file updates discovered by asynchronous verification operations sent by the cache to a specific StorageTarget. |StorageTarget |

+|StorageTargetUpdateFoundSyncCacheOps |Yes |Storage Target Update Found Synchronous Verification Cache Ops |Count |Total |The rate of file updates discovered by synchronous verification operations sent by the cache to a specific StorageTarget. |StorageTarget |

+|StorageTargetVerificationAsyncCacheOps |Yes |Storage Target Asynchronous Verification Cache Ops |Count |Total |The rate of asynchronous verification operations sent by the cache to a specific StorageTarget. |StorageTarget |

+|StorageTargetVerificationSyncCacheOps |Yes |Storage Target Synchronous Verification Cache Ops |Count |Total |The rate of synchronous verification operations sent by the cache to a specific StorageTarget. |StorageTarget |

+## Microsoft.Synapse/workspaces/kustoPools

+<!-- Data source : naam-->

+|Metric|Exportable via Diagnostic Settings?|Metric Display Name|Unit|Aggregation Type|Description|Dimensions|

+||||||||

+|BatchBlobCount |Yes |Batch Blob Count |Count |Average |Number of data sources in an aggregated batch for ingestion. |Database |

+|BatchDuration |Yes |Batch Duration |Seconds |Average |The duration of the aggregation phase in the ingestion flow. |Database |

+|BatchesProcessed |Yes |Batches Processed |Count |Total |Number of batches aggregated for ingestion. Batching Type: whether the batch reached batching time, data size or number of files limit set by batching policy |Database, SealReason |

+|BatchSize |Yes |Batch Size |Bytes |Average |Uncompressed expected data size in an aggregated batch for ingestion. |Database |

+|BlobsDropped |Yes |Blobs Dropped |Count |Total |Number of blobs permanently rejected by a component. |Database, ComponentType, ComponentName |

+|BlobsProcessed |Yes |Blobs Processed |Count |Total |Number of blobs processed by a component. |Database, ComponentType, ComponentName |

+|BlobsReceived |Yes |Blobs Received |Count |Total |Number of blobs received from input stream by a component. |Database, ComponentType, ComponentName |

+|CacheUtilization |Yes |Cache utilization (deprecated) |Percent |Average |Utilization level in the cluster scope. The metric is deprecated and presented for backward compatibility only, you should use the 'Cache utilization factor' metric instead. |No Dimensions |

+|CacheUtilizationFactor |Yes |Cache utilization factor |Percent |Average |Percentage of utilized disk space dedicated for hot cache in the cluster. 100% means that the disk space assigned to hot data is optimally utilized. No action is needed in terms of the cache size. More than 100% means that the cluster's disk space is not large enough to accommodate the hot data, as defined by your caching policies. To ensure that sufficient space is available for all the hot data, the amount of hot data needs to be reduced or the cluster needs to be scaled out. Enabling auto scale is recommended. |No Dimensions |

+|ContinuousExportMaxLatenessMinutes |Yes |Continuous Export Max Lateness |Count |Maximum |The lateness (in minutes) reported by the continuous export jobs in the cluster |No Dimensions |

+|ContinuousExportNumOfRecordsExported |Yes |Continuous export - num of exported records |Count |Total |Number of records exported, fired for every storage artifact written during the export operation |ContinuousExportName, Database |

+|ContinuousExportPendingCount |Yes |Continuous Export Pending Count |Count |Maximum |The number of pending continuous export jobs ready for execution |No Dimensions |

+|ContinuousExportResult |Yes |Continuous Export Result |Count |Count |Indicates whether Continuous Export succeeded or failed |ContinuousExportName, Result, Database |

+|CPU |Yes |CPU |Percent |Average |CPU utilization level |No Dimensions |

+|DiscoveryLatency |Yes |Discovery Latency |Seconds |Average |Reported by data connections (if exist). Time in seconds from when a message is enqueued or event is created until it is discovered by data connection. This time is not included in the Azure Data Explorer total ingestion duration. |ComponentType, ComponentName |

+|EventsDropped |Yes |Events Dropped |Count |Total |Number of events dropped permanently by data connection. An Ingestion result metric with a failure reason will be sent. |ComponentType, ComponentName |

+|EventsProcessed |Yes |Events Processed |Count |Total |Number of events processed by the cluster |ComponentType, ComponentName |

+|EventsProcessedForEventHubs |Yes |Events Processed (for Event/IoT Hubs) |Count |Total |Number of events processed by the cluster when ingesting from Event/IoT Hub |EventStatus |

+|EventsReceived |Yes |Events Received |Count |Total |Number of events received by data connection. |ComponentType, ComponentName |

+|ExportUtilization |Yes |Export Utilization |Percent |Maximum |Export utilization |No Dimensions |

+|FollowerLatency |Yes |FollowerLatency |MilliSeconds |Average |The follower databases synchronize changes in the leader databases. Because of the synchronization, there's a data lag of a few seconds to a few minutes in data availability.This metric measures the length of the time lag. The time lag depends on the overall size of the leader database metadata.This is a cluster level metrics: the followers catch metadata of all databases that are followed. This metric represents the latency of the process. |State, RoleInstance |

+|IngestionLatencyInSeconds |Yes |Ingestion Latency |Seconds |Average |Latency of data ingested, from the time the data was received in the cluster until it's ready for query. The ingestion latency period depends on the ingestion scenario. |No Dimensions |

+|IngestionResult |Yes |Ingestion result |Count |Total |Total number of sources that either failed or succeeded to be ingested. Splitting the metric by status, you can get detailed information about the status of the ingestion operations. |IngestionResultDetails, FailureKind |

+|IngestionUtilization |Yes |Ingestion utilization |Percent |Average |Ratio of used ingestion slots in the cluster |No Dimensions |

+|IngestionVolumeInMB |Yes |Ingestion Volume |Bytes |Total |Overall volume of ingested data to the cluster |Database |

+|InstanceCount |Yes |Instance Count |Count |Average |Total instance count |No Dimensions |

+|KeepAlive |Yes |Keep alive |Count |Average |Sanity check indicates the cluster responds to queries |No Dimensions |

+|MaterializedViewAgeMinutes |Yes |Materialized View Age |Count |Average |The materialized view age in minutes |Database, MaterializedViewName |

+|MaterializedViewAgeSeconds |Yes |Materialized View Age |Seconds |Average |The materialized view age in seconds |Database, MaterializedViewName |

+|MaterializedViewDataLoss |Yes |Materialized View Data Loss |Count |Maximum |Indicates potential data loss in materialized view |Database, MaterializedViewName, Kind |

+|MaterializedViewExtentsRebuild |Yes |Materialized View Extents Rebuild |Count |Average |Number of extents rebuild |Database, MaterializedViewName |

+|MaterializedViewHealth |Yes |Materialized View Health |Count |Average |The health of the materialized view (1 for healthy, 0 for non-healthy) |Database, MaterializedViewName |

+|MaterializedViewRecordsInDelta |Yes |Materialized View Records In Delta |Count |Average |The number of records in the non-materialized part of the view |Database, MaterializedViewName |

+|MaterializedViewResult |Yes |Materialized View Result |Count |Average |The result of the materialization process |Database, MaterializedViewName, Result |

+|QueryDuration |Yes |Query duration |MilliSeconds |Average |Queries duration in seconds |QueryStatus |

+|QueryResult |No |Query Result |Count |Count |Total number of queries. |QueryStatus |

+|QueueLength |Yes |Queue Length |Count |Average |Number of pending messages in a component's queue. |ComponentType |

+|QueueOldestMessage |Yes |Queue Oldest Message |Count |Average |Time in seconds from when the oldest message in queue was inserted. |ComponentType |

+|ReceivedDataSizeBytes |Yes |Received Data Size Bytes |Bytes |Average |Size of data received by data connection. This is the size of the data stream, or of raw data size if provided. |ComponentType, ComponentName |

+|StageLatency |Yes |Stage Latency |Seconds |Average |Cumulative time from when a message is discovered until it is received by the reporting component for processing (discovery time is set when message is enqueued for ingestion queue, or when discovered by data connection). |Database, ComponentType |

+|StreamingIngestDataRate |Yes |Streaming Ingest Data Rate |Bytes |Average |Streaming ingest data rate |No Dimensions |

+|StreamingIngestDuration |Yes |Streaming Ingest Duration |MilliSeconds |Average |Streaming ingest duration in milliseconds |No Dimensions |

+|StreamingIngestResults |Yes |Streaming Ingest Result |Count |Count |Streaming ingest result |Result |

+|TotalNumberOfConcurrentQueries |Yes |Total number of concurrent queries |Count |Maximum |Total number of concurrent queries |No Dimensions |

+|TotalNumberOfExtents |Yes |Total number of extents |Count |Average |Total number of data extents |No Dimensions |

+|TotalNumberOfThrottledCommands |Yes |Total number of throttled commands |Count |Total |Total number of throttled commands |CommandType |

+|TotalNumberOfThrottledQueries |Yes |Total number of throttled queries |Count |Maximum |Total number of throttled queries |No Dimensions |

+|WeakConsistencyLatency |Yes |Weak consistency latency |Seconds |Average |The max latency between the previous metadata sync and the next one (in DB/node scope) |Database, RoleInstance |

+|LiveDataMigratedInBytes |Yes |Live Data Migrated in Bytes |Bytes |Total |Provides a running total of LiveData which has been changed due to Client activity, since the migration started. |No Dimensions |

+|LiveDataMigratedInBytes |Yes |Live Data Migrated in Bytes |Bytes |Total |Provides a running total of LiveData which has been changed due to Client activity, since the migration started. |No Dimensions |

+<!--Gen Date: Wed Jun 28 2023 02:42:02 GMT+0800 (China Standard Time)-->

+## Microsoft.Cloudtest/hostedpools

+<!-- Data source : naam-->

+|Category|Category Display Name|Costs To Export|

+||||

+|ProvisioningScriptLogs |Provisioning Script Logs |Yes |

+|AutoscaleEvaluationPooled |Autoscale logs for pooled host pools - private preview |Yes |

+|ResourceOperation |Resource Operations |Yes |

+## Microsoft.ServiceNetworking/trafficControllers

+<!-- Data source : naam-->

+|Category|Category Display Name|Costs To Export|

+||||

+|TrafficControllerAccessLog |Traffic Controller Access Log |Yes |

+## Microsoft.StorageCache/amlFilesystems

+<!-- Data source : naam-->

+|Category|Category Display Name|Costs To Export|

+||||

+|AmlfsAuditEvent |Azure Managed Lustre audit event |Yes |

+|Command |Command |Yes |

+|FailedIngestion |Failed ingestion |Yes |

+|IngestionBatching |Ingestion batching |Yes |

+|Journal |Journal |Yes |

+|Query |Query |Yes |

+|SucceededIngestion |Succeeded ingestion |Yes |

+|TableDetails |Table details |Yes |

+|TableUsageStatistics |Table usage statistics |Yes |

+<!--Gen Date: Wed Jun 28 2023 02:42:02 GMT+0800 (China Standard Time)-->

+## Jun-2023

+### AzAcSnap 8b (Build: 1AD3679)

+AzAcSnap 8b is being released with the following fixes and improvements:

+- Fixes and Improvements:

+ - General improvement to `azacsnap` command exit codes.

+ - `azacsnap` should return an exit code of 0 (zero) when it has run as expected, otherwise it should return an exit code of non-zero. For example, running `azacsnap` will return non-zero as it has not done anything and will show usage information whereas `azacsnap -h` will return exit-code of zero as it's expected to return usage information.

+ - Any failure in `--runbefore` exits before any backup activity and returns the `--runbefore` exit code.

+ - Any failure in `--runafter` returns the `--runafter` exit code.

+ - Backup (`-c backup`) changes:

+ - Change in the Db2 workflow to move the protected-paths query outside the WRITE SUSPEND, Storage Snapshot, WRITE RESUME workflow to improve resilience. (Preview)

+ - Fix for missing snapshot name (`azSnapshotName`) in `--runafter` command environment.

+Download the [AzAcSnap 8b](https://aka.ms/azacsnap-8b) installer.

+ - New ability to use `-c restore` to `--restore revertvolume` for Azure NetApp Files.

+ - Fix for when a snapshot is created even though SAP HANA wasn't put into backup-mode. Now if SAP HANA cannot be put into backup-mode, AzAcSnap immediately exits with an error.

+ - Extra logging output to syslog (for example, `/var/log/messages`) on failure.

+ - New ΓÇ£mainlogΓÇ¥ (`azacsnap.log`) to provide a more parse-able high-level log of commands run with success or failure result.

+| OperationNotAllowedOnVMImageAsVMsBeingProvisioned | You might be attempting to delete an image that is currently being used to provision VMs. You cannot delete an image that is being used by any virtual machine during the deployment process. Retry the image delete operation after the deployment of the VM is complete. | |

+|`diarization`|Indicates that diarization analysis should be carried out on the input, which is expected to be a mono channel that contains multiple voices. Specify the minimum and maximum number of people who might be speaking. You must also set the `diarizationEnabled` property to `true`. The [transcription file](batch-transcription-get.md#transcription-result-file) will contain a `speaker` entry for each transcribed phrase.<br/><br/>You need to use this property when you expect three or more speakers. For two speakers setting `diarizationEnabled` property to `true` is enough. See an example of the property usage in [Transcriptions_Create](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-1/operations/Transcriptions_Create) operation description.<br/><br/>Diarization is the process of separating speakers in audio data. The batch pipeline can recognize and separate multiple speakers on mono channel recordings. The maximum number of speakers for diarization must be less than 36 and more or equal to the `minSpeakers` property (see [example](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-1/operations/Transcriptions_Create)). The feature isn't available with stereo recordings.<br/><br/>When this property is selected, source audio length can't exceed 240 minutes per file.<br/><br/>**Note**: This property is only available with Speech to text REST API version 3.1.|

+The complete transcription is shown in the **Display** window. If a word is omitted, inserted, or mispronounced compared to the reference text, the word will be highlighted according to the error type. The error types in the pronunciation assessment are represented using different colors. Yellow indicates mispronunciations, gray indicates omissions, and red indicates insertions. This visual distinction makes it easier to identify and analyze specific errors. It provides a clear overview of the error types and frequencies in the spoken audio, helping you focus on areas that need improvement. While hovering over each word, you can see accuracy scores for the whole word or specific phonemes.

+## Ingesting your data into Azure cognitive search

+For documents and datasets with long text, you should use the available [data preparation script](https://github.com/microsoft/sample-app-aoai-chatGPT/tree/main/scripts) to ingest the data into cognitive search. The script chunks the data so that your response with the service will be more accurate. This script also supports scanned PDF file and images and ingests the data using [Form Recognizer](../../../applied-ai-services/form-recognizer/overview.md).

+ Title: Rooms metrics definitions for Azure Communication Service

+description: This document covers definitions of rooms metrics available in the Azure portal.

+# Rooms metrics overview

+Azure Communication Services currently provides metrics for all ACS primitives. [Azure Metrics Explorer](../../../azure-monitor\essentials\metrics-getting-started.md) can be used to plot your own charts, investigate abnormalities in your metric values, and understand your API traffic by using the metrics data that rooms requests emit.

+## Where to find metrics

+Primitives in Azure Communication Services emit metrics for API requests. These metrics can be found in the Metrics tab under your Communication Services resource. You can also create permanent dashboards using the workbooks tab under your Communication Services resource.

+## Metric definitions

+All API request metrics contain three dimensions that you can use to filter your metrics data. These dimensions can be aggregated together using the `Count` aggregation type and support all standard Azure Aggregation time series including `Sum`, `Average`, `Min`, and `Max`.

+More information on supported aggregation types and time series aggregations can be found [Advanced features of Azure Metrics Explorer](../../../azure-monitor/essentials/metrics-charts.md#aggregation).

+- **Operation** - All operations or routes that can be called on the Azure Communication Services Chat gateway.

+- **Status Code** - The status code response sent after the request.

+- **StatusSubClass** - The status code series sent after the response.

+### Rooms API requests

+The following operations are available on Rooms API request metrics:

+| Operation / Route | Description |

+| -- | - |

+| CreateRoom | Creates a Room. |

+| DeleteRoom | Deletes a Room. |

+| GetRoom | Gets a Room by Room ID. |

+| PatchRoom | Updates a Room by Room ID. |

+| ListRooms | Lists all the Rooms for an ACS Resource. |

+| AddParticipants | Adds participants to a Room.|

+| RemoveParticipants | Removes participants from a Room. |

+| GetParticipants | Gets list of participants for a Room. |

+| UpdateParticipants | Updates list of participants for a Room. |

+## Next steps

+- Learn more about [Data Platform Metrics](../../../azure-monitor/essentials/data-platform-metrics.md)

+ Title: SMS metrics definitions for Azure Communication Service

+description: This document covers definitions of SMS metrics available in the Azure portal.

+# SMS metrics overview

+Azure Communication Services currently provides metrics for all ACS primitives. [Azure Metrics Explorer](../../../azure-monitor\essentials\metrics-getting-started.md) can be used to plot your own charts, investigate abnormalities in your metric values, and understand your API traffic by using the metrics data that Chat and SMS requests emit.

+## Where to find metrics

+Primitives in Azure Communication Services emit metrics for API requests. These metrics can be found in the Metrics tab under your Communication Services resource. You can also create permanent dashboards using the workbooks tab under your Communication Services resource.

+## Metric definitions

+All API request metrics contain three dimensions that you can use to filter your metrics data. These dimensions can be aggregated together using the `Count` aggregation type and support all standard Azure Aggregation time series including `Sum`, `Average`, `Min`, and `Max`.

+More information on supported aggregation types and time series aggregations can be found [Advanced features of Azure Metrics Explorer](../../../azure-monitor/essentials/metrics-charts.md#aggregation).

+- **Operation** - All operations or routes that can be called on the Azure Communication Services Chat gateway.

+- **Status Code** - The status code response sent after the request.

+- **StatusSubClass** - The status code series sent after the response.

+-

+### SMS API requests

+The following operations are available on SMS API request metrics:

+| Operation / Route | Description |

+| -- | - |

+| SMSMessageSent | Sends an SMS message. |

+| SMSDeliveryReportsReceived | Gets SMS Delivery Reports |

+| SMSMessagesReceived | Gets SMS messages. |

+Getting Azure managed Domains is one click setup. You can add a free Azure Subdomain to your email communication resource and you'll able to send emails using mail from domains like donotreply@xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.azurecomm.net. Your Azure Managed domain will be pre-configured with required sender authentication support.

+SPF [RFC 7208](https://tools.ietf.org/html/rfc7208) is a mechanism that allows domain owners to publish and maintain, via a standard DNS TXT record, a list of systems authorized to send email on their behalf. Azure Communication Services allows you to configure the required SPF record that needs to be added to your DNS to verify your custom domains.

+DKIM [RFC 6376](https://tools.ietf.org/html/rfc6376) allows an organization to claim responsibility for transmitting a message in a way that can be validated by the recipient. Azure Communication Services allows you to configure the required DKIM records that need to be added to your DNS to verify your custom domains.

+Inbound PSTN calling is currently supported in GA for Dynamics Omnichannel and Call Automation SDK. You can use phone numbers [provided by Microsoft](./telephony-concept.md#voice-calling-pstn) and phone numbers supplied by [direct routing](./telephony-concept.md#azure-direct-routing).

+Call Automation enables you to build custom calling workflows within your applications to optimize business processes and boost customer satisfaction. The library supports managing incoming calls to the phone numbers acquired from Communication Services and incoming calls via direct routing. You can also use Call Automation to place outbound calls from the phone numbers owned by your resource, among other capabilities.

+*Coming soon*

+- [Managing calls with Call Automation](../call-automation/call-automation.md).

+- Azure Blob Storage *managed* connector actions can read or write files that are *50 MB or smaller*. To handle files larger than 50 MB but up to 1024 MB, Azure Blob Storage actions support [message chunking](../logic-apps/logic-apps-handle-large-messages.md). The Blob Storage action named [**Get blob content**](/connectors/azureblobconnector/#get-blob-content) implicitly uses chunking.

+- While Azure Blob Storage *managed* and *built-in* triggers don't support chunking, the *built-in* triggers can handle files that are 50 MB or more. However, when a *managed* trigger requests file content, the trigger selects only files that are 50 MB or smaller. To get files larger than 50 MB, follow this pattern:

+ 1. Use a Blob trigger that returns file properties, such as [**When a blob is added or modified (properties only)**](/connectors/azureblobconnector/#when-a-blob-is-added-or-modified-(properties-only)).

+ 1. Follow the trigger with the Azure Blob Storage managed connector action named [**Get blob content**](/connectors/azureblobconnector/#get-blob-content), which reads the complete file and implicitly uses chunking.

+Billing in Azure Container Apps is based on your [plan type](plans.md).

+| [Consumption plan](#consumption-plan) | Serverless compute option where you're only billed for the resources your apps use as they're running. |

+| [Dedicated plan](#consumption-dedicated) | Customized compute options where you're billed for instances allocated to each [workload profile](workload-profiles-overview.md). |

+- Your plan selection determines billing calculations.

+- Different applications in an environment can use different plans.

+For more information, see [Azure Container Apps Pricing](https://azure.microsoft.com/pricing/details/container-apps/).

+Billing for apps running in the Consumption plan consists of two types of charges:

+In addition to resource consumption, Azure Container Apps also charges based on the number of HTTP requests received by your container app. Only requests that come from outside a Container Apps environment are billable.

+- [Health probe](./health-probes.md) requests aren't billable.

+## Dedicated plan

+You're billed based on workload profile instances, not by individual applications.

+Billing for apps running in the Dedicated plan is based on workload profile instances, not by individual applications. The charges are as follows:

+| Fixed management costs | Variable costs |

+|||

+| If you have one or more dedicated workload profiles in your environment, you're charged a Dedicated plan management fee. You aren't billed any plan management charges unless you use a Dedicated workload profile in your environment. | You're billed on a per-second basis for vCPU-seconds and GiB-seconds resources in all the workload profile instances in use. As profiles scale out, extra costs apply for the extra instances; as profiles scale in, billing is reduced. |

+Make sure to optimize the applications you deploy to a dedicated workload profile. Evaluate the needs of your applications so that they can use the most amount of resources available to the profile.

+- For pricing details in your account's currency, see [Azure Container Apps Pricing](https://azure.microsoft.com/pricing/details/container-apps/).

+ "revisionName": "<APP_NAME>--fb699ef",

+ "revisionName": "<APP_NAME>--fb699ef",

+### The OOM Issue of reading large JSON/Excel/XML files

+- **Symptoms**: When you read large JSON/Excel/XML files, you meet the out of memory (OOM) issue during the activity execution.

+- **Cause**:

+ - **For large XML files**:

+ The OOM issue of reading large XML files is by design. The cause is that the whole XML file must be read into memory as it is a single object, then the schema is inferred, and the data is retrieved.

+ - **For large Excel files**:

+ The OOM issue of reading large Excel files is by design. The cause is that the SDK (POI/NPOI) used must read the whole excel file into memory, then infer the schema and get data.

+ - **For large JSON files**:

+ The OOM issue of reading large JSON files is by design when the JSON file is a single object.

+- **Recommendation**: Apply one of the following options to solve your issue.

+ - **Option-1**: Register an online self-hosted integration runtime with powerful machine (high CPU/memory) to read data from your large file through your copy activity.

+ - **Option-2**: Use optimized memory and big size cluster (for example, 48 cores) to read data from your large file through the mapping data flow activity.

+ - **Option-3**: Split the large file into small ones, then use copy or mapping data flow activity to read the folder.

+ - **Option-4**: If you are stuck or meet the OOM issue during copy the XML/Excel/JSON folder, use the foreach activity + copy/mapping data flow activity in your pipeline to handle each file or subfolder.

+ - **Option-5**: Others:

+ - For XML, use Notebook activity with memory optimized cluster to read data from files if each file has the same schema. Currently, Spark has different implementations to handle XML.

+ - For JSON, use different document forms (for example, **Single document**, **Document per line** and **Array of documents**) in [JSON settings](format-json.md#source-format-options) under mapping data flow source. If the JSON file content is **Document per line**, it consumes very little memory.

+# Store and use your own license keys

+To use BYOL, you need an Azure subscription. If you don't already have a subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

+In BYOL model, you're responsible for providing your own licenses for satellite and weather data connectors. In this model, you store the secret part of credentials in a customer managed Azure Key Vault. The URI of the secret must be shared with Azure Data Manager for Agriculture instance. Azure Data Manager for Agriculture instance should be given secrets read permissions so that the APIs can work seamlessly. This process is a one-time setup for each connector. Our Data Manager then refers to and reads the secret from the customersΓÇÖ key vault as part of the API call with no exposure of the secret.

+Customer can optionally override credentials to be used for a data plane request by providing credentials as part of the data plane API request.

+## Sequence of steps for setting up connectors

+### Step 1: Create or use existing Key Vault

+Customers can create a key vault or use an existing key vault to share license credentials for satellite (Sentinel Hub) and weather (IBM Weather). Customer [creates Azure Key Vault](/azure/key-vault/general/quick-create-portal) or reuses existing an existing key vault.

+Enable following properties:

+### Step 2: Store secret in Azure Key Vault

+For sharing your satellite or weather service credentials, store secret part of credentials in the key vault, for example `ClientSecret` for `SatelliteSentinelHub` and `APIKey` for `WeatherIBM`. Customers are in control of secret name and rotation.

+### Step 3: Enable system identity

+As a customer you have to enable system identity for your Data Manager for Agriculture instance. This identity is used while given secret read permissions for Azure Data Manager for Agriculture instance.

+Follow one of the following methods to enable:

+1. Via Azure portal UI

+ armclient patch /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.AgFoodPlatform/farmBeats/{ADMA_instance_name}?api-version=2023-06-01-preview "{identity: { type: 'systemAssigned' }}

+### Step 4: Access policy

+Add an access policy in the key vault for your Data Manager for Agriculture instance.

+1. Go to access policies tab in the key vault.

+### Step 5: Invoke control plane API call

+Use the [API call](/rest/api/data-manager-for-agri/controlplane-version2023-06-01-preview/data-connectors) to specify connector credentials. Key vault URI/ key name/ key version can be found after creating secret as shown in the following figure.

+#### Following values should be used for the connectors while invoking above APIs:

+| Scenario | DataConnectorName | Credentials |

+|--|--|--|

+| For Satellite SentinelHub connector | SatelliteSentinelHub | OAuthClientCredentials |

+| For Weather IBM connector | WeatherIBM | ApiKeyAuthCredentials |

+## Overriding connector details

+As part of Data plane APIs, customer can choose to override the connector details that need to be used for that request.

+Customer can refer to API version `2023-06-01-preview` documentation where the Data plane APIs for satellite and weather take the credentials as part of the request body.

+## How Azure Data Manager for Agriculture accesses secret

+Following flow shows how Azure Data Manager for Agriculture accesses secret.

+* Test our APIs [here](/rest/api/data-manager-for-agri).

+- evaluate the value and capabilities of your Microsoft Defender plans.

+- validate any configurations you've made for your security alerts (such as SIEM integrations, workflow automation, and email notifications).

+After the Microsoft Defender for Endpoint agent is installed on your machine, as part of Defender for Servers integration, follow these steps from the machine where you want to be the attacked resource of the alert:

+1. Open an elevated command-line prompt on the device and run the script:

+ 1. Go to **Start** and type `cmd`.

+ 1. Right-select **Command Prompt** and select **Run as administrator**

+

+ :::image type="content" source="media/alert-validation/command-prompt.png" alt-text="Screenshot showing where to select Run as Administrator." lightbox="media/alert-validation/command-prompt.png":::

+1. At the prompt, copy and run the following command: `powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'`

+1. The Command Prompt window closes automatically. If successful, a new alert should appear in Defender for Cloud Alerts blade in 10 minutes.

+1. The message line in the PowerShell box should appear similar to how it's presented here:

+ :::image type="content" source="media/alert-validation/powershell-no-exit.png" alt-text="Screenshot showing PowerShell message line." lightbox="media/alert-validation/powershell-no-exit.png":::

+Alternately, you can also use the [EICAR](https://www.eicar.org/download/eicar.com.txt) test string to perform this test: Create a text file, paste the EICAR line, and save the file as an executable file to your machine's local drive.

+> [!NOTE]

+> When reviewing test alerts for Windows, make sure that you have Defender for Endpoint running with Real-Time protection enabled. Learn how to [validate this configuration](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus?view=o365-worldwide).

+## Simulate alerts on your Azure VMs (Linux) <a name="validate-linux"></a>

+After the Microsoft Defender for Endpoint agent is installed on your machine, as part of Defender for Servers integration, follow these steps from the machine where you want to be the attacked resource of the alert:

+1. Open a Terminal window, copy and run the following command:

+[`curl -o ~/Downloads/eicar.com.txt`](https://www.eicar.org/download/eicar.com.txt).

+1. The Command Prompt window closes automatically. If successful, a new alert should appear in Defender for Cloud Alerts blade in 10 minutes.

+> [!NOTE]

+> When reviewing test alerts for Linux, make sure that you have Defender for Endpoint running with Real-Time protection enabled. Learn how to [validate this configuration](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus?view=o365-worldwide).

+1. Find the HTTP endpoint of the website either by going into Azure portal blade for the App Services website or using the custom DNS entry associated with this website. (The default URL endpoint for Azure App Services website has the suffix `https://XXXXXXX.azurewebsites.net`). The website should be an existing website and not one that was created prior to the alert simulation.

+1. Browse to the website URL and add the following fixed suffix: `/This_Will_Generate_ASC_Alert`. The URL should look like this: `https://XXXXXXX.azurewebsites.net/This_Will_Generate_ASC_Alert`. It might take some time for the alert to be generated (~1.5 hours).

+1. Once you finished the installation, open your regular browser, sign-in to the Azure portal, and access the Key Vault page. Select the highlighted URL and copy the address.

+> [!NOTE]

+> For Azure CLI reference for the classic configuration, see [Manage findings in your Azure SQL databases](sql-azure-vulnerability-assessment-manage.md#azure-cli)

+## Set SQL vulnerability assessment baseline on system database

+## MFA and Microsoft Defender for Cloud

+Defender for Cloud places a high value on MFA. The security control that contributes the most to your secure score is **Enable MFA**.

+To see which accounts don't have MFA enabled, use the following Azure Resource Graph query. The query returns all unhealthy resources - accounts - of the recommendation "Accounts with owner permissions on Azure resources should be MFA enabled".

+ | where properties.displayName contains "Accounts with owner permissions on Azure resources should be MFA enabled"

+1. The `additionalData` property reveals the list of account object IDs for accounts that don't have MFA enforced.

+description: This is a how-to article on managing data partitions using the Microsoft Azure Data Manager for Energy instance UI.

+In this article, you'll learn how to add data partitions to an existing Azure Data Manager for Energy instance. The concept of "data partitions" is picked from [OSDU&trade;](https://osduforum.org/) where single deployment can contain multiple partitions.

+ Title: Use Lockbox for Microsoft Azure Data Manager for Energy

+#Customer intent: As a developer, I want to set up Lockbox for Azure Data Manager for Energy.

+# Use Customer Lockbox for Azure Data Manager for Energy

+Azure Data Manager for Energy is the managed service offering for OSDU&trade;. There are instances where Microsoft Support may need to access your data or compute layer during a support request. You can use Customer Lockbox as an interface to review and approve or reject these access requests.

+This article covers how Customer Lockbox requests are initiated and tracked for Azure Data Manager for Energy.

+## Lockbox workflow for Azure Data Manager for Energy access

+The Azure Data Manager for Energy team at Microsoft typically does not access customer data. The team tries to resolve issues by using standard tools and telemetry.

+1. You have created a [Azure Data Manager for Energy instance](quickstart-create-microsoft-energy-data-services-instance.md).

+1. You raise an issue for Azure Data Manager for Energy using the Azure portal. The support engineer connects to Azure Data Manager for Energy via Support session and tries to troubleshoot the issue by using standard tools and telemetry. Let us say to mitigate the issue, the recommendation is to restart an AKS (Azure Kubernetes Service) cluster.

+If you have not enabled Lockbox, then your consent is not needed to access the compute or data layer of Azure Data Manager for Energy.

+> [Data security and encryption in Azure Data Manager for Energy](how-to-manage-data-security-and-encryption.md)

+ Title: How to generate a refresh token for Microsoft Azure Data Manager for Energy

+To use the Azure Data Manager for Energy platform endpoint, you must register your app using the [Azure app registration portal](https://go.microsoft.com/fwlink/?linkid=2083908). You can use either a Microsoft account or a work or school account to register an app.

+ Title: Integrate airflow logs with Azure Monitor - Microsoft Microsoft Azure Data Manager for Energy

+In this article, you'll learn how to start collecting Airflow Logs for your Microsoft Azure Data Manager for Energy instances into Azure Monitor. This integration feature helps you debug Airflow DAG ([Directed Acyclic Graph](https://airflow.apache.org/docs/apache-airflow/stable/concepts/dags.html)) run failures.

+Every Azure Data Manager for Energy instance comes inbuilt with an Azure Data Factory-managed Airflow instance. We collect Airflow logs for internal troubleshooting and debugging purposes. Airflow logs can be integrated with Azure Monitor in the following ways:

+1. Open Microsoft Azure Data Manager for Energy' *Overview* page

+You can integrate Airflow logs with Log Analytics Workspace by using **Diagnostic Settings** under the left panel of your Microsoft Azure Data Manager for Energy instance overview page.

+ Title: Integrate elastic logs with Azure Monitor - Microsoft Azure Data Manager for Energy

+In this article, you'll learn how to start collecting Elasticsearch logs for your Azure Data Manager for Energy instances in Azure Monitor. This integration feature is developed to help you debug Elasticsearch related issues inside Azure Monitor.

+Every Azure Data Manager for Energy instance comes inbuilt with a managed Elasticsearch service. We collect Elasticsearch logs for internal troubleshooting and debugging purposes. You can get access to these logs by integrating Elasticsearch logs with Azure Monitor.

+We support two destinations for your Elasticsearch logs from Azure Data Manager for Energy instance:

+1. Open *Azure Data Manager for Energy* overview page

+The editor in Log Analytics workspace support Kusto (KQL) queries through which you can easily perform complicated queries to extract interesting logs data from the Elasticsearch service running in your Azure Data Manager for Energy instance.

+* Start collecting logs from other sources such as Airflow in your Azure Data Manager for Energy instance.

+ Title: Integrate OSDU Service Logs with Azure Monitor - Microsoft Azure Data Manager for Energy

+Azure Data Manager for Energy supports exporting OSDU Service Logs to Azure Monitor using a diagnostic setting. This feature helps you better troubleshoot, debug, & monitor the OSDU services. The instructions here are similar to how you would integrate other logs, such as Airflow and Elastic, with Azure Monitor.

+1. Open Microsoft Azure Data Manager for Energy *Overview* page.

+ Title: How to manage audit logs for Microsoft Azure Data Manager for Energy

+description: Learn how to use audit logs on Azure Data Manager for Energy

+#Customer intent: As a developer, I want to use audit logs to check audit trail for data plane APIs for Azure Data Manager for Energy.

+> [Managed Identity in Azure Data Manager for Energy](how-to-use-managed-identity.md)

+ Title: Data security and encryption in Microsoft Azure Data Manager for Energy

+description: Guide on security in Azure Data Manager for Energy and how to set up customer managed keys on Azure Data Manager for Energy

+#Customer intent: As a developer, I want to set up customer-managed keys on Azure Data Manager for Energy.

+# Data security and encryption in Azure Data Manager for Energy

+This article provides an overview of security features in Azure Data Manager for Energy. It covers the major areas of [encryption at rest](../security/fundamentals/encryption-atrest.md), encryption in transit, TLS, https, microsoft-managed keys, and customer managed key.

+Azure Data Manager for Energy uses several storage resources for storing metadata, user data, in-memory data etc. The platform uses service-side encryption to automatically encrypt all the data when it is persisted to the cloud. Data encryption at rest protects your data to help you to meet your organizational security and compliance commitments. All data in Azure Data Manager for Energy is encrypted with Microsoft-managed keys by default.

+In addition to Microsoft-managed key, you can use your own encryption key to protect the data in Azure Data Manager for Energy. When you specify a customer-managed key, that key is used to protect and control access to the Microsoft-managed key that encrypts your data.

+Azure Data Manager for Energy supports Transport Layer Security (TLS 1.2) protocol to protect data when itΓÇÖs traveling between the cloud services and customers. TLS provides strong authentication, message privacy, and integrity (enabling detection of message tampering, interception, and forgery), interoperability, and algorithm flexibility.

+In addition to TLS, when you interact with Azure Data Manager for Energy, all transactions take place over HTTPS.

+## Set up Customer Managed Keys (CMK) for Azure Data Manager for Energy instance

+> You cannot edit CMK settings once the Azure Data Manager for Energy instance is created.

+2. Using customer-managed keys with Azure Data Manager for Energy requires that both soft delete and purge protection be enabled for the key vault. Soft delete is enabled by default when you create a new key vault and cannot be disabled. You can enable purge protection either when you create the key vault or after it is created.

+1. When you enable customer-managed keys for an existing Azure Data Manager for Energy instance you must specify a managed identity that will be used to authorize access to the key vault that contains the key. The managed identity must have permissions to access the key in the key vault.

+1. Create a **Azure Data Manager for Energy** instance.

+ [](media/how-to-manage-data-security-and-encryption/customer-managed-key-2-encryption-tab.png#lightbox)

+14. An Azure Data Manager for Energy instance is created with customer-managed keys.

+ Title: How to manage legal tags in Microsoft Azure Data Manager for Energy

+description: This article describes how to manage legal tags in Azure Data Manager for Energy

+In this article, you'll know how to manage legal tags in your Azure Data Manager for Energy instance. A Legal tag is the entity that represents the legal status of data in the Azure Data Manager for Energy instance. Legal tag is a collection of properties that governs how data can be ingested and consumed. A legal tag is required for data to be [ingested](concepts-csv-parser-ingestion.md) into your Azure Data Manager for Energy instance. It's also required for the [consumption](concepts-index-and-search.md) of the data from your Azure Data Manager for Energy instance. Legal tags are defined at a data partition level individually.

+While in Azure Data Manager for Energy instance, [entitlement service](concepts-entitlements.md) defines access to data for a given user(s), legal tag defines the overall access to the data across users. A user may have access to manage the data within a data partition however, they may not be able to do so-until certain legal requirements are fulfilled.

+Run the below curl command in Azure Cloud Bash to create a legal tag for a given data partition of your Azure Data Manager for Energy instance.

+Consider an Azure Data Manager for Energy instance named "medstest" with a data partition named "dp1"

+ "description": "Azure Data Manager for Energy Legal Tag",

+ "description": "Azure Data Manager for Energy Legal Tag",

+ "description": "Azure Data Manager for Energy Legal Tag",

+ "description": "Azure Data Manager for Energy Legal Tag",

+Run the below curl command in Azure Cloud Bash to get the legal tag associated with a data partition of your Azure Data Manager for Energy instance.

+Consider an Azure Data Manager for Energy instance named "medstest" with a data partition named "dp1"

+ "description": "Azure Data Manager for Energy Legal Tag",

+ Title: How to manage users in Microsoft Azure Data Manager for Energy

+description: This article describes how to manage users in Azure Data Manager for Energy

+In this article, you'll know how to manage users in Azure Data Manager for Energy. It uses the [entitlements API](https://community.opengroup.org/osdu/platform/security-and-compliance/entitlements/-/tree/master/) and acts as a group-based authorization system for data partitions within Azure Data Manager for Energy instance. For more information about Azure Data Manager for Energy entitlements, see [entitlement services](concepts-entitlements.md).

+Create an Azure Data Manager for Energy instance using the tutorial at [How to create Azure Data Manager for Energy instance](quickstart-create-microsoft-energy-data-services-instance.md).

+You will need to pass parameters for generating the access token, which you'll need to make valid calls to the Entitlements API of your Azure Data Manager for Energy instance. You will also need these parameters for different user management requests to the Entitlements API. Hence Keep the following values handy for these actions.

+Often called `app-id`, it's the same value that you used to register your application during the provisioning of your [Azure Data Manager for Energy instance](quickstart-create-microsoft-energy-data-services-instance.md). You'll find the `client-id` in the *Essentials* pane of Azure Data Manager for Energy *Overview* page. Copy the `client-id` and paste in an editor to be used later.

+> The 'client-id' that is passed as values in the entitlement API calls needs to be the same which was used for provisioning of your Azure Data Manager for Energy instance.

+Sometimes called an application password, a `client-secret` is a string value your app can use in place of a certificate to identity itself. Navigate to *App Registrations*. Once there, open 'Certificates & secrets' under the *Manage* section. Create a `client-secret` for the `client-id` that you used to create your Azure Data Manager for Energy instance, you can add one now by clicking on *New Client Secret*. Record the secret's `value` for use in your client application code.

+#### Find the `url`for your Azure Data Manager for Energy instance

+Navigate to your Azure Data Manager for Energy *Overview* page on Azure portal. Copy the URI from the essentials pane.

+You have two ways to get the list of data-partitions in your Azure Data Manager for Energy instance.

+- One option is to navigate *Data Partitions* menu item under the Advanced section of your Azure Data Manager for Energy UI.

+- Another option is by clicking on the *view* below the *data partitions* field in the essentials pane of your Azure Data Manager for Energy *Overview* page.

+Copy the `access_token` value from the response. You'll need it to pass as one of the headers in all calls to the Entitlements API of your Azure Data Manager for Energy instance.

+You can manage users' access to your Azure Data Manager for Energy instance or data partitions. As a prerequisite for this step, you need to find the 'object-id' (OID) of the user(s) first. If you are managing an application's access to your instance or data partition, then you must find and use the application ID (or client ID) instead of the OID.

+You'll need to input the `object-id` (OID) of the users (or the application or client ID if managing access for an application) as parameters in the calls to the Entitlements API of your Azure Data Manager for Energy Instance. `object-id` (OID) is the Azure Active Directory User Object ID.

+Run the below curl command in Azure Cloud Bash to get all the groups that are available for your Azure Data Manager for Energy instance and its data partitions.

+Consider an Azure Data Manager for Energy instance named "medstest" with a data partition named "dp1"

+Consider an Azure Data Manager for Energy instance named "medstest" with a data partition named "dp1"

+Consider an Azure Data Manager for Energy instance named "medstest" with a data partition named "dp1"

+Run the below curl command in Azure Cloud Bash to delete a given user to your Azure Data Manager for Energy instance data partition.

+Consider an Azure Data Manager for Energy instance named "medstest" with a data partition named "dp1"

+Create a legal tag for your Azure Data Manager for Energy instance's data partition.

+Begin your journey by ingesting data into your Azure Data Manager for Energy instance.

+ Title: Create a private endpoint for Microsoft Azure Data Manager for Energy

+description: Learn how to set up private endpoints for Azure Data Manager for Energy by using Azure Private Link.

+#Customer intent: As a developer, I want to set up private endpoints for Azure Data Manager for Energy.

+# Create a private endpoint for Azure Data Manager for Energy

+By using Azure Private Link, you can connect to an Azure Data Manager for Energy instance from your virtual network via a private endpoint, which is a set of private IP addresses in a subnet within the virtual network. You can then limit access to your Azure Data Manager for Energy instance over these private IP addresses.

+You can connect to an Azure Data Manager for Energy instance that's configured with Private Link by using an automatic or manual approval method. To learn more, see the [Private Link documentation](../private-link/private-endpoint-overview.md#access-to-a-private-link-resource-using-approval-workflow).

+This article describes how to set up a private endpoint for Azure Data Manager for Energy.

+[Create a virtual network](../virtual-network/quick-create-portal.md) in the same subscription as the Azure Data Manager for Energy instance. This virtual network allows automatic approval of the Private Link endpoint.

+Use the following steps to create a private endpoint for an existing Azure Data Manager for Energy instance by using the Azure portal:

+1. From the **All resources** pane, choose an Azure Data Manager for Energy instance.

+ > Automatic approval happens only when the Azure Data Manager for Energy instance and the virtual network for the private endpoint are in the same subscription.

+ |**Resource**| Your Azure Data Manager for Energy instance|

+ |**Target sub-resource**| **Azure Data Manager for Energy** (for Azure Data Manager for Energy) by default|

+1. Select the **Azure Data Manager for Energy** instance, select **Networking**, and then select the **Private Access** tab. Confirm that your newly created private endpoint connection appears in the list.

+> When the Azure Data Manager for Energy instance and the virtual network are in different tenants or subscriptions, you have to manually approve the request to create a private endpoint. The **Approve** and **Reject** buttons appear on the **Private Access** tab.

+> [Use Lockbox for Azure Data Manager for Energy](how-to-create-lockbox.md)

+ Title: How to upload large files using file service API in Microsoft Azure Data Manager for Energy

+description: This article describes how to to upload large files using File service API in Microsoft Azure Data Manager for Energy

+# How to upload files in Azure Data Manager for Energy using File service

+In this article, you know how to upload large files (~5GB) using File service API in Microsoft Azure Data Manager for Energy. The upload process involves fetching a signed URL from [File API](https://community.opengroup.org/osdu/platform/system/file/-/tree/master/) and then using the signed URL to store the file into Azure Blob Storage

+Run the below curl command in Azure Cloud Bash to get a signed URL from file service for a given data partition of your Azure Data Manager for Energy resource.

+Consider an Azure Data Manager for Energy resource named "medstest" with a data partition named "dp1"

+Begin your journey by ingesting data into your Azure Data Manager for Energy resource.

+ Title: Use managed identities for Microsoft Azure Data Manager for Energy on Azure

+description: Learn how to use a managed identity to access Azure Data Manager for Energy from other Azure services.

+#Customer intent: As a developer, I want to use a managed identity to access Azure Data Manager for Energy from other Azure services, such as Azure Functions.

+# Use a managed identity to access Azure Data Manager for Energy from other Azure services

+This article describes how to access the data plane or control plane of Azure Data Manager for Energy from other Microsoft Azure services by using a *managed identity*.

+There's a need for services such as Azure Functions to be able to consume Azure Data Manager for Energy APIs. This interoperability allows you to use the best capabilities of multiple Azure services.

+For example, you can write a script in Azure Functions to ingest data in Azure Data Manager for Energy. In that scenario, you should assume that Azure Functions is the source service and Azure Data Manager for Energy is the target service.

+This article walks you through the five main steps for configuring Azure Functions to access Azure Data Manager for Energy.

+A managed identity from Azure Active Directory (Azure AD) allows your application to easily access other Azure AD-protected resources. The identity is managed by the Azure platform and doesn't require you to create or rotate any secrets. Any Azure service that wants to access Azure Data Manager for Energy control plane or data plane for any operation can use a managed identity to do so.

+Currently, other services can connect to Azure Data Manager for Energy by using a system-assigned or user-assigned managed identity. However, Azure Data Manager for Energy doesn't support system-assigned managed identities.

+For the scenario in this article, you'll use a user-assigned managed identity in Azure Functions to call a data plane API in Azure Data Manager for Energy.

+* [Azure Data Manager for Energy instance](quickstart-create-microsoft-energy-data-services-instance.md)

+To retrieve the object ID for the user-assigned identity that will access the Azure Data Manager for Energy APIs:

+Next, add the application ID to the appropriate groups that will use the entitlement service to access Azure Data Manager for Energy APIs. The following example adds the application ID to two groups:

+ * Azure Data Manager for Energy URI

+ curl --location --request POST 'https://<Azure Data Manager for Energy URI>/api/entitlements/v2/groups/users@ <data-partition-id>.dataservices.energy/members' \

+ curl --location --request POST 'https://<Azure Data Manager for Energy URI>/api/entitlements/v2/groups/ users.datalake.editors@ <data-partition-id>.dataservices.energy/members' \

+Now Azure Functions is ready to access Azure Data Manager for Energy APIs.

+The Azure function generates a token by using the user-assigned identity. The function uses the application ID that's present in the Azure Data Manager for Energy instance while generating the token.

+ //To authenticate by using a managed identity, you need to pass the Azure Data Manager for Energy application ID as the resource.

+ // Passing the data partition ID of Azure Data Manager for Energy in headers along with the token received using the managed instance.

+With the preceding steps completed, you can now use Azure Functions to access Azure Data Manager for Energy APIs with appropriate use of managed identities.

+> [Lockbox in Azure Data Manager for Energy](how-to-create-lockbox.md)

+ Title: Overview of domain data management services - Microsoft Azure Data Manager for Energy

+Domain data management services (DDMS) store, access, and retrieve metadata and bulk data from applications connected to the data platform. Developers, therefore, use DDMS to deliver seamless and secure consumption of data in the applications they build on Azure Data Manager for Energy. The Azure Data Manager for Energy suite of DDMS adheres to [Open Subsurface Data Universe](https://osduforum.org/) (OSDU&trade;) standards and provides enhancements in performance, geo-availability, and access controls. DDMS service is optimized for each data type and can be extended to accommodate new data types. The DDMS service preserves raw data and offers multi format support and conversion for consuming applications such as Petrel while tracking lineage. Data within the DDMS service is discoverable and governed by entitlement and legal tags.

+The Azure Data Manager for Energy DDMS service enables energy companies to access their data in a manner that is fast, portable, testable and extendible. As a result, they can achieve unparalleled streaming performance and use the standards and output from OSDU&trade;. The Azure DDMS service includes the OSDU&trade; DDMS and SLB proprietary DMS. Microsoft also continues to contribute to the OSDU&trade; community DDMS to ensure compatibility and architectural alignment.

+You can deploy applications on top of Azure Data Manager for Energy that has been developed as per the OSDU&trade; standard. They're able to connect applications to Core Services and DDMS without spending extensive cycles on deployment. Customers can also easily connect DELFI to Azure Data Manager for Energy, eliminating the cycles associated with Petrel deployments and connection to data management systems. By connecting applications to DDMS service, Geoscientists can execute integrated E&P workflows with unparalleled performance on Azure and use OSDU&trade; core services. For example, a geophysicist can pick well ties on a seismic volume in Petrel and stream data from the seismic DMS.

+The seismic DMS is part of the OSDU&trade; platform and enables users to connect seismic data to cloud storage to applications. It allows secure access to metadata associated with seismic data to efficiently retrieve and handle large blocks of data for OpenVDS, ZGY, and other seismic data formats. The DMS therefore enables users to stream huge amounts of data in OSDU&trade; compliant applications in real time. Enabling the seismic DMS on Azure Data Manager for Energy opens a pathway for Azure customers to bring their seismic data to the cloud and take advantage of Azure storage and high performance computing.

+Geoscientists working in [Petrel](https://www.software.slb.com/products/petrel) build Petrel Projects to store, track, share, and communicate their technical work. A Petrel project stores associated data in a ```.PET``` manifest file. It also keeps track of your windows within Petrel and setup. Petrel Data Services is an open DMS and doesn't require any additional licensing to get started. You can ingest Petrel projects to Petrel Data Services using OpenAPIΓÇÖs. By moving to Petrel on Azure Data Manager for Energy, you can use Petrel Data Services Project Explorer UI to discover all the Petrel projects across your organization. You can create and save projects as well as track version history and experience unparalleled performance. This enables you to collaborate in real time with data permanently stored in Azure Data Manager for Energy.

+Additionally, Petrel Data Services serves to liberate data stored in Petrel ```.PET``` files to their respective DDMS for search and utilization in external applications. For example, you can upload a Petrel project containing many well logs to Azure Data Manager for Energy. With data liberation, once the project is saved, the Wellbore data liberation service is triggered and that well log is extracted to the wellbore DMS. The association with the ```.PET``` Petrel project is tracked through lineage and you can use that well log in any ISV open app ecosystem. Petrel Data Services offers round trip data liberation and consumption for seismic, wellbore, and Petrel Project data.

+ Title: What is Microsoft Azure Data Manager for Energy?

+description: This article provides an overview of Azure Data Manager for Energy

+# What is Azure Data Manager for Energy?

+Azure Data Manager for Energy is a secure, reliable, hyperscale, fully managed cloud-based data platform solution for the energy industry. It is an enterprise-grade data platform that brings together the capabilities of OSDU&trade; Data Platform, Microsoft's secure and trusted Azure cloud platform, and SLB's extensive domain expertise. It allows customers to free data from silos, provides strong data management, storage, and federation strategy. Azure Data Manager for Energy ensures compatibility with evolving community standards like OSDU&trade; and enables value addition through interoperability with both first-party and third-party solutions.

+Azure Data Manager for Energy conforms to the following principles:

+Azure Data Manager for Energy is a first-party PaaS (Platform as a Service) offering where Microsoft manages the deployment, monitoring, management, scale, security, updates, and upgrades of the service so that the customers can focus on the value from the platform. Microsoft offers seamless upgrades to the latest OSDU&trade; milestone versions after testing and validation.

+Furthermore, Azure Data Manager for Energy provides security capabilities like encryption for data-in-transit and data-at-rest. The authentication and authorization are provided by Azure Active Directory. Microsoft also assumes the responsibility of providing regular security patches and updates.

+Azure Data Manager for Energy also supports multiple data partitions for every platform instance. More data partitions can also be created after creating an instance, as needed.

+Azure Data Manager for Energy is compatible with the OSDU&trade; Technical Standard enables seamless integration of existing applications that have been developed in alignment with the emerging requirements of the OSDU&trade; Standard.

+Most of our customers rely on ubiquitous tools and applications from Microsoft. The Azure Data Manager for Energy platform is piloting how it can seamlessly work with deeply used Microsoft apps like SharePoint for data ingestion, Synapse for data transformations and pipelines, Power BI for data visualization, and other possibilities. A Power BI connector has already been released in the community, and partners are leveraging these tools and connectors to enhance their integrations with Microsoft apps and services.

+Follow the quickstart guide to quickly deploy Azure Data Manager for Energy in your Azure subscription

+> [Quickstart: Create Azure Data Manager for Energy instance](quickstart-create-microsoft-energy-data-services-instance.md)

+ Title: Release notes for Microsoft Azure Data Manager for Energy

+description: This article provides release notes of Azure Data Manager for Energy releases, improvements, bug fixes, and known issues.

+# Release Notes for Azure Data Manager for Energy

+Azure Data Manager for Energy is updated on an ongoing basis. To stay up to date with the most recent developments, this article provides you with information about:

+Now you can configure diagnostic settings of your Azure Data Manager for Energy to export OSDU Service Logs to Azure Monitor. You can access, query, & analyze the logs in a Log Analytics Workspace. You can archive them in a storage account for later use. Learn more about [how to integrate OSDU service logs with Azure Monitor](how-to-integrate-osdu-service-logs-with-azure-monitor.md)

+Azure Data Manager for Energy is now compliant with the M14 OSDU&trade; milestone release. With this release, you can take advantage of the latest features and capabilities available in the [OSDU&trade; M14](https://community.opengroup.org/osdu/governance/project-management-committee/-/wikis/M14-Release-Notes).

+Billing for Azure Data Manager for Energy is enabled. During, the price for each instance is based on a fixed per-hour consumption. [Pricing information for Azure Data Manager for Energy.](https://azure.microsoft.com/pricing/details/energy-data-services/#pricing)

+You can go directly to the [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.AzureDataManagerforEnergy?tab=Overview) to create an Azure Data Manager for Energy resource in your subscription. You don't need to raise a support ticket with Microsoft to provision an instance anymore.

+Azure Data Manager for Energy supports [Petrel Data Services](overview-ddms.md#) that allows you to use [Petrel](https://www.software.slb.com/products/petrel) from SLB&trade; with Azure Data Manager from Energy as its data store. You can view your Petrel projects, liberate data from Petrel, and collaborate in real time with data permanently stored in Azure Data Manager for Energy.

+CORS provides a secure way to allow one origin (the origin domain) to call APIs in another origin. You can set CORS rules for each Azure Data Manager for Energy instance. When you set CORS rules for the instance they get applied automatically across all the services and storage accounts linked with Azure Data Manager for Energy. [How to enable CORS.]( ../energy-data-services/how-to-enable-CORS.md)

+You can use a managed identity to authenticate to any [service that supports Azure AD (Active Directory) authentication](../active-directory/managed-identities-azure-resources/services-azure-active-directory-support.md) with Azure Data Manager for Energy. For example, you can write a script in Azure Function to ingest data in Azure Data Manager for Energy. Now, you can use managed identity to connect to Azure Data Manager for Energy using system or user assigned managed identity from other Azure services. [Learn more.](../energy-data-services/how-to-use-managed-identity.md)

+Availability Zones are physically separate locations within an Azure region made up of one or more datacenters equipped with independent power, cooling, and networking. Availability Zones provide in-region High Availability and protection against local disasters. Azure Data Manager for Energy supports zone-redundant instance by default and there's no setup required by the customer. [Learn more.](https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=energy-data-services&regions=all)

+Most operations, support, and troubleshooting performed by Microsoft personnel don't require access to customer data. In those rare circumstances where such access is required, Customer Lockbox for Azure Data Manager for Energy provides you with an interface to review, approve or reject data access requests. Azure Data Manager for Energy now supports Lockbox. [Learn more](../security/fundamentals/customer-lockbox-overview.md).

+Azure Private Link on Azure Data Manager for Energy provides private access to the service. With Azure Private Link, traffic between your private network and Azure Data Manager for Energy travels over the Microsoft backbone network, therefore limiting any exposure over the internet. By using Azure Private Link, you can connect to an Azure Data Manager for Energy instance from your virtual network via a private endpoint. You can limit access to your Azure Data Manager for Energy instance over these private IP addresses. [Create a private endpoint for Azure Data Manager for Energy](how-to-set-up-private-links.md).

+Azure Data Manager for Energy supports customer managed encryption keys (CMK). All data in Azure Data Manager for Energy is encrypted with Microsoft-managed keys by default. In addition to Microsoft-managed key, you can use your own encryption key to protect the data in Azure Data Manager for Energy. When you specify a customer-managed key, that key is used to protect and control access to the Microsoft-managed key that encrypts your data. [Data security and encryption in Azure Data Manager for Energy](how-to-manage-data-security-and-encryption.md).

+### Key Announcement: Release

+Azure Data Manager for Energy is now available in. Information on latest releases, bug fixes, & deprecated functionality for Azure Data Manager for Energy will be updated monthly.

+Azure Data Manager for Energy is developed in alignment with the emerging requirements of the OSDU&trade; technical standard, version 1.0. and is currently aligned with Mercury Release(R3), [Milestone-12](https://community.opengroup.org/osdu/governance/project-management-committee/-/wikis/M12-Release-Notes).

+- New data partitions can be [created after provisioning an Azure Data Manager for Energy instance](how-to-add-more-data-partitions.md). Earlier, data partitions could only be created when provisioning a new instance.

+- Azure Data Manager for Energy supports user context in ingestion ([ADR: Issue 52](https://community.opengroup.org/osdu/platform/data-flow/ingestion/home/-/issues/52))

+- Azure Data Manager for Energy uses Azure Data Factory (ADF) to run large scale ingestion workloads.

+Azure Data Manager for Energy is more secure as Elasticsearch images are now pulled from Microsoft's internal Azure Container Registry instead of public repositories. In addition, Elastic search, registration, and notification services are now encrypted in transit further enhancing the security of the product.

+Azure Data Manager for Energy supports diagnostic settings for [Airflow logs](how-to-integrate-airflow-logs-with-azure-monitor.md) and [Elasticsearch logs](how-to-integrate-elastic-logs-with-azure-monitor.md). You can configure Azure Monitor to view these logs in the storage location of your choice.

+Currently, Azure Data Manager for Energy is available in the following regions - South Central US, East US, West Europe, and North Europe.

+ Title: Microsoft Azure Data Manager for Energy partners

+description: Lists of third-party Azure Data Manager for Energy partners solutions.

+# Azure Data Manager for Energy partners

+Partner community is the growth engine for Microsoft. To help our customers quickly realize the benefits of Azure Data Manager for Energy, we've worked closely with many partners who have tested their software applications and tools on our data platform.

+This article highlights Microsoft partners with software solutions officially supporting Azure Data Manager for Energy.

+| Bluware | Bluware enables energy companies to explore the full value of seismic data for exploration, carbon capture, wind farms, and geothermal workflows. Bluware technology on Azure Data Manager for Energy is increasing workflow productivity utilizing the power of Azure. Bluware's flagship seismic deep learning solution, InteractivAI&trade;, drastically improves the effectiveness of interpretation workflows. The interactive experience reduces seismic interpretation time by 10 times from weeks to hours and provides full control over interpretation results. | [Bluware technologies on Azure](https://go.bluware.com/bluware-on-azure-markeplace) [Bluware Products and Evaluation Packages](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/bluwarecorp1581537274084.bluwareazurelisting)|

+| Interica | Interica OneView&trade; harnesses the power of application connectors to extract rich metadata from live projects discovered across the organization. IOV scans automatically discover content and extract detailed metadata at the sub-element level. Quickly and easily discover data across multiple file systems and data silos, and clearly determine which projects contain selected data objects to inform business decisions. Live data discovery enables businesses to see a complete holistic view of subsurface project landscapes for improved time to decisions, more efficient data search, and effective storage management. | [Accelerate Azure Data Manager for Energy adoption with Interica OneView&trade;](https://www.petrosys.com.au/interica-oneview-connecting-to-microsoft-data-services/) [Interica OneView&trade;](https://www.petrosys.com.au/assets/Interica_OneView_Accelerate_MEDS_Azure_adoption.pdf) [Interica OneView&trade; connecting to Microsoft Data Services](https://youtu.be/uPEOo3H01w4)|

+To learn more about Azure Data Manager for Energy, visit

+> [What is Azure Data Manager for Energy?](overview-microsoft-energy-data-services.md)

+ Title: Troubleshoot manifest ingestion in Microsoft Azure Data Manager for Energy

+This article helps you troubleshoot workflow problems with manifest ingestion in Azure Data Manager for Energy by using Airflow task logs.

+ Title: Microsoft Azure Data Manager for Energy - Steps to perform a CSV parser ingestion

+#Customer intent: As a customer, I want to learn how to use CSV parser ingestion so that I can load CSV data into the Azure Data Manager for Energy instance.

+CSV Parser ingestion provides the capability to ingest CSV files into the Azure Data Manager for Energy instance.

+> * Ingest a sample wellbore data CSV file into the Azure Data Manager for Energy instance using Postman

+### Get Azure Data Manager for Energy instance details

+* Azure Data Manager for Energy instance is created already. If not, follow the steps outlined in [Quickstart: Create an Azure Data Manager for Energy instance](quickstart-create-microsoft-energy-data-services-instance.md)

+ | DNS | URI | `<instance>`.energy.Azure.com | Overview page of Azure Data Manager for Energy instance|

+ | data-partition-id | Data Partition(s) | `<instance>`-`<data-partition-name>` | Overview page of Azure Data Manager for Energy instance|

+* Update the **CURRENT_VALUE** of the Postman environment with the information obtained in [Azure Data Manager for Energy instance details](#get-azure-data-manager-for-energy-instance-details)

+## Ingest a sample wellbore data CSV file into the Azure Data Manager for Energy instance using Postman

+ Title: Microsoft Azure Data Manager for Energy - Steps to perform a manifest-based file ingestion

+#Customer intent: As a customer, I want to learn how to use manifest ingestion so that I can load manifest information into the Azure Data Manager for Energy instance.

+Manifest ingestion provides the capability to ingest manifests into Azure Data Manager for Energy instance

+> * Ingest sample manifests into the Azure Data Manager for Energy instance using Postman

+### Get Azure Data Manager for Energy instance details

+* Azure Data Manager for Energy instance is created already. If not, follow the steps outlined in [Quickstart: Create an Azure Data Manager for Energy instance](quickstart-create-microsoft-energy-data-services-instance.md)

+ | DNS | URI | `<instance>`.energy.Azure.com | Overview page of Azure Data Manager for Energy instance|

+ | data-partition-id | Data Partition(s) | `<instance>`-`<data-partition-name>` | Overview page of Azure Data Manager for Energy instance|

+* Update the **CURRENT_VALUE** of the postman environment with the information obtained in [Get Azure Data Manager for Energy instance details](#get-azure-data-manager-for-energy-instance-details)

+## Ingest sample manifests into the Azure Data Manager for Energy instance using Postman

+ Title: Tutorial - Work with Petrel data records by using Petrel DDMS APIs in Azure Data Manager for Energy

+description: Learn how to work with Petrel data records in your Azure Data Manager for Energy instance by using Petrel Domain Data Management Services (Petrel DDMS) APIs in Postman.

+Use Petrel Domain Data Management Services (Petrel DDMS) APIs in Postman to work with Petrel data in your instance of Azure Data Manager for Energy.

+- An instance of [Azure Data Manager for Energy](quickstart-create-microsoft-energy-data-services-instance.md) created in your Azure subscription.

+## Get your Azure Data Manager for Energy instance details

+The first step is to get the following information from your [Azure Data Manager for Energy instance](quickstart-create-microsoft-energy-data-services-instance.md) in the [Azure portal](https://portal.azure.com/?microsoft_azure_marketplace_ItemHideKey=Microsoft_Azure_OpenEnergyPlatformHidden):

+The Postman collection for Petrel DDMS contains requests you can use to interact with your Petrel Projects. It also contains a request to query current Petrel projects and records in your Azure Data Manager for Energy instance.

+You can also generate a token by using the cURL command in Postman or a terminal to generate a bearer token. Use the values from your Azure Data Manager for Energy instance.

+Given a Project ID, returns the corresponding Petrel Project record in your Azure Data Manager for Energy instance.

+Given a Project ID, deletes the project and the associated Petrel Project record data in your Azure Data Manager for Energy instance.

+Given a `Project ID` and a `Version ID`, gets the Petrel Version record associated with that project/version ID in your Azure Data Manager for Energy instance.

+Given a Project ID, returns a SAS URL to download the data of the corresponding project from your Azure Data Manager for Energy instance.

+Given a Project ID, returns two SAS URLs. One to upload data to and one to download data from the corresponding project in your Azure Data Manager for Energy instance.

+Given a Project ID, SAS upload URL, and a Petrel Project record, updates the Petrel Project record in your Azure Data Manager for Energy with the new values provided. Can also upload data to a given project but doesn't have to.

+ Title: Microsoft Azure Data Manager for Energy - Seismic store sdutil tutorial

+## Usage for Azure Data Manager for Energy

+Azure Data Manager for Energy instance is using OSDU&trade; M12 Version of sdutil. Follow the below steps if you would like to use SDUTIL to leverage the SDMS API of your Azure Data Manager for Energy instance.

+ Title: Tutorial - Sample steps to interact with Seismic DDMS in Microsoft Azure Data Manager for Energy

+description: This tutorial shows you how to interact with Seismic DDMS Azure Data Manager for Energy

+Seismic DDMS provides the capability to operate on seismic data in the Azure Data Manager for Energy instance.

+### Azure Data Manager for Energy instance details

+* Once the [Azure Data Manager for Energy instance](./quickstart-create-microsoft-energy-data-services-instance.md) is created, note down the following details:

+3. Update the **CURRENT_VALUE** of the Postman Environment with the information obtained in [Azure Data Manager for Energy instance details](#azure-data-manager-for-energy-instance-details)

+description: Learn how to work with well data records in your Azure Data Manager for Energy instance by using Well Delivery Domain Data Management Services (Well Delivery DDMS) APIs in Postman.

+Use Well Delivery Domain Data Management Services (Well Delivery DDMS) APIs in Postman to work with well data in your instance of Azure Data Manager for Energy.

+- An instance of [Azure Data Manager for Energy](quickstart-create-microsoft-energy-data-services-instance.md) created in your Azure subscription

+## Get your Azure Data Manager for Energy instance details

+The first step is to get the following information from your [Azure Data Manager for Energy instance](quickstart-create-microsoft-energy-data-services-instance.md) in the [Azure portal](https://portal.azure.com/?microsoft_azure_marketplace_ItemHideKey=Microsoft_Azure_OpenEnergyPlatformHidden):

+1. In the Postman environment, update **CURRENT VALUE** with the information from your [Azure Data Manager for Energy instance](#get-your-azure-data-manager-for-energy-instance-details):

+ 1. In the **CURRENT VALUE** column, enter the information that's described in the table in [Get your Azure Data Manager for Energy instance details](#get-your-azure-data-manager-for-energy-instance-details). Scroll to see all relevant variables.

+The Postman collection for Well Delivery DDMS contains requests you can use to interact with data about wells, wellbores, well logs, and well trajectory data in your Azure Data Manager for Energy instance.

+1. Import the following cURL command in Postman to generate a bearer token. Use the values from your Azure Data Manager for Energy instance.

+Successfully completing the Postman requests that are described in the following Well Delivery DDMS APIs indicates successful ingestion and retrieval of well records in your Azure Data Manager for Energy instance.

+You can delete a wellbore record in your Azure Data Manager for Energy instance by using Well Delivery DDMS APIs. For example:

+You can delete a well record in your Azure Data Manager for Energy instance by using Well Delivery DDMS APIs. For example:

+description: Learn how to work with well data records in your Azure Data Manager for Energy instance by using Wellbore Domain Data Management Services (Wellbore DDMS) APIs in Postman.

+Use Wellbore Domain Data Management Services (Wellbore DDMS) APIs in Postman to work with well data in your instance of Azure Data Manager for Energy.

+- An instance of [Azure Data Manager for Energy](quickstart-create-microsoft-energy-data-services-instance.md) created in your Azure subscription.

+## Get your Azure Data Manager for Energy instance details

+The first step is to get the following information from your [Azure Data Manager for Energy instance](quickstart-create-microsoft-energy-data-services-instance.md) in the [Azure portal](https://portal.azure.com/?microsoft_azure_marketplace_ItemHideKey=Microsoft_Azure_OpenEnergyPlatformHidden):

+1. In the Postman environment, update **CURRENT VALUE** with the information from your [Azure Data Manager for Energy instance details](#get-your-azure-data-manager-for-energy-instance-details).

+ 1. In the **CURRENT VALUE** column, enter the information that's described in the table in [Get your Azure Data Manager for Energy instance details](#get-your-azure-data-manager-for-energy-instance-details).

+The Postman collection for Wellbore DDMS contains requests you can use to interact with data about wells, wellbores, well logs, and well trajectory data in your Azure Data Manager for Energy instance.

+1. Import the following cURL command in Postman to generate a bearer token. Use the values from your Azure Data Manager for Energy instance.

+Successfully completing the Postman requests that are described in the following Wellbore DDMS APIs indicates successful ingestion and retrieval of well records in your Azure Data Manager for Energy instance.

+Create a well record in your Azure Data Manager for Energy instance.

+Get the well record data for your Azure Data Manager for Energy instance.

+Get the versions of each ingested well record in your Azure Data Manager for Energy instance.

+Get the details of a specific version for a specific well record in your Azure Data Manager for Energy instance.

+Delete a specific well record from your Azure Data Manager for Energy instance.

+step ca init --deployment-type standalone --name MqttAppSamplesCA --dns localhost --address 127.0.0.1:443 --provisioner MqttAppSamplesCAProvisioner

+step certificate create client1-authnID client1-authnID.pem client1-authnID.key --ca .step/certs/intermediate_ca.crt --ca-key .step/secrets/intermediate_ca_key --no-password --insecure --not-after 2400h

+step certificate fingerprint client1-authnID.pem

+| **Hong Kong** | Equinix | Chief<br/>Macroview Telecom |

+| **[Aryaka Networks](https://www.aryaka.com/)** | Supported | Supported | Amsterdam<br/>Chicago<br/>Dallas<br/>Hong Kong<br/>Sao Paulo<br/>Seattle<br/>Silicon Valley<br/>Singapore<br/>Tokyo<br/>Washington DC |

+| **[British Telecom](https://www.globalservices.bt.com/en/solutions/products/cloud-connect-azure)** | Supported | Supported | Amsterdam<br/>Amsterdam2<br/>Chicago<br/>Frankfurt<br/>Hong Kong<br/>Johannesburg<br/>London<br/>London2<br/>Newport(Wales)<br/>Paris<br/>Sao Paulo<br/>Silicon Valley<br/>Singapore<br/>Sydney<br/>Tokyo<br/>Washington DC |

+| **[Equinix](https://www.equinix.com/partners/microsoft-azure/)** | Supported | Supported | Amsterdam<br/>Amsterdam2<br/>Atlanta<br/>Berlin<br/>Bogota<br/>Canberra2<br/>Chicago<br/>Dallas<br/>Dubai2<br/>Dublin<br/>Frankfurt<br/>Frankfurt2<br/>Geneva<br/>Hong Kong<br/>Hong Kong2<br/>London<br/>London2<br/>Los Angeles*<br/>Los Angeles2<br/>Melbourne<br/>Miami<br/>Milan<br/>New York<br/>Osaka<br/>Paris<br/>Paris2<br/>Perth<br/>Quebec City<br/>Rio de Janeiro<br/>Sao Paulo<br/>Seattle<br/>Seoul<br/>Silicon Valley<br/>Singapore<br/>Singapore2<br/>Stockholm<br/>Sydney<br/>Tokyo<br/>Tokyo2<br/>Toronto<br/>Washington DC<br/>Warsaw<br/>Zurich</br></br> **New ExpressRoute circuits are no longer supported with Equinix in Los Angeles. Create new circuits in Los Angeles2.* |

+| **[NTT Communications](https://www.ntt.com/en/services/network/virtual-private-network.html)** | Supported | Supported | Amsterdam<br/>Hong Kong<br/>London<br/>Los Angeles<br/>New York<br/>Osaka<br/>Singapore<br/>Sydney<br/>Tokyo<br/>Washington DC |

+| **[Orange](https://www.orange-business.com/en/products/business-vpn-galerie)** |Supported |Supported | Amsterdam<br/>Amsterdam2<br/>Chicago<br/>Dallas<br/>Dubai2<br/>Frankfurt<br/>Hong Kong<br/>Johannesburg<br/>London<br/>London2<br/>Mumbai2<br/>Melbourne<br/>Paris<br/>Sao Paulo<br/>Silicon Valley<br/>Singapore<br/>Sydney<br/>Tokyo<br/>Washington DC |

+| **[Orange](https://www.orange-business.com/en/products/business-vpn-galerie)** | Supported | Supported | Amsterdam<br/>Amsterdam2<br/>Chicago<br/>Dallas<br/>Dubai2<br/>Dublin2 Frankfurt<br/>Hong Kong<br/>Johannesburg<br/>London<br/>London2<br/>Mumbai2<br/>Melbourne<br/>Paris<br/>Sao Paulo<br/>Silicon Valley<br/>Singapore<br/>Sydney<br/>Tokyo<br/>Toronto<br/>Washington DC |

+| **[Tata Communications](https://www.tatacommunications.com/solutions/network/cloud-ready-networks/)** | Supported | Supported | Amsterdam<br/>Chennai<br/>Chicago<br/>Hong Kong<br/>London<br/>Mumbai<br/>Pune<br/>Sao Paulo<br/>Silicon Valley<br/>Singapore<br/>Washington DC |

+| **[Verizon](https://enterprise.verizon.com/products/network/application-enablement/secure-cloud-interconnect/)** | Supported | Supported | Amsterdam<br/>Chicago<br/>Dallas<br/>Frankfurt<br/>Hong Kong<br/>London<br/>Mumbai<br/>Paris<br/>Silicon Valley<br/>Singapore<br/>Sydney<br/>Tokyo<br/>Toronto<br/>Washington DC |

+| **[Chief](https://www.chief.com.tw/)** | Equinix | Hong Kong |

+| **[Macroview Telecom](http://www.macroview.com/en/scripts/catitem.php?catid=solution&sectionid=expressroute)** |Equinix |Hong Kong

+> If a Key Vault certificate expires it can still be retrieved, but certificate may become inoperable in scenarios like TLS protection where expiration of certificate is validated.

+az keyvault secret download --file {nameofcert.pfx}

+- To purge a secret in the soft-deleted state, a service principal must be granted an additional "purge" access policy permission. The purge access policy permission isn't granted by default to any service principal including key vault and subscription owners and must be deliberately set. By requiring an elevated access policy permission to purge a soft-deleted secret, it reduces the probability of accidentally deleting a secret.

+When creating a new key vault, soft-delete is on by default. Once soft-delete is enabled on a key vault it can't be disabled.

+The retention policy interval can only be configured during key vault creation and can't be changed afterwards. You have the option to set it anywhere from 7 to 90 days, with 90 days being the default. The same interval applies to both soft-delete and the purge protection retention policy.

+You can't reuse the name of a key vault that has been soft-deleted until the retention period has passed.

+When purge protection is on, a vault or an object in the deleted state can't be purged until the retention period has passed. Soft-deleted vaults and objects can still be recovered, ensuring that the retention policy will be followed.

+The default retention period is 90 days, but it's possible to set the retention policy interval to a value from 7 to 90 days through the Azure portal. Once the retention policy interval is set and saved it can't be changed for that vault.

+- A key vault with the same name can't be created in the same location; correspondingly, a key vault object can't be created in a given vault if that key vault contains an object with the same name and which is in a deleted state.

+You no longer need to [create and manage compute](./how-to-create-attach-compute-cluster.md) to train your model in a scalable way. Your job can instead be submitted to a new compute target type, called _serverless compute_. Serverless compute is the easiest way to run training jobs on Azure Machine Learning. Serverless compute is a fully-managed, on-demand compute. It is created, scaled, and managed by Azure Machine Learning for you. Through model training with serverless compute, machine learning professionals can focus on their expertise of building machine learning models and not have to learn about compute infrastructure or setting it up.

+* Azure Machine Learning manages creating, setting up, scaling, deleting, patching, compute infrastructure reducing management overhead

+* You don't need to learn about compute, various compute types, and related properties.

+* Reduction in steps involved to run a job

+* User identity and workspace user-assigned managed identity is supported for job submission.

+* Admin control through quota and Azure policies

+Endpoint for image classification returns all the labels in the dataset and their probability scores for the input image in the following format. `visualizations` and `attributions` are related to explainability and when the request is only for scoring, these keys will not be included in the output. For more information on explainability input and output schema for image classification, see the [explainability for image classification section](#image-classification-binarymulti-class-2).

+ ]

+For image classification multi-label, model endpoint returns labels and their probabilities. `visualizations` and `attributions` are related to explainability and when the request is only for scoring, these keys will not be included in the output. For more information on explainability input and output schema for multi-label classification, see the [explainability for image classification multi-label section](#image-classification-multi-label-2).

+ ]

+Output schema is [same as described above](#data-schema-for-online-scoring) except that `visualizations` and `attributions` key values are included, if these keys were set to `True` in the request.

+**vCenter Server permissions** | Agentless migration uses the [Migrate Appliance](migrate-appliance.md). The appliance needs these permissions in vCenter Server:<br/><br/> - **Datastore.Browse** (Datastore -> Browse datastore): Allow browsing of VM log files to troubleshoot snapshot creation and deletion.<br/><br/> - **Datastore.FileManagement** (Datastore -> Low level file operations): Allow read/write/delete/rename operations in the datastore browser, to troubleshoot snapshot creation and deletion.<br/><br/> - **VirtualMachine.Config.ChangeTracking** (Virtual machine -> Disk change tracking): Allow enable or disable change tracking of VM disks, to pull changed blocks of data between snapshots.<br/><br/> - **VirtualMachine.Config.DiskLease** (Virtual machine -> Disk lease): Allow disk lease operations for a VM, to read the disk using the VMware vSphere Virtual Disk Development Kit (VDDK).<br/><br/> - **VirtualMachine.Provisioning.DiskRandomRead** (Virtual machine -> Provisioning -> Allow read-only disk access): Allow opening a disk on a VM, to read the disk using the VDDK.<br/><br/> - **VirtualMachine.Provisioning.DiskRandomAccess** (Virtual machine -> Provisioning -> Allow disk access): Allow opening a disk on a VM, to read the disk using the VDDK.<br/><br/> - **VirtualMachine.Provisioning.GetVmFiles** (Virtual machine -> Provisioning -> Allow virtual machine download): Allows read operations on files associated with a VM, to download the logs and troubleshoot if failure occurs.<br/><br/> - **VirtualMachine.State.\*** (Virtual machine -> Snapshot management): Allow creation and management of VM snapshots for replication.<br/><br/> - **VirtualMachine.GuestOperations.\*** (Virtual machine -> Guest operations): Allow Discovery, Software Inventory, and Dependency Mapping on VMs.<br/><br/> -**VirtualMachine.Interact.PowerOff** (Virtual machine > Interaction > Power off): Allow the VM to be powered off during migration to Azure.

+| [TCGA Open Data](dataset-encode.md) | TCGA Open Data |

+| [Pan UK-Biobank](dataset-panancestry-uk-bio-bank.md) | Pan UK-Biobank |

+- Other Python libraries to consider include [PySAL](http://pysal.org/), [Rasterio](https://rasterio.readthedocs.io/en/latest/intro.html), [WhiteboxTools](https://www.whiteboxgeo.com/manual/wbt_book/intro.html), [Turf.js](https://turfjs.org/), [Pointpats](https://pypi.org/project/pointpats/), [Raster Vision](https://docs.rastervision.io/en/0.13/), [EarthPy](https://earthpy.readthedocs.io/en/latest/https://docsupdatetracker.net/index.html), [Planetary Computer](https://planetarycomputer.microsoft.com/), [PDAL](https://pdal.io/), etc.

+* Network security groups (NSG) traffic is bypassed from private endpoints due to network policies being disabled for a subnet in a virtual network by default. To utilize network policies like User-Defined Routes and Network Security Groups support, network policy support must be enabled for the subnet. This setting is only applicable to private endpoints within the subnet. This setting affects all private endpoints within the subnet. For other resources in the subnet, access is controlled based on security rules in the network security group.

+| Azure Automation (Microsoft.Automation/automationAccounts) / Webhook, DSCAndHybridWorker | privatelink.azure-automation.net | azure-automation.net |

+| Azure SQL Managed Instance (Microsoft.Sql/managedInstances) / managedInstance | privatelink.{dnsPrefix}.database.windows.net | {instanceName}.{dnsPrefix}.database.windows.net |

+| Microsoft Purview (Microsoft.Purview) / portal | privatelink.purviewstudio.azure.com | purview.azure.com |

+# Reliability in Azure Data Manager for Energy

+Azure Data Manager for Energy supports zone-redundant instance by default and there's no setup required.

+The Azure Data Manager for Energy supports availability zones in the following regions:

+If you're experiencing failures with Azure Data Manager for Energy APIs, you may need to implement a retry mechanism for 5XX errors.

+### Symptom - Unable to update or delete a custom role

+You're unable to update or delete an existing custom role.

+**Cause 1**

+You're currently signed in with a user that doesn't have permission to update or delete custom roles.

+**Solution 1**

+**Cause 2**

+The custom role includes a subscription in assignable scopes and that subscription is in a [disabled state](../cost-management-billing/manage/subscription-states.md).

+**Solution 2**

+Reactivate the disabled subscription and update the custom role as needed. For more information, see [Reactivate a disabled Azure subscription](../cost-management-billing/manage/subscription-disabled.md).

+ - jq

+ - unzip

+> NFS Azure file shares aren't supported for Windows. Before using NFS Azure file shares in production, see [Troubleshoot NFS Azure file shares](/troubleshoot/azure/azure-storage/files-troubleshoot-linux-nfs?toc=/azure/storage/files/toc.json) for a list of known issues. NFS access control lists (ACLs) aren't supported.

+> Before using NFS Azure file shares in production, see [Troubleshoot NFS Azure file shares](/troubleshoot/azure/azure-storage/files-troubleshoot-linux-nfs?toc=/azure/storage/files/toc.json) for a list of known issues.

+- [Troubleshoot SMB issues on Linux](/troubleshoot/azure/azure-storage/files-troubleshoot-linux-smb?toc=/azure/storage/files/toc.json)

+- [Troubleshoot NFS issues on Linux](/troubleshoot/azure/azure-storage/files-troubleshoot-linux-nfs?toc=/azure/storage/files/toc.json)