+> Azure AI Content Safety models have been specifically trained and tested on the following languages: Chinese, English, French, German, Italian, Japanese, Portuguese. However, the service can work in many other languages, but the quality might vary. In all cases, you should do your own testing to ensure that it works for your application.

+| Language name | Language code | Supported Languages | Specially trained languages|

+| Europe | North Europe | `northeurope` ^1,2,4,5,7,10 |

+| Europe | Sweden Central | `swedencentral`^8,10 |

+| US | South Central US | `southcentralus` ^{1,2,4,5,6,7,10} |

+## Supported prebuilt avatar characters, styles, and gestures

+| Harry | business | 123<br>calm-down<br>come-on<br>five-star-reviews<br>good<br>hello<br>introduce<br>invite<br>thanks<br>welcome |

+| Harry | casual | 123<br>come-on<br>five-star-reviews<br>gong-xi-fa-cai<br>good<br>happy-new-year<br>hello<br>please<br>welcome |

+| Harry | youthful | 123<br>come-on<br>down<br>five-star<br>good<br>hello<br>invite<br>show-right-up-down<br>welcome |

+| Jeff | business | 123<br>come-on<br>five-star-reviews<br>hands-up<br>here<br>meddle<br>please2<br>show<br>silence<br>thanks |

+| Jeff | formal | 123<br>come-on<br>five-star-reviews<br>lift<br>please<br>silence<br>thanks<br>very-good |

+| Lisa | technical-standing |

+| Lori | casual | 123-left<br>a-little<br>beg<br>calm-down<br>come-on<br>five-star-reviews<br>good<br>hello<br>open<br>please<br>thanks |

+| Lori | graceful | 123-left<br>applaud<br>come-on<br>introduce<br>nod<br>please<br>show-left<br>show-right<br>thanks<br>welcome |

+| Lori | formal | 123<br>come-on<br>come-on-left<br>down<br>five-star<br>good<br>hands-triangle<br>hands-up<br>hi<br>hopeful<br>thanks |

+| Max | business | a-little-bit<br>click-the-link<br>display-number<br>encourage-1<br>encourage-2<br>five-star-praise<br>front-right<br>good-01<br>good-02<br>introduction-to-products-1<br>introduction-to-products-2<br>introduction-to-products-3<br>left<br>lower-left<br>number-one<br>press-both-hands-down-1<br>press-both-hands-down-2<br>push-forward<br>raise-ones-hand<br>right<br>say-hi<br>shrug-ones-shoulders<br>slide-from-left-to-right<br>slide-to-the-left<br>thanks<br>the-front<br>top-middle-and-bottom-left<br>top-middle-and-bottom-right<br>upper-left<br>upper-right<br>welcome |

+| Max | casual | a-little-bit<br>applaud<br>click-the-link<br>display-number<br>encourage-1<br>encourage-2<br>five-star-praise<br>front-left<br>good-1<br>good-2<br>hello<br>introduction-to-products-1<br>introduction-to-products-2<br>introduction-to-products-3<br>introduction-to-products-4<br>left<br>length<br>nodding<br>number-one<br>press-both-hands-down<br>raise-ones-hand<br>right<br>right-front<br>shrug-ones-shoulders<br>slide-from-left-to-right<br>slide-to-the-left<br>thanks<br>the-front<br>upper-left<br>upper-right<br>welcome |

+| Max | formal | a-little-bit<br>click-the-link<br>display-number<br>encourage-1<br>encourage-2<br>five-star-praise<br>front-left<br>front-right<br>good-1<br>good-2<br>introduction-to-products-1<br>introduction-to-products-2<br>introduction-to-products-3<br>left<br>lower-left<br>lower-right<br>press-both-hands-down<br>push-forward<br>right<br>say-hi<br>shrug-ones-shoulders<br>slide-from-left-to-right<br>slide-to-the-left<br>the-front<br>top-middle-and-bottom-right<br>upper-left<br>upper-right |

+| Meg | formal | a-little-bit<br>click-the-link<br>display-number<br>encourage-1<br>encourage-2<br>five-star-praise<br>front-left<br>front-right<br>good-1<br>good-2<br>hands-forward<br>introduction-to-products-1<br>introduction-to-products-2<br>introduction-to-products-3<br>left<br>number-one<br>press-both-hands-down-1<br>press-both-hands-down-2<br>right<br>say-hi<br>shrug-ones-shoulders<br>slide-from-left-to-right<br>the-front<br>upper-left<br>upper-right |

+| Meg | casual | a-little-bit<br>click-the-link<br>cross-hand<br>display-number<br>encourage-1<br>encourage-2<br>five-star-praise<br>front-left<br>front-right<br>good-1<br>good-2<br>handclap<br>introduction-to-products-1<br>introduction-to-products-2<br>introduction-to-products-3<br>left<br>length<br>lower-left<br>lower-right<br>number-one<br>press-both-hands-down<br>right<br>say-hi<br>shrug-ones-shoulders<br>slide-from-right-to-left<br>slide-to-the-left<br>spread-hands<br>the-front<br>top-middle-and-bottom-left<br>top-middle-and-bottom-right<br>upper-left<br>upper-right |

+| Meg | business | a-little-bit<br>encourage-1<br>encourage-2<br>five-star-praise<br>front-left<br>front-right<br>good-1<br>good-2<br>introduction-to-products-1<br>introduction-to-products-2<br>introduction-to-products-3<br>left<br>length<br>number-one<br>press-both-hands-down-1<br>press-both-hands-down-2<br>raise-ones-hand<br>right<br>say-hi<br>shrug-ones-shoulders<br>slide-from-left-to-right<br>slide-to-the-left<br>spread-hands<br>thanks<br>the-front<br>upper-left |

+| avatarConfig.talkingAvatarCharacter | The character name of the talking avatar.<br/><br/>The supported avatar characters can be found [here](avatar-gestures-with-ssml.md#supported-prebuilt-avatar-characters-styles-and-gestures).<br/><br/>This property is required.|

+| avatarConfig.talkingAvatarStyle | The style name of the talking avatar.<br/><br/>The supported avatar styles can be found [here](avatar-gestures-with-ssml.md#supported-prebuilt-avatar-characters-styles-and-gestures).<br/><br/>This property is required for prebuilt avatar, and optional for customized avatar.|

+- Set the required `talkingAvatarCharacter` and `talkingAvatarStyle` properties. You can find supported avatar characters and styles [here](./avatar-gestures-with-ssml.md#supported-prebuilt-avatar-characters-styles-and-gestures).

+The supported avatar characters and styles can be found [here](avatar-gestures-with-ssml.md#supported-prebuilt-avatar-characters-styles-and-gestures).

+- For more information, see [Speech service pricing](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/). Note that avatar pricing will only be visible for service regions where the feature is available, including Southeast Asia, North Europe, West Europe, Sweden Central, South Central US, and West US 2.

+The text to speech avatar feature is only available in the following service regions: Southeast Asia, North Europe, West Europe, Sweden Central, South Central US, and West US 2.

+* **🆕 Document translation**. Synchronously translate documents while preserving structure and format in real time. For more information, *see* [Container:translate documents](translate-document-parameters.md).

+The Docker command:

+# Container: Translate Documents

+curl -i -X POST "http://localhost:5000/translator/document:translate?sourceLanguage=en&targetLanguage=hi&api-version=2024-05-01" -F "document=@C:\Test\test-file.md;type=text/markdown" -o "C:\translation\translated-file.md"

+curl -v "http://localhost:5000/translator/document:translate?sourceLanguage=en&targetLanguage=es&api-version=2024-05-01" -F "document=@document-translation-sample-docx" -o "C:\translation\translated-file.md"

+> * The public preview version of Document Translation client libraries default to REST API version **2024-05-01**.

+|[**Translate document**](translate-document.md)|POST|Synchronously translate a single document.|`{document-translation-endpoint}/translator/document:translate?sourceLanguage={source language}&targetLanguage={target language}&api-version=2024-05-01" -H "Ocp-Apim-Subscription-Key:{your-key}" -F "document={path-to-your-document-with-file-extension};type={ContentType}/{file-extension}" -F "glossary={path-to-your-glossary-with-file-extension};type={ContentType}/{file-extension}" -o "{path-to-output-file}"`|

+|**api-version** | _Required parameter_.<br>Version of the API requested by the client. Current value is `2024-05-01`. |

+- An [Azure AI Studio hub](../how-to/create-azure-ai-resource.md). The serverless API model deployment offering for JAIS is only available with hubs created in these regions:

+ * East US

+ * East US 2

+ * North Central US

+ * South Central US

+ * West US

+ * West US 3

+ * Sweden Central

+ For a list of regions that are available for each of the models supporting serverless API endpoint deployments, see [Region availability for models in serverless API endpoints](deploy-models-serverless-availability.md).

+JAIS 30b Chat is an auto-regressive bi-lingual LLM for **Arabic** & **English**. The tuned versions use supervised fine-tuning (SFT). The model is fine-tuned with both Arabic and English prompt-response pairs. The fine-tuning datasets included a wide range of instructional data across various domains. The model covers a wide range of common tasks including question answering, code generation, and reasoning over textual content. To enhance performance in Arabic, the Core42 team developed an in-house Arabic dataset as well as translating some open-source English instructions into Arabic.

+- [Region availability for models in serverless API endpoints](deploy-models-serverless-availability.md)

+- An [Azure AI Studio hub](../how-to/create-azure-ai-resource.md). The serverless API model deployment offering for Cohere Command is only available with hubs created in these regions:

+ * East US

+ * East US 2

+ * North Central US

+ * South Central US

+ * West US

+ * West US 3

+ * Sweden Central

+

+ For a list of regions that are available for each of the models supporting serverless API endpoint deployments, see [Region availability for models in serverless API endpoints](deploy-models-serverless-availability.md).

+- [Region availability for models in serverless API endpoints](deploy-models-serverless-availability.md)

+- An [AI Studio hub](../how-to/create-azure-ai-resource.md). The serverless API model deployment offering for Cohere Embed is only available with hubs created in these regions:

+ * East US

+ * East US 2

+ * North Central US

+ * South Central US

+ * West US

+ * West US 3

+ * Sweden Central

+

+ For a list of regions that are available for each of the models supporting serverless API endpoint deployments, see [Region availability for models in serverless API endpoints](deploy-models-serverless-availability.md).

+- [Region availability for models in serverless API endpoints](deploy-models-serverless-availability.md)

+- An [AI Studio hub](../how-to/create-azure-ai-resource.md). The serverless API model deployment offering for Jamba Instruct is only available with hubs created in these regions:

+ * East US

+ * East US 2

+ * North Central US

+ * South Central US

+ * West US

+ * West US 3

+ * Sweden Central

+

+ For a list of regions that are available for each of the models supporting serverless API endpoint deployments, see [Region availability for models in serverless API endpoints](deploy-models-serverless-availability.md).

+- [Region availability for models in serverless API endpoints](deploy-models-serverless-availability.md)

+- An [AI Studio hub](../how-to/create-azure-ai-resource.md). The serverless API model deployment offering for Meta Llama 3 is only available with hubs created in these regions:

+ * East US

+ * East US 2

+ * North Central US

+ * South Central US

+ * West US

+ * West US 3

+ * Sweden Central

+

+ For a list of regions that are available for each of the models supporting serverless API endpoint deployments, see [Region availability for models in serverless API endpoints](deploy-models-serverless-availability.md).

+- An [AI Studio hub](../how-to/create-azure-ai-resource.md). The serverless API model deployment offering for Meta Llama 2 is only available with hubs created in these regions:

+ * East US

+ * East US 2

+ * North Central US

+ * South Central US

+ * West US

+ * West US 3

+

+ For a list of regions that are available for each of the models supporting serverless API endpoint deployments, see [Region availability for models in serverless API endpoints](deploy-models-serverless-availability.md).

+- [Region availability for models in serverless API endpoints](deploy-models-serverless-availability.md)

+- An [Azure AI Studio hub](../how-to/create-azure-ai-resource.md). The serverless API model deployment offering for Phi-3 is only available with hubs created in these regions:

+ * East US 2

+ * Sweden Central

+ For a list of regions that are available for each of the models supporting serverless API endpoint deployments, see [Region availability for models in serverless API endpoints](deploy-models-serverless-availability.md).

+- [Region availability for models in serverless API endpoints](deploy-models-serverless-availability.md)

+- [Region availability for models in serverless API endpoints](deploy-models-serverless-availability.md)

+|cachingMode | [Azure Data Disk Host Cache Setting][disk-host-cache-setting](PremiumV2_LRS and UltraSSD_LRS only support `None` caching mode) | `None`, `ReadOnly`, `ReadWrite` | No | `ReadOnly`|

+ volumeHandle: "{resource-group-name}#{account-name}#{file-share-name}" # make sure this volumeid is unique for every identical share in the cluster

+ - key: "sku"

+ operator: "Equal"

+ value: "gpu"

+ effect: "NoSchedule"

+ --resource-group <private-cluster-resource-group> \

+ --resource-group $RESOURCE_GROUP_NAME \

+ --resource-group $RESOURCE_GROUP_NAME \

+ --node-init-taints ""

+[verify-secure-boot-failures]: ../virtual-machines/trusted-launch-faq.md#verify-secure-boot-failures

+1. In the [Azure portal](https://portal.azure.com), navigate to your API Management instance.

+1. In the left menu, under **Developer portal**, select **Delegation**.

+For Bicep, modify the properties `clientCertEnabled`, `clientCertMode`, and `clientCertExclusionPaths`. A sample Bicep snippet is provided for you:

+For ARM templates, modify the properties `clientCertEnabled`, `clientCertMode`, and `clientCertExclusionPaths`. A sample ARM template snippet is provided for you:

+## Python sample

+The following Flask and Django Python code samples implement a decorator named `authorize_certificate` that can be used on a view function to permit access only to callers that present a valid client certificate. It expects a PEM formatted certificate in the `X-ARR-ClientCert` header and uses the Python [cryptography](https://pypi.org/project/cryptography/) package to validate the certificate based on its fingerprint (thumbprint), subject common name, issuer common name, and beginning and expiration dates. If validation fails, the decorator ensures that an HTTP response with status code 403 (Forbidden) is returned to the client.

+### [Flask](#tab/flask)

+```python

+from functools import wraps

+from datetime import datetime, timezone

+from flask import abort, request

+from cryptography import x509

+from cryptography.x509.oid import NameOID

+from cryptography.hazmat.primitives import hashes

+def validate_cert(request):

+ try:

+ cert_value = request.headers.get('X-ARR-ClientCert')

+ if cert_value is None:

+ return False

+

+ cert_data = ''.join(['--BEGIN CERTIFICATE--\n', cert_value, '\n--END CERTIFICATE--\n',])

+ cert = x509.load_pem_x509_certificate(cert_data.encode('utf-8'))

+

+ fingerprint = cert.fingerprint(hashes.SHA1())

+ if fingerprint != b'12345678901234567890':

+ return False

+

+ subject = cert.subject

+ subject_cn = subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value

+ if subject_cn != "contoso.com":

+ return False

+

+ issuer = cert.issuer

+ issuer_cn = issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value

+ if issuer_cn != "contoso.com":

+ return False

+

+ current_time = datetime.now(timezone.utc)

+

+ if current_time < cert.not_valid_before_utc:

+ return False

+

+ if current_time > cert.not_valid_after_utc:

+ return False

+

+ return True

+ except Exception as e:

+ # Handle any errors encountered during validation

+ print(f"Encountered the following error during certificate validation: {e}")

+ return False

+

+def authorize_certificate(f):

+ @wraps(f)

+ def decorated_function(*args, **kwargs):

+ if not validate_cert(request):

+ abort(403)

+ return f(*args, **kwargs)

+ return decorated_function

+```

+The following code snippet shows how to use the decorator on a Flask view function.

+```python

+@app.route('/hellocert')

+@authorize_certificate

+def hellocert():

+ print('Request for hellocert page received')

+ return render_template('https://docsupdatetracker.net/index.html')

+```

+### [Django](#tab/django)

+```python

+from functools import wraps

+from datetime import datetime, timezone

+from django.core.exceptions import PermissionDenied

+from cryptography import x509

+from cryptography.x509.oid import NameOID

+from cryptography.hazmat.primitives import hashes

+def validate_cert(request):

+ try:

+ cert_value = request.headers.get('X-ARR-ClientCert')

+ if cert_value is None:

+ return False

+

+ cert_data = ''.join(['--BEGIN CERTIFICATE--\n', cert_value, '\n--END CERTIFICATE--\n',])

+ cert = x509.load_pem_x509_certificate(cert_data.encode('utf-8'))

+

+ fingerprint = cert.fingerprint(hashes.SHA1())

+ if fingerprint != b'12345678901234567890':

+ return False

+

+ subject = cert.subject

+ subject_cn = subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value

+ if subject_cn != "contoso.com":

+ return False

+

+ issuer = cert.issuer

+ issuer_cn = issuer.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value

+ if issuer_cn != "contoso.com":

+ return False

+

+ current_time = datetime.now(timezone.utc)

+

+ if current_time < cert.not_valid_before_utc:

+ return False

+

+ if current_time > cert.not_valid_after_utc:

+ return False

+

+ return True

+ except Exception as e:

+ # Handle any errors encountered during validation

+ print(f"Encountered the following error during certificate validation: {e}")

+ return False

+def authorize_certificate(view):

+ @wraps(view)

+ def _wrapped_view(request, *args, **kwargs):

+ if not validate_cert(request):

+ raise PermissionDenied

+ return view(request, *args, **kwargs)

+ return _wrapped_view

+```

+The following code snippet shows how to use the decorator on a Django view function.

+```python

+@authorize_certificate

+def hellocert(request):

+ print('Request for hellocert page received')

+ return render(request, 'hello_azure/https://docsupdatetracker.net/index.html')

+```

+The side-by-side migration feature automates your migration to App Service Environment v3. The side-by-side migration feature creates a new App Service Environment v3 with all of your apps in a different subnet. Your existing App Service Environment isn't deleted until you initiate its deletion at the end of the migration process. This migration option is best for customers who want to migrate to App Service Environment v3 with zero downtime and can support using a different subnet for their new environment. If you need to use the same subnet and can support about one hour of application downtime, see the [in-place migration feature](migrate.md). For manual migration options that allow you to migrate at your own pace, see [manual migration options](migration-alternatives.md).

+If you discover any issues with your new App Service Environment v3, don't run the command to redirect customer traffic. This command also initiates the deletion of your App Service Environment v2. If you find an issue, contact support.

+If you find any issues or decide at this point that you no longer want to proceed with the migration, contact support to discuss your options. Don't run the DNS change command since that command completes the migration.

+ If there's an unexpected issue, support teams are on hand. We recommend that you migrate dev environments before touching any production environments to learn about the migration process and see how it impacts your workloads.

+**Prerequisite**

+- Hybrid Worker should be deployed and the machine should be in running state before executing a runbook.

+**Hybrid Worker Credentials**

+ > - Use *.zip* files for PowerShell runbook types as mentioned [here](https://learn.microsoft.com/powershell/scripting/developer/module/understanding-a-windows-powershell-module?view=powershell-7.4)

+|Solution and version | Kubernetes version | Azure Arc-enabled data services version | SQL engine version | PostgreSQL server version|

+|[Portworx Enterprise 3.1](https://www.purestorage.com/products/cloud-native-applications/portworx.html)|1.28.7|1.30.0_2024-06-11|16.0.5349.20214|Not validated|

+|Portworx Enterprise 2.7 1.22.5 |1.20.7 |1.1.0_2021-11-02 |15.0.2148.140 |Not validated |

+|Portworx Enterprise 2.9 |1.22.5 |1.1.0_2021-11-02 |15.0.2195.191 |12.3 (Ubuntu 12.3-1) |

+> Your application can use any client library that is compatible with open-source Redis to connect to your Azure Cache for Redis instance.

+- If your production workload on a _C1_ cache is negatively affected by extra latency from some internal defender scan runs, you can reduce the effect by scaling to a higher tier offering with multiple CPU cores, such as _C2_.

+On _C0_ and _C1_ caches, you might see short spikes in server load not caused by an increase in requests a couple times a day while internal defender scanning is running on the VMs. You see higher latency for requests while internal defender scans happen on these tiers. Caches on the _C0_ and _C1_ tiers only have a single core to multitask, dividing the work of serving internal defender scanning and Redis requests.

+> - **Data upload:** Cloud ingestion services will gradually reduce support for MMA agents, which may result in decreased support and potential compatibility issues for MMA agents over time. Ingestion for MMA will be unchanged until February 1 2025.

+> - **Installation:** The ability to install the legacy agents will be removed from the Azure Portal and installation policies for legacy agents will be removed. You can still install the MMA agents extension as well as perform offline installations.

+> - **OS Support:** Support for new Linux or Windows distros, including service packs, won't be added after the deprecation of the legacy agents.

+- `FilePath` (string) [Optional]

+- `Computer` (string) [Optional]

+The default table schema for log data collected from text files is 'TimeGenerated' and 'RawData'. Adding the 'FilePath' or 'Computer' to either stream is optional. If you know your final schema or your source is a JSON log, you can add the final columns in the script before creating the table. You can always [add columns using the Log Analytics table UI](../logs/create-custom-table.md#add-or-delete-a-custom-column) later.

+ {

+ "name": "Computer",

+ "type": "String"

+ },

+ {

+* [Filtering](./api-filtering-sampling.md#filtering) can modify or discard telemetry before it's sent from the SDK by implementing `ITelemetryProcessor`. For example, you could reduce the volume of telemetry by excluding requests from robots. Unlike sampling, You have full control over what is sent or discarded, but it affects any metrics based on aggregated logs. Depending on how you discard items, you might also lose the ability to navigate between related items.

+## Prerequisites

+Install the appropriate SDK for your application: [ASP.NET](asp-net.md), [ASP.NET Core](asp-net-core.md), [Non-HTTP/Worker for .NET/.NET Core](worker-service.md), or [JavaScript](javascript.md).

+### .NET applications

+1. Implement `ITelemetryProcessor`.

+ #### [ASP.NET](#tab/dotnet)

+

+ Insert this snippet in ApplicationInsights.config:

+

+ ```xml

+ <TelemetryProcessors>

+ <Add Type="WebApplication9.SuccessfulDependencyFilter, WebApplication9">

+ <!-- Set public property -->

+ <MyParamFromConfigFile>2-beta</MyParamFromConfigFile>

+ </Add>

+ </TelemetryProcessors>

+ ```

+

+ You can pass string values from the .config file by providing public named properties in your class.

+

+ > [!WARNING]

+ > Take care to match the type name and any property names in the .config file to the class and property names in the code. If the .config file references a nonexistent type or property, the SDK may silently fail to send any telemetry.

+ >

+

+ Alternatively, you can initialize the filter in code. In a suitable initialization class, for example, AppStart in `Global.asax.cs`, insert your processor into the chain:

+

+ ```csharp

+ var builder = TelemetryConfiguration.Active.DefaultTelemetrySink.TelemetryProcessorChainBuilder;

+ builder.Use((next) => new SuccessfulDependencyFilter(next));

+

+ // If you have more processors:

+ builder.Use((next) => new AnotherProcessor(next));

+

+ builder.Build();

+ ```

+

+ Telemetry clients created after this point use your processors.

+ #### [ASP.NET Core/Worker service](#tab/dotnetcore)

+

+ > [!NOTE]

+ > Adding a processor by using `ApplicationInsights.config` or `TelemetryConfiguration.Active` isn't valid for ASP.NET Core applications or if you're using the Microsoft.ApplicationInsights.WorkerService SDK.

+

+ For apps written by using [ASP.NET Core](asp-net-core.md#add-telemetry-processors) or [WorkerService](worker-service.md#add-telemetry-processors), adding a new telemetry processor is done by using the `AddApplicationInsightsTelemetryProcessor` extension method on `IServiceCollection`, as shown. This method is called in the `ConfigureServices` method of your `Startup.cs` class.

+

+ ```csharp

+

+ ```

+

+ To register telemetry processors that need parameters in ASP.NET Core, create a custom class implementing **ITelemetryProcessorFactory**. Call the constructor with the desired parameters in the **Create** method and then use **AddSingleton<ITelemetryProcessorFactory, MyTelemetryProcessorFactory>()**.

+

+

+ if (!string.IsNullOrEmpty(item.Context.Operation.SyntheticSource)) {return;}

+

+ // Send everything else:

+ this.Next.Process(item);

+### Java applications

+You can filter telemetry from JavaScript web applications by using ITelemetryInitializer.

+ ```js

+ var filteringFunction = (envelope) => {

+ if (envelope.data.someField === 'tobefilteredout') {

+ return false;

+ }

+ return true;

+ };

+ ```

+ ```js

+For example, Application Insights for a web package collects telemetry about HTTP requests. By default, it flags any request with a response code >=400 as failed. If instead you want to treat 400 as a success, you can provide a telemetry initializer that sets the success property.

+If you provide a telemetry initializer, it's called whenever any of the Track*() methods are called. This initializer includes `Track()` methods called by the standard telemetry modules. By convention, these modules don't set any property that was already set by an initializer. Telemetry initializers are called before calling telemetry processors, so any enrichments done by initializers are visible to processors.

+### .NET applications

+1. Define your initializer

+ ```csharp

+ using System;

+ using Microsoft.ApplicationInsights.Channel;

+ using Microsoft.ApplicationInsights.DataContracts;

+ using Microsoft.ApplicationInsights.Extensibility;

+

+ namespace MvcWebRole.Telemetry

+ /*

+ * Custom TelemetryInitializer that overrides the default SDK

+ * behavior of treating response codes >= 400 as failed requests

+ *

+ */

+ public class MyTelemetryInitializer : ITelemetryInitializer

+ public void Initialize(ITelemetry telemetry)

+ {

+ var requestTelemetry = telemetry as RequestTelemetry;

+ // Is this a TrackRequest() ?

+ if (requestTelemetry == null) return;

+ int code;

+ bool parsed = Int32.TryParse(requestTelemetry.ResponseCode, out code);

+ if (!parsed) return;

+ if (code >= 400 && code < 500)

+ {

+ // If we set the Success property, the SDK won't change it:

+ requestTelemetry.Success = true;

+

+ // Allow us to filter these requests in the portal:

+ requestTelemetry.Properties["Overridden400s"] = "true";

+ }

+ // else leave the SDK to set the Success property

+ }

+ ```

+2. Load your initializer

+ #### [ASP.NET](#tab/dotnet)

+

+ In ApplicationInsights.config:

+

+ ```xml

+ <ApplicationInsights>

+ <TelemetryInitializers>

+ <!-- Fully qualified type name, assembly name: -->

+ <Add Type="MvcWebRole.Telemetry.MyTelemetryInitializer, MvcWebRole"/>

+ ...

+ </TelemetryInitializers>

+ </ApplicationInsights>

+ ```

+

+ Alternatively, you can instantiate the initializer in code, for example, in Global.aspx.cs:

+

+ ```csharp

+ protected void Application_Start()

+ {

+ // ...

+ TelemetryConfiguration.Active.TelemetryInitializers.Add(new MyTelemetryInitializer());

+ }

+ ```

+

+ See more of [this sample](https://github.com/MohanGsk/ApplicationInsights-Home/tree/master/Samples/AzureEmailService/MvcWebRole).

+

+ #### [ASP.NET Core/Worker service](#tab/dotnetcore)

+

+ > [!NOTE]

+ > Adding an initializer by using `ApplicationInsights.config` or `TelemetryConfiguration.Active` isn't valid for ASP.NET Core applications or if you're using the Microsoft.ApplicationInsights.WorkerService SDK.

+

+ For apps written using [ASP.NET Core](asp-net-core.md#add-telemetryinitializers) or [WorkerService](worker-service.md#add-telemetry-initializers), adding a new telemetry initializer is done by adding it to the Dependency Injection container, as shown. Accomplish this step in the `Startup.ConfigureServices` method.

+

+ ```csharp

+ using Microsoft.ApplicationInsights.Extensibility;

+ using CustomInitializer.Telemetry;

+ public void ConfigureServices(IServiceCollection services)

+ {

+ services.AddSingleton<ITelemetryInitializer, MyTelemetryInitializer>();

+ }

+ ```

+

+

+!(function (cfg){function e(){cfg.onInit&&cfg.onInit(n)}var x,w,D,t,E,n,C=window,O=document,b=C.location,q="script",I="ingestionendpoint",L="disableExceptionTracking",j="ai.device.";"instrumentationKey"[x="toLowerCase"](),w="crossOrigin",D="POST",t="appInsightsSDK",E=cfg.name||"appInsights",(cfg.name||C[t])&&(C[t]=E),n=C[E]||function(g){var f=!1,m=!1,h={initialize:!0,queue:[],sv:"8",version:2,config:g};function v(e,t){var n={},i="Browser";function a(e){e=""+e;return 1===e.length?"0"+e:e}return n[j+"id"]=i[x](),n[j+"type"]=i,n["ai.operation.name"]=b&&b.pathname||"_unknown_",n["ai.internal.sdkVersion"]="javascript:snippet_"+(h.sv||h.version),{time:(i=new Date).getUTCFullYear()+"-"+a(1+i.getUTCMonth())+"-"+a(i.getUTCDate())+"T"+a(i.getUTCHours())+":"+a(i.getUTCMinutes())+":"+a(i.getUTCSeconds())+"."+(i.getUTCMilliseconds()/1e3).toFixed(3).slice(2,5)+"Z",iKey:e,name:"Microsoft.ApplicationInsights."+e.replace(/-/g,"")+"."+t,sampleRate:100,tags:n,data:{baseData:{ver:2}},ver:undefined,seq:"1",aiDataContract:undefined}}var n,i,t,a,y=-1,T=0,S=["js.monitor.azure.com","js.cdn.applicationinsights.io","js.cdn.monitor.azure.com","js0.cdn.applicationinsights.io","js0.cdn.monitor.azure.com","js2.cdn.applicationinsights.io","js2.cdn.monitor.azure.com","az416426.vo.msecnd.net"],o=g.url||cfg.src,r=function(){return s(o,null)};function s(d,t){if((n=navigator)&&(~(n=(n.userAgent||"").toLowerCase()).indexOf("msie")||~n.indexOf("trident/"))&&~d.indexOf("ai.3")&&(d=d.replace(/(\/)(ai\.3\.)([^\d]*)$/,function(e,t,n){return t+"ai.2"+n})),!1!==cfg.cr)for(var e=0;e<S.length;e++)if(0<d.indexOf(S[e])){y=e;break}var n,i=function(e){var a,t,n,i,o,r,s,c,u,l;h.queue=[],m||(0<=y&&T+1<S.length?(a=(y+T+1)%S.length,p(d.replace(/^(.*\/\/)([\w\.]*)(\/.*)$/,function(e,t,n,i){return t+S[a]+i})),T+=1):(f=m=!0,s=d,!0!==cfg.dle&&(c=(t=function(){var e,t={},n=g.connectionString;if(n)for(var i=n.split(";"),a=0;a<i.length;a++){var o=i[a].split("=");2===o.length&&(t[o[0][x]()]=o[1])}return t[I]||(e=(n=t.endpointsuffix)?t.location:null,t[I]="https://"+(e?e+".":"")+"dc."+(n||"services.visualstudio.com")),t}()).instrumentationkey||g.instrumentationKey||"",t=(t=(t=t[I])&&"/"===t.slice(-1)?t.slice(0,-1):t)?t+"/v2/track":g.endpointUrl,t=g.userOverrideEndpointUrl||t,(n=[]).push((i="SDK LOAD Failure: Failed to load Application Insights SDK script (See stack for details)",o=s,u=t,(l=(r=v(c,"Exception")).data).baseType="ExceptionData",l.baseData.exceptions=[{typeName:"SDKLoadFailed",message:i.replace(/\./g,"-"),hasFullStack:!1,stack:i+"\nSnippet failed to load ["+o+"] -- Telemetry is disabled\nHelp Link: https://go.microsoft.com/fwlink/?linkid=2128109\nHost: "+(b&&b.pathname||"_unknown_")+"\nEndpoint: "+u,parsedStack:[]}],r)),n.push((l=s,i=t,(u=(o=v(c,"Message")).data).baseType="MessageData",(r=u.baseData).message='AI (Internal): 99 message:"'+("SDK LOAD Failure: Failed to load Application Insights SDK script (See stack for details) ("+l+")").replace(/\"/g,"")+'"',r.properties={endpoint:i},o)),s=n,c=t,JSON&&((u=C.fetch)&&!cfg.useXhr?u(c,{method:D,body:JSON.stringify(s),mode:"cors"}):XMLHttpRequest&&((l=new XMLHttpRequest).open(D,c),l.setRequestHeader("Content-type","application/json"),l.send(JSON.stringify(s)))))))},a=function(e,t){m||setTimeout(function(){!t&&h.core||i()},500),f=!1},p=function(e){var n=O.createElement(q),e=(n.src=e,t&&(n.integrity=t),n.setAttribute("data-ai-name",E),cfg[w]);return!e&&""!==e||"undefined"==n[w]||(n[w]=e),n.onload=a,n.onerror=i,n.onreadystatechange=function(e,t){"loaded"!==n.readyState&&"complete"!==n.readyState||a(0,t)},cfg.ld&&cfg.ld<0?O.getElementsByTagName("head")[0].appendChild(n):setTimeout(function(){O.getElementsByTagName(q)[0].parentNode.appendChild(n)},cfg.ld||0),n};p(d)}cfg.sri&&(n=o.match(/^((http[s]?:\/\/.*\/)\w+(\.\d+){1,5})\.(([\w]+\.){0,2}js)$/))&&6===n.length?(d="".concat(n[1],".integrity.json"),i="@".concat(n[4]),l=window.fetch,t=function(e){if(!e.ext||!e.ext[i]||!e.ext[i].file)throw Error("Error Loading JSON response");var t=e.ext[i].integrity||null;s(o=n[2]+e.ext[i].file,t)},l&&!cfg.useXhr?l(d,{method:"GET",mode:"cors"}).then(function(e){return e.json()["catch"](function(){return{}})}).then(t)["catch"](r):XMLHttpRequest&&((a=new XMLHttpRequest).open("GET",d),a.onreadystatechange=function(){if(a.readyState===XMLHttpRequest.DONE)if(200===a.status)try{t(JSON.parse(a.responseText))}catch(e){r()}else r()},a.send())):o&&r();try{h.cookie=O.cookie}catch(k){}function e(e){for(;e.length;)!function(t){h[t]=function(){var e=arguments;f||h.queue.push(function(){h[t].apply(h,e)})}}(e.pop())}var c,u,l="track",d="TrackPage",p="TrackEvent",l=(e([l+"Event",l+"PageView",l+"Exception",l+"Trace",l+"DependencyData",l+"Metric",l+"PageViewPerformance","start"+d,"stop"+d,"start"+p,"stop"+p,"addTelemetryInitializer","setAuthenticatedUserContext","clearAuthenticatedUserContext","flush"]),h.SeverityLevel={Verbose:0,Information:1,Warning:2,Error:3,Critical:4},(g.extensionConfig||{}).ApplicationInsightsAnalytics||{});return!0!==g[L]&&!0!==l[L]&&(e(["_"+(c="onerror")]),u=C[c],C[c]=function(e,t,n,i,a){var o=u&&u(e,t,n,i,a);return!0!==o&&h["_"+c]({message:e,url:t,lineNumber:n,columnNumber:i,error:a,evt:C.event}),o},g.autoExceptionInstrumented=!0),h}(cfg.cfg),(C[E]=n).queue&&0===n.queue.length?(n.queue.push(e),n.trackPageView({})):e();})({

+crossOrigin: "anonymous", // When supplied this will add the provided value as the cross origin attribute on the script tag

+ sdk.addTelemetryInitializer(function (envelope) {

+ });

+// sri: false, // Custom optional value to specify whether fetching the snippet from integrity file and do integrity check

+```js

+import { ApplicationInsights } from '@microsoft/applicationinsights-web'

+const appInsights = new ApplicationInsights({ config: {

+ connectionString: 'YOUR_CONNECTION_STRING'

+ /* ...Other Configuration Options... */

+} });

+appInsights.loadAppInsights();

+// To insert a telemetry initializer, uncomment the following code.

+/** var telemetryInitializer = (envelope) => { envelope.data = envelope.data || {}; envelope.data.someField = 'This item passed through my telemetry initializer';

+ };

+appInsights.addTelemetryInitializer(telemetryInitializer); **/

+appInsights.trackPageView();

+```

+ var itemProperties = item as ISupportProperties;

+ if(itemProperties != null && !itemProperties.Properties.ContainsKey("customProp"))

+The following sample initializer sets the client IP, which is used for geolocation mapping, instead of the client socket IP address, during telemetry ingestion.

+* [Profiler and Snapshot Debugger Bring your own storage (BYOS)](./profiler-bring-your-own-storage.md) gives you full control over:

+- A Log Analytics workspace with the access control mode set to the **"Use resource or workspace permissions"** setting:

+ - Workspace-based Application Insights resources aren't compatible with workspaces set to the dedicated **workspace-based permissions** setting. To learn more about Log Analytics workspace access control, see the [Access control mode guidance](../logs/manage-access.md#access-control-mode).

+ - If you don't already have an existing Log Analytics workspace, see the [Log Analytics workspace creation documentation](../logs/quick-create-workspace.md).

+ > [!CAUTION]

+ > * Diagnostic settings use a different export format/schema than continuous export. Migrating breaks any existing integrations with Azure Stream Analytics.

+ > * Diagnostic settings export might increase costs. For more information, see [Export telemetry from Application Insights](export-telemetry.md#diagnostic-settings-based-export).

+ > [!NOTE]

+ > - If you currently store Application Insights data for longer than the default 90 days and want to retain this longer retention period after migration, adjust your [workspace retention settings](../logs/data-retention-archive.md?tabs=portal-1%2cportal-2#configure-retention-and-archive-at-the-table-level).

+ > - If you've selected data retention longer than 90 days on data ingested into the classic Application Insights resource prior to migration, data retention continues to be billed through that Application Insights resource until the data exceeds the retention period.

+ > - If the retention setting for your Application Insights instance under **Configure** > **Usage and estimated costs** > **Data Retention** is enabled, use that setting to control the retention days for the telemetry data still saved in your classic resource's storage.

+## Find your Classic Application Insights resources

+You can use on of the following methods to find Classic Application Insights resources within your subscription:

+#### Application Insights resource in Azure portal

+Within the Overview of an Application Insights resource, Classic Application Insights resources don't have a linked Workspace and the Classic Application Insights retirement warning banner appears. Workspace-based resources have a linked workspace within the overview section

+Classic resource:

+Workspace-based resource:

+#### Azure Resource Graph

+You can use the Azure Resource Graph (ARG) Explorer and run a query on the 'resources' table to pull this information:

+```kusto

+resources

+| where subscriptionId == 'Replace with your own subscription ID'

+| where type contains 'microsoft.insights/components'

+| distinct resourceGroup, name, tostring(properties['IngestionMode']), tostring(properties['WorkspaceResourceId'])

+```

+> [!NOTE]

+> Classic resources are identified by ΓÇÿApplicationInsightsΓÇÖ, 'N/A', or *Empty* values.

+#### Azure CLI:

+Run the following script from Cloud Shell in the portal where authentication is built in or anywhere else after authenticating using `az login`:

+```azurecli

+$resources = az resource list --resource-type 'microsoft.insights/components' | ConvertFrom-Json

+$resources | Sort-Object -Property Name | Format-Table -Property @{Label="App Insights Resource"; Expression={$_.name}; width = 35}, @{Label="Ingestion Mode"; Expression={$mode = az resource show --name $_.name --resource-group $_.resourceGroup --resource-type microsoft.insights/components --query "properties.IngestionMode" -o tsv; $mode}; width = 45}

+```

+> [!NOTE]

+> Classic resources are identified by ΓÇÿApplicationInsightsΓÇÖ, 'N/A', or *Empty* values.

+The following PowerShell script can be run from the Azure CLI:

+```azurepowershell

+$subscription = "SUBSCRIPTION ID GOES HERE"

+$token = (Get-AZAccessToken).Token

+$header = @{Authorization = "Bearer $token"}

+$uri = "https://management.azure.com/subscriptions/$subscription/providers/Microsoft.Insights/components?api-version=2015-05-01"

+$RestResult=""

+$RestResult = Invoke-RestMethod -Method GET -Uri $uri -Headers $header -ContentType "application/json" -ErrorAction Stop -Verbose

+ $list=@()

+$ClassicList=@()

+foreach ($app in $RestResult.value)

+ {

+ #"processing: " + $app.properties.WorkspaceResourceId ## Classic Application Insights do not have a workspace.

+ if ($app.properties.WorkspaceResourceId)

+ {

+ $Obj = New-Object -TypeName PSObject

+ #$app.properties.WorkspaceResourceId

+ $Obj | Add-Member -Type NoteProperty -Name Name -Value $app.name

+ $Obj | Add-Member -Type NoteProperty -Name WorkspaceResourceId -Value $app.properties.WorkspaceResourceId

+ $list += $Obj

+ }

+ else

+ {

+ $Obj = New-Object -TypeName PSObject

+ $app.properties.WorkspaceResourceId

+ $Obj | Add-Member -Type NoteProperty -Name Name -Value $app.name

+ $ClassicList += $Obj

+ }

+ }

+$list |Format-Table -Property Name, WorkspaceResourceId -Wrap

+ "";"Classic:"

+$ClassicList | FT

+```

+1. From your Application Insights resource, select **"Properties"** under the **"Configure"** heading in the menu on the left.

+ :::image type="content" source="./media/convert-classic-resource/properties.png" lightbox="./media/convert-classic-resource/properties.png" alt-text="Screenshot that shows Properties under the Configured heading.":::

+### What happens if I don't migrate my Application Insights classic resource to a workspace-based resource?

+Microsoft began a phased approach to migrating classic resources to workspace-based resources in May 2024 and this migration is ongoing for several months. We can't provide approximate dates that specific resources, subscriptions, or regions are migrated.

+We strongly encourage manual migration to workspace-based resources. This process is initiated by selecting the retirement notice banner. You can find it in the classic Application Insights resource Overview pane of the Azure portal. This process typically involves a single step of choosing which Log Analytics workspace is used to store your application data. If you use continuous export, you need to additionally migrate to diagnostic settings or disable the feature first.

+If you don't wish to have your classic resource automatically migrated to a workspace-based resource, you can delete or manually migrate the resource.

+- Application Insights resources that were receiving 1 GB per month free via legacy Application Insights pricing model doesn't receive the free data.

+- Application Insights resources that were in the basic pricing tier before April 2018 continue to be billed at the same nonregional price point as before April 2018. Application Insights resources created after that time, or those resources converted to be workspace-based, will receive the current regional pricing. For current prices in your currency and region, see [Application Insights pricing](https://azure.microsoft.com/pricing/details/monitor/).

+The migration to workspace-based Application Insights offers many options to further [optimize cost](../logs/cost-logs.md), including [Log Analytics commitment tiers](../logs/cost-logs.md#commitment-tiers), [dedicated clusters](../logs/cost-logs.md#dedicated-clusters), and [basic logs](../logs/cost-logs.md#basic-logs).

+### Will my dashboards with pinned metric and log charts continue to work after migration?

+To continue with automated exports, you need to migrate to [diagnostic settings](/previous-versions/azure/azure-monitor/app/continuous-export-diagnostic-setting) before migrating to workspace-based resource. The diagnostic setting carries over in the migration to workspace-based Application Insights.

+If you're using Terraform to manage your Azure resources, it's important to use the latest version of the Terraform azurerm provider before attempting to upgrade your App Insights resource. Use of an older version of the provider, such as version 3.12, can result in the deletion of the classic component before creating the replacement workspace-based Application Insights resource. It can cause the loss of previous data and require updating the configurations in your monitored apps with new connection string and instrumentation key values.

+To avoid this issue, make sure to use the latest version of the Terraform [azurerm provider](https://registry.terraform.io/providers/hashicorp/azurerm/latest), version 3.89 or higher. It performs the proper migration steps by issuing the appropriate Azure Resource Manager (ARM) call to upgrade the App Insights classic resource to a workspace-based resource while preserving all the old data and connection string/instrumentation key values.

+For backwards compatibility, calls to the old API for creating Application Insights resources continue to work. Each of these calls creates both a workspace-based Application Insights resource and a Log Analytics workspace to store the data.

+This section provides troubleshooting tips.

+**Error message:** "The selected workspace is configured with workspace-based access mode. Some Application Performance Monitoring (APM) features can be impacted. Select another workspace or allow resource-based access in the workspace settings. You can override this error by using CLI."

+1. From your Application Insights resource view, under the **"Configure"** heading, select **"Continuous export"**.

+ - After migrating your Application Insights resource, you can use diagnostic settings to replace the functionality that continuous export used to provide. Select **Diagnostics settings** > **Add diagnostic setting** in your Application Insights resource. You can select all tables, or a subset of tables, to archive to a storage account or stream to Azure Event Hubs. For more information on diagnostic settings, see the [Azure Monitor diagnostic settings guidance](../essentials/diagnostic-settings.md).

+**Warning message:** "Your customized Application Insights retention settings doesn't apply to data sent to the workspace. You need to reconfigure them separately."

+You don't have to make any changes before migrating. This message alerts you that your current Application Insights retention settings aren't set to the default 90-day retention period. This warning message means you might want to modify the retention settings for your Log Analytics workspace before migrating and starting to ingest new data.

+Before the introduction of [workspace-based Application Insights resources](create-workspace-resource.md), Application Insights data was stored separately from other log data in Azure Monitor. Both are based on Azure Data Explorer and use the same Kusto Query Language (KQL). Workspace-based Application Insights resources data is stored in a Log Analytics workspace, together with other monitoring data and application data. This arrangement simplifies your configuration. You can analyze data across multiple solutions more easily and use the capabilities of workspaces.

+|`iKey`|string|`IKey`|string|

+|`iKey`|string|`IKey`|string|

+|`iKey`|string|`IKey`|string|

+|`iKey`|string|`IKey`|string|

+|`iKey`|string|`IKey`|string|

+|`iKey`|string|`IKey`|string|

+|`iKey`|string|`IKey`|string|

+|`iKey`|string|`IKey`|string|

+|`iKey`|string|`IKey`|string|

+|`iKey`|string|`IKey`|string|

+Paste the JavaScript (Web) SDK Loader Script at the top of each page for which you want to enable Application Insights.

+<!-- IMPORTANT: If you're updating this code example, please remember to also update it in: 1) articles\azure-monitor\app\javascript-sdk.md and 2) articles\azure-monitor\app\api-filtering-sampling.md -->

+```html

+<script type="text/javascript" src="https://js.monitor.azure.com/scripts/b/ext/ai.clck.2.min.js"></script>

+<script type="text/javascript">

+var clickPluginInstance = new Microsoft.ApplicationInsights.ClickAnalyticsPlugin();

+ // Click Analytics configuration

+var clickPluginConfig = {

+ autoCapture : true,

+ dataTags: {

+ useDefaultContentNameOrId: true

+ }

+}

+// Application Insights configuration

+var configObj = {

+ connectionString: "YOUR_CONNECTION_STRING",

+ // Alternatively, you can pass in the instrumentation key,

+ // but support for instrumentation key ingestion will end on March 31, 2025.

+ // instrumentationKey: "YOUR INSTRUMENTATION KEY",

+ extensions: [

+ clickPluginInstance

+ ],

+ extensionConfig: {

+ [clickPluginInstance.identifier] : clickPluginConfig

+ },

+};

+// Application Insights JavaScript (Web) SDK Loader Script code

+!(function (cfg){function e(){cfg.onInit&&cfg.onInit(n)}var x,w,D,t,E,n,C=window,O=document,b=C.location,q="script",I="ingestionendpoint",L="disableExceptionTracking",j="ai.device.";"instrumentationKey"[x="toLowerCase"](),w="crossOrigin",D="POST",t="appInsightsSDK",E=cfg.name||"appInsights",(cfg.name||C[t])&&(C[t]=E),n=C[E]||function(g){var f=!1,m=!1,h={initialize:!0,queue:[],sv:"8",version:2,config:g};function v(e,t){var n={},i="Browser";function a(e){e=""+e;return 1===e.length?"0"+e:e}return n[j+"id"]=i[x](),n[j+"type"]=i,n["ai.operation.name"]=b&&b.pathname||"_unknown_",n["ai.internal.sdkVersion"]="javascript:snippet_"+(h.sv||h.version),{time:(i=new Date).getUTCFullYear()+"-"+a(1+i.getUTCMonth())+"-"+a(i.getUTCDate())+"T"+a(i.getUTCHours())+":"+a(i.getUTCMinutes())+":"+a(i.getUTCSeconds())+"."+(i.getUTCMilliseconds()/1e3).toFixed(3).slice(2,5)+"Z",iKey:e,name:"Microsoft.ApplicationInsights."+e.replace(/-/g,"")+"."+t,sampleRate:100,tags:n,data:{baseData:{ver:2}},ver:undefined,seq:"1",aiDataContract:undefined}}var n,i,t,a,y=-1,T=0,S=["js.monitor.azure.com","js.cdn.applicationinsights.io","js.cdn.monitor.azure.com","js0.cdn.applicationinsights.io","js0.cdn.monitor.azure.com","js2.cdn.applicationinsights.io","js2.cdn.monitor.azure.com","az416426.vo.msecnd.net"],o=g.url||cfg.src,r=function(){return s(o,null)};function s(d,t){if((n=navigator)&&(~(n=(n.userAgent||"").toLowerCase()).indexOf("msie")||~n.indexOf("trident/"))&&~d.indexOf("ai.3")&&(d=d.replace(/(\/)(ai\.3\.)([^\d]*)$/,function(e,t,n){return t+"ai.2"+n})),!1!==cfg.cr)for(var e=0;e<S.length;e++)if(0<d.indexOf(S[e])){y=e;break}var n,i=function(e){var a,t,n,i,o,r,s,c,u,l;h.queue=[],m||(0<=y&&T+1<S.length?(a=(y+T+1)%S.length,p(d.replace(/^(.*\/\/)([\w\.]*)(\/.*)$/,function(e,t,n,i){return t+S[a]+i})),T+=1):(f=m=!0,s=d,!0!==cfg.dle&&(c=(t=function(){var e,t={},n=g.connectionString;if(n)for(var i=n.split(";"),a=0;a<i.length;a++){var o=i[a].split("=");2===o.length&&(t[o[0][x]()]=o[1])}return t[I]||(e=(n=t.endpointsuffix)?t.location:null,t[I]="https://"+(e?e+".":"")+"dc."+(n||"services.visualstudio.com")),t}()).instrumentationkey||g.instrumentationKey||"",t=(t=(t=t[I])&&"/"===t.slice(-1)?t.slice(0,-1):t)?t+"/v2/track":g.endpointUrl,t=g.userOverrideEndpointUrl||t,(n=[]).push((i="SDK LOAD Failure: Failed to load Application Insights SDK script (See stack for details)",o=s,u=t,(l=(r=v(c,"Exception")).data).baseType="ExceptionData",l.baseData.exceptions=[{typeName:"SDKLoadFailed",message:i.replace(/\./g,"-"),hasFullStack:!1,stack:i+"\nSnippet failed to load ["+o+"] -- Telemetry is disabled\nHelp Link: https://go.microsoft.com/fwlink/?linkid=2128109\nHost: "+(b&&b.pathname||"_unknown_")+"\nEndpoint: "+u,parsedStack:[]}],r)),n.push((l=s,i=t,(u=(o=v(c,"Message")).data).baseType="MessageData",(r=u.baseData).message='AI (Internal): 99 message:"'+("SDK LOAD Failure: Failed to load Application Insights SDK script (See stack for details) ("+l+")").replace(/\"/g,"")+'"',r.properties={endpoint:i},o)),s=n,c=t,JSON&&((u=C.fetch)&&!cfg.useXhr?u(c,{method:D,body:JSON.stringify(s),mode:"cors"}):XMLHttpRequest&&((l=new XMLHttpRequest).open(D,c),l.setRequestHeader("Content-type","application/json"),l.send(JSON.stringify(s)))))))},a=function(e,t){m||setTimeout(function(){!t&&h.core||i()},500),f=!1},p=function(e){var n=O.createElement(q),e=(n.src=e,t&&(n.integrity=t),n.setAttribute("data-ai-name",E),cfg[w]);return!e&&""!==e||"undefined"==n[w]||(n[w]=e),n.onload=a,n.onerror=i,n.onreadystatechange=function(e,t){"loaded"!==n.readyState&&"complete"!==n.readyState||a(0,t)},cfg.ld&&cfg.ld<0?O.getElementsByTagName("head")[0].appendChild(n):setTimeout(function(){O.getElementsByTagName(q)[0].parentNode.appendChild(n)},cfg.ld||0),n};p(d)}cfg.sri&&(n=o.match(/^((http[s]?:\/\/.*\/)\w+(\.\d+){1,5})\.(([\w]+\.){0,2}js)$/))&&6===n.length?(d="".concat(n[1],".integrity.json"),i="@".concat(n[4]),l=window.fetch,t=function(e){if(!e.ext||!e.ext[i]||!e.ext[i].file)throw Error("Error Loading JSON response");var t=e.ext[i].integrity||null;s(o=n[2]+e.ext[i].file,t)},l&&!cfg.useXhr?l(d,{method:"GET",mode:"cors"}).then(function(e){return e.json()["catch"](function(){return{}})}).then(t)["catch"](r):XMLHttpRequest&&((a=new XMLHttpRequest).open("GET",d),a.onreadystatechange=function(){if(a.readyState===XMLHttpRequest.DONE)if(200===a.status)try{t(JSON.parse(a.responseText))}catch(e){r()}else r()},a.send())):o&&r();try{h.cookie=O.cookie}catch(k){}function e(e){for(;e.length;)!function(t){h[t]=function(){var e=arguments;f||h.queue.push(function(){h[t].apply(h,e)})}}(e.pop())}var c,u,l="track",d="TrackPage",p="TrackEvent",l=(e([l+"Event",l+"PageView",l+"Exception",l+"Trace",l+"DependencyData",l+"Metric",l+"PageViewPerformance","start"+d,"stop"+d,"start"+p,"stop"+p,"addTelemetryInitializer","setAuthenticatedUserContext","clearAuthenticatedUserContext","flush"]),h.SeverityLevel={Verbose:0,Information:1,Warning:2,Error:3,Critical:4},(g.extensionConfig||{}).ApplicationInsightsAnalytics||{});return!0!==g[L]&&!0!==l[L]&&(e(["_"+(c="onerror")]),u=C[c],C[c]=function(e,t,n,i,a){var o=u&&u(e,t,n,i,a);return!0!==o&&h["_"+c]({message:e,url:t,lineNumber:n,columnNumber:i,error:a,evt:C.event}),o},g.autoExceptionInstrumented=!0),h}(cfg.cfg),(C[E]=n).queue&&0===n.queue.length?(n.queue.push(e),n.trackPageView({})):e();})({

+ src: "https://js.monitor.azure.com/scripts/b/ai.3.gbl.min.js",

+ crossOrigin: "anonymous",

+ // sri: false, // Custom optional value to specify whether fetching the snippet from integrity file and do integrity check

+ cfg: configObj // configObj is defined above.

+});

+</script>

+```

+To add or update JavaScript (Web) SDK Loader Script configuration, see [JavaScript (Web) SDK Loader Script configuration](./javascript-sdk.md?tabs=javascriptwebsdkloaderscript#javascript-web-sdk-loader-script-configuration).

+ 1. The value of the `value` attribute for the element

+ 1. The value of the `name` attribute for the element

+ 1. The value of the `alt` attribute for the element

+ 1. The value of the innerText attribute for the element

+ 1. The value of the `id` attribute for the element

+To reduce the bytes you pass, pass in the number value instead of the full text string. If cost isnΓÇÖt an issue, you can pass in the full text string (for example, NAVIGATIONBACK).

+ dataTags : {

+ customDataPrefix: "",

+ parentDataTag: "",

+ dntDataTag: "ai-dnt",

+ captureAllMetaDataContent:false,

+ useDefaultContentNameOrId: true,

+ autoCapture: true

+ },

+ <div>Test1</div>

+ <div>with id, data-id, parent data-id defined</div>

+ <Button id="id1" data-id="test1id" variant="info" onClick={trackEvent}>Test1</Button>

+For clicked element `<Button>` the value of `parentId` is `ΓÇ£not_specifiedΓÇ¥`, because no `parentDataTag` details are defined and no parent element ID is provided within the current element.

+In example 2, `parentDataTag` is declared and `data-parentid` is defined. This example shows how parent ID details are collected.

+ dataTags : {

+ customDataPrefix: "",

+ parentDataTag: "group",

+ ntDataTag: "ai-dnt",

+ captureAllMetaDataContent:false,

+ useDefaultContentNameOrId: false,

+ autoCapture: true

+ },

+<div className="test2" data-group="buttongroup1" data-id="test2parent">

+ <div>Test2</div>

+ <div>with data-id, parentid, parent data-id defined</div>

+ <Button data-id="test2id" data-parentid = "parentid2" variant="info" onClick={trackEvent}>Test2</Button>

+</div>

+For clicked element `<Button>`, the value of `parentId` is `parentid2`. Even though `parentDataTag` is declared, the `data-parentid` is directly defined within the element. Therefore, this value takes precedence over all other parent IDs or ID details defined in its parent elements.

+ dataTags : {

+ customDataPrefix: "",

+ parentDataTag: "group",

+ dntDataTag: "ai-dnt",

+ captureAllMetaDataContent:false,

+ useDefaultContentNameOrId: false,

+ autoCapture: true

+ },

+For clicked element `<Button>`, the value of `parentId` is `test6parent`, because `parentDataTag` is declared. This declaration allows the plugin to traverse the current element tree and therefore the ID of its closest parent will be used when parent ID details aren't directly provided within the current element. With the `data-group="buttongroup1"` defined, the plug-in finds the `parentId` more efficiently.

+- If you're adding a [framework extension](./javascript-framework-extensions.md), which you can [add](#optional-add-advanced-sdk-configuration) after you follow the steps to [get started](#get-started), you can optionally add Click Analytics when you add the framework extension.

+ Preferably, you should add it as the first script in your `<head>` section so that it can monitor any potential issues with all of your dependencies.

+

+ If Internet Explorer 8 is detected, JavaScript SDK v2.x is automatically loaded.

+ <!-- IMPORTANT: If you're updating this code example, please remember to also update it in: 1) articles\azure-monitor\app\javascript-feature-extensions.md and 2) articles\azure-monitor\app\api-filtering-sampling.md -->

+ ```html

+ <script type="text/javascript">

+ !(function (cfg){function e(){cfg.onInit&&cfg.onInit(n)}var x,w,D,t,E,n,C=window,O=document,b=C.location,q="script",I="ingestionendpoint",L="disableExceptionTracking",j="ai.device.";"instrumentationKey"[x="toLowerCase"](),w="crossOrigin",D="POST",t="appInsightsSDK",E=cfg.name||"appInsights",(cfg.name||C[t])&&(C[t]=E),n=C[E]||function(g){var f=!1,m=!1,h={initialize:!0,queue:[],sv:"8",version:2,config:g};function v(e,t){var n={},i="Browser";function a(e){e=""+e;return 1===e.length?"0"+e:e}return n[j+"id"]=i[x](),n[j+"type"]=i,n["ai.operation.name"]=b&&b.pathname||"_unknown_",n["ai.internal.sdkVersion"]="javascript:snippet_"+(h.sv||h.version),{time:(i=new Date).getUTCFullYear()+"-"+a(1+i.getUTCMonth())+"-"+a(i.getUTCDate())+"T"+a(i.getUTCHours())+":"+a(i.getUTCMinutes())+":"+a(i.getUTCSeconds())+"."+(i.getUTCMilliseconds()/1e3).toFixed(3).slice(2,5)+"Z",iKey:e,name:"Microsoft.ApplicationInsights."+e.replace(/-/g,"")+"."+t,sampleRate:100,tags:n,data:{baseData:{ver:2}},ver:undefined,seq:"1",aiDataContract:undefined}}var n,i,t,a,y=-1,T=0,S=["js.monitor.azure.com","js.cdn.applicationinsights.io","js.cdn.monitor.azure.com","js0.cdn.applicationinsights.io","js0.cdn.monitor.azure.com","js2.cdn.applicationinsights.io","js2.cdn.monitor.azure.com","az416426.vo.msecnd.net"],o=g.url||cfg.src,r=function(){return s(o,null)};function s(d,t){if((n=navigator)&&(~(n=(n.userAgent||"").toLowerCase()).indexOf("msie")||~n.indexOf("trident/"))&&~d.indexOf("ai.3")&&(d=d.replace(/(\/)(ai\.3\.)([^\d]*)$/,function(e,t,n){return t+"ai.2"+n})),!1!==cfg.cr)for(var e=0;e<S.length;e++)if(0<d.indexOf(S[e])){y=e;break}var n,i=function(e){var a,t,n,i,o,r,s,c,u,l;h.queue=[],m||(0<=y&&T+1<S.length?(a=(y+T+1)%S.length,p(d.replace(/^(.*\/\/)([\w\.]*)(\/.*)$/,function(e,t,n,i){return t+S[a]+i})),T+=1):(f=m=!0,s=d,!0!==cfg.dle&&(c=(t=function(){var e,t={},n=g.connectionString;if(n)for(var i=n.split(";"),a=0;a<i.length;a++){var o=i[a].split("=");2===o.length&&(t[o[0][x]()]=o[1])}return t[I]||(e=(n=t.endpointsuffix)?t.location:null,t[I]="https://"+(e?e+".":"")+"dc."+(n||"services.visualstudio.com")),t}()).instrumentationkey||g.instrumentationKey||"",t=(t=(t=t[I])&&"/"===t.slice(-1)?t.slice(0,-1):t)?t+"/v2/track":g.endpointUrl,t=g.userOverrideEndpointUrl||t,(n=[]).push((i="SDK LOAD Failure: Failed to load Application Insights SDK script (See stack for details)",o=s,u=t,(l=(r=v(c,"Exception")).data).baseType="ExceptionData",l.baseData.exceptions=[{typeName:"SDKLoadFailed",message:i.replace(/\./g,"-"),hasFullStack:!1,stack:i+"\nSnippet failed to load ["+o+"] -- Telemetry is disabled\nHelp Link: https://go.microsoft.com/fwlink/?linkid=2128109\nHost: "+(b&&b.pathname||"_unknown_")+"\nEndpoint: "+u,parsedStack:[]}],r)),n.push((l=s,i=t,(u=(o=v(c,"Message")).data).baseType="MessageData",(r=u.baseData).message='AI (Internal): 99 message:"'+("SDK LOAD Failure: Failed to load Application Insights SDK script (See stack for details) ("+l+")").replace(/\"/g,"")+'"',r.properties={endpoint:i},o)),s=n,c=t,JSON&&((u=C.fetch)&&!cfg.useXhr?u(c,{method:D,body:JSON.stringify(s),mode:"cors"}):XMLHttpRequest&&((l=new XMLHttpRequest).open(D,c),l.setRequestHeader("Content-type","application/json"),l.send(JSON.stringify(s)))))))},a=function(e,t){m||setTimeout(function(){!t&&h.core||i()},500),f=!1},p=function(e){var n=O.createElement(q),e=(n.src=e,t&&(n.integrity=t),n.setAttribute("data-ai-name",E),cfg[w]);return!e&&""!==e||"undefined"==n[w]||(n[w]=e),n.onload=a,n.onerror=i,n.onreadystatechange=function(e,t){"loaded"!==n.readyState&&"complete"!==n.readyState||a(0,t)},cfg.ld&&cfg.ld<0?O.getElementsByTagName("head")[0].appendChild(n):setTimeout(function(){O.getElementsByTagName(q)[0].parentNode.appendChild(n)},cfg.ld||0),n};p(d)}cfg.sri&&(n=o.match(/^((http[s]?:\/\/.*\/)\w+(\.\d+){1,5})\.(([\w]+\.){0,2}js)$/))&&6===n.length?(d="".concat(n[1],".integrity.json"),i="@".concat(n[4]),l=window.fetch,t=function(e){if(!e.ext||!e.ext[i]||!e.ext[i].file)throw Error("Error Loading JSON response");var t=e.ext[i].integrity||null;s(o=n[2]+e.ext[i].file,t)},l&&!cfg.useXhr?l(d,{method:"GET",mode:"cors"}).then(function(e){return e.json()["catch"](function(){return{}})}).then(t)["catch"](r):XMLHttpRequest&&((a=new XMLHttpRequest).open("GET",d),a.onreadystatechange=function(){if(a.readyState===XMLHttpRequest.DONE)if(200===a.status)try{t(JSON.parse(a.responseText))}catch(e){r()}else r()},a.send())):o&&r();try{h.cookie=O.cookie}catch(k){}function e(e){for(;e.length;)!function(t){h[t]=function(){var e=arguments;f||h.queue.push(function(){h[t].apply(h,e)})}}(e.pop())}var c,u,l="track",d="TrackPage",p="TrackEvent",l=(e([l+"Event",l+"PageView",l+"Exception",l+"Trace",l+"DependencyData",l+"Metric",l+"PageViewPerformance","start"+d,"stop"+d,"start"+p,"stop"+p,"addTelemetryInitializer","setAuthenticatedUserContext","clearAuthenticatedUserContext","flush"]),h.SeverityLevel={Verbose:0,Information:1,Warning:2,Error:3,Critical:4},(g.extensionConfig||{}).ApplicationInsightsAnalytics||{});return!0!==g[L]&&!0!==l[L]&&(e(["_"+(c="onerror")]),u=C[c],C[c]=function(e,t,n,i,a){var o=u&&u(e,t,n,i,a);return!0!==o&&h["_"+c]({message:e,url:t,lineNumber:n,columnNumber:i,error:a,evt:C.event}),o},g.autoExceptionInstrumented=!0),h}(cfg.cfg),(C[E]=n).queue&&0===n.queue.length?(n.queue.push(e),n.trackPageView({})):e();})({

+ src: "https://js.monitor.azure.com/scripts/b/ai.3.gbl.min.js",

+ // name: "appInsights", // Global SDK Instance name defaults to "appInsights" when not supplied

+ // ld: 0, // Defines the load delay (in ms) before attempting to load the sdk. -1 = block page load and add to head. (default) = 0ms load after timeout,

+ // useXhr: 1, // Use XHR instead of fetch to report failures (if available),

+ // dle: true, // Prevent the SDK from reporting load failure log

+ crossOrigin: "anonymous", // When supplied this will add the provided value as the cross origin attribute on the script tag

+ // onInit: null, // Once the application insights instance has loaded and initialized this callback function will be called with 1 argument -- the sdk instance (DON'T ADD anything to the sdk.queue -- As they won't get called)

+ // sri: false, // Custom optional value to specify whether fetching the snippet from integrity file and do integrity check

+ cfg: { // Application Insights Configuration

+ connectionString: "YOUR_CONNECTION_STRING"

+ }});

+ </script>

+ ```

+1. (Optional) Add or update optional [JavaScript (Web) SDK Loader Script configuration](#javascript-web-sdk-loader-script-configuration), if you need to optimize the loading of your web page or resolve loading errors.

+ :::image type="content" source="media/javascript-sdk/sdk-loader-script-configuration.png" alt-text="Screenshot of the JavaScript (Web) SDK Loader Script. The parameters for configuring the JavaScript (Web) SDK Loader Script are highlighted." lightbox="media/javascript-sdk/sdk-loader-script-configuration.png":::

+| Name | Type | Required? | Description

+|||--|

+| src | string | Required | The full URL for where to load the SDK from. This value is used for the "src" attribute of a dynamically added &lt;script /&gt; tag. You can use the public CDN location or your own privately hosted one.

+| name | string | Optional | The global name for the initialized SDK. Use this setting if you need to initialize two different SDKs at the same time.<br><br>The default value is appInsights, so ```window.appInsights``` is a reference to the initialized instance.<br><br> Note: If you assign a name value or if a previous instance is assigned to the global name appInsightsSDK, the SDK initialization code requires it to be in the global namespace as `window.appInsightsSDK=<name value>` to ensure the correct JavaScript (Web) SDK Loader Script skeleton, and proxy methods are initialized and updated.

+| ld | number in ms | Optional | Defines the load delay to wait before attempting to load the SDK. Use this setting when the HTML page is failing to load because the JavaScript (Web) SDK Loader Script is loading at the wrong time.<br><br>The default value is 0ms after timeout. If you use a negative value, the script tag is immediately added to the `<head>` region of the page and blocks the page load event until the script is loaded or fails.

+| useXhr | boolean | Optional | This setting is used only for reporting SDK load failures. For example, this setting is useful when the JavaScript (Web) SDK Loader Script is preventing the HTML page from loading, causing fetch() to be unavailable.<br><br>Reporting first attempts to use fetch() if available and then fallback to XHR. Set this setting to `true` to bypass the fetch check. This setting is necessary only in environments where fetch cannot transmit failure events, for example, when the JavaScript (Web) SDK Loader Script fails to load successfully.

+| crossOrigin | string | Optional | By including this setting, the script tag added to download the SDK includes the crossOrigin attribute with this string value. Use this setting when you need to provide support for CORS. When not defined (the default), no crossOrigin attribute is added. Recommended values aren't defined (the default), "", or "anonymous". For all valid values, see the [cross origin HTML attribute](https://developer.mozilla.org/docs/Web/HTML/Attributes/crossorigin) documentation.

+| onInit | function(aiSdk) { ... } | Optional | This callback function is called after the main SDK script is successfully loaded and initialized from the CDN (based on the src value). This callback function is useful when you need to insert a telemetry initializer. It's passed one argument, which is a reference to the SDK instance that's being called for and is also called before the first initial page view. If the SDK has already been loaded and initialized, this callback is still called. NOTE: During the processing of the sdk.queue array, this callback is called. You CANNOT add any more items to the queue because they're ignored and dropped. (Added as part of JavaScript (Web) SDK Loader Script version 5--the sv:"5" value within the script). |

+| cr | boolean | Optional | If the SDK fails to load and the endpoint value defined for `src` is the public CDN location, this configuration option attempts to immediately load the SDK from one of the following backup CDN endpoints:<ul><li>js.monitor.azure.com</li><li>js.cdn.applicationinsights.io</li><li>js.cdn.monitor.azure.com</li><li>js0.cdn.applicationinsights.io</li><li>js0.cdn.monitor.azure.com</li><li>js2.cdn.applicationinsights.io</li><li>js2.cdn.monitor.azure.com</li><li>az416426.vo.msecnd.net</li></ul>NOTE: az416426.vo.msecnd.net is partially supported, so it's not recommended.<br><br>If the SDK successfully loads from a backup CDN endpoint, it loads from the first available one, which is determined when the server performs a successful load check. If the SDK fails to load from any of the backup CDN endpoints, the SDK Failure error message appears.<br><br>When not defined, the default value is `true`. If you donΓÇÖt want to load the SDK from the backup CDN endpoints, set this configuration option to `false`.<br><br>If youΓÇÖre loading the SDK from your own privately hosted CDN endpoint, this configuration option isn't applicable.

+ ```sh

+ npm i --save @microsoft/applicationinsights-web

+ ```

+ *Typings are included with this package*, so you *don't* need to install a separate typings package.

+ Where and also how you add this JavaScript code depends on your application code. For example, you might be able to add it exactly as it appears below or you may need to create wrappers around it.

+

+ ```js

+ import { ApplicationInsights } from '@microsoft/applicationinsights-web'

+ const appInsights = new ApplicationInsights({ config: {

+ connectionString: 'YOUR_CONNECTION_STRING'

+ /* ...Other Configuration Options... */

+ } });

+ appInsights.loadAppInsights();

+ appInsights.trackPageView();

+ ```

+1. Navigate to the **Overview** pane of your Application Insights resource.

+1. Locate the **Connection String**.

+1. Select the **Copy to clipboard** icon to copy the connection string to the clipboard.

+ :::image type="content" source="media/migrate-from-instrumentation-keys-to-connection-strings/migrate-from-instrumentation-keys-to-connection-strings.png" alt-text="Screenshot that shows Application Insights overview and connection string." lightbox="media/migrate-from-instrumentation-keys-to-connection-strings/migrate-from-instrumentation-keys-to-connection-strings.png":::

+1. Replace the placeholder `"YOUR_CONNECTION_STRING"` in the JavaScript code with your [connection string](./sdk-connection-string.md) copied to the clipboard.

+ The `connectionString` format must follow "InstrumentationKey=xxxx;....". If the string provided doesn't meet this format, the SDK load process fails.

+

+ The connection string isn't considered a security token or key. For more information, see [Do new Azure regions require the use of connection strings?](./sdk-connection-string.md#do-new-azure-regions-require-the-use-of-connection-strings).

+ - **Page View** for Azure Monitor Application Insights Real User Monitoring

+ - **Custom Event** for the Click Analytics Auto-Collection plug-in.

+

+ It might take a few minutes for data to show up in the portal. If the only data you see showing up is a load failure exception, see [Troubleshoot SDK load failure for JavaScript web apps](/troubleshoot/azure/azure-monitor/app-insights/javascript-sdk-troubleshooting#troubleshoot-sdk-load-failure-for-javascript-web-apps).

+

+ In some cases, if multiple instances of different versions of Application Insights are running on the same page, errors can occur during initialization. For these cases and the error message that appears, see [Running multiple versions of the Application Insights JavaScript SDK in one session](https://github.com/microsoft/ApplicationInsights-JS/blob/main/versionConflict.md). If you've encountered one of these errors, try changing the namespace by using the `name` setting. For more information, see [JavaScript (Web) SDK Loader Script configuration](#javascript-web-sdk-loader-script-configuration).

+

+ :::image type="content" source="media/javascript-sdk/confirm-data-flowing.png" alt-text="Screenshot of the Application Insights Transaction search pane in the Azure portal with the Page View option selected. The page views are highlighted." lightbox="media/javascript-sdk/confirm-data-flowing.png":::

+ 1. Select **Logs** in the left pane.

+

+ When you select Logs, the [Queries dialog](../logs/queries.md#queries-dialog) opens, which contains sample queries relevant to your data.

+

+ 1. Select **Run** for the sample query you want to run.

+

+ 1. If needed, you can update the sample query or write a new query by using [Kusto Query Language (KQL)](/azure/data-explorer/kusto/query/).

+

+ For essential KQL operators, see [Learn common KQL operators](/azure/data-explorer/kusto/query/tutorials/learn-common-operators).

+- [Accelerate your observability journey with Azure Monitor pipeline (preview)](https://techcommunity.microsoft.com/t5/azure-observability-blog/accelerate-your-observability-journey-with-azure-monitor/ba-p/4124852)

+- [Configure Azure Monitor pipeline for edge and multicloud](../essentials/edge-pipeline-configure.md)

+The data size used for the daily cap is the size after customer-defined data transformations. (Learn more about data [transformations in Data Collection Rules](../essentials/data-collection-transformations.md).)

+An alias has been predefined for [public modules](./modules.md#file-in-registry). To reference a public module, you can use the format:

+> [!NOTE]

+> Non-AVM (Azure Verified Modules) modules are retired from the public module registry with most of them available as AVM modules.

+You can override the public module registry alias definition in the [bicepconfig.json file](./bicep-config.md):

+- To use [public modules](./modules.md#path-to-module):

+ using 'br/public:avm/res/storage/storage-account:0.9.0'

+Bicep enables you to organize deployments into modules. A module is a Bicep file (or an Azure Resource Manager JSON template) that is deployed from another Bicep file. With modules, you improve the readability of your Bicep files by encapsulating complex details of your deployment. You can also easily reuse modules for different deployments.

+To share modules with other people in your organization, create a [template spec](../bicep/template-specs.md), or [private registry](private-module-registry.md). Template specs and modules in the registry are only available to users with the correct permissions.

+Bicep modules are converted into a single Azure Resource Manager template with [nested templates](../templates/linked-templates.md#nested-template). For more information about how Bicep resolves configuration files and how Bicep merges user-defined configuration file with the default configuration file, see [Configuration file resolution process](./bicep-config.md#understand-the-file-resolution-process) and [Configuration file merge process](./bicep-config.md#understand-the-merge-process).

+The file for the module can be either a local file or an external file. The external file can be in template spec or a Bicep module registry.

+> [!NOTE]

+> Non-AVM (Azure Verified Modules) modules are retired from the public module registry.

+[Azure Verified Modules](https://azure.github.io/Azure-Verified-Modules/) are prebuilt, pretested, and preverified modules for deploying resources on Azure. Created and owned by Microsoft employees, these modules are designed to simplify and accelerate the deployment process for common Azure resources and configurations whilst also aligning to best practices; such as the Well-Architected Framework.

+Browse to the [Azure Verified Modules Bicep Index](https://azure.github.io/Azure-Verified-Modules/indexes/bicep/)to see the list of modules available, select the highlighted numbers in the following screenshot to be taken directly to that filtered view.

+The module list shows the latest version. Select the version number to see a list of available versions:

+To link to a public module, specify the module path with the following syntax:

+- **br/public** is the alias for public modules. You can customize this alias in the [Bicep configuration file](./bicep-config-modules.md).

+```bicep

+module storage 'br/public:avm/res/storage/storage-account:0.9.0' = {

+ name: 'myStorage'

+ params: {

+ name: 'store${resourceGroup().name}'

+ }

+}

+```

+> **br/public** is the alias for public modules. It can also be written as:

+```bicep

+module storage 'br/public:avm/res/storage/storage-account:0.9.0' = {

+ name: 'myStorage'

+ params: {

+ name: 'store${resourceGroup().name}'

+ }

+}

+```

+using 'br/public:avm/res/storage/storage-account:0.9.0'

+To share [modules](modules.md) within your organization, you can create a private module registry. You can then publish modules to that registry and give read access to users who need to deploy the modules. After the modules are shared in the registries, you can reference them from your Bicep files. To use public modules, see [Bicep Modules](./modules.md#file-in-registry).

+After setting up the container registry, you can publish files to it. Use the [publish](bicep-cli.md#publish) command and provide any Bicep files you intend to use as modules. Specify the target location for the module in your registry. The publish command creates an ARM template, which is stored in the registry. This means if publishing a Bicep file that references other local modules, these modules are fully expanded as one JSON file and published to the registry.

+With the with source switch, you see another layer in the manifest:

+If the Bicep module references a module in a Private Registry, the ACR endpoint is visible. To hide the full endpoint, you can configure an alias for the private registry.

+1. Select the module path (repository). In the preceding example, the module path name is **bicep/modules/storage**.

+1. The **Artifact reference** matches the reference you use in the Bicep file.

+When using bicep files that are hosted in a remote registry, it's important to understand how your local machine interacts with the registry. When you first declare the reference to the registry, your local editor tries to communicate with the Azure Container Registry and download a copy of the registry to your local cache.

+Your local machine can recognize any changes made to the remote registry until you run a `restore` with the specified file that includes the registry reference.

+For more information, see the [`restore` command.](bicep-cli.md#restore)

+- To learn about modules, see [Bicep modules](modules.md).

+- To configure aliases for a module registry, see [Add module settings in the Bicep config file](bicep-config-modules.md).

+- For more information about publishing and restoring modules, see [Bicep CLI commands](bicep-cli.md).

+Learn how to publish Bicep modules to private modules registry, and how to call the modules from your Bicep files. Private module registry allows you to share Bicep modules within your organization. To learn more, see [Create private registry for Bicep modules](./private-module-registry.md).

+In the REST API, [information about a pool](/rest/api/batchservice/get-information-about-a-pool) includes the latest automatic scaling run information in the [autoScaleRun](/rest/api/batchservice/get-information-about-a-pool) property.

+Some images may perform automatic package updates upon boot (or shortly thereafter), which may interfere with certain user directed actions such

+It's recommended to enable [Auto OS upgrade for Batch pools](batch-upgrade-policy.md), which allows the underlying

+Azure infrastructure to coordinate updates across the pool. This option can be configured to be nondisrupting for task

+execution. Automatic OS upgrade doesn't support all operating systems that Batch supports. For more information, see the

+[Virtual Machine Scale Sets Auto OS upgrade Support Matrix](../virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade.md#supported-os-images).

+For Windows operating systems, ensure that you aren't enabling the property

+`virtualMachineConfiguration.windowsConfiguration.enableAutomaticUpdates` when using Auto OS upgrade on the Batch pool.

+When you create a Batch pool with a [virtual network](batch-virtual-network.md), there can be interaction

+When scheduling a task on Batch nodes, you can choose whether to run it with task scope or pool scope. If the task will only run for a short time, task scope can be inefficient due to the resources needed to create the autouser account for that task. For greater efficiency, consider setting these tasks to pool scope. For more information, see [Run a task as an autouser with pool scope](batch-user-accounts.md#run-a-task-as-an-auto-user-with-pool-scope).

+By default, Azure Batch accounts have a public endpoint and are publicly accessible. When an Azure Batch pool is created,

+the pool is provisioned in a specified subnet of an Azure virtual network. Virtual machines in the Batch pool are accessed,

+by default, through public IP addresses that Batch creates. Compute nodes in a pool can communicate with each other when needed,

+such as to run multi-instance tasks, but nodes in a pool can't communicate with virtual machines outside of the pool.

+Pools can be configured in one of two node communication modes, classic or [simplified](simplified-compute-node-communication.md).

+We strongly recommend using Microsoft Entra ID for Batch account authentication. Some Batch capabilities require this method of authentication, including many of the security-related features discussed here. The service API authentication mechanism for a Batch account can be restricted to only Microsoft Entra ID using the [allowedAuthenticationModes](/rest/api/batchmanagement/batch-account/create) property. When this property is set, API calls using Shared Key authentication is rejected.

+- **Batch service**: The default option, where the underlying Virtual Machine Scale Set resources used to allocate and manage pool nodes are created on Batch-owned subscriptions, and aren't directly visible in the Azure portal. Only the Batch pools and nodes are visible.

+- **User subscription**: The underlying Virtual Machine Scale Set resources are created in the same subscription as the Batch account. These resources are therefore visible in the subscription, in addition to the corresponding Batch resources.

+It's recommended to enable [Auto OS upgrade for Batch pools](batch-upgrade-policy.md), which allows the underlying

+Azure infrastructure to coordinate updates across the pool. This option can be configured to be nondisrupting for task

+execution. Automatic OS upgrade doesn't support all operating systems that Batch supports. For more information, see the

+[Virtual Machine Scale Sets Auto OS upgrade Support Matrix](../virtual-machine-scale-sets/virtual-machine-scale-sets-automatic-upgrade.md#supported-os-images).

+For Windows operating systems, ensure that you aren't enabling the property

+`virtualMachineConfiguration.windowsConfiguration.enableAutomaticUpdates` when using Auto OS upgrade on the Batch pool.

+most secure settings available when possible, it can still be limited by operating system level settings. We recommend that

+description: Deploy Azure Cloud Services (extended support) by using the Azure portal.

+# Deploy Cloud Services (extended support) by using the Azure portal

+This article shows you how to use the Azure portal to create an Azure Cloud Services (extended support) deployment.

+## Prerequisites

+Review the [deployment prerequisites](deploy-prerequisite.md) for Cloud Services (extended support) and create the required resources.

+## Deploy Cloud Services (extended support)

+To deploy Cloud Services (extended support) by using the portal:

+1. In the search bar, enter **Cloud Services (extended support)**, and then select it in the search results.

+ :::image type="content" source="media/deploy-portal-1.png" alt-text="Screenshot that shows a Cloud Services (extended support) search in the Azure portal, and selecting the result.":::

+1. On the **Cloud services (extended support)** services pane, select **Create**.

+ :::image type="content" source="media/deploy-portal-2.png" alt-text="Screenshot that shows selecting Create in the menu to create a new instance of Cloud Services (extended support).":::

+ The **Create a cloud service (extended support)** pane opens.

+1. On the **Basics** tab, select or enter the following information:

+ - **Subscription**: Select a subscription to use for the deployment.

+ - **Resource group**: Select an existing resource group, or create a new one.

+ - **Cloud service name**: Enter a name for your Cloud Services (extended support) deployment.

+ - The DNS name of the cloud service is separate and is specified by the DNS name label of the public IP address. You can modify the DNS name in **Public IP** on the **Configuration** tab.

+ - **Region**: Select the region to deploy the service to.

+ :::image type="content" source="media/deploy-portal-3.png" alt-text="Image shows the Cloud Services (extended support) Basics tab.":::

+1. On the **Basics** tab under **Cloud service configuration, package, and service definition**, add your package (.cspkg or .zip) file, configuration (.cscfg) file, and definition (.csdef) file for the deployment. You can add existing files from blob storage or upload the files from your local machine. If you upload the files from your local machine, the files are then stored in a storage account in Azure.

+ :::image type="content" source="media/deploy-portal-4.png" alt-text="Screenshot that shows the section of the Basics tab where you upload files and select storage.":::

+1. Select the **Configuration** tab, and then select or enter the following information:

+ - **Virtual network**: Select a virtual network to associate with the cloud service, or create a new virtual network.

+ - Cloud Services (extended support) deployments *must* be in a virtual network.

+ - The virtual network *must* also be referenced in the configuration (.cscfg) file under `NetworkConfiguration`.

+ - **Public IP**: Select an existing public IP address to associate with the cloud service, or create a new one.

+ - If you have IP input endpoints defined in your definition (.csdef) file, create a public IP address for your cloud service.

+ - Cloud Services (extended support) supports only a Basic SKU public IP address.

+ - If your configuration (.cscfg) file contains a reserved IP address, set the allocation type for the public IP address to **Static**.

+ - (Optional) You can assign a DNS name for your cloud service endpoint by updating the DNS label property of the public IP address that's associated with the cloud service.

+ - (Optional) **Start cloud service**: Select the checkbox if you want to start the service immediately after it's deployed.

+ - **Key vault**: Select a key vault.

+ - A key vault is required when you specify one or more certificates in your configuration (.cscfg) file. When you select a key vault, we attempt to find the selected certificates that are defined in your configuration (.cscfg) file based on the certificate thumbprints. If any certificates are missing from your key vault, you can upload them now , and then select **Refresh**.

+ :::image type="content" source="media/deploy-portal-5.png" alt-text="Screenshot that shows the Configuration tab in the Azure portal when you create a Cloud Services (extended support) deployment.":::

+1. When all information is entered or selected, select the **Review + Create** tab to validate your deployment configuration and create your Cloud Services (extended support) deployment.

+## Related content

+- Deploy Cloud Services (extended support) by using [Azure PowerShell](deploy-powershell.md), an [ARM template](deploy-template.md), or [Visual Studio](deploy-visual-studio.md).

+- Visit the [Cloud Services (extended support) samples repository](https://github.com/Azure-Samples/cloud-services-extended-support).

+ Title: Deploy Azure Cloud Services (extended support) - Azure PowerShell

+description: Deploy Azure Cloud Services (extended support) by using Azure PowerShell.

+# Deploy Cloud Services (extended support) by using Azure PowerShell

+This article shows you how to use the Az.CloudService Azure PowerShell module to create an Azure Cloud Services (extended support) deployment that has multiple roles (WebRole and WorkerRole).

+## Prerequisites

+Complete the following steps as prerequisites to creating your deployment by using Azure PowerShell.

+1. Review the [deployment prerequisites](deploy-prerequisite.md) for Cloud Services (extended support) and create the required resources.

+1. Install the Az.CloudService PowerShell module:

+1. Create a new resource group. This step is optional if you use an existing resource group.

+1. Create a storage account and container in Azure to store the package (.cspkg or .zip) file and configuration (.cscfg) file for the Cloud Services (extended support) deployment. You must use a unique name for the storage account name. This step is optional if you use an existing storage account.

+## Deploy Cloud Services (extended support)

+Use any of the following PowerShell cmdlet options to deploy Cloud Services (extended support):

+- Quick-create a deployment by using a [storage account](#quick-create-a-deployment-by-using-a-storage-account)

+ - This parameter set inputs the package (.cspkg or .zip) file, the configuration (.cscfg) file, and the definition (.csdef) file for the deployment as inputs with the storage account.

+ - The Cloud Services (extended support) role profile, network profile, and OS profile are created by the cmdlet with minimal input.

+ - To input a certificate, you must specify a key vault name. The certificate thumbprints in the key vault are validated against the certificates that you specify in the configuration (.cscfg) file for the deployment.

+- Quick-create a deployment by using a [shared access signature URI](#quick-create-a-deployment-by-using-an-sas-uri)

+ - This parameter set inputs the shared access signature (SAS) URI of the package (.cspkg or .zip) file with the local paths to the configuration (.cscfg) file and definition (.csdef) file. No storage account input is required.

+ - The cloud service role profile, network profile, and OS profile are created by the cmdlet with minimal input.

+ - To input a certificate, you must specify a key vault name. The certificate thumbprints in the key vault are validated against the certificates that you specify in the configuration (.cscfg) file for the deployment.

+- Create a deployment by using a [role profile, OS profile, network profile, and extension profile with shared access signature URIs](#create-a-deployment-by-using-profile-objects-and-sas-uris)

+ - This parameter set inputs the SAS URIs of the package (.cspkg or .zip) file and configuration (.cscfg) file.

+ - You must specify profile objects: role profile, network profile, OS profile, and extension profile. The profiles must match the values that you set in the configuration (.cscfg) file and definition (.csdef) file.

+### Quick-create a deployment by using a storage account

+Create a Cloud Services (extended support) deployment by using the package (.cspkg or .zip) file, configuration (.cscfg) file, and definition (.csdef) files:

+$cspkgFilePath = "<Path to .cspkg file>"

+$cscfgFilePath = "<Path to .cscfg file>"

+$csdefFilePath = "<Path to .csdef file>"

+# Create a Cloud Services (extended support) deployment

+### Quick-create a deployment by using an SAS URI

+1. Upload the package (.cspkg or .zip) file for the deployment to the storage account:

+1. Create the Cloud Services (extended support) deployment by using the package (.cspkg or .zip) file, configuration (.cscfg) file, and definition (.csdef) file SAS URI:

+### Create a deployment by using profile objects and SAS URIs

+1. Upload your Cloud Services (extended support) configuration (.cscfg) file to the storage account:

+1. Upload your Cloud Services (extended support) package (.cspkg or .zip) file to the storage account:

+1. Create a virtual network and subnet. This step is optional if you use an existing network and subnet. This example uses a single virtual network and subnet for both Cloud Services (extended support) roles (WebRole and WorkerRole).

+1. Create a public IP address and set a DNS label value for the public IP address. Cloud Services (extended support) supports only a [Basic](../virtual-network/ip-services/public-ip-addresses.md#sku) SKU public IP address. Standard SKU public IP addresses don't work with Cloud Services (extended support).

+ If you use a static IP address, you must reference it as a reserved IP address in the configuration (.cscfg) file for the deployment.

+1. Create a network profile object, and then associate the public IP address to the front end of the load balancer. The Azure platform automatically creates a Classic SKU load balancer resource in the same subscription as the Cloud Services (extended support) resource. The load balancer is a read-only resource in Azure Resource Manager. You can update resources only via the Cloud Services (extended support) configuration (.cscfg) file and deployment (.csdef) file.

+1. Create a key vault. The key vault stores certificates that are associated with Cloud Services (extended support) roles. The key vault must be in the same region and subscription as the Cloud Services (extended support) deployment and have a unique name. For more information, see [Use certificates with Cloud Services (extended support)](certificates-and-key-vault.md).

+1. Update the key vault access policy and grant certificate permissions to your user account:

+ Alternatively, set the access policy by using the `ObjectId` value. To get the `ObjectId` value, run `Get-AzADUser`:

+1. The following example adds a self-signed certificate to a key vault. You must add the certificate thumbprint via the configuration (.cscfg) file for Cloud Services (extended support) roles.

+1. Create an OS profile in-memory object. An OS profile specifies the certificates that are associated with Cloud Services (extended support) roles. This is the certificate that you created in the preceding step.

+1. Create a role profile in-memory object. A role profile defines a role's SKU-specific properties such as name, capacity, and tier. In this example, two roles are defined: frontendRole and backendRole. Role profile information must match the role configuration that's defined in the deployment configuration (.cscfg) file and definition (.csdef) file.

+1. (Optional) Create an extension profile in-memory object to add to your Cloud Services (extended support) deployment. This example adds a Remote Desktop Protocol (RDP) extension:

+ The configuration (.cscfg) file should have only `PublicConfig` tags and should contain a namespace as shown in the following example:

+1. (Optional) In a PowerShell hash table, you can define tags to add to your deployment:

+1. Create the Cloud Services (extended support) deployment by using the profile objects and SAS URIs that you defined:

+## Related content

+- Deploy Cloud Services (extended support) by using the [Azure portal](deploy-portal.md), an [ARM template](deploy-template.md), or [Visual Studio](deploy-visual-studio.md).

+ Title: Prerequisites for deploying Cloud Services (extended support)

+description: Learn about the prerequisites for deploying Azure Cloud Services (extended support).

+To help ensure a successful Azure Cloud Services (extended support) deployment, review the following steps. Complete each prerequisitive before you begin to create a deployment.

+## Required configuration file updates

+Use the information in the following sections to make required updates to the configuration (.cscfg) file for your Cloud Services (extended support) deployment.

+### Virtual network

+Cloud Services (extended support) deployments must be in a virtual network. You can create a virtual network by using the [Azure portal](../virtual-network/quick-create-portal.md), [Azure PowerShell](../virtual-network/quick-create-powershell.md), the [Azure CLI](../virtual-network/quick-create-cli.md), or an [Azure Resource Manager template (ARM template)](../virtual-network/quick-create-template.md). The virtual network and subnets must be referenced in the [NetworkConfiguration](schema-cscfg-networkconfiguration.md) section of the configuration (.cscfg) file.

+For a virtual network that is in the same resource group as the cloud service, referencing only the virtual network name in the configuration (.cscfg) file is sufficient. If the virtual network and Cloud Services (extended support) are in two different resource groups, specify the complete Azure Resource Manager ID of the virtual network in the configuration (.cscfg) file.

+> If the virtual network and Cloud Services (extended support) are located in different resource groups, you can't use Visual Studio 2019 for your deployment. For this scenario, consider using an ARM template or the Azure portal to create your deployment.

+#### Virtual network in the same resource group

+#### Virtual network in a different resource group

+### Remove earlier versions of plugins

+Remove earlier versions of remote desktop settings from the configuration (.cscfg) file:

+Remove earlier versions of diagnostics settings for each role in the configuration (.cscfg) file:

+## Required definition file updates

+> If you make changes to the definition (.csdef) file, you must generate the package (.cspkg or .zip) file again. Build and repackage your package (.cspkg or .zip) file after you make the following changes in the definition (.csdef) file to get the latest settings for your cloud service.

+### Virtual machine sizes

+The following table lists deprecated virtual machine sizes and updated naming conventions through which you can continue to use the sizes.

+The sizes listed in the left column of the table are deprecated in Azure Resource Manager. If you want to continue to use the virtual machine sizes, update the `vmsize` value to use the new naming convention from the right column.

+| Previous size name | Updated size name |

+| ExtraSmall | Standard_A1_v2 |

+| Medium | Standard_A2_v2 |

+| Large | Standard_A4_v2 |

+| ExtraLarge | Standard_A8_v2 |

+| A5 | Standard_A2m_v2 |

+| A6 | Standard_A4m_v2 |

+| A8 | Deprecated |

+| A10 | Deprecated |

+| A11 | Deprecated |

+| MSODSG5 | Deprecated |

+For example, `<WorkerRole name="WorkerRole1" vmsize="Medium">` becomes `<WorkerRole name="WorkerRole1" vmsize="Standard_A2">`.

+> To retrieve a list of available sizes, see the [list of resource SKUs](/rest/api/compute/resourceskus/list). Apply the following filters:

+>

+> `ResourceType = virtualMachines`

+> `VMDeploymentTypes = PaaS`

+### Remove earlier versions of remote desktop plugins

+For deployments that use earlier versions of remote desktop plugins, remove the modules from the definition (.csdef) file and from any associated certificates:

+For deployments that use earlier versions of diagnostics plugins, remove the settings for each role from the definition (.csdef) file:

+## Access control

+The subscription that contains networking resources must have the [Network Contributor](../role-based-access-control/built-in-roles.md#network-contributor) or greater role for Cloud Services (extended support). For more information, see [RBAC built-in roles](../role-based-access-control/built-in-roles.md).

+## Key vault creation

+Azure Key Vault stores certificates that are associated with Cloud Services (extended support). Add the certificates to a key vault, and then reference the certificate thumbprints in the configuration (.cscfg) file for your deployment. You also must enable the key vault access policy (in the portal) for **Azure Virtual Machines for deployment** so that the Cloud Services (extended support) resource can retrieve the certificate that's stored as secrets in the key vault. You can create a key vault in the [Azure portal](../key-vault/general/quick-create-portal.md) or by using [PowerShell](../key-vault/general/quick-create-powershell.md). You must create the key vault in the same region and subscription as the cloud service. For more information, see [Use certificates with Cloud Services (extended support)](certificates-and-key-vault.md).

+## Related content

+- Deploy a Cloud Services (extended support) by using the [Azure portal](deploy-portal.md), [PowerShell](deploy-powershell.md), an [ARM template](deploy-template.md), or [Visual Studio](deploy-visual-studio.md).

+- Visit the [Cloud Services (extended support) samples repository](https://github.com/Azure-Samples/cloud-services-extended-support).

+ Title: Deploy Azure Cloud Services (extended support) - SDK

+description: Deploy Azure Cloud Services (extended support) by using the Azure SDK.

+This article shows how to use the [Azure SDK](https://azure.microsoft.com/downloads/) to create an Azure Cloud Services (extended support) deployment that has multiple roles (WebRole and WorkerRole) and the Remote Desktop Protocol (RDP) extension. Cloud Services (extended support) is a deployment model of Azure Cloud Services that's based on Azure Resource Manager.

+## Prerequisites

+Review the [deployment prerequisites](deploy-prerequisite.md) for Cloud Services (extended support) and create the required resources.

+To deploy Cloud Services (extended support) by using the SDK:

+1. Install the [Azure Compute SDK NuGet package](https://www.nuget.org/packages/Microsoft.Azure.Management.Compute/43.0.0-preview) and initialize the client by using a standard authentication method:

+1. Create a new resource group by installing the Azure Resource Manager NuGet package:

+ ```csharp

+1. Create a storage account and container where you'll store the package (.cspkg or .zip) file and configuration (.cscfg) file for the deployment. Install the [Azure Storage NuGet package](https://www.nuget.org/packages/Azure.Storage.Common/). This step is optional if you're using an existing storage account. The storage account name must be unique.

+1. Upload the package (.cspkg or .zip) file to the storage account. The package URL can be a shared access signature (SAS) URI from any storage account.

+ ```csharp

+ CloudBlockBlob cspkgblockBlob = container.GetBlockBlobReference(ΓÇ£ContosoApp.cspkgΓÇ¥);

+ cspkgblockBlob.UploadFromFileAsync(ΓÇ£./ContosoApp/ContosoApp.cspkgΓÇ¥). Wait();

+ //Generate the shared access signature on the blob, setting the constraints directly on the signature.

+ string cspkgsasContainerToken = cspkgblockBlob.GetSharedAccessSignature(sasConstraints);

+ //Return the URI string for the container, including the SAS token.

+ string cspkgSASUrl = cspkgblockBlob.Uri + cspkgsasContainerToken;

+ ```

+1. Upload the configuration (.cscfg) file to the storage account. Specify the service configuration as either string XML or URL format.

+1. Create a virtual network and subnet. Install the [Azure Network NuGet package](https://www.nuget.org/packages/Azure.ResourceManager.Network/). This step is optional if you're using an existing network and subnet.

+1. Create a public IP address and set the DNS label property of the public IP address. Cloud Services (extended support) supports only a [Basic](../virtual-network/ip-services/public-ip-addresses.md#sku) SKU public IP address. Standard SKU public IP addresses do not work with Cloud Services (extended support).

+ If you use a static IP address, you must reference it as a reserved IP address in the configuration (.cscfg) file.

+ ```csharp

+1. Create a network profile object and associate the public IP address with the front end of the load balancer. The Azure platform automatically creates a Classic SKU load balancer resource in the same subscription as the deployment. The load balancer resource is read-only in Azure Resource Manager. You can update the resource only via the Cloud Services (extended support) configuration (.cscfg) file and definition (.csdef) file.

+1. Create a key vault. This key vault stores certificates that are associated with the Cloud Services (extended support) roles. The key vault must be in the same region and subscription as the Cloud Services (extended support) resource and have a unique name. For more information, see [Use certificates with Cloud Services (extended support)](certificates-and-key-vault.md).

+ ```powershell

+ New-AzKeyVault -Name "ContosKeyVaultΓÇ¥ -ResourceGroupName ΓÇ£ContosoOrgΓÇ¥ -Location ΓÇ£East USΓÇ¥

+ ```

+1. Update the key vault's access policy and grant certificate permissions to your user account:

+ ```powershell

+ Set-AzKeyVaultAccessPolicy -VaultName 'ContosKeyVault' -ResourceGroupName 'ContosoOrg' -UserPrincipalName 'user@domain.com' -PermissionsToCertificates create,get,list,delete

+ ```

+ Alternatively, set the access policy via object ID (which you can get by running `Get-AzADUser`):

+ Set-AzKeyVaultAccessPolicy -VaultName 'ContosKeyVault' -ResourceGroupName 'ContosOrg' -ObjectId 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' -PermissionsToCertificates create,get,list,delete

+1. The following example adds a self-signed certificate to a key vault. The certificate thumbprint must be added in the configuration (.cscfg) file for Cloud Services (extended support) roles.

+ $Policy = New-AzKeyVaultCertificatePolicy -SecretContentType "application/x-pkcs12" - SubjectName "CN=contoso.com" -IssuerName "Self" -ValidityInMonths 6 -ReuseKeyOnRenewal

+ Add-AzKeyVaultCertificate -VaultName "ContosKeyVault" -Name "ContosCert" -CertificatePolicy $Policy

+1. Create an OS profile object. The OS profile specifies the certificates that are associated with Cloud Services (extended support) roles. You use the same certificate that you created in the preceding step.

+1. Create a role profile object. A role profile defines role-specific properties for a SKU, such as name, capacity, and tier.

+ This example defines two roles: ContosoFrontend and ContosoBackend. Role profile information must match the role that's defined in the configuration (.cscfg) file and definition (.csdef) file.

+1. (Optional) Create an extension profile object to add to your Cloud Services (extended support) deployment. This example adds a Remote Desktop Protocol (RDP) extension:

+1. Create the Cloud Services (extended support) deployment:

+## Related content

+- Deploy Cloud Services (extended support) by using the [Azure portal](deploy-portal.md), [Azure PowerShell](deploy-powershell.md), an [ARM template](deploy-template.md), or [Visual Studio](deploy-visual-studio.md).

+- Visit the [Cloud Services (extended support) samples repository](https://github.com/Azure-Samples/cloud-services-extended-support).

+ Title: Deploy Azure Cloud Services (extended support) - ARM template

+description: Deploy Azure Cloud Services (extended support) by using an ARM template.

+# Deploy Cloud Services (extended support) by using an ARM template

+This article shows you how to use an [Azure Resource Manager template (ARM template)](../azure-resource-manager/templates/overview.md) to create an Azure Cloud Services (extended support) deployment.

+## Prerequisites

+Complete the following steps as prerequisites to creating your deployment by using ARM templates.

+1. Review the [deployment prerequisites](deploy-prerequisite.md) for Cloud Services (extended support) and create the required resources.

+1. Create a new resource group by using the [Azure portal](../azure-resource-manager/management/manage-resource-groups-portal.md) or [Azure PowerShell](../azure-resource-manager/management/manage-resource-groups-powershell.md). This step is optional if you use an existing resource group.

+1. Create a new storage account by using the [Azure portal](../storage/common/storage-account-create.md?tabs=azure-portal) or [Azure PowerShell](../storage/common/storage-account-create.md?tabs=azure-powershell). This step is optional if you use an existing storage account.

+1. Upload the package (.cspkg or .zip) file and configuration (.cscfg) file to the storage account by using the [Azure portal](../storage/blobs/storage-quickstart-blobs-portal.md#upload-a-block-blob) or [Azure PowerShell](../storage/blobs/storage-quickstart-blobs-powershell.md#upload-blobs-to-the-container). Save the shared access signature (SAS) URIs for both files to add to the ARM template in a later step.

+1. (Optional) Create a key vault and upload the certificates.

+ - You can attach certificates to your deployment for secure communication to and from the service. If you use certificates, the certificate thumbprints must be specified in your configuration (.cscfg) file and be uploaded to a key vault. You can create a key vault by using the [Azure portal](../key-vault/general/quick-create-portal.md) or [Azure PowerShell](../key-vault/general/quick-create-powershell.md).

+ - The associated key vault must be in the same region and subscription as your Cloud Services (extended support) deployment.

+ - The associated key vault must have the relevant permissions so that Cloud Services (extended support) resources can retrieve certificates from the key vault. For more information, see [Use certificates with Cloud Services (extended support)](certificates-and-key-vault.md).

+ - The key vault must be referenced in the `osProfile` section of the ARM template as shown in a later step.

+## Deploy Cloud Services (extended support)

+To deploy Cloud Services (extended support) by using a template:

+> An easier and faster way to generate your ARM template and parameter file is by using the [Azure portal](https://portal.azure.com). You can [download the generated ARM template](generate-template-portal.md) in the portal to create your Cloud Services (extended support) via Azure PowerShell.

+1. Create a virtual network. The name of the virtual network must match virtual network references in the configuration (.cscfg) file. If you use an existing virtual network, omit this section from the ARM template.

+

+ If you create a new virtual network, add the following lines to the `dependsOn` section to ensure that the platform creates the virtual network before it creates the Cloud Services (extended support) instance:

+1. Create a public IP address and (optionally) set the DNS label property of the public IP address. If you use a static IP address, you must reference it as a reserved IP address in the configuration (.cscfg) file. If you use an existing IP address, skip this step and add the IP address information directly in the load balancer configuration settings in your ARM template.

+ If you create a new IP address, add the following lines to the `dependsOn` section to ensure that the platform creates the IP address before it creates the Cloud Services (extended support) instance:

+1. Create a Cloud Services (extended support) object. Add relevant `dependsOn` references if you are deploying virtual networks or public IP addresses in your template.

+1. Create a network profile object for your deployment, and associate the public IP address with the front end of the load balancer. The Azure platform automatically creates a load balancer.

+1. Add your key vault reference in the `osProfile` section of the ARM template. A key vault stores certificates that are associated with Cloud Services (extended support). Add the certificates to the key vault, and then reference the certificate thumbprints in the configuration (.cscfg) file. Also, set the key vault access policy for **Azure Virtual Machines for deployment** in the Azure portal so that the Cloud Services (extended support) resource can retrieve the certificates that are stored as secrets in the key vault. The key vault must be in the same region and subscription as your Cloud Services (extended support) resource and have a unique name. For more information, see [Use certificates with Cloud Services (extended support)](certificates-and-key-vault.md).

+ > `sourceVault`in the ARM template  is the value of the resource ID for your key vault. You can get this information by finding **Resource ID** in the **Properties** section of your key vault.

+ > - You can get the value for `certificateUrl` by going to the certificate in the key vault that's labeled **Secret Identifier**.ΓÇ»

+ > - `certificateUrl` should be of the form of `https://{keyvault-endpoint}/secrets/{secret-name}/{secret-id}`.

+1. Create a role profile. Ensure that the number of roles, the number of instances in each role, role names, and role sizes are the same across the configuration (.cscfg) file, the definition (.csdef) file, and the `roleProfile` section in the ARM template.

+

+1. (Optional) Create an extension profile to add extensions to your Cloud Services (extended support) deployment. The following example adds the Remote Desktop Protocol (RDP) extension and the Azure Diagnostics extension.

+ > [!NOTE]

+ > The password for RDP must from 8 to 123 characters and must satisfy at least *three* of the following password-complexity requirements:

+ >

+ > Contains an uppercase character.

+ > Contains a lowercase character.

+ > Contains a numeric digit.

+ > Contains a special character.

+ > Cannot contain a control character.

+1. Review the full template:

+ "description": "SAS URI of the package (.cspkg) file to deploy"

+ "description": "SAS URI of the configuration (.cscfg) file"

+ "description": "Public configuration of the Azure Diagnostics extension"

+ "description": "Private configuration of the Azure Diagnostics extension"

+1. Deploy the template and parameter file (to define parameters in the template file) to create the Cloud Services (extended support) deployment. You can use these [sample templates](https://github.com/Azure-Samples/cloud-services-extended-support).

+## Related content

+- Deploy Cloud Services (extended support) by using the [Azure portal](deploy-portal.md), [Azure PowerShell](deploy-powershell.md), or [Visual Studio](deploy-visual-studio.md).

+- Visit the [Cloud Services (extended support) samples repository](https://github.com/Azure-Samples/cloud-services-extended-support).

+| Migration of deployment containing the remote desktop plugin and the remote desktop extensions | Option 1: Remove the remote desktop plugin before migration. This requires changes to deployment files. The migration will then go through. <br><br> Option 2: Remove remote desktop extension and migrate the deployment. Post-migration, remove the plugin and install the extension. This requires changes to deployment files. <br><br> Remove the plugin and extension before migration. [Plugins aren't recommended](./deploy-prerequisite.md#required-definition-file-updates) for use on Cloud Services (extended support).|

+# Post-migration changes

+The Cloud Services (classic) deployment is converted to a Cloud Services (extended support) deployment. For more information, see [Cloud Services (extended support) documentation](deploy-prerequisite.md).

+- Classic sizes like Small, Large, ExtraLarge are replaced by their new size names, Standard_A*. The size names need to be changed to their new names in .csdef file. For more information, see [Cloud Services (extended support) deployment prerequisites](deploy-prerequisite.md#required-definition-file-updates)

+ - [Auto Scale rules](configure-scaling.md) aren't migrated. After migration, recreate the auto scale rules.

+ - [Alerts](enable-alerts.md) aren't migrated. After migration, recreate the alerts.

+Currently, the Azure portal does a validation for you to check if all the required Certificates are uploaded in certificate store in Key Vault and warns if a certificate isn't found. However, if you're planning to use Certificates as secrets, then these certificates can't be validated for their thumbprint and any update operation that involves addition of secrets would fail via Portal. Customers are recommended to use PowerShell or RestAPI to continue updates involving Secrets.

+If you were publishing updates via Visual Studio directly, then you would need to first download the latest CSCFG file from your deployment post migration. Use this file as reference to add Network Configuration details to your current CSCFG file in Visual Studio project. Then build the solution and publish it. You might have to choose the Key Vault and Resource Group for this update.

+###### **June 27, 2024**

+The June Guest OS has released.

+| WA-GUEST-OS-7.42_202406-01 | June 27, 2024 | Post 7.45 |

+|~~WA-GUEST-OS-7.39_202403-02~~| April 9, 2024 | June 27, 2024 |

+| WA-GUEST-OS-6.72_202406-01 | June 27, 2024 | Post 6.75 |

+|~~WA-GUEST-OS-6.69_202403-02~~| April 9, 2024 | June 27, 2024 |

+| WA-GUEST-OS-5.96_202406-01 | June 27, 2024 | Post 5.99 |

+|~~WA-GUEST-OS-5.93_202403-02~~| April 9, 2024 | June 27, 2024 |

+| WA-GUEST-OS-4.132_202406-01 | June 27, 2024 | Post 4.135 |

+|~~WA-GUEST-OS-4.129_202403-02~~| April 9, 2024 | June 27, 2024 |

+| WA-GUEST-OS-3.140_202406-01 | June 27, 2024 | Post 3.143 |

+|~~WA-GUEST-OS-3.137_202403-02~~| April 9, 2024 | June 27, 2024 |

+| WA-GUEST-OS-2.152_202406-01 | June 27, 2024 | Post 2.155 |

+|~~WA-GUEST-OS-2.149_202403-02~~| April 9, 2024 | June 27, 2024 |

+- **Rooms enable an invite-only experience.** Rooms allow your services to control which users can join the room for a virtual appointment with doctors or financial consultants. This allows only a subset of users with assigned Communication Services identities to join a room call.

+Rooms can also be accessed using the [Azure Communication Services UI Library](../../concepts/ui-library/ui-library-overview.md). The UI Library enables developers to add a call client that is Rooms enabled into their application with only a couple lines of code.

+

+The UI Library is fully documented for developers on a separate site. The documentation is interactive and helps you understand how the APIs work by giving you the ability to try them directly from a webpage. For more information, see the [UI Library documentation](../../concepts/ui-library/ui-library-overview.md).

+| 0 | 603 | Call ended successfully as it was declined by the callee. | Success | |

+| 3100 | 410 | Call setup failed due to unexpected network problem on the client, please check client's network and retry. | UnxpectedClientError | - Ensure that you're using the latest SDK in a supported environment.<br> |

+| 3101 | 410 | Call dropped due to unexpected network problem on the client, please check client's network and retry. | UnxpectedClientError | |

+| 3112 | 410 | Call setup failed due to network configuration problem on the client side, please check client's network configuration, and retry. | ExpectedError | |

+| 4507 | 495 | Call ended as application didn't provide a valid Azure Communication Services token. | UnexpectedClientError |- Ensure that your application implements token refresh mechanism correctly. |

+| 4521 | 0 | Call ended because user disconnected from the call abruptly, this may be a result of a user closing the application that hosted the call, eg a user terminated application, closed browser of browser tab without proper hang-up. | ExpectedError | |

+| 10024 | 487 | Call ended successfully as it was declined by all callee endpoints. | Success | - Try to place the call again. |

+| 10057 | 408 | Call failed, callee failed to finalize call setup, most likely callee lost network or terminated the application abruptly. Ensure clients are connected and available. | ExpectedError | |

+| 560486 | 486 | Call ended because remote PSTN participant was busy. The number called was already in a call or having technical issues. | Success | - For Direct Routing calls, check your Session Border Control logs and settings and timeouts configuration.<br> Possible causes: <br> - The number called was already in a call or having technical issues.<br> |

+description: Learn how to use Microsoft Teams, Graph, and Azure Communication Services to build a custom event management platform.

+Microsoft empowers event platforms to integrate event capabilities using [Microsoft Teams](/microsoftteams/quick-start-meetings-live-events), [Microsoft Graph](/graph/api/application-post-onlinemeetings?tabs=http&view=graph-rest-beta&preserve-view=true) and [Azure Communication Services](../overview.md). Virtual Events are a communication modality where event organizers schedule and configure a virtual environment for event presenters and participants to engage with content through voice, video, and chat. Event management platforms enable users to configure events and for attendees to participate in those events, within their platform, applying in-platform capabilities and gamification. Learn more about [Teams Meetings, Webinars, and Live Events](/microsoftteams/quick-start-meetings-live-events) that are used throughout this article to enable virtual event scenarios.

+For event attendees, they're presented with an experience that enables them to attend, participate, and engage with an eventΓÇÖs content. This experience might include capabilities like watching content, sharing their camera stream, asking questions, responding to polls, and more. Microsoft provides two options for attendees to consume events powered by Teams and Azure Communication

+Throughout the rest of this tutorial, we'll focus on how using Azure Communication Services and Microsoft Graph to build a custom event management platform. We'll be using the sample architecture below. Based on that architecture we'll be focusing on setting up scheduling and registration flows and embedding the attendee experience right on the event platform to join the event.

+ 2. As part of the application setup, the service account is used to log in into the solution once. With this permission the application can retrieve and store an access token on behalf of the service account that will own the meetings. Your application will need to store the tokens generated from the login and place them in a secure location such as a key vault. The application will need to store both the access token and the refresh token. Learn more about [auth tokens](/entra/identity-platform/access-tokens). and [refresh tokens](/entra/identity-platform/refresh-tokens).

+Attendee experience can be directly embedded into an application or platform using [Azure Communication Services](../overview.md) so that your attendees never need to leave your platform. It provides low-level calling and chat SDKs that support [interoperability with Teams Events](../concepts/teams-interop.md), as well as a turn-key UI Library, which can be used to reduce development time and easily embed communications. Azure Communication Services enables developers to have flexibility with the type of solution they need. Review [limitations](../concepts/join-teams-meeting.md#limitations-and-known-issues) of using Azure Communication Services for webinar scenarios.

+4. Developers can leverage [headless SDKs](../concepts/teams-interop.md) or [UI Library](../concepts/ui-library/ui-library-overview.md) using the join link URL to join the Teams meeting through [Teams Interoperability](../concepts/teams-interop.md). Details below:

+| Developers can leverage the [calling](../quickstarts/voice-video-calling/get-started-teams-interop.md?pivots=platform-javascript&preserve-view=true) and [chat](../quickstarts/chat/meeting-interop.md?pivots=platform-javascript&preserve-view=true) SDKs to join a Teams meeting with your custom client | Developers can choose between the [call + chat](https://azure.github.io/communication-ui-library/?path=/docs/composites-meeting-basicexample--basic-example) or pure [call](../concepts/ui-library/ui-library-overview.md) and [chat](https://azure.github.io/communication-ui-library/?path=/docs/composites-chat-basicexample--basic-example) composites to build their experience. Alternatively, developers can leverage [composable components](../concepts/ui-library/ui-library-use-cases.md) to build a custom Teams interop experience.|

+## <a name="scale-rules"></a>Use managed identity for scale rules

+You can use managed identities in your scale rules to authenticate with Azure services that support managed identities. To use a managed identity in your scale rule, use the `identity` property instead of the `auth` property in your scale rule. Acceptable values for the `identity` property are either the Azure resource ID of a user-assigned identity, or `system` to use a system-assigned identity.

+> [!NOTE]

+> Managed identity authentication in scale rules is in public preview. It's available in API version `2024-02-02-preview`.

+The following ARM template example shows how to use a managed identity with an Azure Queue Storage scale rule:

+The queue storage account uses the `accountName` property to identify the storage account, while the `identity` property specifies which managed identity to use. You do not need to use the `auth` property.

+To learn more about using managed identity with scale rules, see [Set scaling rules in Azure Container Apps](scale-app.md?pivots=azure-portal#authentication-2).

+Container Apps allows you to specify [init containers](containers.md#init-containers) and main containers. By default, both main and init containers in a consumption workload profile environment can use managed identity to access other Azure services. In consumption-only environments and dedicated workload profile environments, only main containers can use managed identity. Managed identity access tokens are available for every managed identity configured on the container app. However, in some situations only the init container or the main container require access tokens for a managed identity. Other times, you may use a managed identity only to access your Azure Container Registry to pull the container image, and your application itself doesn't need to have access to your Azure Container Registry.

+- `Init`: Available only to init containers. Use this when you want to perform some initialization work that requires a managed identity, but you no longer need the managed identity in the main container. This option is currently only supported in [workload profile consumption environments](environment.md#types)

+- `Main`: Available only to main containers. Use this if your init container does not need managed identity.

+- `All`: Available to all containers. This value is the default setting.

+- `None`: Not available to any containers. Use this when you have a managed identity that is only used for ACR image pull, scale rules, or Key Vault secrets and does not need to be available to the code running in your containers.

+The following ARM template example shows how to configure a container app on a workload profile consumption environment that:

+ "lifecycle": "None"

+ "lifecycle": "Init"

+ "lifecycle": "Main"

+For authentication, KEDA scaler authentication parameters take [Container Apps secrets](manage-secrets.md) or [managed identity](managed-identity.md#scale-rules).

+Container Apps scale rules support secrets-based authentication. Scale rules for Azure resources, including Azure Queue Storage, Azure Service Bus, and Azure Event Hubs, also support managed identity. Where possible, use managed identity authentication to avoid storing secrets within the app.

+#### Use secrets

+To use secrets for authentication, you need to create a secret in the container app's `secrets` array. The secret value is used in the `auth` array of the scale rule.

+KEDA scalers can use secrets in a [TriggerAuthentication](https://keda.sh/docs/latest/concepts/authentication/) that is referenced by the `authenticationRef` property. You can map the TriggerAuthentication object to the Container Apps scale rule.

+#### Using managed identity

+Container Apps scale rules can use managed identity to authenticate with Azure services. The following ARM template passes in system-based managed identity to authenticate for an Azure Queue scaler.

+```

+"scale": {

+ "minReplicas": 0,

+ "maxReplicas": 4,

+ "rules": [

+ {

+ "name": "azure-queue",

+ "custom": {

+ "type": "azure-queue",

+ "metadata": {

+ "accountName": "apptest123",

+ "queueName": "queue1",

+ "queueLength": "1"

+ },

+ "identity": "system"

+ }

+ }

+ ]

+}

+```

+To learn more about using managed identity with scale rules, see [Managed identity](managed-identity.md#scale-rules).

+Container Apps scale rules support secrets-based authentication. Scale rules for Azure resources, including Azure Queue Storage, Azure Service Bus, and Azure Event Hubs, also support managed identity. Where possible, use managed identity authentication to avoid storing secrets within the app.

+#### Use secrets

+To configure secrets-based authentication for a Container Apps scale rule, you configure the secrets in the container app and reference them in the scale rule.

+A KEDA scaler supports secrets in a [TriggerAuthentication](https://keda.sh/docs/latest/concepts/authentication/) which the `authenticationRef` property uses for reference. You can map the `TriggerAuthentication` object to the Container Apps scale rule.

+

+#### Using managed identity

+Container Apps scale rules can use managed identity to authenticate with Azure services. The following command creates a container app with a user-assigned managed identity and uses it to authenticate for an Azure Queue scaler.

+```bash

+az containerapp create \

+ --resource-group <RESOURCE_GROUP> \

+ --name <APP_NAME> \

+ --environment <ENVIRONMENT_ID> \

+ --user-assigned <USER_ASSIGNED_IDENTITY_ID> \

+ --scale-rule-name azure-queue \

+ --scale-rule-type azure-queue \

+ --scale-rule-metadata "accountName=<AZURE_STORAGE_ACCOUNT_NAME>" "queueName=queue1" "queueLength=1" \

+ --scale-rule-identity <USER_ASSIGNED_IDENTITY_ID>

+```

+Replace placeholders with your values.

+Container Apps scale rules support secrets-based authentication. Scale rules for Azure resources, including Azure Queue Storage, Azure Service Bus, and Azure Event Hubs, also support managed identity. Where possible, use managed identity authentication to avoid storing secrets within the app.

+#### Use secrets

+#### Using managed identity

+Managed identity authentication is not supported in the Azure portal. Use the [Azure CLI](scale-app.md?pivots=azure-cli#authentication) or [Azure Resource Manager](scale-app.md?&pivots=azure-resource-manager#authentication) to authenticate using managed identity.

+| Tier | Type | CPU | Memory (GB) |

+| - | -- | | -- |

+| S1 | standard | 2 | 3 |

+| S2 | standard | 4 | 8 |

+| S3 | standard | 8 | 16 |

+| I6 | isolated | 64 | 216 |

+| | -- | -- | -- | -- | | - |

+| Outbound | TCP | VirtualNetwork | Any | AzureMonitor | 443,12000 | Default |

+- [Memory](#ai-agent-memory-system). AI agents possess the ability to remember past interactions (tool usage and perception) and behaviors (tool usage and planning). They store these experiences and even perform self-reflection to inform future actions. This memory component allows for continuity and improvement in agent performance over time.

+### AI agent memory system

+#### In-memory databases

+In-memory databases are excellent for speed but may struggle with the large-scale data persistence that AI agents require.

+#### Relational databases

+Relational databases are not ideal for the varied modalities and fluid schemas of data handled by agents. Moreover, relational databases require manual efforts and even downtime to manage provisioning, partitioning, and sharding.

+#### Pure vector databases

+Pure vector databases tend to be less effective for transactional operations, real-time updates, and distributed workloads. The popular pure vector databases nowadays typically offer

+## Memory can make or break agents

+Weaving together [a web of standalone in-memory, relational, and vector databases](#ai-agent-memory-system) is not an optimal solution for the varied data types, either. This approach may work for prototypical agent systems; however, it adds complexity and performance bottlenecks that can hamper the performance of advanced autonomous agents.

+## Building a robust AI agent memory system

+The above characteristics require AI agent memory systems to be highly scalable and swift. Painstakingly weaving together [a plethora of disparate in-memory, relational, and vector databases](#ai-agent-memory-system) may work for early-stage AI-enabled applications; however, this approach adds complexity and performance bottlenecks that can hamper the performance of advanced autonomous agents.

+Chatbots have been a long-standing concept, but AI agents are advancing beyond basic human conversation to carry out tasks based on natural language, traditionally requiring coded logic. This AI travel agent uses the LangChain Agent framework for agent planning, tool usage, and perception. Its [unified memory system](#memory-can-make-or-break-agents) uses the [vector database](vector-database.md) and document store capabilities of Azure Cosmos DB to address traveler inquiries and facilitate trip bookings, ensuring [speed, scale, and simplicity](#building-a-robust-ai-agent-memory-system). It operates within a Python FastAPI backend and support user interactions through a React JS user interface.

+load_dotenv(override=False)

+The **init.py** file commences by initiating the loading of environment variables from a **.env** file utilizing the ```load_dotenv(override=False)``` method. Then, a global variable named ```agent_with_chat_history``` is instantiated for the agent, intended for use by our **TravelAgent.py**. The ```LLM_init()``` method is invoked during module initialization to configure our AI agent for conversation via the API web layer. The OpenAI Chat object is instantiated using the GPT-3.5 model, incorporating specific parameters such as model name and temperature. The chat object, tools list, and prompt template are combined to generate an ```AgentExecutor```, which operates as our AI Travel Agent. Lastly, the agent with history, ```agent_with_chat_history```, is established using ```RunnableWithMessageHistory``` with chat history (MongoDBChatMessageHistory), enabling it to maintain a complete conversation history via Azure Cosmos DB.

+load_dotenv(override=False)

+Azure Cosmos DB simplifies and expedites your application development by being the single database for your operational data needs, from [geo-replicated distributed caching](https://medium.com/@marcodesanctis2/using-azure-cosmos-db-as-your-persistent-geo-replicated-distributed-cache-b381ad80f8a0) to backup to [vector indexing and search](vector-database.md). It provides the data infrastructure for modern applications like [AI agents](ai-agents.md), digital commerce, Internet of Things, and booking management. It can accommodate all your operational data models, including relational, document, vector, key-value, graph, and table.

+Inverted File (IVF) Indexing is a method that organizes vectors into clusters. During a vector search, the query vector is first compared against the centers of these clusters. The search is then conducted within the cluster whose center is closest to the query vector.

+The `numList`s parameter determines the number of clusters to be created. A single cluster implies that the search is conducted against all vectors in the database, akin to a brute-force or kNN search. This setting provides the highest accuracy but also the highest latency.

+Increasing the `numLists` value results in more clusters, each containing fewer vectors. For instance, if `numLists=2`, each cluster contains more vectors than if `numLists=3`, and so on. Fewer vectors per cluster speed up the search (lower latency, higher queries per second). However, this increases the likelihood of missing the most similar vector in your database to the query vector. This is due to the imperfect nature of clustering, where the search might focus on one cluster while the actual ΓÇ£closestΓÇ¥ vector resides in a different cluster.

+The `nProbes` parameter controls the number of clusters to be searched. By default, itΓÇÖs set to 1, meaning it searches only the cluster with the center closest to the query vector. Increasing this value allows the search to cover more clusters, improving accuracy but also increasing latency (thus decreasing queries per second) as more clusters and vectors are being searched.

+<br>

+> [!VIDEO https://www.youtube.com/embed/7EFcxFGRB5Y?si=e7BiJ-JGK7WH79NG]

+A vector database that is integrated in a highly performant NoSQL or relational database provides additional capabilities. The integrated vector database in a NoSQL or relational database can store, index, and query embeddings alongside the corresponding original data. This approach eliminates the extra cost of replicating data in a separate pure vector database. Moreover, keeping the vector embeddings and original data together better facilitates multi-modal data operations, and enables greater data consistency, scale, and performance. A highly performant database with schema flexibility and integrated vector database is especially optimal for [AI agents](ai-agents.md).

+You can simplify billing management for your organization by creating multitenant billing relationships using associated billing tenants. A multitenant billing relationship lets you securely share your organizationΓÇÖs billing account with other tenants, while maintaining control over your billing data. You can move subscriptions in different tenants and provide users in those tenants with access to your organizationΓÇÖs billing account. This relationship lets users on those tenants do billing activities like viewing and downloading invoices or managing licenses.

+## Prerequisites

+You must have a Microsoft Customer Agreement - enterprise billing account to use associated billing tenants. An enterprise billing account is a billing account that is created by working with a Microsoft sales representative.

+If you don't have one, you don't see the **Associated billing tenants** option in the Azure portal. You also can't move subscriptions to other tenants or assign roles to users in other tenants.

+To learn more about types of billing accounts, see [Billing accounts and scopes in the Azure portal](view-all-accounts.md).

+1. In the Add role assignment pane, select a role, select the associated billing tenant from the tenant dropdown, then enter the email address of the users, groups, or apps to whom you want to assign roles.

+|Security | The users that you invite to share your billing account follow their tenant's security policies. | The users that you invite to share your billing account follow your tenant's security policies. |

+Reservations don't support roles assigned with Azure Lighthouse. To view reservations, you need to be a global admin or an admin agent in the customer's tenant.

+> Being a guest in the customer's tenant allows you to view reservations. However, guest access prevents you from refunding or exchanging reservations. To make changes to reservations, you must remove guest access from the tenant. Admin agent privilege doesn't override guest access.

+## Related content

+If an invoice includes over 1,000 line items, it gets split into multiple invoices.

+1. You have access to an Azure Stack Edge device on which you deploy one or more GPU VMs. See how to [Deploy a GPU VM on your device](azure-stack-edge-gpu-deploy-gpu-virtual-machine.md).

+1. [Download the GPU extension templates and parameters files](https://aka.ms/ase-vm-templates) to your client machine. Unzip it into a directory you use as a working directory.

+1. Verify that the client you'll use to access your device is still connected to the Azure Resource Manager over Azure PowerShell. The connection to Azure Resource Manager expires every 1.5 hours or if your Azure Stack Edge device restarts. If this happens, any cmdlets that you execute will return error messages to the effect that you aren't connected to Azure anymore. You must sign in again. For detailed instructions, see [Connect to Azure Resource Manager on your Azure Stack Edge device](azure-stack-edge-gpu-connect-resource-manager.md).

+- You follow the steps in [using RHEL BYOS image](azure-stack-edge-gpu-create-virtual-machine-image.md).

+- You install the `vulkan-filesystem` package, as the installation script looks for a `vulkan-filesystem` package.

+A successful install displays a `message` with `Enable Extension` and `status` of `success`.

+2. Run the nvidia-smi command-line utility installed with the driver. If the driver is successfully installed, you are able to run the utility and see the following output:

+### [(Preview) Azure DevOps repositories should require minimum two-reviewer approval for code pushes](https://portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/470742ea-324a-406c-b91f-fc1da6a27c0c)

+**Description**: To prevent unintended or malicious changes from being directly committed, it's important to implement protection policies for the default branch in Azure DevOps repositories. We recommend requiring at least two code reviewers to approve pull requests before the code is merged with the default branch. By requiring approval from a minimum number of two reviewers, you can reduce the risk of unauthorized modifications, which could lead to system instability or security vulnerabilities.

+**Severity**: High

+### [(Preview) Azure DevOps repositories should not allow requestors to approve their own Pull Requests](https://portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/98b5895a-0ad8-4ed9-8c9d-d654f5bda816)

+**Description**: To prevent unintended or malicious changes from being directly committed, it's important to implement protection policies for the default branch in Azure DevOps repositories. We recommend prohibiting pull request creators from approving their own submissions to ensure that every change undergoes objective review by someone other than the author. By doing this, you can reduce the risk of unauthorized modifications, which could lead to system instability or security vulnerabilities.

+**Severity**: High

+### [(Preview) GitHub organizations should not make action secrets accessible to all repositories](https://portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/6331fad3-a7a2-497d-b616-52672057e0f3)

+**Description**: For secrets used in GitHub Action workflows that are stored at the GitHub organization-level, you can use access policies to control which repositories can use organization secrets. Organization-level secrets let you share secrets between multiple repositories, which reduces the need for creating duplicate secrets. However, once a secret is made accessible to a repository, anyone with write access on repository can access the secret from any branch in a workflow. To reduce the attack surface, ensure that the secret is accessible from selected repositories only.

+**Severity**: High

+| June 28 | [New DevOps security recommendations](#new-devops-security-recommendations) |

+| June 27 | [General Availability of Checkov IaC Scanning in Defender for Cloud](#general-availability-of-checkov-iac-scanning-in-defender-for-cloud) |

+| June 27 | [Four security incidents have been deprecated](#four-security-incidents-have-been-deprecated) |

+### New DevOps security recommendations

+June 28, 2024

+We're announcing DevOps security recommendations that improve the security posture of Azure DevOps and GitHub environments. If issues are found, these recommendations offer remediation steps.

+The following new recommendations are supported if you have connected Azure DevOps or GitHub to Microsoft Defender for Cloud. All recommendations are included in Foundational Cloud Security Posture Management.

+| Recommendation name | Description | Severity |

+|--|--|--|

+| [Azure DevOps repositories should require minimum two-reviewer approval for code pushes](https://portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/470742ea-324a-406c-b91f-fc1da6a27c0c) | To prevent unintended or malicious changes from being directly committed, it's important to implement protection policies for the default branch in Azure DevOps repositories. We recommend requiring at least two code reviewers to approve pull requests before the code is merged with the default branch. By requiring approval from a minimum number of two reviewers, you can reduce the risk of unauthorized modifications, which could lead to system instability or security vulnerabilities. | High |

+| [Azure DevOps repositories should not allow requestors to approve their own Pull Requests](https://portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/98b5895a-0ad8-4ed9-8c9d-d654f5bda816) | To prevent unintended or malicious changes from being directly committed, it's important to implement protection policies for the default branch in Azure DevOps repositories. We recommend prohibiting pull request creators from approving their own submissions to ensure that every change undergoes objective review by someone other than the author. By doing this, you can reduce the risk of unauthorized modifications, which could lead to system instability or security vulnerabilities. | High |

+| [GitHub organizations should not make action secrets accessible to all repositories](https://portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/6331fad3-a7a2-497d-b616-52672057e0f3) | For secrets used in GitHub Action workflows that are stored at the GitHub organization-level, you can use access policies to control which repositories can use organization secrets. Organization-level secrets let you share secrets between multiple repositories, which reduces the need for creating duplicate secrets. However, once a secret is made accessible to a repository, anyone with write access on repository can access the secret from any branch in a workflow. To reduce the attack surface, ensure that the secret is accessible from selected repositories only. | High |

+ > For online migrations, you must already have set up your Microsoft Entra credentials. For more information, see the article [Use the portal to create a Microsoft Entra application and service principal that can access resources](/entra/identity-platform/howto-create-service-principal-portal).

+- **Recommendation**: Migrate the TDE certificate to the target instance and retry the process. For more information about migrating TDE-enabled databases, see [Tutorial: Migrate TDE-enabled databases (preview) to Azure SQL in Azure Data Studio](tutorial-transparent-data-encryption-migration-ads.md).

+SQL Server to Azure SQL Managed Instance| [Online](/data-migration/sql-server/managed-instance/database-migration-service) / [Offline](/data-migration/sql-server/managed-instance/database-migration-service)

+SQL Server to SQL Server on an Azure virtual machine|[Online](/data-migration/sql-server/virtual-machines/database-migration-service) / [Offline](/data-migration/sql-server/virtual-machines/database-migration-service)

+SQL Server to Azure SQL Database | [Offline](/data-migration/sql-server/database/database-migration-service)

+**Custom Role for the APP ID**. This role is required for Azure Database Migration Service migration at the *resource* or *resource group* level that hosts the Azure Database Migration Service (for more information about the APP ID, see the article [Use the portal to create a Microsoft Entra application and service principal that can access resources](/entra/identity-platform/howto-create-service-principal-portal)).

+ | SQL Server to Azure SQL Managed Instance | [Online](/data-migration/sql-server/managed-instance/database-migration-service) / [Offline](/data-migration/sql-server/managed-instance/database-migration-service) |

+ | SQL Server to SQL Server on an Azure virtual machine | [Online](/data-migration/sql-server/virtual-machines/database-migration-service) / [Offline](/data-migration/sql-server/virtual-machines/database-migration-service) |

+- [Tutorial: Migrate SQL Server to Azure SQL Database - Offline](/data-migration/sql-server/database/database-migration-service)

+- [Tutorial: Migrate SQL Server to Azure SQL Managed Instance - Online](/data-migration/sql-server/managed-instance/database-migration-service)

+- [Tutorial: Migrate SQL Server to SQL Server On Azure Virtual Machines - Online](/data-migration/sql-server/virtual-machines/database-migration-service)

+> This tutorial uses an older version of the Azure Database Migration Service. For improved functionality and supportability, consider migrating to Azure SQL Managed Instance by using the [Azure SQL migration extension for Azure Data Studio](/data-migration/sql-server/managed-instance/database-migration-service).

+* Create a Microsoft Entra Application ID that generates the Application ID key that Azure Database Migration Service can use to connect to target Azure SQL Managed Instance and Azure Storage Container. For more information, see the article [Use portal to create a Microsoft Entra application and service principal that can access resources](/entra/identity-platform/howto-create-service-principal-portal).

+ For more information, see the article [Use portal to create a Microsoft Entra application and service principal that can access resources](/entra/identity-platform/howto-create-service-principal-portal).

+> This tutorial uses an older version of the Azure Database Migration Service. For improved functionality and supportability, consider migrating to Azure SQL Database by using the [Azure SQL migration extension for Azure Data Studio](/data-migration/sql-server/database/database-migration-service).

+> This tutorial uses an older version of the Azure Database Migration Service. For improved functionality and supportability, consider migrating to Azure SQL Managed Instance by using the [Azure SQL migration extension for Azure Data Studio](/data-migration/sql-server/managed-instance/database-migration-service).

+ - As an alternative to using the above built-in roles, you can assign a custom role. For more information, see [Custom roles: Online SQL Server to SQL Managed Instance migrations using ADS](/data-migration/sql-server/managed-instance/custom-roles).

+ - [Tutorial: Migrate SQL Server to Azure SQL Managed Instance online](/data-migration/sql-server/managed-instance/database-migration-service)

+ - [Tutorial: Migrate SQL Server to Azure SQL Managed Instance offline](/data-migration/sql-server/managed-instance/database-migration-service)

+- [Tutorial: Migrate SQL Server to Azure SQL Database - Offline](/data-migration/sql-server/database/database-migration-service)

+- [Tutorial: Migrate SQL Server to Azure SQL Managed Instance - Online](/data-migration/sql-server/managed-instance/database-migration-service)

+- [Tutorial: Migrate SQL Server to SQL Server On Azure Virtual Machines - Online](/data-migration/sql-server/virtual-machines/database-migration-service)

+All outbound virtual network traffic IP addresses are translated to the Azure Firewall public IP (Source Network Address Translation). You can identify and allow traffic originating from your virtual network to remote Internet destinations. When Azure Firewall has multiple public IPs configured for providing outbound connectivity, it will use IPs as needed based on available ports. It will only use the next available public IP once the connections cannot be made from the current public IP.

+In scenarios where you have high throughput or dynamic traffic patterns, it is recommended to us an [Azure NAT Gateway](/azure/nat-gateway/nat-overview). Azure NAT Gateway dynamically selects SNAT ports for providing outbound connectivity,

+so all the SNAT ports provided by its associated IP addresses is available on demand. To learn more about how to integrate NAT Gateway with Azure Firewall, see [Scale SNAT ports with Azure NAT Gateway](/azure/firewall/integrate-with-nat-gateway).

+Azure NAT Gateway can be used with Azure Firewall by associating NAT Gateway to the Azure Firewall subnet. See the [Integrate NAT gateway with Azure Firewall](/azure/nat-gateway/tutorial-hub-spoke-nat-firewall) tutorial for guidance on this configuration.

+Azure Firewall doesn't SNAT when the destination IP is a private IP range per [IANA RFC 1918](https://tools.ietf.org/html/rfc1918).

+One of the challenges with using a large number of public IP addresses is when there are downstream IP address filtering requirements. When Azure Firewall is associated with multiple public IP addresses, you need to apply the filtering requirements across all public IP addresses associated with it. Even if you use [Public IP address prefixes](../virtual-network/ip-services/public-ip-address-prefix.md) and you need to associate 250 public IP addresses to meet your outbound SNAT port requirements, you still need to create and allow 16 public IP address prefixes.

+When you create policy definitions, work with SDKs, or set up the [Azure Policy for Kubernetes](../concepts/policy-for-kubernetes.md) add-on, you might run into errors. This article describes various general errors that might occur, and it suggests ways to resolve them.

+- If you're working with a custom policy, go to the Azure portal to get linting feedback about the schema, or review resulting [compliance data](../how-to/get-compliance-data.md) to see how resources were evaluated.

+- If you're working with any of the various SDKs, the SDK provides details about why the function failed.

+- If you're working with the add-on for Kubernetes, start with the [logging](../concepts/policy-for-kubernetes.md#logging) in the cluster.

+An incorrect or nonexistent alias is used in a policy definition. Azure Policy uses [aliases](../concepts/definition-structure-alias.md) to map to Azure Resource Manager properties.

+First, validate that the Resource Manager property has an alias. To look up the available aliases, go to [Azure Policy extension for Visual Studio Code](../how-to/extension-for-vscode.md) or the SDK. If the alias for a Resource Manager property doesn't exist, create a support ticket.

+A new policy or initiative assignment takes about five minutes to be applied. New or updated resources within scope of an existing assignment become available in about 15 minutes. A standard compliance scan occurs every 24 hours. For more information, see [evaluation triggers](../how-to/get-compliance-data.md#evaluation-triggers).

+First, wait an appropriate amount of time for an evaluation to finish and compliance results to become available in the Azure portal or the SDK. To start a new evaluation scan with Azure PowerShell or the REST API, see [On-demand evaluation scan](../how-to/get-compliance-data.md#on-demand-evaluation-scan).

+A resource isn't in either the _Compliant_ or _Not-Compliant_ evaluation state expected for the resource.

+The resource isn't in the correct scope for the policy assignment, or the policy definition doesn't operate as intended.

+To troubleshoot your policy definition, do the following steps:

+1. First, wait the appropriate amount of time for an evaluation to finish and compliance results to become available in the Azure portal or SDK.

+1. To start a new evaluation scan with Azure PowerShell or the REST API, see [On-demand evaluation scan](../how-to/get-compliance-data.md#on-demand-evaluation-scan).

+1. Check the [policy definition mode](../concepts/definition-structure-basics.md#mode):

+1. Ensure that the scope of the resource isn't [excluded](../concepts/assignment-structure.md#excluded-scopes) or [exempt](../concepts/exemption-structure.md).

+1. If compliance for a policy assignment shows `0/0` resources, no resources were determined to be applicable within the assignment scope. Check both the policy definition and the assignment scope.

+1. For a [Resource Provider mode](../concepts/definition-structure-basics.md#resource-provider-modes) definition that supports a RegEx string parameter (such as `Microsoft.Kubernetes.Data` and the built-in definition "Container images should be deployed from trusted registries only"), validate that the [RegEx string](/dotnet/standard/base-types/regular-expression-language-quick-reference) parameter is correct.

+1. For other common issues and solutions, see [Troubleshoot: Enforcement not as expected](#scenario-enforcement-not-as-expected).

+If you still have an issue with your duplicated and customized built-in policy definition or custom definition, create a support ticket under **Authoring a policy** to route the issue correctly.

+A resource that you expect Azure Policy to act on isn't being acted on, and there's no entry in the [Azure Activity log](../../../azure-monitor/data-sources.md#azure-resources).

+The policy assignment was configured for an [enforcementMode](../concepts/assignment-structure.md#enforcement-mode) setting of _Disabled_. While `enforcementMode` is disabled, the policy effect isn't enforced, and there's no entry in the Activity log.

+Troubleshoot your policy assignment's enforcement by doing the following steps:

+1. First, wait the appropriate amount of time for an evaluation to finish and compliance results to become available in the Azure portal or the SDK.

+1. To start a new evaluation scan with Azure PowerShell or the REST API, see [On-demand evaluation scan](../how-to/get-compliance-data.md#on-demand-evaluation-scan).

+1. Ensure that the assignment parameters and assignment scope are set correctly and that `enforcementMode` is _Enabled_.

+1. Check the [policy definition mode](../concepts/definition-structure-basics.md#mode):

+1. Ensure that the scope of the resource isn't [excluded](../concepts/assignment-structure.md#excluded-scopes) or [exempt](../concepts/exemption-structure.md).

+1. Verify that the resource payload matches the policy logic. This verification can be done by [capturing an HTTP Archive (HAR) trace](../../../azure-portal/capture-browser-trace.md) or reviewing the Azure Resource Manager template (ARM template) properties.

+1. For other common issues and solutions, see [Troubleshoot: Compliance not as expected](#scenario-compliance-isnt-as-expected).

+If you still have an issue with your duplicated and customized built-in policy definition or custom definition, create a support ticket under **Authoring a policy** to route the issue correctly.

+A policy assignment to the scope of your new or updated resource meets the criteria of a policy definition with a [Deny](../concepts/effect-deny.md) effect. Resources that meet these definitions are prevented from being created or updated.

+The error message from a deny policy assignment includes the policy definition and policy assignment IDs. If the error information in the message is missed, it's also available in the [Activity log](../../../azure-monitor/essentials/activity-log-insights.md#view-the-activity-log). Use this information to get more details to understand the resource restrictions and adjust the resource properties in your request to match allowed values.

+A policy definition that includes multiple resource types fails validation during creation or update with the following error:

+The policy definition rule has one or more conditions that don't get evaluated by the target resource types.

+If an alias is used, make sure that the alias gets evaluated against only the resource type it belongs to by adding a type condition before it. An alternative is to split the policy definition into multiple definitions to avoid targeting multiple resource types.

+An error message on the compliance page in Azure portal is shown when retrieving compliance for policy assignments.

+The number of subscriptions under the selected scopes in the request exceeded the limit of 5,000 subscriptions. The compliance results might be partially displayed.

+To see the complete results, select a more granular scope with fewer child subscriptions.

+Azure Policy supports many ARM template functions and functions that are available only in a policy definition. Resource Manager processes these functions as part of a deployment instead of as part of a policy definition.

+Using supported functions, such as `parameter()` or `resourceGroup()`, results in the processed outcome of the function at deployment time instead of allowing the function for the policy definition and Azure Policy engine to process.

+To pass a function through as part of a policy definition, escape the entire string with `[` such that the property looks like `[[resourceGroup().tags.myTag]`. The escape character causes Resource Manager to treat the value as a string when it processes the template. Azure Policy then places the function into the policy definition, which allows it to be dynamic as expected. For more information, see [Syntax and expressions in Azure Resource Manager templates](../../../azure-resource-manager/templates/template-expressions.md).

+When you run `helm install azure-policy-addon`, escape the comma (`,`) in the password value with a backslash (`\`).

+The Helm Chart with the name `azure-policy-addon` was already installed or partially installed.

+Follow the instructions to [remove the Azure Policy for Kubernetes add-on](../concepts/policy-for-kubernetes.md#remove-the-add-on), then rerun the `helm install azure-policy-addon` command.

+After you assign Guest Configuration policy initiatives to audit settings inside a machine, the user-assigned managed identities that were assigned to the machine are no longer assigned. Only a system-assigned managed identity is assigned.

+The policy definitions that were previously used in Guest Configuration `deployIfNotExists` definitions ensured that a system-assigned identity is assigned to the machine. But they also removed the user-assigned identity assignments.

+The definitions that previously caused this issue appear as `\[Deprecated\]`, and are replaced by policy definitions that manage prerequisites without removing user-assigned managed identities. A manual step is required. Delete any existing policy assignments that are marked as `\[Deprecated\]`, and replace them with the updated prerequisite policy initiative and policy definitions that have the same name as the original.

+For a detailed narrative, see the blog post [Important change released for Guest Configuration audit policies](https://techcommunity.microsoft.com/t5/azure-governance-and-management/important-change-released-for-guest-configuration-audit-policies/ba-p/1655316).

+The add-on can't reach the Azure Policy service endpoint, and it returns one of the following errors:

+This error occurs when `aad-pod-identity` is installed on the cluster and the _kube-system_ pods aren't excluded in `aad-pod-identity`.

+The `aad-pod-identity` component Node Managed Identity (NMI) pods modify the nodes' iptables to intercept calls to the Azure instance metadata endpoint. This setup means that any request made to the metadata endpoint is intercepted by NMI, even if the pod doesn't use `aad-pod-identity`. The `AzurePodIdentityException` CustomResourceDefinition (CRD) can be configured to inform `aad-pod-identity` that any requests to a metadata endpoint that originate from a pod matching the labels defined in the CRD should be proxied without any processing in NMI.

+Exclude the system pods that have the `kubernetes.azure.com/managedby: aks` label in _kube-system_ namespace in `aad-pod-identity` by configuring the `AzurePodIdentityException` CRD.

+For more information, see [Disable the Azure Active Directory (Azure AD) pod identity for a specific pod/application](https://azure.github.io/aad-pod-identity/docs/configure/application_exception).

+The add-on can reach the Azure Policy service endpoint, but the add-on logs display one of the following errors:

+The `Microsoft.PolicyInsights` resource provider isn't registered. It must be registered for the add-on to get policy definitions and return compliance data.

+Register the `Microsoft.PolicyInsights` resource provider in the cluster subscription. For instructions, see [Register a resource provider](../../../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider).

+This error means that the subscription was determined to be problematic, and the feature flag `Microsoft.PolicyInsights/DataPlaneBlocked` was added to block the subscription.

+When attempting to create a custom policy definition from the Azure portal page for policy definitions, you select the **Duplicate definition** button. After assigning the policy, you find machines are _NonCompliant_ because no guest configuration assignment resource exists.

+Guest configuration relies on custom metadata added to policy definitions when creating guest configuration assignment resources. The _Duplicate definition_ activity in the Azure portal doesn't copy custom metadata.

+If there's a Kubernetes cluster connectivity failure, evaluation for newly created or updated resources might be bypassed due to Gatekeeper's fail-open behavior.

+In the prior event, the error case can be monitored from the [admission webhook metrics](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#admission-webhook-metrics) provided by the `kube-apiserver`. If evaluation is bypassed at creation time and an object is created, it's reported on Azure Policy compliance as non-compliant as a flag to customers.

+Regardless of the scenario, Azure policy retains the last known policy on the cluster and keeps the guardrails in place.

+If your problem isn't listed in this article or you can't resolve it, get support by visiting one of the following channels:

+- Get answers from experts through [Microsoft Q&A](/answers/topics/azure-policy.html).

+- Connect with [@AzureSupport](https://twitter.com/azuresupport). This official Microsoft Azure resource on Twitter helps improve the customer experience by connecting the Azure community to the right answers, support, and experts.

+- If you still need help, go to the [Azure support site](https://azure.microsoft.com/support/options/) and select **Submit a support ticket**.

+## Connect to Azure

+From a Visual Studio Code terminal session, connect to Azure. If you have more than one subscription, run the commands to set context to your subscription. Replace `<subscriptionID>` with your Azure subscription ID.

+```azurecli

+az login

+# Run these commands if you have multiple subscriptions

+az account list --output table

+az account set --subscription <subscriptionID>

+```

+In this quickstart, you ran Azure Resource Graph queries using the extension for Azure CLI. To learn more about the Resource Graph language, continue to the query language details page.

+This quickstart describes how to run an Azure Resource Graph query using the `Az.ResourceGraph` module for Azure PowerShell. The module is included with the latest version of Azure PowerShell and adds [cmdlets](/powershell/module/az.resourcegraph) for Resource Graph.

+The article also shows how to order (sort) and limit the query's results. You can run a query for resources in your tenant, management groups, or subscriptions.

+- Latest versions of [PowerShell](/powershell/scripting/install/installing-powershell) and [Azure PowerShell](/powershell/azure/install-azure-powershell).

+If you installed the latest versions of PowerShell and Azure PowerShell, you already have the `Az.ResourceGraph` module and required version of PowerShellGet.

+### Optional module installation

+Use the following steps to install the `Az.ResourceGraph` module so that you can use Azure PowerShell to run Azure Resource Graph queries. The Azure Resource Graph module requires PowerShellGet version 2.0.1 or higher.

+To sign out of your Azure PowerShell session:

+```azurepowershell

+Disconnect-AzAccount

+```

+### Optional clean up steps

+If you installed the latest version of Azure PowerShell, the `Az.ResourceGraph` module is included and shouldn't be removed. The following steps are optional if you did a manual install of the `Az.ResourceGraph` module and want to remove the module.

+## Connect to Azure

+From a Visual Studio Code terminal session, connect to Azure. If you have more than one subscription, run the commands to set context to your subscription. Replace `<subscriptionID>` with your Azure subscription ID.

+```azurecli

+az login

+# Run these commands if you have multiple subscriptions

+az account list --output table

+az account set --subscription <subscriptionID>

+```

+1. Select **Charts** and then select **Map** to view the location map.

+1. Select **Charts** and then select **Map** to view the location map.

+To remove the shared query:

+```azurecli

+az graph shared-query delete --name "Summarize resources by location" --resource-group demoSharedQuery

+```

+When a resource group is deleted, the resource group and all its resources are deleted. To remove the resource group:

+In this quickstart, you added the Resource Graph extension to your Azure CLI environment and created a shared query. To learn more about the Resource Graph language, continue to the query language details page.

+ Title: "Quickstart: Create a Resource Graph shared query using Azure PowerShell"

+description: In this quickstart, you create a Resource Graph shared query using Azure PowerShell.

+In this quickstart, you create an Azure Resource Graph shared query using the `Az.ResourceGraph` Azure PowerShell module. The module is included with the latest version of Azure PowerShell and adds [cmdlets](/powershell/module/az.resourcegraph) for Resource Graph.

+A shared query can be run from Azure CLI with the _experimental_ feature's commands, or you can run the shared query from the Azure portal. A shared query is an Azure Resource Manager object that you can grant permission to or run in Azure Resource Graph Explorer. When you finish, you can remove the Resource Graph extension.

+- If you don't have an Azure account, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+- Latest versions of [PowerShell](/powershell/scripting/install/installing-powershell) and [Azure PowerShell](/powershell/azure/install-azure-powershell).

+- [Visual Studio Code](https://code.visualstudio.com/).

+## Install the module

+If you installed the latest versions of PowerShell and Azure PowerShell, you already have the `Az.ResourceGraph` module and required version of PowerShellGet.

+### Optional module installation

+Use the following steps to install the `Az.ResourceGraph` module so that you can use Azure PowerShell to run Azure Resource Graph queries. The Azure Resource Graph module requires PowerShellGet version 2.0.1 or higher.

+1. Verify your PowerShellGet version:

+ ```azurepowershell

+ Get-Module -Name PowerShellGet

+ ```

+ If you need to update, go to [PowerShellGet](/powershell/gallery/powershellget/install-powershellget).

+1. Install the module:

+ ```azurepowershell

+ Install-Module -Name Az.ResourceGraph -Repository PSGallery -Scope CurrentUser

+ ```

+ The command installs the module in the `CurrentUser` scope. If you need to install in the `AllUsers` scope, run the installation from an administrative PowerShell session.

+1. Verify the module was installed:

+ ```azurepowershell

+ Get-Command -Module Az.ResourceGraph -CommandType Cmdlet

+ The command displays the `Search-AzGraph` cmdlet version and loads the module into your PowerShell session.

+## Connect to Azure

+From a Visual Studio Code terminal session, connect to Azure. If you have more than one subscription, run the commands to set context to your subscription. Replace `<subscriptionID>` with your Azure subscription ID.

+```azurepowershell

+Connect-AzAccount

+# Run these commands if you have multiple subscriptions

+Get-AzSubScription

+Set-AzContext -Subscription <subscriptionID>

+```

+## Create a shared query

+The shared query is an Azure Resource Manager object that you can grant permission to or run in Azure Resource Graph Explorer. The query summarizes the count of all resources grouped by location.

+1. Create a resource group to store the Azure Resource Graph shared query.

+ ```azurepowershell

+ New-AzResourceGroup -Name demoSharedQuery -Location westus2

+ ```

+1. Create the Azure Resource Graph shared query.

+ ```azurepowershell

+ $params = @{

+ ResourceGroupName = 'demoSharedQuery'

+ New-AzResourceGraphQuery @params

+ The `$params` variable uses PowerShell [splatting](/powershell/module/microsoft.powershell.core/about/about_splatting) to improve readability for the parameter values used in the command to create the shared query.

+1. List all shared queries in the resource group.

+ ```azurepowershell

+ Get-AzResourceGraphQuery -ResourceGroupName demoSharedQuery

+1. Limit the results to a specific shared query.

+ ```azurepowershell

+ Get-AzResourceGraphQuery -ResourceGroupName demoSharedQuery -Name 'Summarize resources by location'

+## Run the shared query

+You can verify the shared query works using Azure Resource Graph Explorer. To change the scope, use the **Scope** menu on the left side of the page.

+1. Sign in to [Azure portal](https://portal.azure.com).

+1. Enter _resource graph_ into the search field at the top of the page.

+1. Select **Resource Graph Explorer**.

+1. Select **Open query**.

+1. Change **Type** to _Shared queries_.

+1. Select the query _Count VMs by OS_.

+1. Select **Run query** and the view output in the **Results** tab.

+1. Select **Charts** and then select **Map** to view the location map.

+You can also run the query from your resource group.

+1. In Azure, go to the resource group, _demoSharedQuery_.

+1. From the **Overview** tab, select the query _Count VMs by OS_.

+1. Select the **Results** tab to view a list.

+1. Select **Charts** and then select **Map** to view the location map.

+When you finish, you can remove the Resource Graph shared query and resource group from your Azure environment. When a resource group is deleted, the resource group and all its resources are deleted.

+Remove the shared query:

+```azurepowershell

+Remove-AzResourceGraphQuery -ResourceGroupName demoSharedQuery -Name 'Summarize resources by location'

+```

+Delete the resource group:

+```azurepowershell

+Remove-AzResourceGroup -Name demoSharedQuery

+```

+To sign out of your Azure PowerShell session:

+```azurepowershell

+Disconnect-AzAccount

+```

+### Optional clean up steps

+If you installed the latest version of Azure PowerShell, the `Az.ResourceGraph` module is included and shouldn't be removed. The following steps are optional if you did a manual install of the `Az.ResourceGraph` module and want to remove the module.

+To remove the `Az.ResourceGraph` module from your PowerShell session, run the following command:

+```azurepowershell

+Remove-Module -Name Az.ResourceGraph

+To uninstall the `Az.ResourceGraph` module from your computer, run the following command:

+```azurepowershell

+Uninstall-Module -Name Az.ResourceGraph

+```

+A message might be displayed that _module Az.ResourceGraph is currently in use_. If so, you need to shut down your PowerShell session and start a new session. Then run the command to uninstall the module from your computer.

+In this quickstart, you created a Resource Graph shared query using Azure PowerShell. To learn more about the Resource Graph language, continue to the query language details page.

+> [Understanding the Azure Resource Graph query language](./concepts/query-language.md)

+az group create --name demoSharedQuery --location eastus

+az deployment group create --resource-group demoSharedQuery --template-file main.bicep

+New-AzResourceGroup -Name demoSharedQuery -Location eastus

+New-AzResourceGroupDeployment -ResourceGroupName demoSharedQuery -TemplateFile main.bicep

+az resource list --resource-group demoSharedQuery

+Get-AzResource -ResourceGroupName demoSharedQuery

+1. In Azure, go to the resource group, _demoSharedQuery_.

+When you no longer need the resource that you created, delete the resource group using Azure CLI or Azure PowerShell. When a resource group is deleted, the resource group and all its resources are deleted. And if you signed into Azure portal to run the query, be sure to sign out.

+az group delete --name demoSharedQuery

+Remove-AzResourceGroup -Name demoSharedQuery

+In this quickstart, you created a Resource Graph shared query using Bicep. To learn more about the Resource Graph language, continue to the query language details page.

+> [Understanding the Azure Resource Graph query language](./concepts/query-language.md)

+ Title: "Quickstart: Create Resource Graph shared query using ARM template"

+In this quickstart, you created a Resource Graph shared query. To learn more about the Resource Graph language, continue to the query language details page.

+> [Understanding the Azure Resource Graph query language](./concepts/query-language.md)

+> We recommend to use [service tag](hdinsight-service-tags.md) feature for network security groups. If you require region specific service tags, please refer the [Azure IP Ranges and Service Tags ΓÇô Public Cloud](https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_20240624.json)

+> Renewal of an Edge CA requires all server certificates issued by that CA to be regenerated. This regeneration is done by restarting all modules. The time of Edge CA renewal can't be guaranteed. If random module restarts are unacceptable for your use case, disable autorenewal by not including the [edge_ca.auto_renew] section.

+# Device Update for IoT Hub regional mapping for scan and failover

+When you're importing an update into the Device Update for IoT Hub service, that update content may be processed within different Azure regions. The region used for processing depends on the region that your Device Update Instance was created in.

+## Anti-malware scan

+When you're using the Azure portal for importing your update, there's now an option to enable anti-malware scan. If you select the option to enable anti-malware scan, your update is sent to the Azure region that corresponds to the "Default scan region" column table in the **Region mapping for default and failover cases** section. If you don't select the option to enable anti-malware scan, your update is processed in the same region as your Device Update Instance, but it isn't scanned for malware. **Optional anti-malware scan is in Public Preview**.

+If you're using the Azure CLI or directly calling Device Update APIs, your update isn't scanned for malware during the import process. It's processed in the same region as your Device Update Instance.

+## Failover and BCDR

+As an exception to the previous section, in cases where an Azure region is unavailable due to an outage, Device Update for IoT Hub supports business continuity and disaster recovery (BCDR) efforts with regional failover pairings. During an outage, data contained in the update files submitted to the Device Update service may be sent to a secondary Azure region for processing. This failover enables Device Update to continue scanning update files for malware if you select that option.

+## Region mapping for default and failover cases

+| Device Update Instance region|Default scan region|Failover scan region |

+| -- | -- | -- |

+| North Europe | North Europe | Sweden Central |

+|West Europe | North Europe | Sweden Central |

+| UK South| North Europe | Sweden Central |

+|Sweden Central|Sweden Central| North Europe |

+|East US| East US |East US 2 |

+|East US 2| East US 2 |East US |

+|West US 2|West US 2| East US 2 |

+|West US 3| West US 2| East US 2 |

+|South Central US|West US 2| East US 2 |

+|East US 2 (EUAP)|East US 2| East US|

+|Australia East|North Europe| Sweden Central|

+|Southeast Asia | West US 2| East US 2 |

+This endpoint is currently only exposed using the [AMQP](https://www.amqp.org/) protocol on port 5671 and [AMQP over WebSockets](http://docs.oasis-open.org/amqp-bindmap/amqp-wsb/v1.0/cs01/amqp-wsb-v1.0-cs01.html) on port 443. An IoT hub exposes the following properties to enable you to control the built-in Event Hubs-compatible messaging endpoint **messages/events**.

+| **Retention time** | This property specifies how long in days IoT Hub retains messages. The default is one day, but it can be increased to seven days. |

+IoT Hub allows data retention in the built-in endpoint for a maximum of seven days. You can set the retention time during creation of your IoT hub. Data retention time in IoT Hub depends on your IoT hub tier and unit type. In terms of size, the built-in endpoint can retain messages of the maximum message size up to at least 24 hours of quota. For example, one S1 unit IoT hub provides enough storage to retain at least 400,000 messages, at 4 KB per message. If your devices are sending smaller messages, they might be retained for longer (up to seven days) depending on how much storage is consumed. We guarantee to retain the data for the specified retention time as a minimum. After the retention time, messages expire and become inaccessible. You can modify the retention time, either programmatically using the [IoT Hub resource provider REST APIs](/rest/api/iothub/iothubresource), or with the Azure portal.

+When you use Event Hubs SDKs or product integrations that are unaware of IoT Hub, you need an Event Hubs-compatible endpoint and Event Hubs-compatible name. You can retrieve these values from the portal as follows:

+The SDKs you can use to connect to the built-in Event Hubs-compatible endpoint that IoT Hub exposes include:

+| Java | https://mvnrepository.com/artifact/com.azure/azure-messaging-eventhubs | [read-d2c-messages Java](https://github.com/Azure/azure-iot-service-sdk-java/tree/main/service/iot-service-samples/read-d2c-messages) |

+| Python | https://pypi.org/project/azure-eventhub/ | [read-d2c-messages Python](https://github.com/Azure-Samples/azure-iot-samples-python/tree/master/iot-hub/Quickstarts/read-d2c-messages) |

+## Connect to other service and products

+The product integrations you can use with the built-in Event Hubs-compatible endpoint that IoT Hub exposes include:

+Get started with the Azure Key Vault certificate client library for .NET. [Azure Key Vault](../general/overview.md) is a cloud service that provides a secure store for certificates. You can securely store keys, passwords, certificates, and other secrets. Azure key vaults may be created and managed through the Azure portal. In this quickstart, you learn how to create, retrieve, and delete certificates from an Azure key vault using the .NET client library.

+This quickstart is using `dotnet` and Azure CLI.

+The application obtains the key vault name from an environment variable called `KEY_VAULT_NAME`.

+1. **Create your lab account**. For instructions, see [Create a lab account](how-to-create-lab-accounts.md).

+1. **Add users to the Lab Creator role**. For instructions, see [Add a user to the Lab Creator role](how-to-add-lab-creator.md).

+Information technology (IT) administrators who manage a university's cloud resources are ordinarily responsible for setting up the lab account for their school. After they set up a lab account, administrators or educators create the labs that are contained within the account. This article provides a high-level overview of the Azure resources that are involved and the guidance for creating them.

+- Labs are hosted within an Azure subscription managed by Azure Lab Services.

+Labs and their virtual machines (VMs) are managed and hosted for you within a subscription managed Azure Lab Services.

+A subscription contains one or more resource groups. Resource groups are used to create logical groupings of Azure resources that are used together within the same solution.

+When you create a lab account, you can automatically create and attach a shared image gallery at the same time. This option results in the lab account and the shared image gallery being created in separate resource groups. You see this behavior when you follow the steps that are described in the [Configure shared image gallery at the time of lab account creation](how-to-attach-detach-shared-image-gallery-1.md#configure-at-the-time-of-lab-account-creation) tutorial. The image at the beginning of this article uses this configuration.

+We recommend that you invest time up front to plan the structure of your resource groups. It's *not* possible to change a lab account or shared image gallery resource group once after creation. If you need to change the resource group for these resources, you need to delete and re-create your lab account or shared image gallery.

+ Instead of reporting all lab costs through a single lab account, you might need a more clearly apportioned budget. For example, you can create separate lab accounts for your university's Math department, Computer Science department, and so forth, to distribute the budget across departments. You can then view the cost for each individual lab account by using [Azure Cost Management](../cost-management-billing/cost-management-billing-overview.md).

+A lab contains VMs that are each assigned to a single student. In general, you can expect to:

+ To set different quotas for users, you must create separate labs. However, it's possible to add more hours to specific users after you set the quota for the lab.

+By default, each lab has its own virtual network. If you have virtual network peering enabled, each lab has its own subnet peered with the specified virtual network.

+A shared image gallery is attached to a lab account and serves as a central repository for storing images. An image is saved in the gallery when an educator chooses to export it from a lab's template VM. Each time an educator makes changes to the template VM and exports it, new image definitions and\or versions are created in the gallery.

+Educators can publish an image version from the shared image gallery when they create a new lab. Although the gallery stores multiple versions of an image, educators can select only the most recent version during lab creation. The most recent version is chosen based on the highest value of MajorVersion, then MinorVersion, then Patch. For more information about versioning, see [Image versions](../virtual-machines/shared-image-galleries.md#image-versions).

+ It's useful to create a custom image or make changes (software, configuration, and so on) to an image from the Azure Marketplace gallery. For example, it's common for educators to require different software or tooling be installed. Rather than requiring students to manually install these prerequisites on their own, different versions of the template VM image can be exported to a shared image gallery. You can then use these image versions when you create new labs.

+ You can [upload custom images other environments outside of the context of labs](how-to-attach-detach-shared-image-gallery-1.md). For example, you can upload images from your own physical lab environment or from an Azure VM into shared image gallery. Once an image is imported into the gallery, you can then use the images to create labs.

+- Use a single shared image gallery shared by multiple lab accounts. In this case, each lab account can enable only images that are applicable to the labs in that account.

+As you get started with Azure Lab Services, we recommend that you establish naming conventions for Azure and Azure Lab Services related resources. Although the naming conventions that you establish are unique to the needs of your organization, the following table provides general guidelines:

+In the preceding table, we used some terms and tokens in the suggested name patterns. Let's go over those terms in a little more detail.

+A lab account's location indicates the region that a resource exists in.

+ You can [peer a lab account with a virtual network](./how-to-connect-peer-virtual-network.md) when they're in the same region. When a lab account is peered with a virtual network, labs are automatically created in the same region as both the lab account and the virtual network.

+ When *no* virtual network is peered with the lab account and [Lab Creators are *not allowed* to pick the lab location](./allow-lab-creator-pick-lab-location.md), labs are automatically created in a region that has available VM capacity. Specifically, Azure Lab Services looks for availability in [regions that are within the same geography as the lab account](https://azure.microsoft.com/global-infrastructure/regions).

+In the following table, notice that several of the VM sizes map to more than one VM series. Depending on capacity availability, Lab Services can use any of the VM series that are listed for a VM size. For example, the *Small* VM size maps to using either the [Standard_A2_v2](../virtual-machines/av2-series.md) or the [Standard_A2](../virtual-machines/sizes-previous-gen.md#a-series) VM series. When you choose *Small* as the VM size for your lab, Lab Services first attempts to use the *Standard_A2_v2* series. However, when there isn't sufficient capacity available, Lab Services uses the *Standard_A2* series. The pricing is determined by the VM size and is the same regardless of which VM series Lab Services uses for that specific size. For more information on pricing for each VM size, read the [Lab Services pricing guide](https://azure.microsoft.com/pricing/details/lab-services/).

+| Medium (nested virtualization) | 4 vCPUs | 16 GBs RAM | [Standard_D4s_v3](../virtual-machines/dv3-dsv3-series.md#dsv3-series) | Best suited for relational databases, in-memory caching, and analytics. This size also supports nested virtualization. |

+| Large (nested virtualization) | 8 vCPUs | 32 GB RAM | [Standard_D8s_v3](../virtual-machines/dv3-dsv3-series.md#dsv3-series) | Best suited for applications that need faster CPUs, better local disk performance, large databases, large memory caches. This size also supports nested virtualization. |

+ To create labs within a lab account, an educator must be a member of the Lab Creator role. An educator who creates a lab is automatically added as a lab Owner. For more information, see [Add a user to the Lab Creator role](how-to-add-lab-creator.md).

+- To give educators the ability to manage specific labs, but *not* the ability to create new labs, assign them either the Owner or Contributor role for each lab that they manage. For example, you might want to allow a professor and a teaching assistant to co-own a lab. For more information, see [Add Owners to a lab](./how-to-add-user-lab-owner.md).

+Your school might need to do content filtering to prevent students from accessing inappropriate websites. For example, to comply with the [Children's Internet Protection Act (CIPA)](https://www.fcc.gov/consumers/guides/childrens-internet-protection-act). Lab Services doesn't offer built-in support for content filtering.

+The first approach isn't currently supported by Lab Services. Lab Services hosts each lab's virtual network within a Microsoft-managed Azure subscription. As a result, you don't have access to the underlying virtual network to do content filtering at the network level. For more information on Lab Services' architecture, read the article [Architecture Fundamentals](./classroom-labs-fundamentals.md).

+Instead, we recommend the second approach, which is to install 3rd party software on each lab's template VM. There are a few key points to highlight as part of this solution:

+- If you plan to use the [auto-shutdown settings](./cost-management-guide.md#automatic-shutdown-settings-for-cost-control), you'll need to unblock several Azure host names with the 3rd party software. The auto-shutdown settings use a diagnostic extension that must be able to communicate back to Lab Services. Otherwise, the auto-shutdown settings fail to enable for the lab.

+- You may also want to have each student use a non-admin account on their VM so that they can't uninstall the content filtering software. By default, Lab Services creates an admin account that each student uses to sign into their VM. It is possible to add a non-admin account using a specialized image, but there are some known limitations.

+Many endpoint management tools, such as [Microsoft Configuration Manager](https://techcommunity.microsoft.com/t5/azure-lab-services/configuration-manager-azure-lab-services/ba-p/1754407), require Windows VMs to have unique machine security identifiers (SIDs). Using SysPrep to create a *generalized* image typically ensures that each Windows machine has a new, unique machine SID generated when the VM boots from the image.

+With Lab Services, even if you use a *generalized* image to create a lab, the template VM and student VMs will all have the same machine SID. The VMs have the same SID because the template VM's image is in a *specialized* state when it's published to create the student VMs.

+For example, the Azure Marketplace images are generalized. If you create a lab from the Win 10 marketplace image and publish the template VM, all of the student VMs within a lab have the same machine SID as the template VM. The machine SIDs can be verified by using a tool such as [PsGetSid](/sysinternals/downloads/psgetsid).

+If you plan to use an endpoint management tool or similar software, we recommend that you test it with lab VMs to ensure that it works properly when machine SIDs are the same.

+Creating a shared image gallery and attaching it to your lab account is free. No cost is incurred until you save an image version to the gallery. The pricing for using a shared image gallery is ordinarily fairly negligible, but it's important to understand how it's calculated, because it isn't included in the pricing for Azure Lab Services.

+To store image versions, a shared image gallery uses standard hard disk drive (HDD) managed disks by default. We recommend using HDD-managed disks when using shared image gallery with Lab Services. The size of the HDD-managed disk that's used depends on the size of the image version that's being stored. Lab Services supports image and disk sizes up to 128 GB. To learn about pricing, see [Managed disks pricing](https://azure.microsoft.com/pricing/details/managed-disks/).

+A network egress charge occurs when an image version is replicated from the source region to additional target regions. The amount charged is based on the size of the image version when the image's data is initially transferred outbound from the source region. For pricing details, see [Bandwidth pricing details](https://azure.microsoft.com/pricing/details/bandwidth/).

+- *Number of images &times; number of versions &times; number of replicas &times; managed disk price = total cost per month*

+- 1 custom image (32 GB) &times; 2 versions &times; 8 US regions &times; $1.54 = $24.64 per month

+ Title: 'How to add a lab creator to a lab account with Azure Lab Services'

+description: Learn how to grant a user access to create labs.

+# Add a user to the Lab Creator role

+To grant people the permission to create labs, add them to the Lab Creator role.

+Follow these steps to [assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.yml).

+> [!NOTE]

+> Azure Lab Services automatically assigns the Lab Creator role to the Azure account you use to create the lab account.

+1. On the **Lab Account** page, select **Access control (IAM)**.

+1. From the **Access control (IAM)** page, select **Add** > **Add role assignment**.

+ :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows the Access control (I A M) page with Add role assignment menu option highlighted.":::

+1. On the **Role** tab, select the **Lab Creator** role.

+ :::image type="content" source="../../includes/role-based-access-control/media/add-role-assignment-role-generic.png" alt-text="Screenshot that shows the Add role assignment page with Role tab selected.":::

+1. On the **Members** tab, select the user you want to add to the Lab Creators role.

+1. On the **Review + assign** tab, select **Review + assign** to assign the role.

+## Next steps

+In this article, you granted lab creation permissions to another user. To learn about how to create a lab, see [Manage labs in Azure Lab Services when using lab accounts](how-to-manage-classroom-labs.md).

+description: Learn how to connect your lab network with another network as a peer for lab accounts in Azure Lab Services. For example, connect your on-premises organization/university network with Lab's virtual network in Azure.

+You might need to connect your lab's network with a peer virtual network in some scenarios including the following ones:

+> When creating a Azure Virtual Network that will be peered with a lab account, it's important to understand how the virtual network's region impacts where labs are created. For more information, see the administrator guide's section on [regions/locations](./administrator-guide-1.md#regionslocations).

+> If your school needs to perform content filtering, such as for compliance with the [Children's Internet Protection Act (CIPA)](https://www.fcc.gov/consumers/guides/childrens-internet-protection-act), you will need to use 3rd party software. For more information, read guidance on [content filtering with Lab Services](./administrator-guide.md#content-filtering).

+When [creating a lab account](how-to-create-lab-accounts.md), you can pick an existing virtual network that shows in the **Peer virtual network** dropdown list on the **Advanced** tab. The list only shows virtual networks in the same region as the lab account. The selected virtual network is connected (peered) to labs created under the lab account. All the virtual machines in labs that are created after the making this change have access to the resources on the peered virtual network.

+There's also an option to provide an address range for virtual machines for the labs. The address range setting applies only if you enable a peer virtual network for the lab. If the address range is provided, all the virtual machines in the labs under the lab account are created in that address range. The address range should be in CIDR notation (for example, 10.20.0.0/20) and shouldn't overlap with any existing address ranges.

+When you provide an address range, it's important to think about the number of *labs* that you create. Azure Lab Services assumes a maximum of 512 virtual machines per lab. For example, an IP range with '/23' can create only one lab. A range with a '/21' allows for the creation of four labs.

+If the address range isn't specified, Azure Lab Services uses the default address range given to it by Azure when creating the virtual network to be peered with your virtual network. The range is often something like 10.x.0.0/16. Large IP ranges might lead to IP range overlap. Make sure to either specify an address range in the lab settings or check the address range of your virtual network being peered.

+> Lab creation can fail if the lab account is peered to a virtual network but has too narrow of an IP address range. You can run out of space in the address range if there are too many labs in the lab account (each lab uses 512 addresses).

+>

+> If the lab creation fails, contact your lab account owner/admin and request for the address range to be increased. The admin can increase the address range using steps mentioned in the [Specify an address range for VMs in a lab account](#specify-an-address-range-for-vms-in-the-lab-account) section.

+The following procedure has steps to specify an address range for VMs in the lab. If you update the range that you previously specified, the modified address range applies only to VMs that are created after the change was made.

+Here are some restrictions when specifying the address range that you should keep in mind.

+- The prefix must be smaller than or equal to 23.

+3. Select **Save** on the toolbar

+- [Configure other settings for a lab](how-to-configure-lab-accounts.md)

+To set up a lab in a lab account, you must be a member of the **Lab Creator** role in the lab account. The account you used to create a lab account is automatically added to this role. A lab owner can add other users to the Lab Creator role by using steps in the following article: [Add a user to the Lab Creator role](how-to-add-lab-creator.md).

+ An educator can choose to use the same password for all the VMs in the lab, or allow students to set passwords for their VMs. By default, this setting is enabled for all Windows and Linux images except for Ubuntu. When you select **Ubuntu** VM, this setting is disabled and students are prompted to set a password when they sign in for the first time.

+ 1. Connect to the template VM by selecting **Connect**. If it's a Linux template VM, you choose whether you want to connect using an SSH terminal or a graphical remote desktop. Extra setup is required to use a graphical remote desktop. For more information, see [Enable graphical remote desktop for Linux virtual machines in Azure Lab Services](how-to-enable-remote-desktop-linux.md).

+ 1. **Stop** the VM.

+| **Data** | **Description** | **Version introduced** |

+This article describes how to use Azure Load Balancer with multiple IP addresses on a secondary network interface (NIC). For this scenario, we have two VMs running Windows, each with a primary and a secondary NIC. Each of the secondary NICs has two IP configurations. Each VM hosts both websites contoso.com and fabrikam.com. Each website is bound to one of the IP configurations on the secondary NIC. We use Azure Load Balancer to expose two frontend IP addresses, one for each website, to distribute traffic to the respective IP configuration for the website. This scenario uses the same port number across both frontends, and both backend pool IP addresses.

+ You don't need to associate the secondary IP configurations with public IPs in this tutorial. Edit the command to remove the public IP association part.

+6. Complete steps 4 through 6 of this article again for VM2. Be sure to replace the VM name to VM2 when doing this. You don't need to create a virtual network for the second VM. You can create a new subnet based on your use case.

+13. Finally, you must configure DNS resource records to point to the respective frontend IP address of the Load Balancer. You can host your domains in Azure DNS. For more information about using Azure DNS with Load Balancer, see [Using Azure DNS with other Azure services](../dns/dns-for-azure-services.md).

+ | Setting | Value |

+ | Configure network security group | Select **Create new**.</br> In **Create network security group**, enter **myNSG** in **Name**.</br> In **Inbound rules**, select **+Add an inbound rule**.</br> In **Service**, select **HTTP**.</br> In **Priority**, enter **100**.</br> In **Name**, enter **myNSGrule**.</br> Select **Add**.</br> Select **OK**. |

+7. On the server desktop, navigate to **Start > Windows Administrative Tools > Windows PowerShell > Windows PowerShell**.

+ | Public IP address | Select **Create new**.</br> Enter **myPublicIP-contoso** for **Name** </br> Select **Zone-redundant** in **Availability zone**.</br> Leave the default of **Microsoft Network** for **Routing preference**.</br> Select **OK**. |

+ > In regions with [Availability Zones](../availability-zones/az-overview.md?toc=%2fazure%2fvirtual-network%2ftoc.json#availability-zones), you have the option to select no-zone (default option), a specific zone, or zone-redundant. The choice will depend on your specific domain failure requirements. In regions without Availability Zones, this field won't appear.</br> For more information on availability zones, see [Availability zones overview](../availability-zones/az-overview.md).

+ | Public IP address | Select **Create new**.</br> Enter **myPublicIP-fabrikam** for **Name** </br> Select **Zone-redundant** in **Availability zone**.</br> Leave the default of **Microsoft Network** for **Routing preference**.</br> Select **OK**. |

+ | Health probe | Select **Create new**.</br> In **Name**, enter **myHealthProbe-contoso**.</br> Select **TCP** in **Protocol**.</br> Leave the rest of the defaults, and select **OK**. |

+ | Health probe | Select **Create new**.</br> In **Name**, enter **myHealthProbe-fabrikam**.</br> Select **TCP** in **Protocol**.</br> Leave the rest of the defaults, and select **OK**. |

+> [Create a cross-region load balancer using the Azure portal](tutorial-cross-region-portal.md)

+ | Health probe | Select **Create new**.</br> In **Name**, enter **lb-health-probe**.</br> Select **TCP** in **Protocol**.</br> Leave the rest of the defaults, and select **Save**. |

+description: Learn how to create a public load balancer using the Azure portal.

+ > In regions with [Availability Zones](../availability-zones/az-overview.md?toc=%2fazure%2fvirtual-network%2ftoc.json#availability-zones), you have the option to select no-zone (default option), a specific zone, or zone-redundant. The choice will depend on your specific domain failure requirements. In regions without Availability Zones, this field won't appear.</br> For more information on availability zones, see [Availability zones overview](../availability-zones/az-overview.md).

+1. Select **Save**.

+1. Select **Save**.

+ | Health probe | Select **Create new**.</br> In **Name**, enter **lb-health-probe**.</br> Select **HTTP** in **Protocol**.</br> Leave the rest of the defaults, and select **Save**. |

+## June 28, 2024

+Image Version: 24.06.10

+SDK Version: 1.56.0

+Issue fixed: Compute Instance 20.04 image build with SDK 1.56.0

+Major: Image Version: 24.06.10

+- SDK（azureml-core):1.56.0

+- Python:3.9

+- CUDA: 12.2

+- CUDnn==9.1.1

+- Nvidia Driver: 535.171.04

+- PyTorch: 1.13.1

+- TensorFlow: 2.15.0

+- autokeras==1.0.16

+- keras=2.15.0

+- ray==2.2.0

+- docker version==24.0.9-1

+ Title: How to deploy JAIS models with Azure Machine Learning studio

+description: Learn how to deploy JAIS models with Azure Machine Learning studio.

+# How to deploy JAIS with Azure Machine Learning studio

+In this article, you learn how to use Azure Machine Learning studio to deploy the JAIS model as a service with pay-as you go billing.

+The JAIS model is available in Azure Machine Learning studio with pay-as-you-go token based billing with Models as a Service.

+- An Azure Machine Learning workspace. If you don't have these, use the steps in the [Quickstart: Create workspace resources](quickstart-create-resources.md) article to create them. The serverless API model deployment offering for JAIS is only available with workspaces created in these regions:

+ * East US

+ * East US 2

+ * North Central US

+ * South Central US

+ * West US

+ * West US 3

+ * Sweden Central

+ For a list of regions that are available for each of the models supporting serverless API endpoint deployments, see [Region availability for models in serverless API endpoints](concept-endpoint-serverless-availability.md).

+JAIS 30b Chat is an auto-regressive bi-lingual LLM for **Arabic** & **English**. The tuned versions use supervised fine-tuning (SFT). The model is fine-tuned with both Arabic and English prompt-response pairs. The fine-tuning datasets included a wide range of instructional data across various domains. The model covers a wide range of common tasks including question answering, code generation, and reasoning over textual content. To enhance performance in Arabic, the Core42 team developed an in-house Arabic dataset as well as translating some open-source English instructions into Arabic.

+- [Region availability for models in serverless API endpoints](concept-endpoint-serverless-availability.md)

+ client.connections.create_or_update(ServerlessConnection(

+- [Deploy models as serverless API endpoints](how-to-deploy-models-serverless.md)

+* If you're working on a compute instance, the CLI is already installed. If working on a different computer, install the [Azure CLI extension for Machine Learning service (v2)](https://aka.ms/sdk-v2-install).

+ml_client = MLClient(credential, subscription_id, resource_group, workspace)

+workspace = Workspace.get("chrjia-eastus", auth=auth, subscription_id=subscription_id, resource_group=resource_group, location="East US")

+- An Azure Machine Learning workspace. If you don't have these, use the steps in the [Quickstart: Create workspace resources](quickstart-create-resources.md) article to create them. The serverless API model deployment offering for Cohere Command is only available with workspaces created in these regions:

+ * East US

+ * East US 2

+ * North Central US

+ * South Central US

+ * West US

+ * West US 3

+ * Sweden Central

+ For a list of regions that are available for each of the models supporting serverless API endpoint deployments, see [Region availability for models in serverless API endpoints](concept-endpoint-serverless-availability.md).

+- [Region availability for models in serverless API endpoints](concept-endpoint-serverless-availability.md)

+- An Azure Machine Learning workspace. If you don't have these, use the steps in the [Quickstart: Create workspace resources](quickstart-create-resources.md) article to create them. The serverless API model deployment offering for Cohere Embed is only available with workspaces created in these regions:

+ * East US

+ * East US 2

+ * North Central US

+ * South Central US

+ * West US

+ * West US 3

+ * Sweden Central

+ For a list of regions that are available for each of the models supporting serverless API endpoint deployments, see [Region availability for models in serverless API endpoints](concept-endpoint-serverless-availability.md).

+- [Region availability for models in serverless API endpoints](concept-endpoint-serverless-availability.md)

+- An Azure Machine Learning workspace and a compute instance. If you don't have these, use the steps in the [Quickstart: Create workspace resources](quickstart-create-resources.md) article to create them. The serverless API model deployment offering for Jamba Instruct is only available with workspaces created in these regions:

+ * East US

+ * East US 2

+ * North Central US

+ * South Central US

+ * West US

+ * West US 3

+ * Sweden Central

+ For a list of regions that are available for each of the models supporting serverless API endpoint deployments, see [Region availability for models in serverless API endpoints](concept-endpoint-serverless-availability.md).

+- [Region availability for models in serverless API endpoints](concept-endpoint-serverless-availability.md)

+- An Azure Machine Learning workspace and a compute instance. If you don't have these, use the steps in the [Quickstart: Create workspace resources](quickstart-create-resources.md) article to create them. The serverless API model deployment offering for Meta Llama 3 is only available with workspaces created in these regions:

+ * East US

+ * East US 2

+ * North Central US

+ * South Central US

+ * West US

+ * West US 3

+ * Sweden Central

+

+ For a list of regions that are available for each of the models supporting serverless API endpoint deployments, see [Region availability for models in serverless API endpoints](concept-endpoint-serverless-availability.md).

+- An Azure Machine Learning workspace and a compute instance. If you don't have these, use the steps in the [Quickstart: Create workspace resources](quickstart-create-resources.md) article to create them. The serverless API model deployment offering for Meta Llama 2 is only available with workspaces created in these regions:

+ * East US

+ * East US 2

+ * North Central US

+ * South Central US

+ * West US

+ * West US 3

+

+ For a list of regions that are available for each of the models supporting serverless API endpoint deployments, see [Region availability for models in serverless API endpoints](concept-endpoint-serverless-availability.md).

+- [Region availability for models in serverless API endpoints](concept-endpoint-serverless-availability.md)

+- An Azure Machine Learning workspace. If you don't have a workspace, use the steps in the [Quickstart: Create workspace resources](quickstart-create-resources.md) article to create one. The serverless API model deployment offering for Phi-3 is only available with workspaces created in these regions:

+ * East US 2

+ * Sweden Central

+ For a list of regions that are available for each of the models supporting serverless API endpoint deployments, see [Region availability for models in serverless API endpoints](concept-endpoint-serverless-availability.md).

+- [Plan and manage costs for Azure AI Studio](concept-plan-manage-cost.md)

+- [Region availability for models in serverless API endpoints](concept-endpoint-serverless-availability.md)

+- [Plan and manage costs for Azure AI Studio](concept-plan-manage-cost.md)

+- [Region availability for models in serverless API endpoints](concept-endpoint-serverless-availability.md)

+Once you have verified that you have at least one custom environment, start a terminal and set up the CLI:

+After you've set up the CLI, use the following steps to build a container.

+This article offers you examples on how to create an RAG pipeline. For advanced scenarios, you can build your own custom Azure Machine Learning pipelines from code (typically notebooks) that allows you granular control of the RAG workflow. Azure Machine Learning provides several in-built pipeline components for data chunking, embeddings generation, test data creation, automatic prompt generation, prompt evaluation. These components can be used as per your needs using notebooks. You can even use the Vector Index created in Azure Machine Learning in LangChain.

+monitor-control-service 0.4.1

+connectedk8s 1.7.3

+k8s-configuration 2.0.0

+managednetworkfabric 6.2.0

+ssh 2.0.4

+ The service uses [Galois/Counter Mode (GCM)](https://en.wikipedia.org/wiki/Galois/Counter_Mode) mode with AES 256-bit cipher included in Azure storage encryption, and the keys are system managed. This is similar to other at-rest encryption technologies, like transparent data encryption in SQL Server or Oracle databases. Storage encryption is always on and can't be disabled.

+This article provides an overview of the autovacuum feature for [Azure Database for PostgreSQL flexible server](overview.md) and the feature troubleshooting guides that are available to monitor the database bloat, autovacuum blockers. It also provides information around how far the database is from emergency or wraparound situation.

+Autovacuum is a PostgreSQL background process that automatically cleans up dead tuples and updates statistics. It helps maintain the database performance by automatically running two key maintenance tasks:

+

+- VACUUM - Frees up disk space by removing dead tuples.

+- ANALYZE - Collects statistics to help the PostgreSQL Optimizer choose the best execution paths for queries.

+

+To ensure autovacuum works properly, the autovacuum server parameter should always be set to ON. When enabled, PostgreSQL automatically decides when to run VACUUM or ANALYZE on a table, ensuring the database remains efficient and optimized.

+Autovacuum reads pages looking for dead tuples, and if none are found, autovacuum discards the page. When autovacuum finds dead tuples, it removes them. The cost is based on:

+| Parameter | Description

+| -- | -- |

+`vacuum_cost_page_hit` | Cost of reading a page that is already in shared buffers and doesn't need a disk read. The default value is set to 1.

+`vacuum_cost_page_miss` | Cost of fetching a page that isn't in shared buffers. The default value is set to 10.

+`vacuum_cost_page_dirty` | Cost of writing to a page when dead tuples are found in it. The default value is set to 20.

+The amount of work autovacuum performs depend on two parameters:

+| Parameter | Description

+| -- | -- |

+`autovacuum_vacuum_cost_limit` | The amount of work autovacuum does in one go.

+`autovacuum_vacuum_cost_delay` | Number of milliseconds that autovacuum is asleep after it reaches the cost limit specified by the `autovacuum_vacuum_cost_limit` parameter.

+In all currently supported versions of Postgres the default value for `autovacuum_vacuum_cost_limit` is 200 (actually, set to -1, which makes it equals to the value of the regular `vacuum_cost_limit`, which by default, is 200).

+| Parameter | Description

+| -- | -- |

+`dead_pct` | Percentage of dead tuples when compared to live tuples.

+`last_autovacuum` | The date of the last time the table was autovacuumed.

+`last_autoanalyze` | The date of the last time the table was automatically analyzed.

+An autovacuum action (either *ANALYZE* or *VACUUM*) triggers when the number of dead tuples exceeds a particular number that is dependent on two factors: the total count of rows in a table, plus a fixed threshold. *ANALYZE*, by default, triggers when 10% of the table plus 50 row changes, while *VACUUM* triggers when 20% of the table plus 50 row changes. Since the *VACUUM* threshold is twice as high as the *ANALYZE* threshold, *ANALYZE* gets triggered earlier than *VACUUM*.

+For PG versions >=13; *ANALYZE* by default, triggers when 20% of the table plus 1000 row inserts.

+- **Autoanalyze** = autovacuum_analyze_scale_factor * tuples + autovacuum_analyze_threshold or

+ autovacuum_vacuum_insert_scale_factor * tuples + autovacuum_vacuum_insert_threshold (For PG versions >= 13)

+For example, if we have a table with 100 rows. The following equation then provides the information on when the analyze and vacuum triggers:

+For Updates/deletes:

+Analyze triggers after 60 rows are changed on a table, and Vacuum triggers when 70 rows are changed on a table.

+For Inserts:

+`Autoanalyze = 0.2 * 100 + 1000 = 1020`

+Analyze triggers after 1,020 rows are inserted on a table

+Here's the description of the parameters used in the equation:

+| Parameter | Description

+| -- | -- |

+| `autovacuum_analyze_scale_factor` | Percentage of inserts/updates/deletes which triggers ANALYZE on the table.

+| `autovacuum_analyze_threshold` | Specifies the minimum number of tuples inserted/updated/deleted to ANALYZE a table.

+| `autovacuum_vacuum_insert_scale_factor` | Percentage of inserts that triggers ANLYZE on the table.

+| `autovacuum_vacuum_insert_threshold` | Specifies the minimum number of tuples inserted to ANALYZE a table.

+| `autovacuum_vacuum_scale_factor` | Percentage of updates/deletes which triggers VACUUM on the table.

+If `autovacuum_vacuum_cost_limit` is set to `-1`, then autovacuum uses the `vacuum_cost_limit` parameter, but if `autovacuum_vacuum_cost_limit` itself is set to greater than `-1` then `autovacuum_vacuum_cost_limit` parameter is considered.

+| Parameter | Description

+> - The `autovacuum_vacuum_cost_limit` value is distributed proportionally among the running autovacuum workers, so that if there is more than one, the sum of the limits for each worker doesn't exceed the value of the `autovacuum_vacuum_cost_limit` parameter.

+> - `autovacuum_vacuum_scale_factor` is another parameter which could trigger vacuum on a table based on dead tuple accumulation. Default: `0.2`, Allowed range: `0.05 - 0.1`. The scale factor is workload-specific and should be set depending on the amount of data in the tables. Before changing the value, investigate the workload and individual table volumes.

+Continuously running autovacuum might affect CPU and IO utilization on the server. Here are some of the possible reasons:

+For example, if a server has 60 databases and `autovacuum_naptime` is set to 60 seconds, then the autovacuum worker starts every second [autovacuum_naptime/Number of databases].

+If autovacuum is consuming more resources, the following actions can be done:

+If autovacuum is too disruptive, consider the following actions:

+- Reduce the number of `autovacuum_max_workers` if set higher than the default of 3.

+Increasing the number of autovacuum workers doesn't increase the speed of vacuum. Having a high number of autovacuum workers isn't recommended.

+Increasing the number of autovacuum workers result in more memory consumption, and depending on the value of `maintenance_work_mem` , could cause performance degradation.

+However, if we set the parameter at table level `autovacuum_vacuum_cost_delay` or `autovacuum_vacuum_cost_limit` parameters then the workers running on those tables are exempted from being considered in the balancing algorithm [autovacuum_cost_limit/autovacuum_max_workers].

+When a database runs into transaction ID wraparound protection, an error message like the following error can be observed:

+The wraparound problem occurs when the database is either not vacuumed or there are too many dead tuples that aren't removed by autovacuum. The reasons for this issue might be:

+Any long-running transaction in the system doesn't allow dead tuples to be removed while autovacuum is running. They're a blocker to the vacuum process. Removing the long running transactions frees up dead tuples for deletion when autovacuum runs.

+When the database runs into transaction ID wraparound protection, check for any blockers as mentioned previously, and remove the blockers manually for autovacuum to continue and complete. You can also increase the speed of autovacuum by setting `autovacuum_cost_delay` to 0 and increasing the `autovacuum_cost_limit` to a value greater than 200. However, changes to these parameters do not apply to existing autovacuum workers. Either restart the database or kill existing workers manually to apply parameter changes.

+Autovacuum parameters might be set for individual tables. It's especially important for small and large tables. For example, for a small table that contains only 100 rows, autovacuum triggers VACUUM operation when 70 rows change (as calculated previously). If this table is frequently updated, you might see hundreds of autovacuum operations a day, preventing autovacuum from maintaining other tables on which the percentage of changes aren't as significant. Alternatively, a table containing a billion rows needs to change 200 million rows to trigger autovacuum operations. Setting autovacuum parameters appropriately prevents such scenarios.

+In versions of PostgreSQL <= 13, autovacuum doesn't run on tables with an insert-only workload, as there are no dead tuples and no free space that needs to be reclaimed. However, autoanalyze runs for insert-only workloads since there's new data. The disadvantages of this are:

+- Hint bits are not set.

+##### Postgres versions <= 13

+Autovacuum runs on tables with an insert-only workload. Two new server parameters `autovacuum_vacuum_insert_threshold` and  `autovacuum_vacuum_insert_scale_factor` help control when autovacuum can be triggered on insert-only tables.

+Using the feature troubleshooting guides that is available on the Azure Database for PostgreSQL flexible server portal it's possible to monitor bloat at database or individual schema level along with identifying potential blockers to autovacuum process. Two troubleshooting guides are available first one is autovacuum monitoring that can be used to monitor bloat at database or individual schema level. The second troubleshooting guide is autovacuum blockers and wraparound, which helps to identify potential autovacuum blockers. It also provides information on how far the databases on the server are from wraparound or emergency situation. The troubleshooting guides also share recommendations to mitigate potential issues. How to set up the troubleshooting guides to use them follow [setup troubleshooting guides](how-to-troubleshooting-guides.md).

+## Azure Advisor Recommendations

+Azure Advisor recommendations are a proactive way of identifying if a server has a high bloat ratio or the server is approaching transaction wraparound scenario. You can also set alerts for the recommendations using the [Create Azure Advisor alerts on new recommendations using the Azure portal](../../advisor/advisor-alerts-portal.md)

+The recommendations are:

+- **High Bloat Ratio**: A high bloat ratio can affect server performance in several ways. One significant issue is that the PostgreSQL Engine Optimizer might struggle to select the best execution plan, leading to degraded query performance. Therefore, a recommendation is triggered when the bloat percentage on a server reaches a certain threshold to avoid such performance issues.

+- **Transaction Wrap around**: This scenario is one of the most serious issues a server can encounter. Once your server is in this state it might stop accepting any more transactions, causing the server to become read-only. Hence, a recommendation is triggered when we see the server has crossed 1 billion transactions threshold.

+ Title: Activate eligible Azure role assignments (Preview) - Azure RBAC

+description: Learn how to activate eligible Azure role assignments in Azure role-based access control (Azure RBAC) using the Azure portal.

+# Activate eligible Azure role assignments (Preview)

+> [!IMPORTANT]

+> Azure role assignment integration with Privileged Identity Management is currently in PREVIEW.

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+Eligible Azure role assignments provide just-in-time access to a role for a limited period of time. Microsoft Entra Privileged Identity Management (PIM) role activation has been integrated into the Access control (IAM) page in the Azure portal. If you have been made eligible for an Azure role, you can activate that role using the Azure portal. This capability is being deployed in stages, so it might not be available yet in your tenant or your interface might look different.

+## Prerequisites

+- Microsoft Entra ID P2 license or Microsoft Entra ID Governance license

+- [Eligible role assignment](./role-assignments-portal.yml#step-6-select-assignment-type-(preview))

+- `Microsoft.Authorization/roleAssignments/read` permission, such as [Reader](./built-in-roles/general.md#reader)

+## Activate group membership (if needed)

+If you have been made eligible for a group ([PIM for Groups](/entra/id-governance/privileged-identity-management/concept-pim-for-groups)) and this group has an eligible role assignment, you must first activate your group membership before you can see the eligible role assignment for the group. For this scenario, you must activate twice - first for the group and then for the role.

+For steps on how to activate your group membership, see [Activate your group membership or ownership in Privileged Identity Management](/entra/id-governance/privileged-identity-management/groups-activate-roles).

+## Activate role using the Azure portal

+These steps describe how to activate an eligible role assignment using the Azure portal.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Click **All services** and then select the scope. For example, you can select **Management groups**, **Subscriptions**, **Resource groups**, or a resource.

+1. Click the specific resource.

+1. Click **Access control (IAM)**.

+1. Click **Activate role**.

+ The **assignments** pane appears and lists your eligible role assignments.

+ :::image type="content" source="./media/role-assignments-eligible-activate/activate-role.png" alt-text="Screenshot of Access control page and Activate role assignments pane." lightbox="./media/role-assignments-eligible-activate/activate-role.png":::

+1. Add a check mark next to a role you want to activate and then click **Activate role**.

+ The **Activate** pane appears with activate settings.

+1. On the **Activate** tab, specify the start time, duration, and reason. If you want to customize the activation start time, check the **Custom activation start time** box.

+ :::image type="content" source="./media/role-assignments-eligible-activate/activate-role-settings.png" alt-text="Screenshot of Activate pane and Activate tab that shows start time, duration, and reason settings." lightbox="./media/role-assignments-eligible-activate/activate-role-settings.png":::

+1. (Optional) Click the **Scope** tab to specify the scope for the role assignment.

+ If your eligible role assignment was defined at a higher scope, you can select a lower scope to narrow your access. For example, if you have an eligible role assignment at subscription scope, you can choose resource groups in the subscription to narrow your scope.

+ :::image type="content" source="./media/role-assignments-eligible-activate/activate-role-scope.png" alt-text="Screenshot of Activate pane and Scope tab that shows scope settings." lightbox="./media/role-assignments-eligible-activate/activate-role-scope.png":::

+1. When finished, click the **Activate** button to activate the role with the selected settings.

+ Progress messages appear to indicate the status of the activation.

+ :::image type="content" source="./media/role-assignments-eligible-activate/activate-role-status.png" alt-text="Screenshot of Activate pane that shows activation status." lightbox="./media/role-assignments-eligible-activate/activate-role-status.png":::

+ When activation is complete, you see a message that the role was successfully activated.

+ Once an eligible role assignment has been activated, it will be listed as an active time-bound role assignment on the **Role assignments** tab. For more information, see [List Azure role assignments using the Azure portal](./role-assignments-list-portal.yml#list-role-assignments-at-a-scope).

+## Next steps

+- [Integration with Privileged Identity Management (Preview)](./role-assignments.md#integration-with-privileged-identity-management-preview)

+- [Activate my Azure resource roles in Privileged Identity Management](/entra/id-governance/privileged-identity-management/pim-resource-roles-activate-your-roles)

+You can have up to **4000** role assignments in each subscription. This limit includes role assignments at the subscription, resource group, and resource scopes. [Eligible role assignments](./role-assignments-portal.yml#step-6-select-assignment-type-(preview)) and role assignments scheduled in the future do not count towards this limit. You can have up to **500** role assignments in each management group. For more information, see [Troubleshoot Azure RBAC limits](troubleshoot-limits.md).

+## Integration with Privileged Identity Management (Preview)

+> [!IMPORTANT]

+> Azure role assignment integration with Privileged Identity Management is currently in PREVIEW.

+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+If you have a Microsoft Entra ID P2 or Microsoft Entra ID Governance license, [Microsoft Entra Privileged Identity Management (PIM)](/entra/id-governance/privileged-identity-management/pim-configure) is integrated into role assignment steps. For example, you can assign roles to users for a limited period of time. You can also make users eligible for role assignments so that they must activate to use the role, such as request approval. Eligible role assignments provide just-in-time access to a role for a limited period of time. You can't create eligible role assignments for applications, service principals, or managed identities because they can't perform the activation steps. This capability is being deployed in stages, so it might not be available yet in your tenant or your interface might look different.

+The assignment type options available to you might vary depending or your PIM policy. For example, PIM policy defines whether permanent assignments can be created, maximum duration for time-bound assignments, roles activations requirements (approval, multifactor authentication, or Conditional Access authentication context), and other settings. For more information, see [Configure Azure resource role settings in Privileged Identity Management](/entra/id-governance/privileged-identity-management/pim-resource-roles-configure-role-settings).

+To better understand PIM, you should review the following terms.

+| Term or concept | Role assignment category | Description |

+| | | |

+| eligible | Type | A role assignment that requires a user to perform one or more actions to use the role. If a user has been made eligible for a role, that means they can activate the role when they need to perform privileged tasks. There's no difference in the access given to someone with a permanent versus an eligible role assignment. The only difference is that some people don't need that access all the time. |

+| active | Type | A role assignment that doesn't require a user to perform any action to use the role. Users assigned as active have the privileges assigned to the role. |

+| activate | | The process of performing one or more actions to use a role that a user is eligible for. Actions might include performing a multifactor authentication (MFA) check, providing a business justification, or requesting approval from designated approvers. |

+| permanent eligible | Duration | A role assignment where a user is always eligible to activate the role. |

+| permanent active | Duration | A role assignment where a user can always use the role without performing any actions. |

+| time-bound eligible | Duration | A role assignment where a user is eligible to activate the role only within start and end dates. |

+| time-bound active | Duration | A role assignment where a user can use the role only within start and end dates. |

+| just-in-time (JIT) access | | A model in which users receive temporary permissions to perform privileged tasks, which prevents malicious or unauthorized users from gaining access after the permissions have expired. Access is granted only when users need it. |

+| principle of least privilege access | | A recommended security practice in which every user is provided with only the minimum privileges needed to accomplish the tasks they're authorized to perform. This practice minimizes the number of Global Administrators and instead uses specific administrator roles for certain scenarios. |

+For more information, see [What is Microsoft Entra Privileged Identity Management?](/entra/id-governance/privileged-identity-management/pim-configure).

+Azure supports up to **4000** role assignments per subscription. This limit includes role assignments at the subscription, resource group, and resource scopes, but not at the management group scope. [Eligible role assignments](./role-assignments-portal.yml#step-6-select-assignment-type-(preview)) and role assignments scheduled in the future do not count towards this limit. You should try to reduce the number of role assignments in the subscription.

+To create your production resources, you need to create a [user-assigned managed identity](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp#create-a-user-assigned-managed-identity) then assign that identity to your resources with the correct roles.

+* [Azure built-in roles](/azure/role-based-access-control/built-in-roles)

+* [Set environment variables](/azure/ai-services/cognitive-services-environment-variables)

+# Quickstart: Keyword search by using REST

+[Download a REST sample](https://github.com/Azure-Samples/azure-search-rest-samples/tree/main/Quickstart) from GitHub to send the requests in this quickstart. Instructions can be found at [Downloading files from GitHub](https://docs.github.com/get-started/start-your-journey/downloading-files-from-github).

+## Get a search service endpoint

+You can find the search service endpoint in the Azure portal.

+1. Sign in to the [Azure portal](https://portal.azure.com) and [find your search service](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.Search%2FsearchServices).

+1. On the **Overview** home page, find the URL. An example endpoint might look like `https://mydemo.search.windows.net`.

+ :::image type="content" source="media/search-get-started-rest/get-endpoint.png" lightbox="media/search-get-started-rest/get-endpoint.png" alt-text="Screenshot of the URL property on the overview page.":::

+You're pasting this endpoint into the `.rest` or `.http` file in a later step.

+## Configure access

+Requests to the search endpoint must be authenticated and authorized. You can use API keys or roles for this task. Keys are easier to start with, but roles are more secure.

+### Option 1: Use keys

+Select **Settings** > **Keys** and then copy an admin key. Admin keys are used to add, modify, and delete objects. There are two interchangeable admin keys. Copy either one. For more information, see [Connect to Azure AI Search using key authentication](search-security-api-keys.md).

+You're pasting this key into the `.rest` or `.http` file in a later step.

+### Option 2: Use roles

+Make sure your search service is [configured for role-based access](search-security-enable-roles.md). You must have preconfigured [role-assignments for developer access](search-security-rbac.md#assign-roles-for-development). Your role assignments must grant permission to create, load, and query a search index.

+In this section, obtain your personal identity token using either the Azure CLI, Azure PowerShell, or the Azure portal.

+#### [Azure CLI](#tab/azure-cli)

+1. Sign in to Azure CLI.

+ ```azurecli

+ az login

+ ```

+1. Get your personal identity.

+ ```azurecli

+ az ad signed-in-user show \

+ --query id -o tsv

+ ```

+#### [Azure PowerShell](#tab/azure-powershell)

+1. Sign in with PowerShell.

+ ```azurepowershell

+ Connect-AzAccount

+ ```

+1. Get your personal identity.

+ ```azurepowershell

+ (Get-AzContext).Account.ExtendedProperties.HomeAccountId.Split('.')[0]

+ ```

+#### [Azure portal](#tab/portal)

+Use the steps found here: [find the user object ID](/partner-center/find-ids-and-domain-names#find-the-user-object-id) in the Azure portal.

+You're pasting your personal identity token into the `.rest` or `.http` file in a later step.

+> [!NOTE]

+> This section assumes you're using a local client that connects to Azure AI Search on your behalf. An alternative approach is [getting a token for the client app](/entra/identity-platform/v2-oauth2-client-creds-grant-flow), assuming your application is [registered](/entra/identity-platform/quickstart-register-app) with Microsoft Entra ID.

+1. Paste in the following example if you're using API keys. Replace the `@baseUrl` and `@apiKey` placeholders with the values you copied earlier.

+1. Or, paste in this example if your using roles. Replace the `@baseUrl` and `@token` placeholders with the values you copied earlier.

+ ```http

+ @baseUrl = PUT-YOUR-SEARCH-SERVICE-ENDPOINT-HERE

+ @token = PUT-YOUR-PERSONAL-IDENTITY-TOKEN-HERE

+

+ ### List existing indexes by name

+ GET {{baseUrl}}/indexes?api-version=2023-11-01&$select=name HTTP/1.1

+ Content-Type: application/json

+ Authorization: Bearer {{token}}

+ ```

+You should have a tenant ID, subscription ID, and bearer token. You'll paste these values into the `.rest` or `.http` file that you create in the next step.

+Key-based authentication is the default. You can disable it if you opt in for [role-based authentication](search-security-enable-roles.md).

+If you want to use Azure role assignments for authorized access to Azure AI Search, this article explains how to enable role-based access for your search service.

+Role-based access for data plane operations is optional, but recommended as the more secure option. The alternative is [key-based authentication](search-security-api-keys.md), which is the default.

+Configure your search service to recognize an **authorization** header on data requests that provide an OAuth2 access token.

+When you enable roles for the data plane, the change is effective immediately, but wait a few seconds before assigning roles.

+The default failure mode for unauthorized requests is `http401WithBearerChallenge`. Alternatively, you can set the failure mode to `http403`.

+Outbound requests can be secured and managed by you. Outbound requests originate from a search service to other applications. These requests are typically made by indexers for text-based indexing, custom skills-based AI enrichment, and vectorizations at query time. Outbound requests include both read and write operations.

+Use the Search Index Data Reader role for apps and processes that only need read-access to an index.

+This is a very specific role. It grants [GET or POST access](/rest/api/searchservice/documents) to the *documents collection of a search index* for search, autocomplete, and suggestions. It doesn't support GET or LIST operations on an index or other top-level objects, or GET service statistics.

+This section provides basic steps for setting up the role assignment and is here for completeness, but we recommend [Use Azure AI Search without keys ](keyless-connections.md) for comprehensive instructions on configuring your app for role-based access.

+[Configure your application for keyless connections](keyless-connections.md) and have role assignments in place before testing.

+By default, Azure AI Search is configured to allow connections over a public endpoint. Access to a search service *through* the public endpoint is protected by authentication and authorization protocols, but the endpoint itself is open to the internet at the network layer for data plane requests.

+If you aren't hosting a public web site, you might want to configure network access to automatically refuse requests unless they originate from an approved set of devices and cloud services. There are two mechanisms:

+Network rules aren't required, but it's a security best practice to add them if you use Azure AI Search for surfacing private or internal corporate content.

+This article assumes the Azure portal to explain network access options. You can also use the [Management REST API](/rest/api/searchmanagement/), [Azure PowerShell](/powershell/module/az.search), or the [Azure CLI](/cli/azure/search).

+## Limitations

+There are a few drawbacks to locking down the public endpoint.

+Did you select the trusted services exception? If yes, your search service admits requests and responses from a trusted Azure resource without checking for an IP address. A trusted resource must have a managed identity (either system or user-assigned, but usually system). A trusted resource must have a role assignment on Azure AI Search that gives it permission to data and operations.

+Workflows for this network exception are requests originating *from* Azure AI Studio, Azure OpenAI Studio, or other AML features *to* Azure AI Search, typically in [Azure OpenAI On Your Data](/azure/ai-services/openai/concepts/use-your-data) scenarios for retrieval augmented generation (RAG) and playground environments.

+### Trusted resources must have a managed identity

+To set up managed identities for Azure OpenAI and Azure Machine Learning:

+To set up a managed identity for an Azure AI service:

+### Trusted resources must have a role assignment

+Once your Azure resource has a managed identity, [assign roles on Azure AI Search](keyless-connections.md) to grant permissions to data and operations.

+The trusted services are used for vectorization workloads: generating vectors from text and image content, and sending payloads back to the search service for query execution or indexing. Connections from a trusted service are used to deliver payloads to Azure AI search.

+- [Microsoft Sentinel operational guide](ops-guide.md)

+For more information, see the following articles:

+- [Ingest Syslog and CEF messages to Microsoft Sentinel with the Azure Monitor Agent](connect-cef-syslog-ama.md)

+- [CEF via AMA data connector - Configure specific appliance or device for Microsoft Sentinel data ingestion](unified-connector-cef-device.md)

+- [Syslog via AMA data connector - Configure specific appliance or device for Microsoft Sentinel data ingestion](unified-connector-syslog-device.md)

+ Title: Ingest syslog CEF messages to Microsoft Sentinel - AMA

+appliesto:

+ - Microsoft Sentinel in the Azure portal

+ - Microsoft Sentinel in the Microsoft Defender portal

+#Customer intent: As a security operator, I want to ingest and filter syslog and CEF messages from Linux machines and from network and security devices and appliances to my Microsoft Sentinel workspace, so that security analysts can monitor activity on these systems and detect security threats.

+# Ingest syslog and CEF messages to Microsoft Sentinel with the Azure Monitor Agent

+This article describes how to use the **Syslog via AMA** and **Common Event Format (CEF) via AMA** connectors to quickly filter and ingest syslog messages, including messages in Common Event Format (CEF), from Linux machines and from network and security devices and appliances. To learn more about these data connectors, see [Syslog and Common Event Format (CEF) via AMA connectors for Microsoft Sentinel](cef-syslog-ama-overview.md).

+Install the appropriate Microsoft Sentinel solution and make sure you have the permissions to complete the steps in this article.

+- Install the appropriate solution from the **Content hub** in Microsoft Sentinel. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md).

+- Identify which data connector the Microsoft Sentinel solution requires &mdash; **Syslog via AMA** or **Common Event Format (CEF) via AMA** and whether you need to install the **Syslog** or **Common Event Format** solution. To fulfill this prerequisite,

+ - In the **Content hub**, select **Manage** on the installed solution and review the data connector listed.

+ - If either **Syslog via AMA** or **Common Event Format (CEF) via AMA** isn't installed with the solution, identify whether you need to install the **Syslog** or **Common Event Format** solution by finding your appliance or device from one of the following articles:

+ - [CEF via AMA data connector - Configure specific appliance or device for Microsoft Sentinel data ingestion](unified-connector-cef-device.md)

+ - [Syslog via AMA data connector - Configure specific appliance or device for Microsoft Sentinel data ingestion](unified-connector-syslog-device.md)

+ Then install either the **Syslog** or **Common Event Format** solution from the content hub to get the related AMA data connector.

+- Have an Azure account with the following Azure role-based access control (Azure RBAC) roles:

+- Your log sources, security devices, and appliances, must be configured to send their log messages to the log forwarder's syslog daemon instead of to their local syslog daemon.

+If your devices are sending syslog and CEF logs over TLS because, for example, your log forwarder is in the cloud, you need to configure the syslog daemon (`rsyslog` or `syslog-ng`) to communicate in TLS. For more information, see:

+1. If you're collecting logs from other machines using a log forwarder, [**run the "installation" script**](#run-the-installation-script) on the log forwarder to configure the syslog daemon to listen for messages from other machines, and to open the necessary local ports.

+To get started, open either the **Syslog via AMA** or **Common Event Format (CEF) via AMA** data connector in Microsoft Sentinel and create a data connector rule.

+Be aware that using the same facility for both syslog and CEF messages might result in data ingestion duplication. For more information, see [Data ingestion duplication avoidance](cef-syslog-ama-overview.md#data-ingestion-duplication-avoidance).

+ For an example, see [Syslog/CEF DCR creation request body](api-dcr-reference.md#syslogcef-dcr-creation-request-body). To collect syslog and CEF messages in the same data collection rule, see the example [Syslog and CEF streams in the same DCR](#syslog-and-cef-streams-in-the-same-dcr).

+ - Verify that the `streams` field is set to `Microsoft-Syslog` for syslog messages, or to `Microsoft-CommonSecurityLog` for CEF messages.

+This example shows how you can collect syslog and CEF messages in the same DCR.

+It collects syslog event messages for:

+If you're using a log forwarder, configure the syslog daemon to listen for messages from other machines, and open the necessary local ports.

+ The script configures the `rsyslog` or `syslog-ng` daemon to use the required protocol and restarts the daemon. The script opens port 514 to listen to incoming messages in both UDP and TCP protocols. To change this setting, refer to the syslog daemon configuration file according to the daemon type running on the machine:

+## Configure the security device or appliance

+Get specific instructions to configure your security device or appliance by going to one of the following articles:

+- [CEF via AMA data connector - Configure specific appliances and devices for Microsoft Sentinel data ingestion](unified-connector-cef-device.md)

+- [Syslog via AMA data connector - Configure specific appliances and devices for Microsoft Sentinel data ingestion](unified-connector-syslog-device.md)

+Contact the solution provider for more information or where information is unavailable for the appliance or device.

+- [CEF via AMA data connector - Configure specific appliance or device for Microsoft Sentinel data ingestion](unified-connector-cef-device.md)

+- [Syslog via AMA data connector - Configure specific appliance or device for the Microsoft Sentinel data ingestion](unified-connector-syslog-device.md)

+> - For connectors that use the Log Analytics agent, the agent will be [retired on **31 August, 2024**](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/). If you are using the Log Analytics agent in your Microsoft Sentinel deployment, we recommend that you migrate to the the Azure Monitor Agent (AMA). For more information, see [AMA migration for Microsoft Sentinel](ama-migrate.md).

+Log collection from many security appliances and devices are supported by the data connectors **Syslog via AMA** or **Common Event Format (CEF) via AMA** in Microsoft Sentinel. To forward data to your Log Analytics workspace for Microsoft Sentinel, complete the steps in [Ingest syslog and CEF messages to Microsoft Sentinel with the Azure Monitor Agent](connect-cef-syslog-ama.md). These steps include installing the Microsoft Sentinel solution for a security appliance or device from the **Content hub** in Microsoft Sentinel. Then, configure the **Syslog via AMA** or **Common Event Format (CEF) via AMA** data connector that's appropriate for the Microsoft Sentinel solution you installed. Complete the setup by configuring the security device or appliance. Find instructions to configure your security device or appliance in one of the following articles:

+- [CEF via AMA data connector - Configure specific appliance or device for Microsoft Sentinel data ingestion](unified-connector-cef-device.md)

+- [Syslog via AMA data connector - Configure specific appliance or device for Microsoft Sentinel data ingestion](unified-connector-syslog-device.md)

+Contact the solution provider for more information or where information is unavailable for the appliance or device.

+- [Build and monitor Zero Trust](sentinel-solution.md)

+Review the [Microsoft Sentinel operational guide](ops-guide.md) for the regular SOC activities we recommend that you perform daily, weekly, and monthly.

+ Title: Operational guide - Microsoft Sentinel

+description: Learn about the operational recommendations to help security operations teams to plan and run security activities.

+appliesto:

+ - Microsoft Sentinel in the Azure portal and the Microsoft Defender portal

+#Customer intent: As a security operations (SOC) team member or security administrator, I want to know what operational activities I should plan to do daily, weekly, and monthly with Microsoft Sentinel to help keep my organization's environment secure.

+# Microsoft Sentinel operational guide

+This article lists the operational activities that we recommend security operations (SOC) teams and security administrators plan for and run as part of their regular security activities with Microsoft Sentinel.

+## Daily tasks

+Schedule the following activities daily.

+|Task|description|

+|||

+|**Triage and investigate incidents**|Review the Microsoft Sentinel **Incidents** page to check for new incidents generated by the currently configured analytics rules, and start investigating any new incidents. For more information, see [Investigate incidents with Microsoft Sentinel](investigate-cases.md).|

+|**Explore hunting queries and bookmarks**|Explore results for all built-in queries, and update existing hunting queries and bookmarks. Manually generate new incidents or update old incidents if applicable. For more information, see:</br></br>- [Automatically create incidents from Microsoft security alerts](create-incidents-from-alerts.md)</br>- [Hunt for threats with Microsoft Sentinel](hunting.md)</br>- [Keep track of data during hunting with Microsoft Sentinel](bookmarks.md)|

+|**Analytic rules**|Review and enable new analytics rules as applicable, including both newly released or newly available rules from recently connected data connectors.|

+|**Data connectors**| Review the status, date, and time of the last log received from each data connector to ensure that data is flowing. Check for new connectors, and review ingestion to ensure set limits aren't exceeded. For more information, see [Data collection best practices](best-practices-data.md) and [Connect data sources](connect-data-sources.md).|

+|**Log Analytics Agent**| Verify that servers and workstations are actively connected to the workspace, and troubleshoot and remediate any failed connections. For more information, see [Log Analytics Agent overview](../azure-monitor/agents/log-analytics-agent.md).|

+|**Playbook failures**| Verify playbook run statuses and troubleshoot any failures. For more information, see [Tutorial: Respond to threats by using playbooks with automation rules in Microsoft Sentinel](tutorial-respond-threats-playbook.md).|

+## Weekly tasks

+Schedule the following activities weekly.

+|Task|description|

+|||

+|**Content review of solutions or standalone content**| Get any content updates for your installed solutions or standalone content from the [Content hub](sentinel-solutions-deploy.md). Review new solutions or standalone content that might be of value for your environment, such as analytics rules, workbooks, hunting queries, or playbooks.|

+|**Microsoft Sentinel auditing**| Review Microsoft Sentinel activity to see who updated or deleted resources, such as analytics rules, bookmarks, and so on. For more information, see [Audit Microsoft Sentinel queries and activities](audit-sentinel-data.md).|

+## Monthly tasks

+Schedule the following activities monthly.

+|Task|description|

+|||

+|**Review user access**| Review permissions for your users and check for inactive users. For more information, see [Permissions in Microsoft Sentinel](roles.md).|

+|**Log Analytics workspace review**| Review that the Log Analytics workspace data retention policy still aligns with your organization's policy. For more information, see [Data retention policy](/workplace-analytics/privacy/license-expiration) and [Integrate Azure Data Explorer for long-term log retention](store-logs-in-azure-data-explorer.md).|

+## Related content

+- [Deployment guide for Microsoft Sentinel](deploy-overview.md)

+ Title: CEF via AMA connector - Configure appliances and devices

+description: Learn how to configure specific devices that use the Common Event Format (CEF) via AMA data connector for Microsoft Sentinel.

+# CEF via AMA data connector - Configure specific appliance or device for Microsoft Sentinel data ingestion

+Log collection from many security appliances and devices are supported by the **Common Event Format (CEF) via AMA** data connector in Microsoft Sentinel. This article lists provider supplied installation instructions for specific security appliances and devices that use this data connector. Contact the provider for updates, more information, or where information is unavailable for your security appliance or device.

+To forward data to your Log Analytics workspace for Microsoft Sentinel, complete the steps in [Ingest syslog and CEF messages to Microsoft Sentinel with the Azure Monitor Agent](connect-cef-syslog-ama.md). As you complete those steps, install the **Common Event Format (CEF) via AMA** data connector in Microsoft Sentinel. Then, use the appropriate provider's instructions in this article to complete the setup.

+For more information about the related Microsoft Sentinel solution for each of these appliances or devices, search the [Azure Marketplace](https://azuremarketplace.microsoft.com/) for the **Product Type** > **Solution Templates** or review the solution from the **Content hub** in Microsoft Sentinel.

+## AI Analyst Darktrace

+Configure Darktrace to forward syslog messages in CEF format to your Azure workspace via the syslog agent.

+1. Within the Darktrace Threat Visualizer, navigate to the **System Config** page in the main menu under **Admin**.

+1. From the left-hand menu, select **Modules** and choose Microsoft Sentinel from the available **Workflow Integrations**.

+1. Locate Microsoft Sentinel syslog CEF and select **New** to reveal the configuration settings, unless already exposed.

+1. In the **Server** configuration field, enter the location of the log forwarder and optionally modify the communication port. Ensure that the port selected is set to 514 and is allowed by any intermediary firewalls.

+1. Configure any alert thresholds, time offsets or other settings as required.

+1. Review any other configuration options you might wish to enable that alter the syslog syntax.

+1. Enable **Send Alerts** and save your changes.

+## Akamai Security Events

+[Follow these steps](https://developer.akamai.com/tools/integrations/siem) to configure Akamai CEF connector to send syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.

+## AristaAwakeSecurity

+Complete the following steps to forward Awake Adversarial Model match results to a CEF collector listening on TCP port 514 at IP **192.168.0.1**:

+1. Navigate to the **Detection Management Skills** page in the Awake UI.

+1. Select **+ Add New Skill**.

+1. Set **Expression** to `integrations.cef.tcp { destination: "192.168.0.1", port: 514, secure: false, severity: Warning }`

+1. Set **Title** to a descriptive name like, *Forward Awake Adversarial Model match result to Microsoft Sentinel*.

+1. Set **Reference Identifier** to something easily discoverable like, *integrations.cef.sentinel-forwarder*.

+1. Select **Save**.

+Within a few minutes of saving the definition and other fields, the system begins to send new model match results to the CEF events collector as they're detected.

+For more information, see the **Adding a Security Information and Event Management Push Integration** page from the **Help Documentation** in the Awake UI.

+## Aruba ClearPass

+Configure Aruba ClearPass to forward syslog messages in CEF format to your Microsoft Sentinel workspace via the syslog agent.

+1. [Follow these instructions](https://www.arubanetworks.com/techdocs/ClearPass/6.7/PolicyManager/Content/CPPM_UserGuide/Admin/syslogExportFilters_add_syslog_filter_general.htm) to configure the Aruba ClearPass to forward syslog.

+2. Use the IP address or hostname for the Linux device with the Linux agent installed as the **Destination IP** address.

+## Barracuda WAF

+The Barracuda Web Application Firewall can integrate with and export logs directly to Microsoft Sentinel via the Azure Monitoring Agent (AMA).ΓÇï

+1. Go to [Barracuda WAF configuration](https://aka.ms/asi-barracuda-connector), and follow the instructions, using the following parameters to set up the connection.

+1. Web Firewall logs facility: Go to the advanced settings for your workspace and on the **Data** > **Syslog** tabs. Make sure that the facility exists.ΓÇï

+Notice that the data from all regions are stored in the selected workspace.

+## Broadcom SymantecDLP

+Configure Symantec DLP to forward syslog messages in CEF format to your Microsoft Sentinel workspace via the syslog agent.

+1. [Follow these instructions](https://knowledge.broadcom.com/external/article/159509/generating-syslog-messages-from-data-los.html) to configure the Symantec DLP to forward syslog

+1. Use the IP address or hostname for the Linux device with the Linux agent installed as the **Destination IP** address.

+## Cisco Firepower EStreamer

+Install and configure the Firepower eNcore eStreamer client. For more information, see the full install [guide](https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer_enCore/eStreamereNcoreSentinelOperationsGuide_409.html).

+## CiscoSEG

+Complete the following steps to configure Cisco Secure Email Gateway to forward logs via syslog:

+1. Configure [Log Subscription](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1134718).

+1. Select **Consolidated Event Logs** in Log Type field.

+## Citrix Web App Firewall

+Configure Citrix WAF to send syslog messages in CEF format to the proxy machine.

+- Find guides to configure WAF and CEF logs from [Citrix Support](https://support.citrix.com/).

+- Follow [this guide](https://docs.citrix.com/en-us/citrix-adc/13/system/audit-logging/configuring-audit-logging.html) to forward the logs to proxy. Make sure you to send the logs to port 514 TCP on the Linux machine's IP address.

+## Claroty

+Configure log forwarding using CEF.

+1. Navigate to the **Syslog** section of the Configuration menu.

+1. Select **+Add**.

+1. In the **Add New Syslog Dialog** specify **Remote Server IP**, **Port**, **Protocol**.

+1. Select **Message Format** - **CEF**.

+1. Choose **Save** to exit the **Add Syslog dialog**.

+## Contrast Protect

+Configure the Contrast Protect agent to forward events to syslog as described here: https://docs.contrastsecurity.com/en/output-to-syslog.html. Generate some attack events for your application.

+## CrowdStrike Falcon

+Deploy the CrowdStrike Falcon SIEM Collector to forward syslog messages in CEF format to your Microsoft Sentinel workspace via the syslog agent.

+1. [Follow these instructions](https://www.crowdstrike.com/blog/tech-center/integrate-with-your-siem/) to deploy the **SIEM Collector** and forward syslog.

+1. Use the IP address or hostname for the Linux device with the Linux agent installed as the Destination IP address.

+## CyberArk Enterprise Password Vault (EPV) Events

+On the EPV, configure the dbparm.ini to send syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machines IP address.

+## Delinea Secret Server

+Set your security solution to send syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.

+## ExtraHop Reveal(x)

+Set your security solution to send syslog messages in CEF format to the proxy machine. Make sure to send the logs to port 514 TCP on the machine IP address.

+1. Follow the directions to install the [ExtraHop Detection SIEM Connector bundle](https://learn.extrahop.com/extrahop-detection-siem-connector-bundle) on your Reveal(x) system. The **SIEM Connector** is required for this integration.

+1. Enable the trigger for **ExtraHop Detection SIEM Connector - CEF**.

+1. Update the trigger with the ODS syslog targets you created. 

+The Reveal(x) system formats syslog messages in Common Event Format (CEF) and then sends data to Microsoft Sentinel.

+## F5 Networks

+Configure F5 to forward syslog messages in CEF format to your Microsoft Sentinel workspace via the syslog agent.

+Go to [F5 Configuring Application Security Event Logging](https://aka.ms/asi-syslog-f5-forwarding), follow the instructions to set up remote logging, using the following guidelines:

+1. Set the **Remote storage type** to **CEF**.

+1. Set the **Protocol setting** to **UDP**.

+1. Set the **IP address** to the syslog server IP address.

+1. Set the **port number** to **514**, or the port your agent uses.

+1. Set the **facility** to the one that you configured in the syslog agent. By default, the agent sets this value to **local4**.

+1. You can set the **Maximum Query String Size** to be the same as you configured.

+## FireEye Network Security

+Complete the following steps to send data using CEF:

+1. Sign into the FireEye appliance with an administrator account.

+1. Select **Settings**.

+1. Select **Notifications**. Select **rsyslog**.

+1. Check the **Event type** check box.

+1. Make sure Rsyslog settings are:

+ - Default format: **CEF**

+ - Default delivery: **Per event**

+ - Default send as: **Alert**

+## Forcepoint CASB

+Set your security solution to send syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.

+## Forcepoint CSG

+The integration is made available with two implementations options:

+1. Uses docker images where the integration component is already installed with all necessary dependencies.

+Follow the instructions provided in the [Integration Guide](https://frcpnt.com/csg-sentinel).

+1. Requires the manual deployment of the integration component inside a clean Linux machine. Follow the instructions provided in the [Integration Guide](https://frcpnt.com/csg-sentinel).

+## Forcepoint NGFW

+Set your security solution to send syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.

+## ForgeRock Common Audit for CEF

+In ForgeRock, install and configure this Common Audit (CAUD) for Microsoft Sentinel per the documentation at https://github.com/javaservlets/SentinelAuditEventHandler. Next, in Azure, follow the steps to configure the CEF via AMA data connector.

+## iboss

+Set your Threat Console to send syslog messages in CEF format to your Azure workspace. Make note of your **Workspace ID** and **Primary Key** within your Log Analytics workspace. Select the workspace from the Log Analytics workspaces menu in the Azure portal. Then select **Agents management** in the **Settings** section.

+1. Navigate to **Reporting & Analytics** inside your iboss Console.

+1. Select **Log Forwarding** > **Forward From Reporter**.

+1. Select **Actions** > **Add Service**.

+1. Toggle to Microsoft Sentinel as a **Service Type** and input your **Workspace ID/Primary Key** along with other criteria. If a dedicated proxy Linux machine was configured, toggle to **Syslog** as a **Service Type** and configure the settings to point to your dedicated proxy Linux machine.

+1. Wait one to two minutes for the setup to complete.

+1. Select your Microsoft Sentinel service and verify the Microsoft Sentinel setup status is successful. If a dedicated proxy Linux machine is configured, you might validate your connection.

+## Illumio Core

+Configure event format.

+1. From the PCE web console menu, choose **Settings > Event Settings** to view your current settings.

+1. Select **Edit** to change the settings.

+1. Set **Event Format** to CEF.

+1. (Optional) Configure **Event Severity** and **Retention Period**.

+Configure event forwarding to an external syslog server.

+1. From the PCE web console menu, choose **Settings** > **Event Settings**.

+1. Select **Add**.

+1. Select **Add Repository**.

+1. Complete the **Add Repository** dialog.

+1. Select **OK** to save the event forwarding configuration.

+## Illusive Platform

+1. Set your security solution to send syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.

+1. Sign into the Illusive Console, and navigate to **Settings** > **Reporting**.

+1. Find **Syslog Servers**.

+1. Supply the following information:

+ - Host name: *Linux Syslog agent IP address or FQDN host name*

+ - Port: *514*

+ - Protocol: *TCP*

+ - Audit messages: *Send audit messages to server*

+1. To add the syslog server, select **Add**.

+For more information about how to add a new syslog server in the Illusive platform, find the Illusive Networks Admin Guide in here: https://support.illusivenetworks.com/hc/en-us/sections/360002292119-Documentation-by-Version

+## Imperva WAF Gateway

+This connector requires an **Action Interface** and **Action Set** to be created on the Imperva SecureSphere MX. [Follow the steps](https://community.imperva.com/blogs/craig-burlingame1/2020/11/13/steps-for-enabling-imperva-waf-gateway-alert) to create the requirements.

+1. Create a new **Action Interface** that contains the required parameters to send WAF alerts to Microsoft Sentinel.

+1. Create a new **Action Set** that uses the **Action Interface** configured.

+1. Apply the Action Set to any security policies you wish to have alerts for sent to Microsoft Sentinel.

+## Infoblox Cloud Data Connector

+Complete the following steps to configure the Infoblox CDC to send BloxOne data to Microsoft Sentinel via the Linux syslog agent.

+1. Navigate to **Manage** > **Data Connector**.

+1. Select the **Destination Configuration** tab at the top.

+1. Select **Create > Syslog**.

+ - **Name**: Give the new Destination a meaningful name, such as *Microsoft-Sentinel-Destination*.

+ - **Description**: Optionally give it a meaningful description.

+ - **State**: Set the state to **Enabled**.

+ - **Format**: Set the format to **CEF**.

+ - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.

+ - **Port**: Leave the port number at **514**.

+ - **Protocol**: Select desired protocol and CA certificate if applicable.

+ - Select **Save & Close**.

+1. Select the **Traffic Flow Configuration** tab at the top.

+1. Select **Create**.

+ - **Name**: Give the new Traffic Flow a meaningful name, such as *Microsoft-Sentinel-Flow*.

+ - **Description**: Optionally give it a meaningful description.

+ - **State**: Set the state to **Enabled**.

+ - Expand the **Service Instance** section.

+ - **Service Instance**: Select your desired Service Instance for which the Data Connector service is enabled.

+ - Expand the **Source Configuration** section.

+ - **Source**: Select **BloxOne Cloud Source**.

+ - Select all desired **log types** you wish to collect. Currently supported log types are:

+ - Threat Defense Query/Response Log

+ - Threat Defense Threat Feeds Hits Log

+ - DDI Query/Response Log

+ - DDI DHCP Lease Log

+ - Expand the **Destination Configuration** section.

+ - Select the **Destination** you created.

+ - Select **Save & Close**.

+1. Allow the configuration some time to activate.

+## Infoblox SOC Insights

+Complete the following steps to configure the Infoblox CDC to send BloxOne data to Microsoft Sentinel via the Linux syslog agent.

+1. Navigate to **Manage > Data Connector**.

+1. Select the **Destination Configuration** tab at the top.

+1. Select **Create > Syslog**.

+ - **Name**: Give the new Destination a meaningful name, such as *Microsoft-Sentinel-Destination*.

+ - **Description**: Optionally give it a meaningful description.

+ - **State**: Set the state to **Enabled**.

+ - **Format**: Set the format to **CEF**.

+ - **FQDN/IP**: Enter the IP address of the Linux device on which the Linux agent is installed.

+ - **Port**: Leave the port number at **514**.

+ - **Protocol**: Select desired protocol and CA certificate if applicable.

+ - Select **Save & Close**.

+1. Select the **Traffic Flow Configuration** tab at the top.

+1. Select **Create**.

+ - **Name**: Give the new Traffic Flow a meaningful name, such as *Microsoft-Sentinel-Flow*.

+ - **Description**: Optionally give it a meaningful **description**.

+ - **State**: Set the state to **Enabled**.

+ - Expand the **Service Instance** section.

+ - **Service Instance**: Select your desired service instance for which the data connector service is enabled.

+ - Expand the **Source Configuration** section.

+ - **Source**: Select **BloxOne Cloud Source**.

+ - Select the **Internal Notifications** Log Type.

+ - Expand the **Destination Configuration** section.

+ - Select the **Destination** you created.

+ - Select **Save & Close**.

+1. Allow the configuration some time to activate.

+## KasperskySecurityCenter

+[Follow the instructions](https://support.kaspersky.com/KSC/13/en-US/89277.htm) to configure event export from Kaspersky Security Center.

+## Morphisec

+Set your security solution to send syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.

+## Netwrix Auditor

+[Follow the instructions](https://www.netwrix.com/download/QuickStart/Netwrix_Auditor_Add-on_for_HPE_ArcSight_Quick_Start_Guide.pdf) to configure event export from Netwrix Auditor.

+## NozomiNetworks

+Complete the following steps to configure Nozomi Networks device to send alerts, audit, and health logs via syslog in CEF format:

+1. Sign in to the Guardian console.

+1. Navigate to **Administration** > **Data Integration**.

+1. Select **+Add**.

+1. Select the **Common Event Format (CEF)** from the drop-down.

+1. Create **New Endpoint** using the appropriate host information.

+1. Enable **Alerts**, **Audit Logs**, and **Health Logs** for sending.

+## Onapsis Platform

+Refer to the Onapsis in-product help to set up log forwarding to the syslog agent.

+1. Go to **Setup** > **Third-party integrations** > **Defend Alarms** and follow the instructions for Microsoft Sentinel.

+2. Make sure your Onapsis Console can reach the proxy machine where the agent is installed. The logs should be sent to port 514 using TCP.

+## OSSEC

+[Follow these steps](https://www.ossec.net/docs/docs/manual/output/syslog-output.html) to configure OSSEC sending alerts via syslog.

+## Palo Alto - XDR (Cortex)

+Configure Palo Alto XDR (Cortex) to forward messages in CEF format to your Microsoft Sentinel workspace via the syslog agent.

+1. Go to **Cortex Settings and Configurations**.

+1. Select to add **New Server** under **External Applications**.

+1. Then specify the name and give the public IP of your syslog server in **Destination**.

+1. Give **Port number** as 514.

+1. From **Facility** field, select **FAC_SYSLOG** from dropdown.

+1. Select **Protocol** as **UDP**.

+1. Select **Create**.

+## PaloAlto-PAN-OS

+Configure Palo Alto Networks to forward syslog messages in CEF format to your Microsoft Sentinel workspace via the syslog agent.

+1. Go to [configure Palo Alto Networks NGFW for sending CEF events](https://aka.ms/sentinel-paloaltonetworks-readme).

+1. Go to [Palo Alto CEF Configuration](https://aka.ms/asi-syslog-paloalto-forwarding) and Palo Alto [Configure Syslog Monitoring](https://aka.ms/asi-syslog-paloalto-configure) steps 2, 3, choose your version, and follow the instructions using the following guidelines:

+ 1. Set the **Syslog server format** to **BSD**.

+ 1. Copy the text to an editor and remove any characters that might break the log format before pasting it. The copy/paste operations from the PDF might change the text and insert random characters.

+[Learn more](https://aka.ms/CEFPaloAlto)

+## PaloAltoCDL

+[Follow the instructions](https://docs.paloaltonetworks.com/cortex/cortex-data-lake/cortex-data-lake-getting-started/get-started-with-log-forwarding-app/forward-logs-from-logging-service-to-syslog-server.html) to configure logs forwarding from Cortex Data Lake to a syslog Server.

+## PingFederate

+[Follow these steps](https://docs.pingidentity.com/bundle/pingfederate-102/page/gsn1564002980953.html) to configure PingFederate sending audit log via syslog in CEF format.

+## RidgeSecurity

+Configure the RidgeBot to forward events to syslog server as described [here](https://portal.ridgesecurity.ai/downloadurl/89x72912). Generate some attack events for your application.

+## SonicWall Firewall

+Set your SonicWall Firewall to send syslog messages in CEF format to the proxy machine. Make sure you send the logs to port 514 TCP on the machine's IP address.

+Follow instructions. Then Make sure you select local use 4 as the facility. Then select ArcSight as the syslog format.

+## Trend Micro Apex One

+[Follow these steps](https://docs.trendmicro.com/en-us/enterprise/trend-micro-apex-central-2019-online-help/detections/logs_001/syslog-forwarding.aspx) to configure Apex Central sending alerts via syslog. While configuring, on step 6, select the log format **CEF**.

+## Trend Micro Deep Security

+Set your security solution to send syslog messages in CEF format to the proxy machine. Make sure to send the logs to port 514 TCP on the machine's IP address.

+1. Forward Trend Micro Deep Security events to the syslog agent.

+1. Define a new syslog Configuration that uses the CEF format by referencing [this knowledge article](https://aka.ms/Sentinel-trendmicro-kblink) for additional information.

+1. Configure the **Deep Security Manager** to use this new configuration to forward events to the syslog agent using [these instructions](https://aka.ms/Sentinel-trendMicro-connectorInstructions).

+1. Make sure to save the [TrendMicroDeepSecurity](https://aka.ms/TrendMicroDeepSecurityFunction) function so that it queries the Trend Micro Deep Security data properly.

+## Trend Micro TippingPoint

+Set your TippingPoint SMS to send syslog messages in ArcSight CEF Format v4.2 format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.

+## vArmour Application Controller

+Send syslog messages in CEF format to the proxy machine. Make sure you to send the logs to port 514 TCP on the machine's IP address.

+Download the user guide from https://support.varmour.com/hc/en-us/articles/360057444831-vArmour-Application-Controller-6-0-User-Guide. In the user guide, refer to "Configuring Syslog for Monitoring and Violations" and follow steps 1 to 3.

+## Vectra AI Detect

+Configure Vectra (X Series) Agent to forward syslog messages in CEF format to your Microsoft Sentinel workspace via the syslog agent.

+From the Vectra UI, navigate to Settings > Notifications and Edit syslog configuration. Follow below instructions to set up the connection:

+1. Add a new Destination (which is the host where the Microsoft Sentinel syslog agent is running).

+1. Set the **Port** as *514*.

+1. Set the **Protocol** as *UDP*.

+1. Set the **format** to *CEF*.

+1. Set **Log types**. Select all log types available.

+1. Select on **Save**.

+1. Select the **Test** button to send some test events.

+For more information, see the Cognito Detect Syslog Guide, which can be downloaded from the resource page in Detect UI.

+## Votiro

+Set Votiro Endpoints to send syslog messages in CEF format to the Forwarder machine. Make sure you to send the logs to port 514 TCP on the Forwarder machine's IP address.

+## WireX Network Forensics Platform

+Contact WireX support (https://wirexsystems.com/contact-us/) in order to configure your NFP solution to send syslog messages in CEF format to the proxy machine. Make sure that they central manager can send the logs to port 514 TCP on the machine's IP address.

+## WithSecure Elements via Connector

+Connect your WithSecure Elements Connector appliance to Microsoft Sentinel. The WithSecure Elements Connector data connector allows you to easily connect your WithSecure Elements logs with Microsoft Sentinel, to view dashboards, create custom alerts, and improve investigation.

+> [!NOTE]

+> Data is stored in the geographic location of the workspace on which you are running Microsoft Sentinel.

+Configure With Secure Elements Connector to forward syslog messages in CEF format to your Log Analytics workspace via the syslog agent.

+1. Select or create a Linux machine for Microsoft Sentinel to use as the proxy between your WithSecurity solution and Microsoft Sentinel. The machine can be an on-premises environment, Microsoft Azure, or other cloud based environment. Linux needs to have `syslog-ng` and `python`/`python3` installed.

+1. Install the Azure Monitoring Agent (AMA) on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP. You must have elevated permissions (sudo) on your machine.

+1. Go to **EPP** in WithSecure Elements Portal. Then navigate to **Downloads**. In **Elements Connector** section, select **Create subscription key**. You can check your subscription key in **Subscriptions**.

+1. In **Downloads** in WithSecure Elements **Connector** section, select the correct installer and download it.

+1. When in EPP, open account settings from the top right hand corner. Then select **Get management API key**. If the key was created earlier, it can be read there as well.

+1. To install Elements Connector, follow [Elements Connector Docs](https://help.f-secure.com/product.html#business/connector/latest/en/concept_BA55FDB13ABA44A8B16E9421713F4913-latest-en).

+1. If API access isn't configured during installation, follow [Configuring API access for Elements Connector](https://help.f-secure.com/product.html#business/connector/latest/en/task_F657F4D0F2144CD5913EE510E155E234-latest-en).

+1. Go to EPP, then **Profiles**, then use **For Connector** from where you can see the connector profiles. Create a new profile (or edit an existing not read-only profile). In **Event forwarding**, enable it. Set SIEM system address: **127.0.0.1:514**. Set format to **Common Event Format**. Protocol is **TCP**. Save profile and assign it to **Elements Connector** in **Devices** tab.

+1. To use the relevant schema in Log Analytics for the WithSecure Elements Connector, search for **CommonSecurityLog**.

+1. Continue with [validating your CEF connectivity](/azure/sentinel/troubleshooting-cef-syslog?tabs=rsyslog#validate-cef-connectivity).

+## Zscaler

+Set Zscaler product to send syslog messages in CEF format to your syslog agent. Make sure you to send the logs on port 514 TCP.

+For more information, see [Zscaler Microsoft Sentinel integration guide](https://aka.ms/ZscalerCEFInstructions).

+## Related content

+- [Ingest syslog and CEF messages to Microsoft Sentinel with the Azure Monitor Agent](connect-cef-syslog-ama.md)

+- [Syslog via AMA and Common Event Format (CEF) via AMA connectors for Microsoft Sentinel](cef-syslog-ama-overview.md)

+ Title: Syslog via AMA connector - configure appliances and devices

+description: Learn how to configure specific appliances and devices that use the Syslog via AMA data connector for Microsoft Sentinel.

+# Syslog via AMA data connector - Configure specific appliance or device for Microsoft Sentinel data ingestion

+Log collection from many security appliances and devices are supported by the **Syslog via AMA** data connector in Microsoft Sentinel. This article lists provider supplied installation instructions for specific security appliances and devices that use this data connector. Contact the provider for updates, more information, or where information is unavailable for your security appliance or device.

+To forward data to your Log Analytics workspace for Microsoft Sentinel, complete the steps in [Ingest syslog and CEF messages to Microsoft Sentinel with the Azure Monitor Agent](connect-cef-syslog-ama.md). As you complete those steps, install the **Syslog via AMA** data connector in Microsoft Sentinel. Then, use the appropriate provider's instructions in this article to complete the setup.

+For more information about the related Microsoft Sentinel solution for each of these appliances or devices, search the [Azure Marketplace](https://azuremarketplace.microsoft.com/) for the **Product Type** > **Solution Templates** or review the solution from the **Content hub** in Microsoft Sentinel.

+## Barracuda CloudGen Firewall

+[Follow instructions](https://aka.ms/sentinel-barracudacloudfirewall-connector) to configure syslog streaming. Use the IP address or hostname for the Linux machine with the Microsoft Sentinel agent installed for the **Destination IP** address.

+## Blackberry CylancePROTECT

+[Follow these instructions](https://docs.blackberry.com/en/unified-endpoint-security/blackberry-ues/cylance-syslog-guide/Configure_Syslog_Settings) to configure the CylancePROTECT to forward syslog. Use the IP address or hostname for the Linux device with the Linux agent installed as the **Destination IP** address.

+## Cisco Application Centric Infrastructure (ACI)

+Configure Cisco ACI system to send logs via syslog to the remote server where you install the agent.

+[Follow these steps](https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/basic-config/b_ACI_Config_Guide/b_ACI_Config_Guide_chapter_010.html#d2933e4611a1635) to configure **Syslog Destination**, **Destination Group**, and **Syslog Source**.

+This data connector was developed using Cisco ACI Release 1.x.

+## Cisco Identity Services Engine (ISE)

+[Follow these instructions](https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_27_admin_guide/b_ISE_admin_27_maintain_monitor.html#ID58) to configure remote syslog collection locations in your Cisco ISE deployment.

+## Cisco Stealthwatch

+Complete the following configuration steps to get Cisco Stealthwatch logs into Microsoft Sentinel.

+1. Sign in to the Stealthwatch Management Console (SMC) as an administrator.

+1. In the menu bar, select **Configuration** > **Response Management**.

+1. From the **Actions** section in the **Response Management** menu, select **Add > Syslog Message**.

+1. In the **Add Syslog Message Action** window, configure parameters.

+1. Enter the following custom format:

+ `|Lancope|Stealthwatch|7.3|{alarm_type_id}|0x7C|src={source_ip}|dst={target_ip}|dstPort={port}|proto={protocol}|msg={alarm_type_description}|fullmessage={details}|start={start_active_time}|end={end_active_time}|cat={alarm_category_name}|alarmID={alarm_id}|sourceHG={source_host_group_names}|targetHG={target_host_group_names}|sourceHostSnapshot={source_url}|targetHostSnapshot={target_url}|flowCollectorName={device_name}|flowCollectorIP={device_ip}|domain={domain_name}|exporterName={exporter_hostname}|exporterIPAddress={exporter_ip}|exporterInfo={exporter_label}|targetUser={target_username}|targetHostname={target_hostname}|sourceUser={source_username}|alarmStatus={alarm_status}|alarmSev={alarm_severity_name}`

+1. Select the custom format from the list and **OK**.

+1. Select **Response Management > Rules**.

+1. Select **Add** and **Host Alarm**.

+1. Provide a rule name in the **Name** field.

+1. Create rules by selecting values from the **Type** and **Options** menus. To add more rules, select the ellipsis icon. For a **Host Alarm**, combine as many possible types in a statement as possible.

+This data connector was developed using Cisco Stealthwatch version 7.3.2

+## Cisco Unified Computing Systems (UCS)

+[Follow these instructions](https://www.cisco.com/c/en/us/support/docs/servers-unified-computing/ucs-manager/110265-setup-syslog-for-ucs.html#configsremotesyslog) to configure the Cisco UCS to forward syslog. Use the IP address or hostname for the Linux device with the Linux agent installed as the **Destination IP** address.

+> [!NOTE]

+> The functionality of this data connector is reliant on a Kusto Function-based parser, which is integral to its operation. This parser is deployed as part of the solution installation.

+>

+> Update the parser and specify the hostname of the source machines transmitting the logs in the parser's second line.

+>

+> To access the function code within Log Analytics, navigate to the Log Analytics/Microsoft Sentinel Logs section, select Functions, and search for the alias **CiscoUCS**. Alternatively, directly load the [function code](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cisco%20UCS/Parsers/CiscoUCS.txt). It might take about 15-minutes post-installation to update.

+## Cisco Web Security Appliance (WSA)

+Configure Cisco to forward logs via syslog to the remote server where you install the agent.

+[Follow these steps](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1134718) to configure Cisco WSA to forward logs via Syslog

+Select **Syslog Push** as a Retrieval Method.

+This data connector was developed using AsyncOS 14.0 for Cisco Web Security Appliance

+## Citrix Application Delivery Controller (ADC)

+Configure Citrix ADC (former NetScaler) to forward logs via Syslog.

+1. Navigate to **Configuration tab > System > Auditing > Syslog > Servers tab**

+2. Specify **Syslog action name**.

+3. Set IP address of remote Syslog server and port.

+4. Set **Transport type** as **TCP** or **UDP** depending on your remote syslog server configuration.

+5. For more information, see the [Citrix ADC (former NetScaler) documentation](https://docs.netscaler.com/).

+> [!NOTE]

+> The functionality of this data connector is reliant on a Kusto Function-based parser, which is integral to its operation. This parser is deployed as part of the solution installation. To access the function code within Log Analytics, navigate to the Log Analytics/Microsoft Sentinel Logs section, select Functions, and search for the alias **CitrixADCEvent**. Alternatively, you can directly load the [function code](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Citrix%20ADC/Parsers/CitrixADCEvent.txt). It might take about 15 minutes post-installation to update.

+>

+> This parser requires a watchlist named `Sources_by_SourceType`.

+>

+>i. If you don't have watchlist already created, create a watchlist from Microsoft Sentinel in the [Azure portal](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FASIM%2Fdeploy%2FWatchlists%2FASimSourceType.json).

+>

+> ii. Open watchlist `Sources_by_SourceType` and add entries for this data source.

+>

+> ii. The SourceType value for CitrixADC is `CitrixADC`.

+> For more information, see [Manage Advanced Security Information Model (ASIM) parsers](/azure/sentinel/normalization-manage-parsers?WT.mc_id=Portal-fx#configure-the-sources-relevant-to-a-source-specific-parser).

+## Digital Guardian Data Loss Prevention

+Complete the following steps to configure Digital Guardian to forward logs via Syslog:

+1. Sign in to the Digital Guardian Management Console.

+1. Select **Workspace** > **Data Export** > **Create Export**.

+1. From the **Data Sources** list, select **Alerts** or **Events** as the data source.

+1. From the **Export type** list, select **Syslog**.

+1. From the **Type list**, select **UDP, or TCP** as the transport protocol.

+1. In the **Server** field, type the IP address of your remote syslog server.

+1. In the **Port** field, type 514 (or other port if your syslog server was configured to use nondefault port).

+1. From the **Severity Level** list, select a severity level.

+1. Select the **Is Active** check box.

+1. Select **Next**.

+1. From the list of available fields, add Alert or Event fields for your data export.

+1. Select a Criteria for the fields in your data export and **Next**.

+1. Select a group for the criteria and **Next**.

+1. Select **Test Query**.

+1. Select **Next**.

+1. Save the data export.

+## ESET Protect integration

+Configure ESET PROTECT to send all events through Syslog.

+1. Follow [these instructions](https://help.eset.com/protect_admin/latest/en-US/admin_server_settings_syslog.html) to configure syslog output. Make sure to select **BSD** as the format and **TCP** as the transport.

+1. Follow [these instructions](https://help.eset.com/protect_admin/latest/en-US/admin_server_settings_export_to_syslog.html) to export all logs to syslog. Select **JSON** as the output format.

+## Exabeam Advanced Analytics

+[Follow these instructions](https://docs.exabeam.com/en/advanced-analytics/i56/advanced-analytics-administration-guide/125351-advanced-analytics.html#UUID-7ce5ff9d-56aa-93f0-65de-c5255b682a08) to send Exabeam Advanced Analytics activity log data via syslog.

+This data connector was developed using Exabeam Advanced Analytics i54 (Syslog)

+## Forescout

+Complete the following steps to get Forescout logs into Microsoft Sentinel.

+1. [Select an Appliance to Configure.](https://docs.forescout.com/bundle/syslog-3-6-1-h/page/syslog-3-6-1-h.Select-an-Appliance-to-Configure.html)

+1. [Follow these instructions](https://docs.forescout.com/bundle/syslog-3-6-1-h/page/syslog-3-6-1-h.Send-Events-To-Tab.html#pID0E0CE0HA) to forward alerts from the Forescout platform to a syslog server.

+1. [Configure](https://docs.forescout.com/bundle/syslog-3-6-1-h/page/syslog-3-6-1-h.Syslog-Triggers.html) the settings in the **Syslog Triggers** tab.

+This data connector was developed using Forescout Syslog Plugin version: v3.6

+## Gitlab

+[Follow these instructions](https://docs.gitlab.com/omnibus/settings/logs.html#udp-log-forwarding) to send Gitlab audit log data via syslog.

+## ISC Bind

+1. Follow these instructions to configure the ISC Bind to forward syslog: [DNS Logs](https://kb.isc.org/docs/aa-01526).

+1. Configure syslog to send the syslog traffic to the agent. Use the IP address or hostname for the Linux device with the Linux agent installed as the **Destination IP** address.

+## Infoblox Network Identity Operating System (NIOS)

+[Follow these instructions](https://www.infoblox.com/wp-content/uploads/infoblox-deployment-guide-slog-and-snmp-configuration-for-nios.pdf) to enable syslog forwarding of Infoblox NIOS Logs. Use the IP address or hostname for the Linux device with the Linux agent installed as the **Destination IP** address.

+> [!NOTE]

+> The functionality of this data connector is reliant on a Kusto Function-based parser, which is integral to its operation. This parser is deployed as part of the solution installation.

+>

+> To access the function code within Log Analytics, navigate to the Log Analytics/Microsoft Sentinel Logs section, select Functions, and search for the alias **Infoblox**. Alternatively, you can directly load the [function code](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Infoblox%20NIOS/Parser/Infoblox.txt). It might take about 15 minutes post-installation to update.

+>

+> This parser requires a watchlist named **`Sources_by_SourceType`**.

+>

+>i. If you don't have watchlist already created, create a watchlist from Microsoft Sentinel in the [Azure portal](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FASIM%2Fdeploy%2FWatchlists%2FASimSourceType.json).

+>

+>ii. Open watchlist **`Sources_by_SourceType`** and add entries for this data source.

+>

+>ii. The SourceType value for InfobloxNIOS is **`InfobloxNIOS`**.

+>

+> For more information, see [Manage Advanced Security Information Model (ASIM) parsers](/azure/sentinel/normalization-manage-parsers?WT.mc_id=Portal-fx#configure-the-sources-relevant-to-a-source-specific-parser).

+## Ivanti Unified Endpoint Management

+[Follow the instructions](https://help.ivanti.com/ld/help/en_US/LDMS/11.0/Windows/alert-t-define-action.htm) to set up Alert Actions to send logs to syslog server.

+This data connector was developed using Ivanti Unified Endpoint Management Release 2021.1 Version 11.0.3.374

+## Juniper SRX

+1. Complete the following instructions to configure the Juniper SRX to forward syslog:

+ - [Traffic Logs (Security Policy Logs)](https://kb.juniper.net/InfoCenter/index?page=content&id=KB16509&actp=METADATA)

+ - [System Logs](https://kb.juniper.net/InfoCenter/index?page=content&id=kb16502)

+

+2. Use the IP address or hostname for the Linux device with the Linux agent installed as the **Destination IP** address.

+## McAfee Network Security Platform

+Complete the following configuration steps to get McAfee® Network Security Platform logs into Microsoft Sentinel.

+1. Forward alerts from the manager to a syslog server.

+2. You must add a syslog notification profile. While creating profile, to make sure that events are formatted correctly, enter the following text in the Message text box:

+ ``<SyslogAlertForwarderNSP>:|SENSOR_ALERT_UUID|ALERT_TYPE|ATTACK_TIME|ATTACK_NAME|ATTACK_ID``

+``|ATTACK_SEVERITY|ATTACK_SIGNATURE|ATTACK_CONFIDENCE|ADMIN_DOMAIN|SENSOR_NAME|INTERFACE``

+``|SOURCE_IP|SOURCE_PORT|DESTINATION_IP|DESTINATION_PORT|CATEGORY|SUB_CATEGORY``

+``|DIRECTION|RESULT_STATUS|DETECTION_MECHANISM|APPLICATION_PROTOCOL|NETWORK_PROTOCOL|``

+This data connector was developed using McAfee® Network Security Platform version: 10.1.x.

+## McAfee ePolicy Orchestrator

+Contact the provider for guidance on how to register a syslog server.

+## Microsoft Sysmon For Linux

+This data connector depends on ASIM parsers based on a Kusto Functions to work as expected. [Deploy the parsers](https://aka.ms/ASimSysmonForLinuxARM).

+The following functions are deployed:

+- vimFileEventLinuxSysmonFileCreated, vimFileEventLinuxSysmonFileDeleted

+- vimProcessCreateLinuxSysmon, vimProcessTerminateLinuxSysmon

+- vimNetworkSessionLinuxSysmon

+[Read more](https://aka.ms/AboutASIM)

+## Nasuni

+Follow the instructions in the [Nasuni Management Console Guide](https://view.highspot.com/viewer/629a633ae5b4caaf17018daa?iid=5e6fbfcbc7143309f69fcfcf) to configure Nasuni Edge Appliances to forward syslog events. Use the IP address or hostname of the Linux device running the Azure Monitor Agent in the Servers configuration field for the syslog settings.

+## OpenVPN

+Install the agent on the Server where the OpenVPN are forwarded.

+OpenVPN server logs are written into common syslog file (depending on the Linux distribution used: e.g. /var/log/messages).

+## Oracle Database Audit

+Complete the following steps.

+

+1. Create the Oracle database [Follow these steps.](/azure/virtual-machines/workloads/oracle/oracle-database-quick-create)

+1. Sign in to the Oracle database you created. [Follow these steps](https://docs.oracle.com/cd/F49540_01/DOC/server.815/a67772/create.htm).

+1. Enable unified logging over syslog by **Alter the system to enable unified logging** [Following these steps](https://docs.oracle.com/en/database/oracle/oracle-database/21/refrn/UNIFIED_AUDIT_COMMON_SYSTEMLOG.html#GUID-9F26BC8E-1397-4B0E-8A08-3B12E4F9ED3A).

+1. Create and **enable an Audit policy for unified auditing** [Follow these steps](https://docs.oracle.com/en/database/oracle/oracle-database/19/sqlrf/CREATE-AUDIT-POLICY-Unified-Auditing.html#GUID-8D6961FB-2E50-46F5-81F7-9AEA314FC693).

+1. **Enabling syslog and Event Viewer** Captures for the Unified Audit Trail [Follow these steps](https://docs.oracle.com/en/database/oracle/oracle-database/18/dbseg/administering-the-audit-trail.html#GUID-3EFB75DB-AE1C-44E6-B46E-30E5702B0FC4).

+## Pulse Connect Secure

+[Follow the instructions](https://help.ivanti.com/ps/help/en_US/PPS/9.1R13/ag/configuring_an_external_syslog_server.htm) to enable syslog streaming of Pulse Connect Secure logs. Use the IP address or hostname for the Linux device with the Linux agent installed as the **Destination IP** address.

+> [!NOTE]

+> The functionality of this data connector is reliant on a Kusto Function-based parser, which is integral to its operation. This parser is deployed as part of the solution installation.

+>

+> Update the parser and specify the hostname of the source machines transmitting the logs in the parser's second line.

+>

+> To access the function code within Log Analytics, navigate to the Log Analytics/Microsoft Sentinel Logs section, select Functions, and search for the alias **PulseConnectSecure**. Alternatively, directly load the [function code](https://aka.ms/sentinel-PulseConnectSecure-parser). It might take about 15 minutes post-installation to update.

+## RSA SecurID

+Complete the following steps to get RSA® SecurID Authentication Manager logs into Microsoft Sentinel.

+[Follow these instructions](https://community.rsa.com/t5/rsa-authentication-manager/configure-the-remote-syslog-host-for-real-time-log-monitoring/ta-p/571374) to forward alerts from the Manager to a syslog server.

+> [!NOTE]

+> The functionality of this data connector is reliant on a Kusto Function-based parser, which is integral to its operation. This parser is deployed as part of the solution installation.

+>

+> Update the parser and specify the hostname of the source machines transmitting the logs in the parser's second line.

+>

+> To access the function code within Log Analytics, navigate to the Log Analytics/Microsoft Sentinel Logs section, select Functions, and search for the alias **RSASecurIDAMEvent**. Alternatively, you can directly load the [function code](https://aka.ms/sentinel-rsasecuridam-parser). It might take about 15 minutes post-installation to update.

+This data connector was developed using RSA SecurID Authentication Manager version: 8.4 and 8.5

+## Sophos XG Firewall

+[Follow these instructions](https://doc.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/SystemServices/LogSettings/SyslogServerAdd/https://docsupdatetracker.net/index.html) to enable syslog streaming. Use the IP address or hostname for the Linux device with the Linux agent installed as the **Destination IP** address.

+> [!NOTE]

+> The functionality of this data connector is reliant on a Kusto Function-based parser, which is integral to its operation. This parser is deployed as part of the solution installation.

+>

+> Update the parser and specify the hostname of the source machines transmitting the logs in the parser's second line.

+> To access the function code within Log Analytics, navigate to the Log Analytics/Microsoft Sentinel Logs section, select Functions, and search for the alias **SophosXGFirewall**. Alternatively, directly load the [function code](https://aka.ms/sentinel-SophosXG-parser). It might take about 15 minutes post-installation to update.

+## Symantec Endpoint Protection

+[Follow these instructions](https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Monitoring-Reporting-and-Enforcing-Compliance/viewing-logs-v7522439-d37e464/exporting-data-to-a-syslog-server-v8442743-d15e1107.html) to configure the Symantec Endpoint Protection to forward syslog. Use the IP address or hostname for the Linux device with the Linux agent installed as the **Destination IP** address.

+> [!NOTE]

+> The functionality of this data connector is reliant on a Kusto Function-based parser, which is integral to its operation. This parser is deployed as part of the solution installation.

+>

+> Update the parser and specify the hostname of the source machines transmitting the logs in the parser's second line.

+> To access the function code within Log Analytics, navigate to the Log Analytics/Microsoft Sentinel Logs section, select Functions, and search for the alias **SymantecEndpointProtection**. Alternatively, you can directly load the [function code](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/Symantec%20Endpoint%20Protection/Parsers/SymantecEndpointProtection.yaml). It might take about 15 minutes post-installation to update.

+## Symantec ProxySG

+1. Sign in to the Blue Coat Management Console.

+1. Select **Configuration** > **Access Logging** > **Formats**.

+1. Select **New**.

+1. Enter a unique name in the **Format Name** field.

+1. Select the radio button for **Custom format string** and paste the following string into the field.

+ `` 1 $(date) $(time) $(time-taken) $(c-ip) $(cs-userdn) $(cs-auth-groups) $(x-exception-id) $(sc-filter-result) $(cs-categories) $(quot)$(cs(Referer))$(quot) $(sc-status) $(s-action) $(cs-method) $(quot)$(rs(Content-Type))$(quot) $(cs-uri-scheme) $(cs-host) $(cs-uri-port) $(cs-uri-path) $(cs-uri-query) $(cs-uri-extension) $(quot)$(cs(User-Agent))$(quot) $(s-ip) $(sr-bytes) $(rs-bytes) $(x-virus-id) $(x-bluecoat-application-name) $(x-bluecoat-application-operation) $(cs-uri-port) $(x-cs-client-ip-country) $(cs-threat-risk)``

+1. Select **OK**.

+1. Select **Apply**n.

+1. [Follow these instructions](https://knowledge.broadcom.com/external/article/166529/sending-access-logs-to-a-syslog-server.html) to enable syslog streaming of **Access** logs. Use the IP address or hostname for the Linux device with the Linux agent installed as the **Destination IP** address

+> [!NOTE]

+> The functionality of this data connector is reliant on a Kusto Function-based parser, which is integral to its operation. This parser is deployed as part of the solution installation.

+>

+> Update the parser and specify the hostname of the source machines transmitting the logs in the parser's second line.

+>

+> To access the function code within Log Analytics, navigate to the Log Analytics/Microsoft Sentinel Logs section, select Functions, and search for the alias **SymantecProxySG**. Alternatively, directly load the [function code](https://aka.ms/sentinel-SymantecProxySG-parser). It might take about 15 minutes post-installation to update.

+## Symantec VIP

+[Follow these instructions](https://aka.ms/sentinel-symantecvip-configurationsteps) to configure the Symantec VIP Enterprise Gateway to forward syslog. Use the IP address or hostname for the Linux device with the Linux agent installed as the **Destination IP** address.

+> [!NOTE]

+> The functionality of this data connector is reliant on a Kusto Function-based parser, which is integral to its operation. This parser is deployed as part of the solution installation.

+>

+> Update the parser and specify the hostname of the source machines transmitting the logs in the parser's second line.

+>

+> To access the function code within Log Analytics, navigate to the Log Analytics/Microsoft Sentinel Logs section, select Functions, and search for the alias **SymantecVIP**. Alternatively, directly load the [function code](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Symantec%20VIP/Parsers/SymantecVIP.txt). It might take about 15 minutes post-installation to update.

+## VMware ESXi

+1. Follow these instructions to configure the VMware ESXi to forward syslog:

+ - [VMware ESXi 3.5 and 4.x](https://kb.vmware.com/s/article/1016621)

+ - [VMware ESXi 5.0+](https://docs.vmware.com/en/VMware-vSphere/5.5/com.vmware.vsphere.monitoring.doc/GUID-9F67DB52-F469-451F-B6C8-DAE8D95976E7.html)

+1. Use the IP address or hostname for the Linux device with the Linux agent installed as the **Destination IP** address.

+> [!NOTE]

+> The functionality of this data connector is reliant on a Kusto Function-based parser, which is integral to its operation. This parser is deployed as part of the solution installation.

+>

+> Update the parser and specify the hostname of the source machines transmitting the logs in the parser's second line.

+>

+> To access the function code within Log Analytics, navigate to the Log Analytics/Microsoft Sentinel Logs section, select Functions, and search for the alias VMwareESXi. Alternatively, directly load the [function code](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/VMWareESXi/Parsers/VMwareESXi.yaml). It might take about 15 minutes post-installation to update.

+## WatchGuard Firebox

+[Follow these instructions](https://www.watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/General/Microsoft%20Azure%20Sentinel.html?#SetUptheFirebox) to send WatchGuard Firebox log data via syslog.

+## Related content

+- [Ingest syslog and CEF messages to Microsoft Sentinel with the Azure Monitor Agent](connect-cef-syslog-ama.md)

+- [Syslog via AMA and Common Event Format (CEF) via AMA connectors for Microsoft Sentinel](cef-syslog-ama-overview.md)

+## Diagnostic logging

+You can configure the diagnostic settings of your elastic SAN to send Azure platform logs and metrics to different destinations. Currently, there are two log configurations:

+- All - Every resource log offered by the resource.

+- Audit - All resource logs that record customer interactions with data or the settings of the service.

+Audit logs are an attempt by each resource provider to provide the most relevant audit data, but might not be considered sufficient from an auditing standards perspective.

+Available log categories:

+- Write Success Requests

+- Write Failed Requests

+- Read Success Requests

+- Read Failed Requests

+- Persistent Reservation Requests

+- SendTargets Requests

+# Azure Synapse Runtime for Apache Spark 3.2 (End of Support announced)

+Azure Synapse Analytics supports multiple runtimes for Apache Spark. This document will cover the runtime components and versions for the Azure Synapse Runtime for Apache Spark 3.2.

+> [!IMPORTANT]

+> * End of Support announced for Azure Synapse Runtime for Apache Spark 3.2 has been announced July 8, 2023.

+> * End of Support announced runtime will not have bug and feature fixes. Security fixes will be backported based on risk assessment.

+For guidance on migrating from older runtime versions to Azure Synapse Runtime for Apache Spark 3.3 or 3.4 please refer to [Runtime for Apache Spark Overview](./apache-spark-version-support.md).

+# About pre and post events (preview)

+The pre and post events (preview) in Azure Update Manager allow you to perform certain tasks automatically before and after a scheduled maintenance configuration. For more information on how to create schedule maintenance configurations, see [Schedule recurring updates for machines by using the Azure portal and Azure Policy](scheduled-patching.md). For example, using pre and post events, you can execute the following tasks on machines that are part of a schedule. The following list isn't exhaustive, and you can create pre and post events as per your need.

+

+## Sample tasks

+#### [Pre-events](#tab/preevent)

+|Notification email | Send a notification alert before triggering a patch. |

+|Stop services | Stop services like Gateway services, NPExServices, SQL services etc.|

+#### [Post-events](#tab/postevent)

+|Start services | Start services like SQL, health services etc. |

+## Schedule execution order with pre and post events

+For a given schedule, you can include a pre-event, post-event, or both. Additionally, you can have multiple pre and/or post-events. The sequence of execution for a schedule with pre and post events is as follows:

+1. **Pre-event** - Tasks that run before the schedule maintenance window begins. For example - Turn on the machines before patching.

+1. **Cancellation** - In this step, you can initiate the cancellation of the schedule run. Some scenarios where you might choose to cancel a schedule run include pre-event failures or pre-event didn't complete execution.

+ > [!NOTE]

+ > You must initiate cancellation as part of the pre-event; Azure Update Manager or maintenance configuration will not automatically cancel the schedule. If you fail to cancel, the schedule run will proceed with installing updates during the user-defined maintenance window.

+1. **Updates installation** - Updates are installed as part of the user-defined schedule maintenance window.

+1. **Post-event** - The post-event runs immediately after updates are installed. It occurs either within the maintenance window if update installation is complete and there's window left or outside the window if the maintenance window has ended. For example: Turn off the VMs post completion of the patching.

+ > [!NOTE]

+ > In Azure Update Manager, the pre-events run outside of the maintenance window and post events may run outside of the maintenance window. You must plan for this additional time required to complete the schedule execution on your machines.

+1. **Schedule status** - The success or failure status of a schedule run refers only to the update installation on the machines that are part of the schedule. The schedule run status doesn't include the pre and post event status. If pre-event has failed and you called the cancellation API, the schedule run status is displayed as **canceled**.

+

+ Azure Update Manager uses [Event Grid](../event-grid/overview.md) to create and manage pre and post events on scheduled maintenance configurations. In Event Grid, you can choose from event handlers such as Azure Webhooks, Azure Functions etc., to trigger your pre and post activity.

+ :::image type="content" source="./media/pre-post-scripts-overview/overview.png" alt-text="Screenshot that shows the sequence of execution for a schedule with pre and post." lightbox="./media/pre-post-scripts-overview/overview.png":::

+ > [!NOTE]

+ > If you're using Runbooks in pre and post events in Azure Automation Update management and plan to reuse them in Azure Update Manager, we recommend that you use Azure Webhooks linked to Automation Runbooks. [Learn more](tutorial-webhooks-using-runbooks.md).

+## Timeline of schedules for pre and post events

+We recommend you go through the following table to understand the timeline of the schedule for pre and post events.

+For example, if a maintenance schedule is set to start at **3:00 PM**, with the maintenance window of 3 hours and 55 minutes for **Guest** maintenance scope. The schedule has one pre-event and one post-event and following are the details:

+| **Time**| **Details** |

+|-|-|

+| 2:19 PM | Since the schedule run starts at 3:00 PM, you can modify the machines or scopes 40 mins before the start time (i.e) at 2:19 PM. </br> **Note** This applies if you're creating a new schedule or editing an existing schedule with a pre-event.

+| 2:20 PM - 2:30 PM | Since the pre-event gets triggered at least 30 mins prior, it can get triggered anytime between 2:20 PM to 2:30 PM. |

+| 2:30 PM - 2:50 PM | The pre-event runs from 2:30 PM to 2:50 PM. The pre-event must complete the tasks by 2:50 PM. </br> **Note** If you have more than one pre-event configured, all the events must run within 20 minutes. In case of multiple pre-events, all of them will execute independently of each other. You can customize as per your needs by defining the logic in the pre-events. For example, if you want two pre-events to run sequentially, you can include a delayed start time in your second pre-eventΓÇÖs logic. </br> If the pre-event continues to run beyond 20 mins or fails, you can choose to cancel the schedule run otherwise the patch installation proceeds irrespective of the pre-event run status.|

+| 2:50 PM | The latest time that can invoke the cancellation API is 2:50 PM. </br> **Note** If cancellation API fails to get invoked or hasn't been set up, the patch installation proceeds to run.|

+| 3:00 PM | The schedule run is triggered at 3:00 PM. |

+| 6:55 PM | At 6:55 PM, the schedule completes installing the updates during the 3 hours 55-mins maintenance window. </br> The post event triggers at 6:55 PM once the updates are installed. </br> **Note** If you have defined a shorter maintenance window of 2 hours, the post maintenance event will trigger after 2 hours and if the update installation is completed before the stipulated time of 2 hours (i.e) 1 hours 50 mins, the post event will start immediately.

+We recommend that you're watchful of the following:

+- If you're creating a new schedule or editing an existing schedule with a pre-event, you need at least 40 minutes prior to the start of maintenance window (3:00 PM in the above example) for the pre-event to run otherwise it leads to auto-cancellation of the current scheduled run.

+- Invoking a cancellation API from your script or code cancels the schedule run and not the entire schedule.

+- The status of the pre and post event run can be checked in the event handler you chose.

+- To learn on how to configure pre and post events or to cancel a schedule run, see [pre and post maintenance configuration events](manage-pre-post-events.md).

+

+description: Learn how to design and implement a disaster recovery plan for Azure Virtual Desktop to keep your organization up and running.

+# Azure Virtual Desktop business continuity and disaster recovery concepts

+Many users now work remotely, so organizations require solutions with high availability, rapid deployment speed, and reduced costs. Users also need to have a remote work environment with guaranteed availability and resiliency that lets them access their resources even during disasters.

+To prevent system outages or downtime, every system and component in your Azure Virtual Desktop deployment must be fault-tolerant. Fault tolerance is when you have a duplicate configuration or system in another Azure region that takes over for the main configuration during an outage. This secondary configuration or system reduces the impact of a localized outage. There are many ways you can set up fault tolerance, but this article focuses on the methods currently available in Azure for dealing with business continuity and disaster recovery (BCDR).

+Responsibility for components that make up Azure Virtual Desktop are divided between those components that are Microsoft-managed, and those components that are customer-managed, or partner managed.

+The following components are customer-managed or partner-managed:

+- Session host virtual machines

+- Profile management, usually with FSLogix

+- Applications

+- User data

+- User identities

+To learn about the Microsoft-managed components and how they're designed to be resilient, see [Azure Virtual Desktop service architecture and resilience](service-architecture-resilience.md).

+## Business continuity and disaster recovery basics

+- High availability: distributed infrastructure so smaller, more localized outages don't interrupt your entire deployment. Designing with high availability in mind can minimize outage impact and avoid the need for a full disaster recovery.

+Azure Virtual Desktop doesn't have any native features for managing disaster recovery scenarios, but you can use many other Azure services for each scenario depending on your requirements, such as [Availability sets](../virtual-machines/availability-set-overview.md), [availability zones](../availability-zones/az-region.md), Azure Site Recovery, and [Azure Files data redundancy](../storage/files/files-redundancy.md) options for user profiles and data.

+You can also distribute session hosts across multiple [Azure regions](../best-practices-availability-paired-regions.md) provides even more geographical distribution, which further reduces outage impact. All these and other Azure features provide a certain level of protection within Azure Virtual Desktop, and you should carefully consider them along with any cost implications.

+We have further documentation that goes into much more detail about each of the technology areas you need to consider as part of your business continuity and disaster recovery strategy and how to plan for and mitigate disruption to your organization based on your requirements. The following table lists the technology areas you need to consider as part of your disaster recovery strategy and links to other Microsoft documentation that provides guidance for each area:

+| Technology area | Documentation link |

+|--|--|

+| Active-passive vs active-active plans | [Active-Active vs. Active-Passive](/azure/architecture/example-scenario/azure-virtual-desktop/azure-virtual-desktop-multi-region-bcdr#active-active-vs-active-passive) |

+| Session host resiliency | [Multiregion Business Continuity and Disaster Recovery](/azure/architecture/example-scenario/azure-virtual-desktop/azure-virtual-desktop-multi-region-bcdr) |

+| Disaster recovery plans | [Multiregion Business Continuity and Disaster Recovery](/azure/architecture/example-scenario/azure-virtual-desktop/azure-virtual-desktop-multi-region-bcdr#architecture-diagrams) |

+| Azure Site Recovery | [Failover and failback](/azure/architecture/example-scenario/azure-virtual-desktop/azure-virtual-desktop-multi-region-bcdr#failover-and-failback) |

+| Network connectivity | [Multiregion Business Continuity and Disaster Recovery](/azure/architecture/example-scenario/azure-virtual-desktop/azure-virtual-desktop-multi-region-bcdr#prerequisites) |

+| User profiles | [Design recommendations](/azure/cloud-adoption-framework/scenarios/azure-virtual-desktop/eslz-business-continuity-and-disaster-recovery#design-recommendations) |

+| Files share storage | [Storage](/azure/architecture/example-scenario/azure-virtual-desktop/azure-virtual-desktop-multi-region-bcdr#storage) |

+| Identity provider | [Identity](/azure/architecture/example-scenario/azure-virtual-desktop/azure-virtual-desktop-multi-region-bcdr#identity) |

+| Backup | [Backup](/azure/architecture/example-scenario/azure-virtual-desktop/azure-virtual-desktop-multi-region-bcdr#backup) |

+## Related content

+- [Cloud Adoption Framework: Azure Virtual Desktop business continuity and disaster recovery documentation](/azure/cloud-adoption-framework/scenarios/wvd/eslz-business-continuity-and-disaster-recovery)

+- [Azure Architecture Center: Multiregion Business Continuity and Disaster Recovery (BCDR) for Azure Virtual Desktop](/azure/architecture/example-scenario/azure-virtual-desktop/azure-virtual-desktop-multi-region-bcdr)

+Using Azure Virtual Desktop Insights can help you understand your deployments of Azure Virtual Desktop. It can help with checks such as which client versions are connecting, opportunities for cost saving, or knowing if you have resource limitations or connectivity issues. If you make changes, you can continually validate that the changes have the intended effect, and iterate if needed. This article provides some use cases for Azure Virtual Desktop Insights and example scenarios using the Azure portal.

+- You need to have active sessions for a period of time before you can make informed decisions.

+There are several possibilities for why latency might be higher than anticipated for some users, such as a poor Wi-Fi connection, or issues with their Internet Service Provider (ISP). However, with a list of impacted users, you have the ability to proactively contact and attempt to resolve end-user experience problems by understanding their network connectivity.

+### Connection reliability

+The reliability of a connection can have a significant impact on the end-user experience. Azure Virtual Desktop Insights can help you understand disconnection events and correlations between errors that affect end users.

+Connection reliability provides two main views to help you understand the reliability of your connections:

+- A graph showing the number of disconnections over the concurrent connections in a given time range. This graph enables you to easily detect clusters of disconnects that are impacting connection reliability.

+- A table of the top 20 disconnection events, listing the top 20 specific time intervals where the most disconnections occurred. You can select a row in the table to highlight specific segments of the connection graph to view the disconnections that occurred at those specific time segments.

+You can also analyze connection errors by different pivots to determine the root cause of disconnects and improve connection reliability. Here are the available pivots:

+ | Pivot | Description |

+ |--|--|

+ | Subscription | Groups events by the subscription that contains related resources. When more than one subscription has Azure Virtual Desktop resources, it helps to determine whether issues are scoped to one or more subscriptions. |

+ | Resource group | Groups events by the resource group that contains related resources. |

+ | Host pool | Groups events by host pool. |

+ | Transport | Groups events by the network transport layer used for connections, either UDP or TCP.<br /><br />For UDP, valid values are `Relay`, `ShortpathPublic`, and `ShortpathPrivate`.<br /><br />For TCP, valid values are `NotUsed` and `<>` |

+ | Session host | Groups events by session host. |

+ | Session host IP/16 | Groups events by the IPv4 address of each session host, collated by the first two octets, for example (**1.2**.3.4). |

+ | Client type | Groups events by the client used to connect to a remote session, including platform and processor architecture of the connecting device. |

+ | Client version | Groups events by the version number of Windows App or the Remote Desktop app used to connect to a remote session. |

+ | Client IP/16 | Groups events by the IPv4 address of each client device connecting to a remote session, collated by the first two octets, for example (**1.2**.3.4). |

+ | Gateway region | Groups events by the Azure Virtual Desktop gateway region a client device connected through. For a list of gateway regions, see [Gateway region codes](insights-glossary.md#gateway-region-codes). |

+To view connection reliability information:

+1. Sign in to Azure Virtual Desktop Insights in the Azure portal by browsing to [https://aka.ms/avdi](https://aka.ms/avdi).

+1. From the drop-down lists, select one or more **subscriptions**, **resource groups**, **host pools**, and specify a **time range**, then select the **Connection Reliability** tab. The table and graph populate with the top 20 disconnection events and a graph of concurrent connections and disconnections over time.

+1. In the graph, review the number of disconnections (shown in red) over the count of concurrent connections (shown in green).

+ :::image type="content" source="media/insights-use-cases/insights-connection-reliability-top-20-table-graph-disconnects.png" alt-text="A screenshot showing the connection reliability tab of Azure Virtual Desktop Insights with the top 20 disconnection events table and concurrent connection graph with disconnects. " lightbox="media/insights-use-cases/insights-connection-reliability-top-20-table-graph-disconnects.png":::

+1. In the table, review the top 20 disconnection events. Select a row to highlight the specific time segment and neighboring time segments in the graph when the disconnections occurred.

+ :::image type="content" source="media/insights-use-cases/insights-connection-reliability-top-20-table-graph-disconnects-selection.png" alt-text="A screenshot showing the connection reliability tab of Azure Virtual Desktop Insights with the top 20 disconnection events table and concurrent connection graph with disconnects with an entry selected. " lightbox="media/insights-use-cases/insights-connection-reliability-top-20-table-graph-disconnects-selection.png":::

+1. When you select a row in the table, you can select one of the pivots to analyze the connection errors in further detail. You might need to scroll down to see all the relevant data available. By reviewing the connection errors across different pivots, you can look for commonalities of disconnections.

+ :::image type="content" source="media/insights-use-cases/insights-connection-reliability-pivots-events.png" alt-text="A screenshot showing the connection reliability tab of Azure Virtual Desktop Insights with list of pivoted events. " lightbox="media/insights-use-cases/insights-connection-reliability-pivots-events.png":::

+1. Select a specific time slice to view its details with the full list of connections in the time slice, their start and end dates, their duration, an indication of their success or failure, and the impacted user and session host.

+ :::image type="content" source="media/insights-use-cases/insights-connection-reliability-time-slice.png" alt-text="A screenshot showing the connection reliability tab of Azure Virtual Desktop Insights with the list of events for the time slice. " lightbox="media/insights-use-cases/insights-connection-reliability-time-slice.png":::

+1. To see the detailed history of a specific connection, select an entry in the **Details** section of a time slice. Selecting an entry generates a list of steps in the connection and any errors.

+ :::image type="content" source="media/insights-use-cases/insights-connection-reliability-connection-details.png" alt-text="A screenshot showing the connection reliability tab of Azure Virtual Desktop Insights with the details of a connection. " lightbox="media/insights-use-cases/insights-connection-reliability-connection-details.png":::

+ In this example, there are some periods of higher disk read times that correlate with the higher user input delay.

+1. Review the section for **Performance counters** to see a quick summary of any devices that crossed the specified thresholds for:

+A common source of issues for end-users of Azure Virtual Desktop is using older clients that might either be missing new or updated features, or contain known issues that are resolved with more recent versions. Azure Virtual Desktop Insights contains a list of the different clients in use, and identifying clients that might be out of date.

+ In the below example, the newest version of the Microsoft Remote Desktop Client for Windows (MSRDC) is 1.2.4487.0, and 993 users are currently using a version older. It also shows a count of connections and the number of days behind the latest version the older clients are.

+1. Review the **Session history** chart, which displays the number of active and idle (disconnected) sessions over time. Identify any periods of high activity, and periods of low activity from the peak user session count and the time period in which the peaks occur. If you find a regular, repeated pattern of activity, it usually implies there's a good opportunity to implement a scaling plan.

+ In this example, the graph shows the number of users sessions over the course of a week. Peaks occur at around midday on weekdays, and there's a noticeable lack of activity over the weekend. This pattern suggests that there's an opportunity to scale session hosts to meet demand during the week, and reduce the number of session hosts over the weekend.

+1. Use the drop-down lists to reduce the scope to a single host pool and repeat the analysis for **session history** and **session host count**. At this scope, you can identify patterns that are specific to the session hosts in a particular host pool to help develop a scaling plan for that host pool.

+1. [Create a scaling plan](autoscale-scaling-plan.md) based on the usage patterns you identify, then [assign the scaling plan to your host pool](autoscale-new-existing-host-pool.md).

+description: Learn how to enable screen capture protection in Azure Virtual Desktop (preview) to help prevent sensitive information from being captured on client devices.

+Screen capture protection, alongside [watermarking](watermarking.md), helps prevent sensitive information from being captured on client endpoints through a specific set of operating system (OS) features and Application Programming Interfaces (APIs). When you enable screen capture protection, remote content is automatically blocked in screenshots and screen sharing. You can configure screen capture protection using Microsoft Intune or Group Policy on your session hosts.

+- **Block screen capture on client**: the session host instructs a supported Remote Desktop client to enable screen capture protection for a remote session. This option prevents screen capture from the client of applications running in the remote session.

+- **Block screen capture on client and server**: the session host instructs a supported Remote Desktop client to enable screen capture protection for a remote session. This option prevents screen capture from the client of applications running in the remote session, but also prevents tools and services within the session host from capturing the screen.

+- Users must connect to Azure Virtual Desktop with Windows App or the Remote Desktop app to use screen capture protection. The following table shows supported scenarios. If a user tries to connect with a different app or version, the connection is denied and shows an error message with the code `0x1151`.

+ | App | Version | Desktop session | RemoteApp session |

+ | Windows App on Windows | Any | Yes | Yes. Client device OS must be Windows 11, version 22H2 or later. |

+ | Remote Desktop client on Windows | 1.2.1672 or later | Yes | Yes. Client device OS must be Windows 11, version 22H2 or later. |

+ | Windows App on macOS | Any | Yes | Yes |

+ | Remote Desktop client on macOS | 10.7.0 or later | Yes | Yes |

+- To configure Microsoft Intune, you need:

+ - Microsoft Entra ID account that is assigned the [Policy and Profile manager](/mem/intune/fundamentals/role-based-access-control-reference#policy-and-profile-manager) built-in RBAC role.

+ - A group containing the devices you want to configure.

+- To configure Group Policy, you need:

+ - A domain account that is a member of the **Domain Admins** security group.

+ - A security group or organizational unit (OU) containing the devices you want to configure.

+Screen capture protection is configured on session hosts and enforced by the client. Select the relevant tab for your scenario.

+# [Microsoft Intune](#tab/intune)

+To configure screen capture protection using Microsoft Intune:

+1. Sign in to the [Microsoft Intune admin center](https://endpoint.microsoft.com/).

+1. [Create or edit a configuration profile](/mem/intune/configuration/administrative-templates-windows) for **Windows 10 and later** devices, with the **Settings catalog** profile type.

+1. In the settings picker, browse to **Administrative templates** > **Windows Components** > **Remote Desktop Services** > **Remote Desktop Session Host** > **Azure Virtual Desktop**.

+ :::image type="content" source="media/administrative-template/azure-virtual-desktop-intune-settings-catalog.png" alt-text="A screenshot showing the Azure Virtual Desktop options in the Microsoft Intune portal." lightbox="media/administrative-template/azure-virtual-desktop-intune-settings-catalog.png":::

+1. Check the box for **Enable screen capture protection**, then close the settings picker.

+1. Expand the **Administrative templates** category, then toggle the switch for **Enable screen capture protection** to **Enabled**.

+ :::image type="content" source="media/screen-capture-protection/screen-capture-protection-intune.png" alt-text="A screenshot showing the screen capture protection settings in Microsoft Intune." lightbox="media/screen-capture-protection/screen-capture-protection-intune.png":::

+1. Toggle the switch for **Screen Capture Protection Options (Device)** to **off** for **Block screen capture on client**, or **on** for **Block screen capture on client and server** based on your requirements, then select **OK**.

+1. Select **Next**.

+1. *Optional*: On the **Scope tags** tab, select a scope tag to filter the profile. For more information about scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).

+1. On the **Assignments** tab, select the group containing the computers providing a remote session you want to configure, then select **Next**.

+1. On the **Review + create** tab, review the settings, then select **Create**.

+1. Once the policy applies to the computers providing a remote session, restart them for the settings to take effect.

+# [Group Policy](#tab/group-policy)

+To configure screen capture protection using Group Policy:

+1. Follow the steps to make the [Administrative template for Azure Virtual Desktop](administrative-template.md) available to Group Policy.

+1. Open the **Group Policy Management** console on device you use to manage the Active Directory domain.

+1. Create or edit a policy that targets the computers providing a remote session you want to configure.

+1. Navigate to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Remote Desktop Services** > **Remote Desktop Session Host** > **Azure Virtual Desktop**.

+ :::image type="content" source="media/administrative-template/azure-virtual-desktop-gpo.png" alt-text="A screenshot showing the Azure Virtual Desktop options in Group Policy." lightbox="media/administrative-template/azure-virtual-desktop-gpo.png":::

+1. Double-click the policy setting **Enable screen capture protection** to open it, then select **Enabled**.

+ :::image type="content" source="media/screen-capture-protection/screen-capture-protection-group-policy.png" alt-text="A screenshot showing the screen capture protection settings in Group Policy." lightbox="media/screen-capture-protection/screen-capture-protection-group-policy.png":::

+1. From the drop-down menu, select the screen capture protection scenario you want to use from **Block screen capture on client** or **Block screen capture on client and server** based on your requirements, then select **OK**.

+1. Ensure the policy is applied to the computers providing a remote session, then restart them for the settings to take effect.

+## Verify screen capture protection

+To verify screen capture protection is working:

+1. Connect to a remote session with a supported client.

+1. Take a screenshot or share your screen in a Teams call or meeting. The content should be blocked or hidden. Any existing sessions need to sign out and back in again for the change to take effect.

+## Related content

+- Enable [watermarking](watermarking.md), where admins can use a QR code to trace the session.

+- Learn about how to secure your Azure Virtual Desktop deployment at [Security best practices](security-guide.md).

+Microsoft Teams on Azure Virtual Desktop supports chat and collaboration. With media optimizations, it also supports calling and meeting functionality by redirecting it to the local device when using Windows App or the Remote Desktop client on a supported platform. You can still use Microsoft Teams on Azure Virtual Desktop with other clients without optimized calling and meetings. Teams chat and collaboration features are supported on all platforms.

+There are two versions of Teams, *Classic Teams* and *[New Teams](/microsoftteams/new-teams-desktop-admin)*, and you can use either with Azure Virtual Desktop. New Teams has with feature parity with Classic Teams, but improves performance, reliability, and security.

+To redirect calling and meeting functionality to the local device, Azure Virtual Desktop uses an extra component. This component is either *SlimCore* or the *WebRTC Redirector Service*. The option you use depends on the following:

+- New Teams can use either SlimCore or the WebRTC Redirector Service. SlimCore is available in preview and you need [to opt in to the preview](/microsoftteams/public-preview-doc-updates?tabs=new-teams-client) to use it. If you use SlimCore, you should also install the WebRTC Redirector Service. This allows a user to fall back to WebRTC, such as if they roam between different devices that don't support the new optimization architecture. For more information about SlimCore and how to opt into the preview, see [New VDI solution for Teams](/microsoftteams/vdi-2).

+- Classic Teams uses the WebRTC Redirector Service.

+Before you can use Microsoft Teams on Azure Virtual Desktop, you need:

+- Install the latest version of [Windows App](/windows-app/get-started-connect-devices-desktops-apps) or the [Remote Desktop client](./users/connect-windows.md) on Windows or macOS that meets the [hardware requirements for Microsoft Teams](/microsoftteams/hardware-requirements-for-the-teams-app#hardware-requirements-for-teams-on-a-windows-pc/).

+ SlimCore is available on Windows with the following apps and versions:

+

+ - Windows App for Windows, version 1.3.252 or later

+ - Remote Desktop client for Windows, version 1.2.5405.0 or later

+This section shows you how to install the Teams desktop app on your Windows 10 or 11 Enterprise multi-session or Windows 10 or 11 Enterprise VM image.

+To enable media optimization for Teams, set the following registry key on each session host:

+You need to install the WebRTC Redirector Service on each session host. You can install the [MSI file](https://aka.ms/msrdcwebrtcsvc/msi) using a management tool such [Configuration Manager](/mem/configmgr/apps/get-started/create-and-deploy-an-application), or manually.

+To install the WebRTC Redirector Service manually:

+> [!TIP]

+> If you want to use SlimCore, all of its required components come bundled with new Teams and Windows App or the Remote Desktop client.

+You can deploy the Teams desktop app per-machine or per-user. For session hosts in a pooled host pool, you need to install Teams per-machine. To install Teams on your session hosts follow the steps in the relevant article:

+1. Connect to a remote session.

+ If media optimizations loaded, the banner shows you **AVD SlimCore Media Optimized** or **AVD Media Optimized**. If the banner shows you **AVD Media not connected**, quit the Teams app and try again.

+ If media optimizations loaded, the audio devices and cameras available locally will be enumerated in the device menu. If the menu shows **Remote audio**, quit the Teams app and try again. If the devices still don't appear in the menu, check the Privacy settings on your local PC. Ensure the under **Settings** > **Privacy** > **App permissions - Microphone** the setting **"Allow apps to access your microphone"** is toggled **On**. Disconnect from the remote session, then reconnect and check the audio and video devices again. To join calls and meetings with video, you must also grant permission for apps to access your camera.

+ If media optimizations don't load, uninstall then reinstall Teams and check again.

+If you want to use certain optional features for Teams on Azure Virtual Desktop, you need to enable certain registry keys. The following instructions only apply to Windows client devices and session host VMs.

+Hardware encode lets you increase video quality for the outgoing camera during Teams calls. In order to enable this feature, your client needs to be running version 1.2.3213 or later of the [Windows Desktop client](whats-new-client-windows.md). You need to repeat the following instructions for every client device.

+description: Learn how to use the Guest Attestation extension to secure boot your virtual machine and how to handle traffic blocking.

+To help Azure Trusted Launch better prevent malicious rootkit attacks on virtual machines (VMs), guest attestation through an Azure Attestation endpoint is used to monitor the boot sequence integrity. This attestation is critical to provide the validity of a platform's states.

+Your [Trusted Launch VM](trusted-launch.md) needs Secure Boot and virtual Trusted Platform Module (vTPM) to be enabled so that the attestation extensions can be installed. Microsoft Defender for Cloud offers reports based on Guest Attestation verifying status and that the boot integrity of your VM is set up correctly. To learn more about Microsoft Defender for Cloud integration, see [Trusted Launch integration with Microsoft Defender for Cloud](trusted-launch.md#microsoft-defender-for-cloud-integration).

+> Automatic Extension Upgrade is now available for the Boot Integrity Monitoring - Guest Attestation extension. For more information, see [Automatic Extension Upgrade](automatic-extension-upgrade.md).

+You need an active Azure subscription and a Trusted Launch VM.

+To enable integrity monitoring, follow the steps in this section.

+1. Under **Settings**, select **Configuration**. On the **Security type** pane, select **Integrity monitoring**.

+ :::image type="content" source="media/trusted-launch/verify-integrity-boot-on.png" alt-text="Screenshot that shows Integrity monitoring selected.":::

+On the VM **Overview** page, the security type for integrity monitoring should appear as **Enabled**.

+This action installs the Guest Attestation extension, which you can refer to via the settings on the **Extensions + Applications** tab.

+You can deploy the Guest Attestation extension for Trusted Launch VMs by using a quickstart template.

+1. Create a VM with Trusted Launch that has Secure Boot and vTPM capabilities through initial deployment of a Trusted Launch VM. To deploy the Guest Attestation extension, use `--enable-integrity-monitoring`. As the VM owner, you can customize VM configuration by using `az vm create`.

+1. For existing VMs, you can enable boot integrity monitoring settings by updating to make sure that integrity monitoring is turned on. You can use `--enable-integrity-monitoring`.

+> The Guest Attestation extension must be configured explicitly.

+If Secure Boot and vTPM are set to **ON**, then boot integrity is also set to **ON**.

+1. Create a VM with Trusted Launch that has Secure Boot and vTPM capabilities through initial deployment of a Trusted Launch VM. As the VM owner, you can customize VM configuration.

+1. For existing VMs, you can enable boot integrity monitoring settings by updating. Make sure that both Secure Boot and vTPM are set to **ON**.

+For more information on creating or updating a VM to include boot integrity monitoring through the Guest Attestation extension, see [Deploy a VM with Trusted Launch enabled (PowerShell)](trusted-launch-portal.md#deploy-a-trusted-launch-vm).

+## Troubleshooting guide for Guest Attestation extension installation

+This section addresses attestation errors and solutions.

+The Azure Attestation extension won't work properly when you set up a network security group (NSG) or a proxy. An error appears that looks similar to "`Microsoft.Azure.Security.WindowsAttestation.GuestAttestation` provisioning failed."

+In Azure, NSGs are used to help filter network traffic between Azure resources. NSGs contain security rules that either allow or deny inbound network traffic, or outbound network traffic from several types of Azure resources. The Azure Attestation endpoint should be able to communicate with the Guest Attestation extension. Without this endpoint, Trusted Launch can't access guest attestation, which allows Microsoft Defender for Cloud to monitor the integrity of the boot sequence of your VMs.

+To unblock Azure Attestation traffic in NSGs by using service tags:

+1. Go to the VM that you want to allow outbound traffic.

+1. On the leftmost pane, under **Networking**, select **Networking settings**.

+1. Then select **Create port rule** > **Outbound port rule**.

+ :::image type="content" source="./media/trusted-launch/tvm-portrule.png" lightbox="./media/trusted-launch/tvm-portrule.png" alt-text="Screenshot that shows adding the Outbound port rule.":::

+1. To allow Azure Attestation, you make the destination a service tag. This setting allows for the range of IP addresses to update and automatically set rules that allow Azure Attestation. Set **Destination service tag** to **AzureAttestation** and set **Action** to **Allow**.

+ :::image type="content" source="media/trusted-launch/unblocking-NSG.png" alt-text="Screenshot that shows how to make the destination a service tag.":::

+Firewalls protect a virtual network, which contains multiple Trusted Launch VMs. To unblock Azure Attestation traffic in a firewall by using an application rule collection:

+1. Go to the Azure Firewall instance that has traffic blocked from the Trusted Launch VM resource.

+1. Under **Settings**, select **Rules (classic)** to begin unblocking guest attestation behind the firewall.

+1. Under **Network rule collection**, select **Add network rule collection**.

+ :::image type="content" source="./media/trusted-launch/firewall-network-rule-collection.png" lightbox="./media/trusted-launch/firewall-network-rule-collection.png" alt-text="Screenshot that shows adding an application rule.":::

+1. Configure the name, priority, source type, and destination ports based on your needs. Set **Service tag name** to **AzureAttestation** and set **Action** to **Allow**.

+To unblock Azure Attestation traffic in a firewall by using an application rule collection:

+1. Go to the Azure Firewall instance that has traffic blocked from the Trusted Launch VM resource.

+ :::image type="content" source="./media/trusted-launch/firewall-rule.png" lightbox="./media/trusted-launch/firewall-rule.png" alt-text="Screenshot that shows adding traffic for the application rule route.":::

+ The rules collection must contain at least one rule that targets fully qualified domain names (FQDNs).

+1. Select the application rule collection and add an application rule.

+1. Select a name and a numeric priority for your application rules. Set **Action** for the rule collection to **Allow**.

+ :::image type="content" source="./media/trusted-launch/firewall-application-rule.png" lightbox="./media/trusted-launch/firewall-application-rule.png" alt-text="Screenshot that shows adding the application rule route.":::

+1. Configure the name, source, and protocol. The source type is for a single IP address. Select the IP group to allow multiple IP addresses through the firewall.

+### Regional shared providers

+Azure Attestation provides a [regional shared provider](https://maainfo.azurewebsites.net/) in each available region. You can choose to use the regional shared provider for attestation or create your own providers with custom policies. Any Microsoft Entra user can access shared providers. The policy associated with it can't be changed.

+> [!NOTE]

+> You can configure the source type, service, destination port ranges, protocol, priority, and name.

+## Related content

+Learn more about [Trusted Launch](trusted-launch.md) and [deploying a Trusted Launch VM](trusted-launch-portal.md).

+ Invoke-AzVMRunCommand -ResourceGroupName 'myResourceGroup' -VMName 'myVM' -CommandId 'RunShellScript' -ScriptString

+ Title: Explore Azure Hybrid Benefit for Linux virtual machines

+You can create the base Azure Debian cloud image with the [fully automatic installation (FAI) cloud image builder](https://salsa.debian.org/cloud-team/debian-cloud-images). To prepare an image without FAI, check out the [generic steps article](./create-upload-generic.md).

+Then proceed to [Step 6: Assign role](../../role-based-access-control/role-assignments-portal.yml#step-7-assign-role) to assign the role.

+ > [!WARNING]

+ > Many 'v5' and newer VM sizes require Accelerated Networking. If it isn't enabled, NetworkManager will assign the same IP address to all virtual function interfaces. To prevent duplicate IP addresses, make sure to include this udev rule when migrating to a newer size.

+ Title: Enable Trusted Launch on existing VMs

+description: Learn how to enable Trusted Launch on existing Azure virtual machines (VMs).

+# Enable Trusted Launch on existing Azure VMs

+Azure Virtual Machines supports enabling Azure Trusted Launch on existing [Azure Generation 2](generation-2.md) virtual machines (VMs) by upgrading to the [Trusted Launch](trusted-launch.md) security type.

+[Trusted Launch](trusted-launch.md) is a way to enable foundational compute security on [Azure Generation 2 VMs](generation-2.md) VMs and protects against advanced and persistent attack techniques like boot kits and rootkits. It does so by combining infrastructure technologies like Secure Boot, virtual Trusted Platform Module (vTPM), and boot integrity monitoring on your VM.

+> Support for *enabling Trusted Launch on existing Azure Generation 1 VMs* is currently in private preview. You can gain access to preview by using the [registration form](https://aka.ms/Gen1ToTLUpgrade).

+ - [Trusted Launch supported size family](trusted-launch.md#virtual-machines-sizes).

+ - [Trusted Launch supported operating system (OS) image](trusted-launch.md#operating-systems-supported). For custom OS images or disks, the base image should be *Trusted Launch capable*.

+- Azure Generation 2 VM isn't using [features currently not supported with Trusted Launch](trusted-launch.md#unsupported-features).

+- Azure Generation 2 VMs should be *stopped and deallocated* before you enable the Trusted Launch security type.

+- Azure Backup, if enabled, for VMs should be configured with the [Enhanced Backup policy](../backup/backup-azure-vms-enhanced-policy.md). The Trusted Launch security type can't be enabled for Generation 2 VMs configured with *Standard policy* backup protection.

+ - Existing Azure VM backup can be migrated from the *Standard* to the *Enhanced* policy. Follow the steps in [Migrate Azure VM backups from Standard to Enhanced policy (preview)](../backup/backup-azure-vm-migrate-enhanced-policy.md).

+- Enable Trusted Launch on a test Generation 2 VM and determine if any changes are required to meet the prerequisites before you enable Trusted Launch on Generation 2 VMs associated with production workloads.

+- [Create restore points](create-restore-points.md) for Azure Generation 2 VMs associated with production workloads before you enable the Trusted Launch security type. You can use the restore points to re-create the disks and Generation 2 VM with the previous well-known state.

+## Enable Trusted Launch on an existing VM

+> - After you enable Trusted Launch, currently VMs can't be rolled back to the Standard security type (non-Trusted Launch configuration).

+> - vTPM is enabled by default.

+> - We recommend that you enable Secure Boot, if you aren't using custom unsigned kernel or drivers. It's not enabled by default. Secure Boot preserves boot integrity and enables foundational security for VMs.

+Enable Trusted Launch on an existing Azure Generation 2 VM by using the Azure portal.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Confirm that the VM generation is **V2** and select **Stop** for the VM.

+ :::image type="content" source="./media/trusted-launch/02-generation-2-to-trusted-launch-stop-vm.png" alt-text="Screenshot that shows the Gen2 VM to be deallocated.":::

+1. On the **Overview** page in the VM properties, under **Security type**, select **Standard**. The **Configuration** page for the VM opens.

+ :::image type="content" source="./media/trusted-launch/03-generation-2-to-trusted-launch-click-standard.png" alt-text="Screenshot that shows the Security type as Standard.":::

+1. On the **Configuration** page, under the **Security type** section, select the **Security type** dropdown list.

+ :::image type="content" source="./media/trusted-launch/04-generation-2-to-trusted-launch-select-dropdown.png" alt-text="Screenshot that shows the Security type dropdown list.":::

+1. Under the dropdown list, select **Trusted launch**. Select checkboxes to enable **Secure Boot** and **vTPM**. After you make the changes, select **Save**.

+ > - Generation 2 VMs created by using [Azure Compute Gallery (ACG)](azure-compute-gallery.md), [Managed image](capture-image-resource.yml), or an [OS disk](./scripts/create-vm-from-managed-os-disks.md) can't be upgraded to Trusted Launch by using the portal. Ensure that the [OS version is supported for Trusted Launch](trusted-launch.md#operating-systems-supported). Use PowerShell, the Azure CLI, or an Azure Resource Manager template (ARM template) to run the upgrade.

+ :::image type="content" source="./media/trusted-launch/05-generation-2-to-trusted-launch-select-uefi-settings.png" alt-text="Screenshot that shows the Secure Boot and vTPM settings.":::

+1. After the update successfully finishes, close the **Configuration** page. On the **Overview** page in the VM properties, confirm the **Security type** settings.

+ :::image type="content" source="./media/trusted-launch/06-generation-2-to-trusted-launch-validate-uefi.png" alt-text="Screenshot that shows the Trusted Launch upgraded VM.":::

+1. Start the upgraded Trusted Launch VM. Verify that you can sign in to the VM by using either the Remote Desktop Protocol (RDP) for Windows VMs or the Secure Shell Protocol (SSH) for Linux VMs.

+Follow the steps to enable Trusted Launch on an existing Azure Generation 2 VM by using the Azure CLI.

+Make sure that you install the latest [Azure CLI](/cli/azure/install-az-cli2) and are signed in to an Azure account with [az login](/cli/azure/reference-index).

+1. Sign in to the VM Azure subscription.

+1. Deallocate the VM.

+1. Enable Trusted Launch by setting `--security-type` to `TrustedLaunch`.

+1. Validate the output of the previous command. Ensure that the `securityProfile` configuration is returned with the command output.

+1. Validate the output of the previous command. Ensure that the `securityProfile` configuration is returned with the command output.

+1. Start the VM.

+1. Start the upgraded Trusted Launch VM. Verify that you can sign in to the VM by using either RDP (for Windows VMs) or SSH (for Linux VMs).

+Follow the steps to enable Trusted Launch on an existing Azure Generation 2 VM by using Azure PowerShell.

+Make sure that you install the latest [Azure PowerShell](/powershell/azure/install-azps-windows) and are signed in to an Azure account with [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount).

+1. Sign in to the VM Azure subscription.

+1. Deallocate the VM.

+1. Enable Trusted Launch by setting `-SecurityType` to `TrustedLaunch`.

+1. Validate `securityProfile` in the updated VM configuration.

+1. Start the VM.

+1. Start the upgraded Trusted Launch VM. Verify that you can sign in to the VM by using either RDP (for Windows VMs) or SSH (for Linux VMs).

+Follow the steps to enable Trusted Launch on an existing Azure Generation 2 VM by using an ARM template.

+1. Edit the `parameters` JSON file with VMs to be updated with the `TrustedLaunch` security type.

+ Property | Description of property | Example template value

+ vmName | Name of Azure Generation 2 VM. | `myVm`

+ location | Location of Azure Generation 2 VM. | `westus3`

+ secureBootEnabled | Enable Secure Boot with the Trusted Launch security type. | `true`

+1. Deallocate all Azure Generation 2 VMs to be updated.

+1. Run the ARM template deployment.

+ :::image type="content" source="./media/trusted-launch/generation-2-trusted-launch-settings.png" alt-text="Screenshot that shows the Trusted Launch properties of the VM.":::

+ :::image type="content" source="./media/trusted-launch/generation-2-trusted-launch-settings.png" alt-text="Screenshot that shows the Trusted Launch properties of the VM.":::

+1. Start the upgraded Trusted Launch VM. Verify that you can sign in to the VM by using either RDP (for Windows VMs) or SSH (for Linux VMs).

+## Related content

+- After the upgrades, we recommend that you enable [boot integrity monitoring](trusted-launch.md#microsoft-defender-for-cloud-integration) to monitor the health of the VM by using Microsoft Defender for Cloud.

+- Learn more about [Trusted Launch](trusted-launch.md) and review [frequently asked questions](trusted-launch-faq.md).

+> This article references CentOS, a Linux distribution that's nearing end-of-life (EOL) status. Consider your use and plan accordingly. For more information, see the [CentOS EOL guidance](~/articles/virtual-machines/workloads/centos/centos-end-of-life.md).

+Frequently asked questions (FAQs) about Azure Trusted Launch feature use cases, support for other Azure features, and fixes for common errors.

+This section answers questions about use cases for Trusted Launch.

+### Why should I use Trusted Launch? What does Trusted Launch guard against?

+Trusted Launch guards against boot kits, rootkits, and kernel-level malware. These sophisticated types of malware run in kernel mode and remain hidden from users. For example:

+- **Firmware rootkits**: These kits overwrite the firmware of the virtual machine (VM) BIOS, so the rootkit can start before the operating system (OS).

+- **Boot kits**: These kits replace the OS's bootloader so that the VM loads the boot kit before the OS.

+- **Kernel rootkits**: These kits replace a portion of the OS kernel, so the rootkit can start automatically when the OS loads.

+- **Driver rootkits**: These kits pretend to be one of the trusted drivers that the OS uses to communicate with the VM's components.

+### How does Trusted Launch compare to Hyper-V Shielded VM?

+Hyper-V Shielded VM is currently available on Hyper-V only. [Hyper-V Shielded VM](/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms) is typically deployed with Guarded Fabric. A Guarded Fabric consists of a Host Guardian Service (HGS), one or more guarded hosts, and a set of Shielded VMs. Hyper-V Shielded VMs are used in fabrics where the data and state of the VM must be protected from various actors. These actors are both fabric administrators and untrusted software that might be running on the Hyper-V hosts.

+Trusted Launch, on the other hand, can be deployed as a standalone VM or as virtual machine scale sets on Azure without other deployment and management of HGS. All of the Trusted Launch features can be enabled with a simple change in deployment code or a checkbox on the Azure portal.

+### Can I disable Trusted Launch for a new VM deployment?

+Trusted Launch VMs provide you with foundational compute security. We recommend that you don't disable them for new VM or virtual machine scale set deployments except if your deployments have dependency on:

+- [A VM size currently not supported](trusted-launch.md#virtual-machines-sizes)

+- [Unsupported features with Trusted Launch](trusted-launch.md#unsupported-features)

+- [An OS that doesn't support Trusted Launch](trusted-launch.md#operating-systems-supported)

+You can use the `securityType` parameter with the `Standard` value to disable Trusted Launch in new VM or virtual machine scale set deployments by using Azure PowerShell (v10.3.0+) and the Azure CLI (v2.53.0+).

+> [!NOTE]

+> We don't recommend disabling Secure Boot unless you're using custom unsigned kernel or drivers.

+If you need to disable Secure Boot, under the VM's configuration, clear the **Enable Secure Boot** option.

+This section discusses Trusted Launch supported features and deployments.

+### Is Azure Compute Gallery supported by Trusted Launch?

+Trusted Launch now allows images to be created and shared through the [Azure Compute Gallery](trusted-launch-portal.md#trusted-launch-vm-supported-images) (formerly Shared Image Gallery). The image source can be:

+- An existing Azure VM that is either generalized or specialized.

+- An existing managed disk or a snapshot.

+- A VHD or an image version from another gallery.

+For more information about deploying a Trusted Launch VM by using the Azure Compute Gallery, see [Deploy Trusted Launch VMs](trusted-launch-portal.md#deploy-a-trusted-launch-vm-from-an-azure-compute-gallery-image).

+### Is Azure Backup supported by Trusted Launch?

+Trusted Launch now supports Azure Backup. For more information, see [Support matrix for Azure VM backup](../backup/backup-support-matrix-iaas.md#vm-compute-support).

+### Will Azure Backup continue working after I enable Trusted Launch?

+Backups configured with the [Enhanced policy](../backup/backup-azure-vms-enhanced-policy.md) continue to take backups of VMs after you enable Trusted Launch.

+### Are ephemeral OS disks supported by Trusted Launch?

+Trusted Launch supports ephemeral OS disks. For more information, see [Trusted Launch for ephemeral OS disks](ephemeral-os-disks.md#trusted-launch-for-ephemeral-os-disks).

+> When you use ephemeral disks for Trusted Launch VMs, keys and secrets generated or sealed by the virtual Trusted Platform Module (vTPM) after the creation of the VM might not be persisted across operations like reimaging and platform events like service healing.

+### Can a VM be restored by using backups taken before Trusted Launch was enabled?

+Backups taken before you [upgrade an existing Generation 2 VM to Trusted Launch](trusted-launch-existing-vm.md) can be used to restore the entire VM or individual data disks. They can't be used to restore or replace the OS disk only.

+### How can I find VM sizes that support Trusted Launch?

+See the list of [Generation 2 VM sizes that support Trusted Launch](trusted-launch.md#virtual-machines-sizes).

+Use the following commands to check if a [Generation 2 VM size](../virtual-machines/generation-2.md#generation-2-vm-sizes) doesn't support Trusted Launch.

+The response is similar to the following form. Output that includes `TrustedLaunchDisabled True` indicates that the Generation 2 VM size doesn't support Trusted Launch. If it's a Generation 2 VM size and `TrustedLaunchDisabled` isn't part of the output, Trusted Launch is supported for that VM size.

+### How can I validate that my OS image supports Trusted Launch?

+See the list of [OS versions supported with Trusted Launch](trusted-launch.md#operating-systems-supported).

+#### Marketplace OS images

+Use the following commands to check if an Azure Marketplace OS image supports Trusted Launch.

+The response is similar to the following form. If `hyperVGeneration` is `v2` and `SecurityType` contains `TrustedLaunch` in the output, the Generation 2 OS image supports Trusted Launch.

+You can use the output of the command with [Virtual machines - Get API](/rest/api/compute/virtual-machine-images/get). The response is similar to the following form. If `hyperVGeneration` is `v2` and `SecurityType` contains `TrustedLaunch` in the output, the Generation 2 OS image supports Trusted Launch.

+#### Azure Compute Gallery OS image

+Use the following commands to check if an [Azure Compute Gallery](trusted-launch-portal.md#trusted-launch-vm-supported-images) OS image supports Trusted Launch.

+The response is similar to the following form. If `hyperVGeneration` is `v2` and `SecurityType` contains `TrustedLaunch` in the output, the Generation 2 OS image supports Trusted Launch.

+The response is similar to the following form. If `hyperVGeneration` is `v2` and `SecurityType` contains `TrustedLaunch` in the output, the Generation 2 OS image supports Trusted Launch.

+### How do external communication drivers work with Trusted Launch VMs?

+Adding COM ports requires that you disable Secure Boot. COM ports are disabled by default in Trusted Launch VMs.

+This section answers questions about specific states, boot types, and common boot issues.

+### What is VM Guest State (VMGS)?

+VM Guest State (VMGS) is specific to Trusted Launch VMs. It's a blob managed by Azure and contains the unified extensible firmware interface (UEFI) Secure Boot signature databases and other security information. The lifecycle of the VMGS blob is tied to that of the OS disk.

+### What are the differences between Secure Boot and measured boot?

+In a Secure Boot chain, each step in the boot process checks a cryptographic signature of the subsequent steps. For example, the BIOS checks a signature on the loader, and the loader checks signatures on all the kernel objects that it loads, and so on. If any of the objects are compromised, the signature doesn't match and the VM doesn't boot. For more information, see [Secure Boot](/windows-hardware/design/device-experiences/oem-secure-boot).

+### Why is the Trusted Launch VM not booting correctly?

+If unsigned components are detected from the UEFI (guest firmware), bootloader, OS, or boot drivers, a Trusted Launch VM won't boot. The [Secure Boot](/windows-server/virtualization/hyper-v/learn-more/generation-2-virtual-machine-security-settings-for-hyper-v#secure-boot-setting-in-hyper-v-manager) setting in the Trusted Launch VM fails to boot if unsigned or untrusted boot components are encountered during the boot process and reports as a Secure Boot failure.

+

+> Trusted Launch VMs that are created directly from an Azure Marketplace image should not encounter Secure Boot failures. Azure Compute Gallery images with an original image source of Azure Marketplace and snapshots created from Trusted Launch VMs should also not encounter these errors.

+When a VM becomes unavailable from a Secure Boot failure, "no-boot" means that VM has an OS component that's signed by a trusted authority, which blocks booting a Trusted Launch VM. On VM deployment, you might see information from resource health within the Azure portal stating that there's a validation error in Secure Boot.

+To access resource health from the VM configuration page, go to **Resource Health** under the **Help** pane.