+Before you get started with Application Proxy Complex application scenario apps, make sure your environment is ready with the following settings and configurations:

+| Swissbit | ![n] | ![y]| ![y]| ![n]| ![n] | https://www.swissbit.com/en/products/ishield-fido2/ |

+description: Learn how to configure and enable users to register Passwordless authentication methods by using a Temporary Access Pass

+# Configure Temporary Access Pass in Azure AD to register Passwordless authentication methods

+A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello.

+Before anyone can sign-in with a Temporary Access Pass, you need to enable Temporary Access Pass in the authentication method policy and choose which users and groups can sign in by using a Temporary Access Pass.

+1. Sign in to the Azure portal as a Global admin or Authentication Policy admin and click **Azure Active Directory** > **Security** > **Authentication methods** > **Temporary Access Pass**.

+

+1. Set Enable to **Yes** to enable the policy, select which users have the policy applied.

+

+1. (Optional) Click **Configure** and modify the default Temporary Access Pass settings, such as setting maximum lifetime, or length.

+

+1. Click **Save** to apply the policy.

+ | Maximum lifetime | 8 hours | 10 ΓÇô 43200 Minutes (30 days) | Maximum number of minutes that the Temporary Access Pass is valid. |

+1. Below **Choose method**, click **Temporary Access Pass**.

+ 

+ 

+$properties.startDateTime = '2022-05-23 06:00:00'

+c5dbd20a-8b8f-4791-a23f-488fcbde3b38 5/22/2022 11:19:17 PM False True 60 NotYetValid 23/05/2022 6:00:00 AM TAPRocks!

+c5dbd20a-8b8f-4791-a23f-488fcbde3b38 5/22/2022 11:19:17 PM False True 60 NotYetValid 23/05/2022 6:00:00 AM

+The most common use for a Temporary Access Pass is for a user to register authentication details during the first sign-in or device setup, without the need to complete additional security prompts. Authentication methods are registered at [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo). Users can also update existing authentication methods here.

+ 

+### User management of Temporary Access Pass

+Users managing their security information at [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo) will see an entry for the Temporary Access Pass. If a user does not have any other registered methods they will be presented a banner at the top of the screen requesting them to add a new sign-in method. Users can additionally view the TAP expiration time, and delete the TAP if no longer needed.

+

+### Windows device setup

+Users with a Temporary Access Pass can navigate the setup process on Windows 10 and 11 to perform device join operations and configure Windows Hello For Business. Temporary Access Pass usage for setting up Windows Hello for Business varies based on the devices joined state:

+- During Azure AD Join setup, users can authenticate with a TAP (no password required) and setup Windows Hello for Business.

+- On already Azure AD Joined devices, users must first authenticate with another method such as a password, smartcard or FIDO2 key, before using TAP to setup Windows Hello for Business.

+- On Hybrid Azure AD Joined devices, users must first authenticate with another method such as a password, smartcard or FIDO2 key, before using TAP to setup Windows Hello for Business.

+

+

+1. On the right-hand side of the **Temporary Access Pass** authentication method shown in the list, select **Delete**.

+ - If the existing Temporary Access Pass is valid, the admin can create a new Temporary Access Pass which will override the existing valid Temporary Access Pass.

+- A Temporary Access Pass cannot be used with the Network Policy Server (NPS) extension and Active Directory Federation Services (AD FS) adapter.

+ Title: Frequently asked questions (FAQs) about Permissions Management

+description: Frequently asked questions (FAQs) about Permissions Management.

+> Entra Permissions Management is currently in PREVIEW.

+> The Permissions Management PREVIEW is currently not available for tenants hosted in the European Union (EU).

+This article answers frequently asked questions (FAQs) about Permissions Management.

+## What's Permissions Management?

+Permissions Management is a cloud infrastructure entitlement management (CIEM) solution that provides comprehensive visibility into permissions assigned to all identities. For example, over-privileged workload and user identities, actions, and resources across multi-cloud infrastructures in Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP). Permissions Management detects, automatically right-sizes, and continuously monitors unused and excessive permissions. It deepens the Zero Trust security strategy by augmenting the least privilege access principle.

+## What are the prerequisites to use Permissions Management?

+Permissions Management supports data collection from AWS, GCP, and/or Microsoft Azure. For data collection and analysis, customers are required to have an Azure Active Directory (Azure AD) account to use Permissions Management.

+## Can a customer use Permissions Management if they have other identities with access to their IaaS platform that aren't yet in Azure AD (for example, if part of their business has Okta or AWS Identity & Access Management (IAM))?

+## Where can customers access Permissions Management?

+Customers can access the Permissions Management interface with a link from the Azure AD extension in the Azure portal.

+## Can non-cloud customers use Permissions Management on-premises?

+No, Permissions Management is a hosted cloud offering.

+## Can non-Azure customers use Permissions Management?

+Yes, non-Azure customers can use our solution. Permissions Management is a multi-cloud solution so even customers who have no subscription to Azure can benefit from it.

+## Is Permissions Management available for tenants hosted in the European Union (EU)?

+No, the Permissions Management Permissions Management PREVIEW is currently not available for tenants hosted in the European Union (EU).

+## If I'm already using Azure AD Privileged Identity Management (PIM) for Azure, what value does Permissions Management provide?

+Permissions Management complements Azure AD PIM. Azure AD PIM provides just-in-time access for admin roles in Azure (as well as Microsoft Online Services and apps that use groups), while Permissions Management allows multi-cloud discovery, remediation, and monitoring of privileged access across Azure, AWS, and GCP.

+## What languages does Permissions Management support?

+Permissions Management currently supports English.

+## What public cloud infrastructures are supported by Permissions Management?

+Permissions Management currently supports the three major public clouds: Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.

+## Does Permissions Management support hybrid environments?

+Permissions Management currently doesn't support hybrid environments.

+## What types of identities are supported by Permissions Management?

+Permissions Management supports user identities (for example, employees, customers, external partners) and workload identities (for example, virtual machines, containers, web apps, serverless functions).

+<!## Is Permissions Management General Data Protection Regulation (GDPR) compliant?

+Permissions Management is currently not GDPR compliant.>

+## Is Permissions Management available in Government Cloud?

+No, Permissions Management is currently not available in Government clouds.

+## Is Permissions Management available for sovereign clouds?

+No, Permissions Management is currently not available in sovereign Clouds.

+## How does Permissions Management collect insights about permissions usage?

+Permissions Management has a data collector that collects access permissions assigned to various identities, activity logs, and resources metadata. This gathers full visibility into permissions granted to all identities to access the resources and details on usage of granted permissions.

+## How does Permissions Management evaluate cloud permissions risk?

+Permissions Management offers granular visibility into all identities and their permissions granted versus used, across cloud infrastructures to uncover any action performed by any identity on any resource. This isn't limited to just user identities, but also workload identities such as virtual machines, access keys, containers, and scripts. The dashboard gives an overview of permission profile to locate the riskiest identities and resources.

+## How can customers use Permissions Management to delete unused or excessive permissions?

+Permissions Management allows users to right-size excessive permissions and automate least privilege policy enforcement with just a few clicks. The solution continuously analyzes historical permission usage data for each identity and gives customers the ability to right-size permissions of that identity to only the permissions that are being used for day-to-day operations. All unused and other risky permissions can be automatically removed.

+## How can customers grant permissions on-demand with Permissions Management?

+## How can customers monitor permissions usage with Permissions Management?

+Customers only need to track the evolution of their Permission Creep Index to monitor permissions usage. They can do this in the "Analytics" tab in their Permissions Management dashboard where they can see how the PCI of each identity or resource is evolving over time.

+Yes, Permissions Management has various types of system report available that capture specific data sets. These reports allow customers to:

+## Does Permissions Management integrate with third-party ITSM (Information Technology Security Management) tools?

+Permissions Management integrates with ServiceNow.

+## How is Permissions Management being deployed?

+Customers with Global Admin role have first to onboard Permissions Management on their Azure AD tenant, and then onboard their AWS accounts, GCP projects, and Azure subscriptions. More details about onboarding can be found in our product documentation.

+## How long does it take to deploy Permissions Management?

+## Once Permissions Management is deployed, how fast can I get permissions insights?

+## Is Permissions Management collecting and storing sensitive personal data?

+No, Permissions Management doesn't have access to sensitive personal data.

+## Where can I find more information about Permissions Management?

+- [Permissions Management web page](https://microsoft.com/security/business/identity-access-management/permissions-management)

+- For an overview of Permissions Management, see [What's Permissions Management Permissions Management?](overview.md).

+- For information on how to onboard Permissions Management in your organization, see [Enable Permissions Management in your organization](onboard-enable-tenant.md).

+ codeVerifier: verifier, // PKCE Code Verifier

+- `user.city -contains "ago"`

+- `user.city -startswith "Lag"`

+1. On the Configuration tab, enter the following information:

+| where ResourceDisplayName == "Device Registration Service"

+| where conditionalAccessStatus == "success"

+| where AuthenticationRequirement <> "multiFactorAuthentication"

+| Sign-ins by non-compliant devices| High| Sign-in logs| DeviceDetail.isCompliant == false| If requiring sign-in from compliant devices, alert when:<br><li> any sign in by non-compliant devices.<li> any access without MFA or a trusted location.<p>If working toward requiring devices, monitor for suspicious sign-ins.<br>[Azure Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuspiciousSignintoPrivilegedAccount.yaml) |

+| where DeviceDetail.isCompliant == false

+| where conditionalAccessStatus == "success"

+| Key retrieval| Medium| Audit logs| OperationName == "Read BitLocker key"| Look for <br><li>key retrieval`<li> other anomalous behavior by users retrieving keys. |

+| where OperationName == "Read BitLocker key"

+## May 2022

+### New articles

+- [My Apps portal overview](myapps-overview.md)

+### Updated articles

+- [Tutorial: Configure Datawiza with Azure Active Directory for secure hybrid access](datawiza-with-azure-ad.md)

+- [Tutorial: Manage certificates for federated single sign-on](tutorial-manage-certificates-for-federated-single-sign-on.md)

+- [Tutorial: Migrate Okta federation to Azure Active Directory-managed authentication](migrate-okta-federation-to-azure-active-directory.md)

+- [Tutorial: Migrate Okta sync provisioning to Azure AD Connect-based synchronization](migrate-okta-sync-provisioning-to-azure-active-directory.md)

+ Title: Configure security alerts for Azure roles in Privileged Identity Management - Azure Active Directory | Microsoft Docs

+# Configure security alerts for Azure roles in Privileged Identity Management

+Alert | Severity | Trigger | Recommendation

+ | | |

+**Too many owners assigned to a resource** | Medium | Too many users have the owner role. | Review the users in the list and reassign some to less privileged roles.

+**Too many permanent owners assigned to a resource** | Medium | Too many users are permanently assigned to a role. | Review the users in the list and re-assign some to require activation for role use.

+**Duplicate role created** | Medium | Multiple roles have the same criteria. | Use only one of these roles.

+**Roles are being assigned outside of Privileged Identity Management (Preview)** | High | A role is managed directly through the Azure IAM resource blade or the Azure Resource Manager API | Review the users in the list and remove them from privileged roles assigned outside of Privilege Identity Management.

+> [!NOTE]

+> During the public preview of the **Roles are being assigned outside of Privileged Identity Management (Preview)** alert, Microsoft supports only permissions that are assigned at the subscription level.

+1. Click on your workspace in the top left hand corner of the screen and select **Settings** in the dropdown menu.

+ [](media/blinq-provisioning-tutorial/blinq-settings.png#lightbox)

+ [](media/blinq-provisioning-tutorial/blinq-integrations-page.png#lightbox)

+> [!NOTE]

+> When using dynamic allocation of IPs, exposing an application as a Private Link Service using a Kubernetes Load Balancer Service is not supported.

+apiVersion: v1

+[az-provider-register]: /cli/azure/provider#az-provider-register

+[keda-event-docs]: https://keda.sh/docs/2.7/operate/events/

+Azure NAT Gateway allows up to 64,512 outbound UDP and TCP traffic flows per IP address with a maximum of 16 IP addresses.

+- Integrates with existing ingress solutions such as [NGINX][nginx], [Contour][contour], and [Web Application Routing][web-app-routing]. For more details on how ingress works with OSM, see [Using Ingress to manage external access to services within the cluster][osm-ingress]. For an example on integrating OSM with Contour for ingress, see [Ingress with Contour][osm-contour]. For an example on integrating OSM with ingress controllers that use the `networking.k8s.io/v1` API, such as NGINX, see [Ingress with Kubernetes Nginx Ingress Controller][osm-nginx]. For more details on using Web Application Routing, which automatically integrates with OSM, see [Web Application Routing][web-app-routing].

+[web-app-routing]: web-app-routing.md

+Ingress allows for traffic external to the mesh to be routed to services within the mesh. With OSM, you can configure most ingress solutions to work with your mesh, but OSM works best with [Web Application Routing][web-app-routing], [NGINX ingress][osm-nginx], or [Contour ingress][osm-contour]. Open source projects integrating with OSM, including NGINX ingress and Contour ingress, are not covered by the [AKS support policy][aks-support-policy].

+[osm-tresor]: https://release-v1-0.docs.openservicemesh.io/docs/guides/certificates/#using-osms-tresor-certificate-issuer

+[web-app-routing]: web-app-routing.md

+>

+> The above command escapes the `value` parameter for running the Azure CLI on a Linux shell. When running the Azure CLI command on Windows PowerShell, you don't need to escape characters in the `value` parameter.

+> [!CAUTION]

+> Use care when configuring a wildcard operation. This configuration may make an API more vulnerable to certain [API security threats](mitigate-owasp-api-threats.md#improper-assets-management).

+- [Get authorization context](#GetAuthorizationContext) - Gets the authorization context of a specified [authorization](authorizations-overview.md) configured in the API Management instance.

+- [Validate JWT](#ValidateJWT) - Enforces existence and validity of a JWT extracted from either a specified HTTP header or a specified query parameter.

+| header-name | The name of the HTTP header to check. | Yes | N/A |

+## <a name="GetAuthorizationContext"></a> Get authorization context

+Use the `get-authorization-context` policy to get the authorization context of a specified [authorization](authorizations-overview.md) (preview) configured in the API Management instance.

+The policy fetches and stores authorization and refresh tokens from the configured authorization provider.

+If `identity-type=jwt` is configured, a JWT token is required to be validated. The audience of this token must be https://azure-api.net/authorization-manager.

+### Policy statement

+```xml

+<get-authorization-context

+ provider-id="authorization provider id"

+ authorization-id="authorization id"

+ context-variable-name="variable name"

+ identity-type="managed | jwt"

+ identity="JWT bearer token"

+ ignore-error="true | false" />

+```

+### Examples

+#### Example 1: Get token back

+```xml

+<!-- Add to inbound policy. -->

+<get-authorization-context

+ provider-id="github-01"

+ authorization-id="auth-01"

+ context-variable-name="auth-context"

+ identity-type="managed"

+ identity="@(context.Request.Headers["Authorization"][0].Replace("Bearer ", ""))"

+ ignore-error="false" />

+<!-- Return the token -->

+<return-response>

+ <set-status code="200" />

+ <set-body template="none">@(((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</set-body>

+</return-response>

+```

+#### Example 2: Get token back with dynamically set attributes

+```xml

+<!-- Add to inbound policy. -->

+<get-authorization-context

+ provider-id="@(context.Request.Url.Query.GetValueOrDefault("authorizationProviderId"))"

+ authorization-id="@(context.Request.Url.Query.GetValueOrDefault("authorizationId"))" context-variable-name="auth-context"

+ ignore-error="false"

+ identity-type="managed" />

+<!-- Return the token -->

+<return-response>

+ <set-status code="200" />

+ <set-body template="none">@(((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</set-body>

+</return-response>

+```

+#### Example 3: Attach the token to the backend call

+```xml

+<!-- Add to inbound policy. -->

+<get-authorization-context

+ provider-id="github-01"

+ authorization-id="auth-01"

+ context-variable-name="auth-context"

+ identity-type="managed"

+ ignore-error="false" />

+<!-- Attach the token to the backend call -->

+<set-header name="Authorization" exists-action="override">

+ <value>@("Bearer " + ((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</value>

+</set-header>

+```

+#### Example 4: Get token from incoming request and return token

+```xml

+<!-- Add to inbound policy. -->

+<get-authorization-context

+ provider-id="github-01"

+ authorization-id="auth-01"

+ context-variable-name="auth-context"

+ identity-type="jwt"

+ identity="@(context.Request.Headers["Authorization"][0].Replace("Bearer ", ""))"

+ ignore-error="false" />

+<!-- Return the token -->

+<return-response>

+ <set-status code="200" />

+ <set-body template="none">@(((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</set-body>

+</return-response>

+```

+### Elements

+| Name | Description | Required |

+| -- | - | -- |

+| get-authorization-context | Root element. | Yes |

+### Attributes

+| Name | Description | Required | Default |

+|||||

+| provider-id | The authorization provider resource identifier. | Yes | |

+| authorization-id | The authorization resource identifier. | Yes | |

+| context-variable-name | The name of the context variable to receive the [`Authorization` object](#authorization-object). | Yes | |

+| identity-type | Type of identity to be checked against the authorization access policy. <br> - `managed`: managed identity of the API Management service. <br> - `jwt`: JWT bearer token specified in the `identity` attribute. | No | managed |

+| identity | An Azure AD JWT bearer token to be checked against the authorization permissions. Ignored for `identity-type` other than `jwt`. <br><br>Expected claims: <br> - audience: https://azure-api.net/authorization-manager <br> - `oid`: Permission object id <br> - `tid`: Permission tenant id | No | |

+| ignore-error | Boolean. If acquiring the authorization context results in an error (for example, the authorization resource is not found or is in an error state): <br> - `true`: the context variable is assigned a value of null. <br> - `false`: return `500` | No | false |

+### Authorization object

+The Authorization context variable receives an object of type `Authorization`.

+```c#

+class Authorization

+{

+ public string AccessToken { get; }

+ public IReadOnlyDictionary<string, object> Claims { get; }

+}

+```

+| Property Name | Description |

+| -- | -- |

+| AccessToken | Bearer access token to authorize a backend HTTP request. |

+| Claims | Claims returned from the authorization serverΓÇÖs token response API (see [RFC6749#section-5.1](https://datatracker.ietf.org/doc/html/rfc6749#section-5.1)). |

+### Usage

+This policy can be used in the following policy [sections](./api-management-howto-policies.md#sections) and [scopes](./api-management-howto-policies.md#scopes).

+- **Policy sections:** inbound

+- **Policy scopes:** all scopes

+The `validate-jwt` policy enforces existence and validity of a JSON web token (JWT) extracted from either a specified HTTP header or a specified query parameter.

+> [!CAUTION]

+> Use the `*` wildcard with care in policy settings. This configuration may be overly permissive and may make an API more vulnerable to certain [API security threats](mitigate-owasp-api-threats.md#security-misconfiguration).

+> [!CAUTION]

+> Use the `*` wildcard with care in policy settings. This configuration may be overly permissive and may make an API more vulnerable to certain [API security threats](mitigate-owasp-api-threats.md#security-misconfiguration).

+1. When you create a release, the `--notes` parameter is optional. You can add or change the notes later using the [az apim api release update](/cli/azure/apim/api/release#az-apim-api-release-update) command:

+> [!CAUTION]

+> Use care when configuring a product that doesn't require a subscription. This configuration may be overly permissive and may make the product's APIs more vulnerable to certain [API security threats](mitigate-owasp-api-threats.md#security-misconfiguration).

+> [!CAUTION]

+> Use care when configuring a product that doesn't require a subscription. This configuration may be overly permissive and may make the product's APIs more vulnerable to certain [API security threats](mitigate-owasp-api-threats.md#security-misconfiguration).

+|--|-|--|

+| ContosoHeaderValue2 | `This is a header value.` | False |

+String interpolation can also be used with named values.

+```xml

+<set-header name="CustomHeader" exists-action="override">

+ <value>@($"The URL encoded value is {System.Net.WebUtility.UrlEncode("{{ContosoHeaderValue2}}")}")</value>

+</set-header>

+```

+The value for `CustomHeader` will be `The URL encoded value is This+is+a+header+value.`.

+- [Get authorization context](api-management-access-restriction-policies.md#GetAuthorizationContext) - Gets the authorization context of a specified [authorization](authorizations-overview.md) configured in the API Management instance.

+> [!CAUTION]

+> Use care when configuring a product or an API that doesn't require a subscription. This configuration may be overly permissive and may make an API more vulnerable to certain [API security threats](mitigate-owasp-api-threats.md#security-misconfiguration).

+ Title: Create and use authorization in Azure API Management | Microsoft Docs

+description: Learn how to create and use an authorization in Azure API Management. An authorization manages authorization tokens to OAuth 2.0 backend services. The example uses GitHub as an identity provider.

+# Configure and use an authorization

+In this article, you learn how to create an [authorization](authorizations-overview.md) (preview) in API Management and call a GitHub API that requires an authorization token. The authorization code grant type will be used.

+Four steps are needed to set up an authorization with the authorization code grant type:

+

+1. Register an application in the identity provider (in this case, GitHub).

+1. Configure an authorization in API Management.

+1. Authorize with GitHub and configure access policies.

+1. Create an API in API Management and configure a policy.

+## Prerequisites

+- A GitHub account is required.

+- Complete the following quickstart: [Create an Azure API Management instance](get-started-create-service-instance.md).

+- Enable a [managed identity](api-management-howto-use-managed-service-identity.md) for API Management in the API Management instance.

+## Step 1: Register an application in GitHub

+1. Sign in to GitHub.

+1. In your account profile, go to **Settings > Developer Settings > OAuth Apps > Register a new application**.

+

+ :::image type="content" source="media/authorizations-how-to/register-application.png" alt-text="Screenshot of registering a new OAuth application in GitHub.":::

+ 1. Enter an **Application name** and **Homepage URL** for the application.

+ 1. Optionally, add an **Application description**.

+ 1. In **Authorization callback URL** (the redirect URL), enter `https://authorization-manager-test.consent.azure-apim.net/redirect/apim/<YOUR-APIM-SERVICENAME>`, substituting the API Management service name that is used.

+1. Select **Register application**.

+1. In the **General** page, copy the **Client ID**, which you'll use in a later step.

+1. Select **Generate a new client secret**. Copy the secret, which won't be displayed again, and which you'll use in a later step.

+ :::image type="content" source="media/authorizations-how-to/generate-secret.png" alt-text="Screenshot showing how to get client ID and client secret for the application in GitHub.":::

+## Step 2: Configure an authorization in API Management

+1. Sign into Azure portal and go to your API Management instance.

+1. In the left menu, select **Authorizations** > **+ Create**.

+

+ :::image type="content" source="media/authorizations-how-to/create-authorization.png" alt-text="Screenshot of creating an API Management authorization in the Azure portal.":::

+1. In the **Create authorization** window, enter the following settings, and select **Create**:

+

+ |Settings |Value |

+ |||

+ |**Provider name** | A name of your choice, such as *github-01* |

+ |**Identity provider** | Select **GitHub** |

+ |**Grant type** | Select **Authorization code** |

+ |**Client id** | Paste the value you copied earlier from the app registration |

+ |**Client secret** | Paste the value you copied earlier from the app registration |

+ |**Scope** | Set the scope to `User` |

+ |**Authorization name** | A name of your choice, such as *auth-01* |

+

+1. After the authorization provider and authorization are created, select **Next**.

+1. On the **Login** tab, select **Login with GitHub**. Before the authorization will work, it needs to be authorized at GitHub.

+ :::image type="content" source="media/authorizations-how-to/authorize-with-github.png" alt-text="Screenshot of logging into the GitHub authorization from the portal.":::

+## Step 3: Authorize with GitHub and configure access policies

+1. Sign in to your GitHub account if you're prompted to do so.

+1. Select **Authorize** so that the application can access the signed-in userΓÇÖs account.

+

+ :::image type="content" source="media/authorizations-how-to/consent-to-authorization.png" alt-text="Screenshot of consenting to authorize with Github.":::

+ After authorization, the browser is redirected to API Management and the window is closed. If prompted during redirection, select **Allow access**. In API Management, select **Next**.

+1. On the **Access policy** page, create an access policy so that API Management has access to use the authorization. Ensure that a managed identity is configured for API Management. [Learn more about managed identities in API Management](api-management-howto-use-managed-service-identity.md#create-a-system-assigned-managed-identity).

+1. Select **Managed identity** **+ Add members** and then select your subscription.

+1. In **Managed identity**, select **API Management service**, and then select the API Management instance that is used. Click **Select** and then **Complete**.

+

+ :::image type="content" source="media/authorizations-how-to/select-managed-identity.png" alt-text="Screenshot of selecting a managed identity to use the authorization.":::

+

+## Step 4: Create an API in API Management and configure a policy

+1. Sign into Azure portal and go to your API Management instance.

+1. In the left menu, select **APIs > + Add API**.

+1. Select **HTTP** and enter the following settings. Then select **Create**.

+ |Setting |Value |

+ |||

+ |**Display name** | *github* |

+ |**Web service URL** | https://api.github.com/users/ |

+ |**API URL suffix** | *github* |

+2. Navigate to the newly created API and select **Add Operation**. Enter the following settings and select **Save**.

+ |Setting |Value |

+ |||

+ |**Display name** | *getdata* |

+ |**URL** | /data |

+ :::image type="content" source="media/authorizations-how-to/add-operation.png" alt-text="Screenshot of adding a getdata operation to the API in the portal.":::

+1. In the **Inbound processing** section, select the (**</>**) (code editor) icon.

+1. Copy the following, and paste in the policy editor. Make sure the provider-id and authorization-id correspond to the names in step 2.3. Select **Save**.

+ ```xml

+ <policies>

+ <inbound>

+ <base />

+ <get-authorization-context provider-id="github-01" authorization-id="auth-01" context-variable-name="auth-context" identity-type="managed" ignore-error="false" />

+ <set-header name="Authorization" exists-action="override">

+ <value>@("Bearer " + ((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</value>

+ </set-header>

+ <rewrite-uri template="@(context.Request.Url.Query.GetValueOrDefault("username",""))" copy-unmatched-params="false" />

+ <set-header name="User-Agent" exists-action="override">

+ <value>API Management</value>

+ </set-header>

+ </inbound>

+ <backend>

+ <base />

+ </backend>

+ <outbound>

+ <base />

+ </outbound>

+ <on-error>

+ <base />

+ </on-error>

+ </policies>

+ ```

+ The policy to be used consists of four parts.

+ - Fetch an authorization token.

+ - Create an HTTP header with the fetched authorization token.

+ - Create an HTTP header with a `User-Agent` header (GitHub requirement). [Learn more](https://docs.github.com/rest/overview/resources-in-the-rest-api#user-agent-required)

+ - Because the incoming request to API Management will consist of a query parameter called *username*, add the username to the backend call.

+ > [!NOTE]

+ > The `get-authorization-context` policy references the authorization provider and authorization that were created earlier. [Learn more](api-management-access-restriction-policies.md#GetAuthorizationContext) about how to configure this policy.

+ :::image type="content" source="media/authorizations-how-to/policy-configuration-cropped.png" lightbox="media/authorizations-how-to/policy-configuration.png" alt-text="Screenshot of configuring policy in the portal.":::

+1. Test the API.

+ 1. On the **Test** tab, enter a query parameter with the name *username*.

+ 1. As value, enter the username that was used to sign into GitHub, or another valid GitHub username.

+ 1. Select **Send**.

+ :::image type="content" source="media/authorizations-how-to/test-api.png" alt-text="Screenshot of testing the API successfully in the portal.":::

+ A successful response returns user data from the GitHub API.

+## Next steps

+Learn more about [access restriction policies](api-management-access-restriction-policies.md).

+ Title: About OAuth 2.0 authorizations in Azure API Management | Microsoft Docs

+description: Learn about authorizations in Azure API Management, a feature that simplifies the process of managing OAuth 2.0 authorization tokens to APIs

+# Authorizations overview

+API Management authorizations (preview) simplify the process of managing authorization tokens to OAuth 2.0 backend services.

+By configuring any of the supported identity providers and creating an authorization using the standardized OAuth 2.0 flow, API Management can retrieve and refresh access tokens to be used inside of API management or sent back to a client.

+This feature enables APIs to be exposed with or without a subscription key, and the authorization to the backend service uses OAuth 2.0.

+Some example scenarios that will be possible through this feature are:

+- Citizen/low code developers using Power Apps or Power Automate can easily connect to SaaS providers that are using OAuth 2.0.

+- Unattended scenarios such as an Azure function using a timer trigger can utilize this feature to connect to a backend API using OAuth 2.0.

+- A marketing team in an enterprise company could use the same authorization for interacting with a social media platform using OAuth 2.0.

+- Exposing APIs in API Management as a custom connector in Logic Apps where the backend service requires OAuth 2.0 flow.

+- On behalf of a scenario where a service such as Dropbox or any other service protected by OAuth 2.0 flow is used by multiple clients.

+- Connect to different services that require OAuth 2.0 authorization using synthetic GraphQL in API Management.

+- Enterprise Application Integration (EAI) patterns using service-to-service authorization can use the client credentials grant type against backend APIs that use OAuth 2.0.

+- Single-page applications that only want to retrieve an access token to be used in a client's SDK against an API using OAuth 2.0.

+The feature consists of two parts, management and runtime:

+* The **management** part takes care of configuring identity providers, enabling the consent flow for the identity provider, and managing access to the authorizations.

+* The **runtime** part uses the [`get-authorization-context`](api-management-access-restriction-policies.md#GetAuthorizationContext) policy to fetch and store access and refresh tokens. When a call comes into API Management, and the `get-authorization-context` policy is executed, it will first validate if the existing authorization token is valid. If the authorization token has expired, the refresh token is used to try to fetch a new authorization and refresh token from the configured identity provider. If the call to the backend provider is successful, the new authorization token will be used, and both the authorization token and refresh token will be stored encrypted.

+ During the policy execution, access to the tokens is also validated using access policies.

+### Requirements

+- Managed system-assigned identity must be enabled for the API Management instance.

+- API Management instance must have outbound connectivity to internet on port `443` (HTTPS).

+### Limitations

+For public preview the following limitations exist:

+- Authorizations feature will be available in the Consumption tier in the coming weeks.

+- Authorizations feature is not supported in the following regions: swedencentral, australiacentral, australiacentral2, jioindiacentral.

+- Supported identity providers: Azure AD, DropBox, Generic OAuth 2.0, GitHub, Google, LinkedIn, Spotify

+- Maximum configured number of authorization providers per API Management instance: 50

+- Maximum configured number of authorizations per authorization provider: 500

+- Maximum configured number of access policies per authorization: 100

+- Maximum requests per minute per authorization: 100

+- Authorization code PKCE flow with code challenge isn't supported.

+- Authorizations feature isn't supported on self-hosted gateways.

+- API documentation is not available yet. Please see [this](https://github.com/Azure/APIManagement-Authorizations) GitHub repository with samples.

+### Authorization providers

+

+Authorization provider configuration includes which identity provider and grant type are used. Each identity provider requires different configurations.

+* An authorization provider configuration can only have one grant type.

+* One authorization provider configuration can have multiple authorizations.

+The following identity providers are supported for public preview:

+- Azure AD, DropBox, Generic OAuth 2.0, GitHub, Google, LinkedIn, Spotify

+With the Generic OAuth 2.0 provider, other identity providers that support the standards of OAuth 2.0 flow can be used.

+### Authorizations

+To use an authorization provider, at least one *authorization* is required. The process of configuring an authorization differs based on the used grant type. Each authorization provider configuration only supports one grant type. For example, if you want to configure Azure AD to use both grant types, two authorization provider configurations are needed.

+**Authorization code grant type**

+Authorization code grant type is bound to a user context, meaning a user needs to consent to the authorization. As long as the refresh token is valid, API Management can retrieve new access and refresh tokens. If the refresh token becomes invalid, the user needs to reauthorize. All identity providers support authorization code. [Read more about Authorization code grant type](https://www.rfc-editor.org/rfc/rfc6749?msclkid=929b18b5d0e611ec82a764a7c26a9bea#section-1.3.1).

+**Client credentials grant type**

+Client credentials grant type isn't bound to a user and is often used in application-to-application scenarios. No consent is required for client credentials grant type, and the authorization doesn't become invalid. [Read more about Client Credentials grant type](https://www.rfc-editor.org/rfc/rfc6749?msclkid=929b18b5d0e611ec82a764a7c26a9bea#section-1.3.4).

+### Access policies

+Access policies determine which identities can use the authorization that the access policy is related to. The supported identities are managed identities, user identities, and service principals. The identities must belong to the same tenant as the API Management tenant.

+- **Managed identities** - System- or user-assigned identity for the API Management instance that is being used.

+- **User identities** - Users in the same tenant as the API Management instance.

+- **Service principals** - Applications in the same Azure AD tenant as the API Management instance.

+### Process flow for creating authorizations

+The following image shows the process flow for creating an authorization in API Management using the grant type authorization code. For public preview no API documentation is available. Please see [this](https://aka.ms/apimauthorizations/postmancollection) Postman collection.

+1. Client sends a request to create an authorization provider.

+1. Authorization provider is created, and a response is sent back.

+1. Client sends a request to create an authorization.

+1. Authorization is created, and a response is sent back with the information that the authorization is not "connected".

+1. Client sends a request to retrieve a login URL to start the OAuth 2.0 consent at the identity provider. The request includes a post-redirect URL to be used in the last step.

+1. Response is returned with a login URL that should be used to start the consent flow.

+1. Client opens a browser with the login URL that was provided in the previous step. The browser is redirected to the identity provider OAuth 2.0 consent flow.

+1. After the consent is approved, the browser is redirected with an authorization code to the redirect URL configured at the identity provider.

+1. API Management uses the authorization code to fetch access and refresh tokens.

+1. API Management receives the tokens and encrypts them.

+1. API Management redirects to the provided URL from step 5.

+### Process flow for runtime

+The following image shows the process flow to fetch and store authorization and refresh tokens based on a configured authorization. After the tokens have been retrieved a call is made to the backend API.

+1. Client sends request to API Management instance.

+1. The policy [`get-authorization-context`](api-management-access-restriction-policies.md#GetAuthorizationContext) checks if the access token is valid for the current authorization.

+1. If the access token has expired but the refresh token is valid, API Management tries to fetch new access and refresh tokens from the configured identity provider.

+1. The identity provider returns both an access token and a refresh token, which are encrypted and saved to API Management.

+1. After the tokens have been retrieved, the access token is attached using the `set-header` policy as an authorization header to the outgoing request to the backend API.

+1. Response is returned to API Management.

+1. Response is returned to the client.

+### Error handling

+If acquiring the authorization context results in an error, the outcome depends on how the attribute `ignore-error` is configured in the policy `get-authorization-context`. If the value is set to `false` (default), an error with `500 Internal Server Error` will be returned. If the value is set to `true`, the error will be ignored and execution will proceed with the context variable set to `null`.

+If the value is set to `false`, and the on-error section in the policy is configured, the error will be available in the property `context.LastError`. By using the on-error section, the error that is sent back to the client can be adjusted. Errors from API Management can be caught using standard Azure alerts. Read more about [handling errors in policies](api-management-error-handling-policies.md).

+### Authorizations FAQ

+##### How can I provide feedback and influence the roadmap for this feature?

+Please use [this](https://aka.ms/apimauthorizations/feedback) form to provide feedback.

+##### How are the tokens stored in API Management?

+The access token and other secrets (for example, client secrets) are encrypted with an envelope encryption and stored in an internal, multitenant storage. The data are encrypted with AES-128 using a key that is unique per data; those keys are encrypted asymmetrically with a master certificate stored in Azure Key Vault and rotated every month.

+##### When are the access tokens refreshed?

+When the policy `get-authorization-context` is executed at runtime, API Management checks if the stored access token is valid. If the token has expired or is near expiry, API Management uses the refresh token to fetch a new access token and a new refresh token from the configured identity provider. If the refresh token has expired, an error is thrown, and the authorization needs to be reauthorized before it will work.

+##### What happens if the client secret expires at the identity provider?

+At runtime API Management can't fetch new tokens, and an error will occur.

+* If the authorization is of type authorization code, the client secret needs to be updated on authorization provider level.

+* If the authorization is of type client credentials, the client secret needs to be updated on authorizations level.

+##### Is this feature supported using API Management running inside a VNet?

+Yes, as long as API Management gateway has outbound internet connectivity on port `443`.

+##### What happens when an authorization provider is deleted?

+All underlying authorizations and access policies are also deleted.

+##### Are the access tokens cached by API Management?

+The access token is cached by the API management until 3 minutes before the token expiration time.

+##### What grant types are supported?

+For public preview, the Azure AD identity provider supports authorization code and client credentials.

+The other identity providers support authorization code. After public preview, more identity providers and grant types will be added.

+### Next steps

+- Learn how to [configure and use an authorization](authorizations-how-to.md).

+- See [reference](authorizations-reference.md) for supported identity providers in authorizations.

+- Use [policies]() together with authorizations.

+- Authorizations [samples](https://github.com/Azure/APIManagement-Authorizations) GitHub repository.

+- Learn more about OAuth 2.0:

+ * [OAuth 2.0 overview](https://aaronparecki.com/oauth-2-simplified/)

+ * [OAuth 2.0 specification](https://oauth.net/2/)

+ Title: Reference for OAuth 2.0 authorizations - Azure API Management | Microsoft Docs

+description: Reference for identity providers supported in authorizations in Azure API Management. API Management authorizations manage OAuth 2.0 authorization tokens to APIs.

+# Authorizations reference

+This article is a reference for the supported identity providers in API Management [authorizations](authorizations-overview.md) (preview) and their configuration options.

+## Azure Active Directory

+**Supported grant types**: authorization code and client credentials

+### Authorization provider - Authorization code grant type

+| Name | Required | Description | Default |

+|||||

+| Provider name | Yes | Name of Authorization provider. | |

+| Client id | Yes | The id used to identify this application with the service provider. | |

+| Client secret | Yes | The shared secret used to authenticate this application with the service provider. ||

+| Login URL | No | The Azure Active Directory login URL. | https://login.windows.net |

+| Tenant ID | No | The tenant ID of your Azure Active Directory application. | common |

+| Resource URL | Yes | The resource to get authorization for. | |

+| Scopes | No | Scopes used for the authorization. Multiple scopes could be defined separate with a space, for example, "User.Read User.ReadBasic.All" | |

+### Authorization - Authorization code grant type

+| Name | Required | Description | Default |

+|||||

+| Authorization name | Yes | Name of Authorization. | |

+

+### Authorization provider - Client credentials code grant type

+| Name | Required | Description | Default |

+|||||

+| Provider name | Yes | Name of Authorization provider. | |

+| Login URL | No | The Azure Active Directory login URL. | https://login.windows.net |

+| Tenant ID | No | The tenant ID of your Azure Active Directory application. | common |

+| Resource URL | Yes | The resource to get authorization for. | |

+### Authorization - Client credentials code grant type

+| Name | Required | Description | Default |

+|||||

+| Authorization name | Yes | Name of Authorization. | |

+| Client id | Yes | The id used to identify this application with the service provider. | |

+| Client secret | Yes | The shared secret used to authenticate this application with the service provider. ||

+

+## Google, LinkedIn, Spotify, Dropbox, GitHub

+**Supported grant types**: authorization code

+### Authorization provider - Authorization code grant type

+| Name | Required | Description | Default |

+|||||

+| Provider name | Yes | Name of Authorization provider. | |

+| Client id | Yes | The id used to identify this application with the service provider. | |

+| Client secret | Yes | The shared secret used to authenticate this application with the service provider. ||

+| Scopes | No | Scopes used for the authorization. Depending on the identity provider, multiple scopes are separated by space or comma. Default for most identity providers is space. | |

+### Authorization - Authorization code grant type

+| Name | Required | Description | Default |

+|||||

+| Authorization name | Yes | Name of Authorization. | |

+

+## Generic OAuth 2

+**Supported grant types**: authorization code

+### Authorization provider - Authorization code grant type

+| Name | Required | Description | Default |

+|||||

+| Provider name | Yes | Name of Authorization provider. | |

+| Client id | Yes | The id used to identify this application with the service provider. | |

+| Client secret | Yes | The shared secret used to authenticate this application with the service provider. ||

+| Authorization URL | No | The authorization endpoint URL. | |

+| Token URL | No | The token endpoint URL. | |

+| Refresh URL | No | The token refresh endpoint URL. | |

+| Scopes | No | Scopes used for the authorization. Depending on the identity provider, multiple scopes are separated by space or comma. Default for most identity providers is space. | |

+### Authorization - Authorization code grant type

+| Name | Required | Description | Default |

+|||||

+| Authorization name | Yes | Name of Authorization. | |

+## Next steps

+Learn more about [authorizations](authorizations-overview.md) and how to [create and use authorizations](authorizations-how-to.md)

+ Title: Mitigate OWASP API security top 10 in Azure API Management

+description: Learn how to protect against common API-based vulnerabilities, as identified by the OWASP API Security Top 10 threats, using Azure API Management.

+# Recommendations to mitigate OWASP API Security Top 10 threats using API Management

+The Open Web Application Security Project ([OWASP](https://owasp.org/about/)) Foundation works to improve software security through its community-led open source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences.

+The OWASP [API Security Project](https://owasp.org/www-project-api-security/) focuses on strategies and solutions to understand and mitigate the unique *vulnerabilities and security risks of APIs*. In this article, we'll discuss recommendations to use Azure API Management to mitigate the top 10 API threats identified by OWASP.

+## Broken object level authorization

+API objects that aren't protected with the appropriate level of authorization may be vulnerable to data leaks and unauthorized data manipulation through weak object access identifiers. For example, an attacker could exploit an integer object identifier, which can be iterated.

+More information about this threat: [API1:2019 Broken Object Level Authorization](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa1-broken-object-level-authorization.md)

+### Recommendations

+* The best place to implement object level authorization is within the backend API itself. At the backend, the correct authorization decisions can be made at the request (or object) level, where applicable, using logic applicable to the domain and API. Consider scenarios where a given request may yield differing levels of detail in the response, depending on the requestor's permissions and authorization.

+* If a current vulnerable API can't be changed at the backend, then API Management could be used as a fallback. For example:

+

+ * Use a custom policy to implement object-level authorization, if it's not implemented in the backend.

+ * Implement a custom policy to map identifiers from request to backend and from backend to client, so that internal identifiers aren't exposed.

+ In these cases, the custom policy could be a [policy expression](api-management-policy-expressions.md) with a look-up (for example, a dictionary) or integration with another service through the [send request](api-management-advanced-policies.md#SendRequest) policy.

+* For GraphQL scenarios, enforce object-level authorization through the [validate GraphQL request](graphql-policies.md#validate-graphql-request) policy, using the `authorize` element.

+## Broken user authentication

+Authentication mechanisms are often implemented incorrectly or missing, allowing attackers to exploit implementation flaws to access data.

+More information about this threat: [API2:2019 Broken User Authentication](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa2-broken-user-authentication.md)

+### Recommendations

+Use API Management for user authentication and authorization:

+* **Authentication** - API Management supports the following [authentication methods](api-management-authentication-policies.md):

+ * [Basic authentication](api-management-authentication-policies.md#Basic) policy - Username and password credentials.

+ * [Subscription key](api-management-subscriptions.md) - A subscription key provides a similar level of security as basic authentication and may not be sufficient alone. If the subscription key is compromised, an attacker may get unlimited access to the system.

+ * [Client certificate](api-management-authentication-policies.md#ClientCertificate) policy - Using client certificates is more secure than basic credentials or subscription key, but it doesn't allow the flexibility provided by token-based authorization protocols such as OAuth 2.0.

+* **Authorization** - API Management supports a [validate JWT](api-management-access-restriction-policies.md#ValidateJWT) policy to check the validity of an incoming OAuth 2.0 JWT access token based on information obtained from the OAuth identity provider's metadata endpoint. Configure the policy to check relevant token claims, audience, and expiration time. Learn more about protecting an API using [OAuth 2.0 authorization and Azure Active Directory](api-management-howto-protect-backend-with-aad.md).

+More recommendations:

+* Use [access restriction policies](api-management-access-restriction-policies.md) in API Management to increase security. For example, [call rate limiting](api-management-access-restriction-policies.md#LimitCallRate) slows down bad actors using brute force attacks to compromise credentials.

+* APIs should use TLS/SSL (transport security) to protect the credentials or tokens. Credentials and tokens should be sent in request headers and not as query parameters.

+* In the API Management [developer portal](api-management-howto-developer-portal.md), configure [Azure Active Directory](api-management-howto-aad.md) or [Azure Active Directory B2C](api-management-howto-aad-b2c.md) as the identity provider to increase the account security. The developer portal uses CAPTCHA to mitigate brute force attacks.

+### Related information

+* [Authentication vs. authorization](../active-directory/develop/authentication-vs-authorization.md)

+## Excessive data exposure

+Good API interface design is deceptively challenging. Often, particularly with legacy APIs that have evolved over time, the request and response interfaces contain more data fields than the consuming applications require.

+A bad actor could attempt to access the API directly (perhaps by replaying a valid request), or sniff the traffic between server and API. Analysis of the API actions and the data available could yield sensitive data to the attacker, which isn't surfaced to, or used by, the frontend application.

+More information about this threat: [API3:2019 Excessive Data Exposure](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa3-excessive-data-exposure.md)

+### Recommendations

+* The best approach to mitigating this vulnerability is to ensure that the external interfaces defined at the backend API are designed carefully and, ideally, independently of the data persistence. They should contain only the fields required by consumers of the API. APIs should be reviewed frequently, and legacy fields deprecated, then removed.

+ In API Management, use:

+ * [Revisions](api-management-revisions.md) to gracefully control nonbreaking changes, for example, the addition of a field to an interface. You may use revisions along with a versioning implementation at the backend.

+ * [Versions](api-management-versions.md) for breaking changes, for example, the removal of a field from an interface.

+* If it's not possible to alter the backend interface design and excessive data is a concern, use API Management [transformation policies](transform-api.md) to rewrite response payloads and mask or filter data. For example, [remove unneeded JSON properties](./policies/filter-response-content.md) from a response body.

+* [Response content validation](validation-policies.md#validate-content) in API Management can be used with an XML or JSON schema to block responses with undocumented properties or improper values. The policy also supports blocking responses exceeding a specified size.

+* Use the [validate status code](validation-policies.md#validate-status-code) policy to block responses with errors undefined in the API schema.

+* Use the [validate headers](validation-policies.md#validate-headers) policy to block responses with headers that aren't defined in the schema or don't comply to their definition in the schema. Remove unwanted headers with the [set header](api-management-transformation-policies.md#SetHTTPheader) policy.

+* For GraphQL scenarios, use the [validate GraphQL request](graphql-policies.md#validate-graphql-request) policy to validate GraphQL requests, authorize access to specific query paths, and limit response size.

+## Lack of resources and rate limiting

+Lack of rate limiting may lead to data exfiltration or successful DDoS attacks on backend services, causing an outage for all consumers.

+More information about this threat: [API4:2019 Lack of resources and rate limiting](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa4-lack-of-resources-and-rate-limiting.md)

+### Recommendations

+* Use [rate limit](api-management-access-restriction-policies.md#LimitCallRate) (short-term) and [quota limit](api-management-access-restriction-policies.md#SetUsageQuota) (long-term) policies to control the allowed number of API calls or bandwidth per consumer.

+* Define strict request object definitions and their properties in the OpenAPI definition. For example, define the max value for paging integers, maxLength and regular expression (regex) for strings. Enforce those schemas with the [validate content](validation-policies.md#validate-content) and [validate parameters](validation-policies.md#validate-parameters) policies in API Management.

+* Enforce maximum size of the request with the [validate content](validation-policies.md#validate-content) policy.

+* Optimize performance with [built-in caching](api-management-howto-cache.md), thus reducing the consumption of CPU, memory, and networking resources for certain operations.

+* Enforce authentication for API calls (see [Broken user authentication](#broken-user-authentication)). Revoke access for abusive users. For example, deactivate the subscription key, block the IP address with the [restrict caller IPs](api-management-access-restriction-policies.md#RestrictCallerIPs) policy, or reject requests for a certain user claim from a [JWT token](api-management-access-restriction-policies.md#ValidateJWT).

+* Apply a [CORS](api-management-cross-domain-policies.md#CORS) policy to control the websites that are allowed to load the resources served through the API. To avoid overly permissive configurations, donΓÇÖt use wildcard values (`*`) in the CORS policy.

+* Minimize the time it takes a backend service to respond. The longer the backend service takes to respond, the longer the connection is occupied in API Management, therefore reducing the number of requests that can be served in a given timeframe.

+ * Define `timeout` in the [forward request](api-management-advanced-policies.md#ForwardRequest) policy.

+ * Use the [validate GraphQL request](graphql-policies.md#validate-graphql-request) policy for GraphQL APIs and configure `max-depth` and `max-size` parameters.

+ * Limit the number of parallel backend connections with the [limit concurrency](api-management-advanced-policies.md#LimitConcurrency) policy.

+* While API Management can protect backend services from DDoS attacks, it may be vulnerable to those attacks itself. Deploy a bot protection service in front of API Management (for example, [Azure Application Gateway](api-management-howto-integrate-internal-vnet-appgateway.md), [Azure Front Door](../frontdoor/front-door-overview.md), or [Azure DDoS Protection Service](../ddos-protection/ddos-protection-overview.md)) to better protect against DDoS attacks. When using a WAF with Azure Application Gateway or Azure Front Door, consider using [Microsoft_BotManagerRuleSet_1.0](../web-application-firewall/afds/afds-overview.md#bot-protection-rule-set).

+## Broken function level authorization

+Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions lead to authorization flaws. By exploiting these issues, attackers gain access to other usersΓÇÖ resources or administrative functions.

+More information about this threat: [API5:2019 Broken function level authorization](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa5-broken-function-level-authorization.md)

+### Recommendations

+

+* By default, protect all API endpoints in API Management with [subscription keys](api-management-subscriptions.md).

+* Define a [validate JWT](api-management-access-restriction-policies.md#ValidateJWT) policy and enforce required token claims. If certain operations require stricter claims enforcement, define extra `validate-jwt` policies for those operations only.

+* Use an Azure virtual network or Private Link to hide API endpoints from the internet. Learn more about [virtual network options](virtual-network-concepts.md) with API Management.

+* Don't define [wildcard API operations](add-api-manually.md#add-and-test-a-wildcard-operation) (that is, "catch-all" APIs with `*` as the path). Ensure that API Management only serves requests for explicitly defined endpoints, and requests to undefined endpoints are rejected.

+* Don't publish APIs with [open products](api-management-howto-add-products.md#access-to-product-apis) that don't require a subscription.

+## Mass assignment

+If an API offers more fields than the client requires for a given action, an attacker may inject excessive properties to perform unauthorized operations on data. Attackers may discover undocumented properties by inspecting the format of requests and responses or other APIs, or guessing them. This vulnerability is especially applicable if you donΓÇÖt use strongly typed programming languages.

+More information about this threat: [API6:2019 Mass assignment](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md)

+### Recommendations

+* External API interfaces should be decoupled from the internal data implementation. Avoid binding API contracts directly to data contracts in backend services. Review the API design frequently, and deprecate and remove legacy properties using [versioning](/api-management-versions.md) in API Management.

+* Precisely define XML and JSON contracts in the API schema and use [validate content](validation-policies.md#validate-content) and [validate parameters](validation-policies.md#validate-parameters) policies to block requests and responses with undocumented properties. Blocking requests with undocumented properties mitigates attacks, while blocking responses with undocumented properties makes it harder to reverse-engineer potential attack vectors.

+* If the backend interface can't be changed, use [transformation policies](transform-api.md) to rewrite request and response payloads and decouple the API contracts from backend contracts. For example, mask or filter data or [remove unneeded JSON properties](./policies/filter-response-content.md).

+## Security misconfiguration

+Attackers may attempt to exploit security misconfiguration vulnerabilities such as:

+* Missing security hardening

+* Unnecessary enabled features

+* Network connections unnecessarily open to the internet

+* Use of weak protocols or ciphers

+* Other settings or endpoints that may allow unauthorized access to the system

+More information about this threat: [API7:2019 Security misconfiguration](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa7-security-misconfiguration.md)

+### Recommendations

+* Correctly configure [gateway TLS](api-management-howto-manage-protocols-ciphers.MD). Don't use vulnerable protocols (for example, TLS 1.0, 1.1) or ciphers.

+* Configure APIs to accept encrypted traffic only, for example through HTTPS or WSS protocols.

+* Consider deploying API Management behind a [private endpoint](private-endpoint.md) or attached to a [virtual network deployed in internal mode](api-management-using-with-internal-vnet.md). In internal networks, access can be controlled from within the private network (via firewall or network security groups) and from the internet (via a reverse proxy).

+* Use Azure API Management policies:

+ * Always inherit parent policies through the `<base>` tag.

+ * When using OAuth 2.0, configure and test the [validate JWT](api-management-access-restriction-policies.md#ValidateJWT) policy to check the existence and validity of the JWT token before it reaches the backend. Automatically check the token expiration time, token signature, and issuer. Enforce claims, audiences, token expiration, and token signature through policy settings.

+ * Configure the [CORS](api-management-cross-domain-policies.md#CORS) policy and don't use wildcard `*` for any configuration option. Instead, explicitly list allowed values.

+ * Set [validation policies](validation-policies.md) to `prevent` in production environments to validate JSON and XML schemas, headers, query parameters, and status codes, and to enforce the maximum size for request or response.

+ * If API Management is outside a network boundary, client IP validation is still possible using the [restrict caller IPs](api-management-access-restriction-policies.md#RestrictCallerIPs) policy. Ensure that it uses an allowlist, not a blocklist.

+ * If client certificates are used between caller and API Management, use the [validate client certificate](api-management-access-restriction-policies.md#validate-client-certificate) policy. Ensure that the `validate-revocation`, `validate-trust`, `validate-not-before`, and `validate-not-after` attributes are all set to `true`.

+ * Client certificates (mutual TLS) can also be applied between API Management and the backend. The backend should:

+ * Have authorization credentials configured

+ * Validate the certificate chain where applicable

+ * Validate the certificate name where applicable

+* For GraphQL scenarios, use the [validate GraphQL request](graphql-policies.md#validate-graphql-request) policy. Ensure that the `authorization` element and `max-size` and `max-depth` attributes are set.

+* Don't store secrets in policy files or in source control. Always use API Management [named values](api-management-howto-properties.md) or fetch the secrets at runtime using custom policy expressions.

+ * Named values should be [integrated with Key Vault](api-management-howto-properties.md#key-vault-secrets) or encrypted within API Management by marking them "secret". Never store secrets in plain-text named values.

+* Publish APIs through [products](api-management-howto-add-products.md), which require subscriptions. Don't use [open products](api-management-howto-add-products.md#access-to-product-apis) that don't require a subscription.

+* Use Key Vault integration to manage all certificates ΓÇô this centralizes certificate management and can help to ease operations management tasks such as certificate renewal or revocation.

+* When using the [self-hosted-gateway](self-hosted-gateway-overview.md), ensure that there's a process in place to update the image to the latest version periodically.

+* Represent backend services as [backend entities](backends.md). Configure authorization credentials, certificate chain validation, and certificate name validation where applicable.

+* When using the [developer portal](api-management-howto-developer-portal.md):

+ * If you choose to [self-host](developer-portal-self-host.md) the developer portal, ensure there's a process in place to periodically update the self-hosted portal to the latest version. Updates for the default managed version are automatic.

+ * Use [Azure Active Directory (Azure AD)](api-management-howto-aad.md) or [Azure Active Directory B2C](api-management-howto-aad-b2c.md) for user sign-up and sign-in. Disable the default username and password authentication, which is less secure.

+ * Assign [user groups](api-management-howto-create-groups.md#-associate-a-group-with-a-product) to products, to control the visibility of APIs in the portal.

+* Use [Azure Policy](security-controls-policy.md) to enforce API Management resource-level configuration and role-based access control (RBAC) permissions to control resource access. Grant minimum required privileges to every user.

+* Use a [DevOps process](devops-api-development-templates.md) and infrastructure-as-code approach outside of a development environment to ensure consistency of API Management content and configuration changes and to minimize human errors.

+* Don't use any deprecated features.

+## Injection

+Any endpoint accepting user data is potentially vulnerable to an injection exploit. Examples include, but aren't limited to:

+* [Command injection](https://owasp.org/www-community/attacks/Command_Injection), where a bad actor attempts to alter the API request to execute commands on the operating system hosting the API

+* [SQL injection](https://owasp.org/www-community/attacks/SQL_Injection), where a bad actor attempts to alter the API request to execute commands and queries against the database an API depends on

+More information about this threat: [API8:2019 Injection](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa8-injection.md)

+### Recommendations

+* [Modern Web Application Firewall (WAF) policies](https://github.com/SpiderLabs/ModSecurity) cover many common injection vulnerabilities. While API Management doesnΓÇÖt have a built-in WAF component, deploying a WAF upstream (in front) of the API Management instance is strongly recommended. For example, use [Azure Application Gateway](/azure/architecture/reference-architectures/apis/protect-apis) or [Azure Front Door](../frontdoor/front-door-overview.md).

+ > [!IMPORTANT]

+ > Ensure that a bad actor can't bypass the gateway hosting the WAF and connect directly to the API Management gateway or backend API itself. Possible mitigations include: [network ACLs](../virtual-network/network-security-groups-overview.md), using API Management policy to [restrict inbound traffic by client IP](api-management-access-restriction-policies.md#RestrictCallerIPs), removing public access where not required, and [client certificate authentication](api-management-howto-mutual-certificates-for-clients.md) (also known as mutual TLS or mTLS).

+* Use schema and parameter [validation](validation-policies.md) policies, where applicable, to further constrain and validate the request before it reaches the backend API service.

+ The schema supplied with the API definition should have a regex pattern constraint applied to vulnerable fields. Each regex should be tested to ensure that it constrains the field sufficiently to mitigate common injection attempts.

+### Related information

+* [Deployment stamps pattern with Azure Front Door and API Management](/azure/architecture/patterns/deployment-stamp)

+* [Deploy Azure API Management with Azure Application Gateway](api-management-howto-integrate-internal-vnet-appgateway.md)

+## Improper assets management

+Vulnerabilities related to improper assets management include:

+* Lack of proper API documentation or ownership information

+* Excessive numbers of older API versions, which may be missing security fixes

+More information about this threat: [API9:2019 Improper assets management](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa9-improper-assets-management.md)

+### Recommendations

+* Use a well-defined [OpenAPI specification](https://swagger.io/specification/) as the source for importing REST APIs. The specification allows encapsulation of the API definition, including self-documenting metadata.

+ * Use API interfaces with precise paths, data schemas, headers, query parameters, and status codes. Avoid [wildcard operations](add-api-manually.md#add-and-test-a-wildcard-operation). Provide descriptions for each API and operation and include contact and license information.

+ * Avoid endpoints that donΓÇÖt directly contribute to the business objective. They unnecessarily increase the attack surface area and make it harder to evolve the API.

+* Use [revisions](api-management-revisions.md) and [versions](api-management-versions.md) in API Management to govern and control the API endpoints. Have a strong backend versioning strategy and commit to a maximum number of supported API versions (for example, 2 or 3 prior versions). Plan to quickly deprecate and ultimately remove older, often less secure, API versions.

+* Use an API Management instance per environment (such as development, test, and production). Ensure that each API Management instance connects to its dependencies in the same environment. For example, in the test environment, the test API Management resource should connect to a test Azure Key Vault resource and the test versions of backend services. Use [DevOps automation and infrastructure-as-code practices](devops-api-development-templates.md) to help maintain consistency and accuracy between environments and reduce human errors.

+* Use tags to organize APIs and products and group them for publishing.

+* Publish APIs for consumption through the built-in [developer portal](api-management-howto-developer-portal.md). Make sure the API documentation is up-to-date.

+* Discover undocumented or unmanaged APIs and expose them through API Management for better control.

+## Insufficient logging and monitoring

+Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems to tamper with, and extract or destroy data. Most breach studies demonstrate that the time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

+More information about this threat: [API10:2019 Insufficient logging and monitoring](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xaa-insufficient-logging-monitoring.md)

+### Recommendations

+* Understand [observability options](observability.md) in Azure API Management and [best practices](/azure/architecture/best-practices/monitoring) for monitoring in Azure.

+* Monitor API traffic with [Azure Monitor](api-management-howto-use-azure-monitor.md).

+* Log to [Application Insights](api-management-howto-app-insights.md) for debugging purposes. Correlate [transactions in Application Insights](../azure-monitor/app/transaction-diagnostics.md) between API Management and the backend API to [trace them end-to-end](../azure-monitor/app/correlation.md).

+* If needed, forward custom events to [Event Hubs](api-management-howto-log-event-hubs.md).

+* Set alerts in Azure Monitor and Application Insights - for example, for the [capacity metric](api-management-howto-autoscale.md) or for excessive requests or bandwidth transfer.

+* Use the [emit metrics](api-management-advanced-policies.md#emit-metrics) policy for custom metrics.

+* Use the Azure Activity log for tracking activity in the service.

+* Use custom events in [Azure Application Insights](../azure-monitor/app/api-custom-events-metrics.md) and [Azure Monitor](../azure-monitor/app/custom-data-correlation.md) as needed.

+* Configure [OpenTelemetry](how-to-deploy-self-hosted-gateway-kubernetes-opentelemetry.md#introduction-to-opentelemetry) for [self-hosted gateways](self-hosted-gateway-overview.md) on Kubernetes.

+## Next steps

+* [Security baseline for API Management](/security/benchmark/azure/baselines/api-management-security-baseline)

+* [Security controls by Azure policy](security-controls-policy.md)

+* [Landing zone accelerator for API Management](/azure/cloud-adoption-framework/scenarios/app-platform/api-management/landing-zone-accelerator)

+1. Find the object ID of the Azure AD user using the [`az ad user list`](/cli/azure/ad/user#az-ad-user-list) and replace *\<user-principal-name>*. The result is saved to a variable.

+3. Add this Azure AD user as an Active Directory administrator using [`az sql server ad-admin create`](/cli/azure/sql/server/ad-admin#az-sql-server-ad-admin-create) command in the Cloud Shell. In the following command, replace *\<group-name>* and *\<server-name>* with your own parameters.

+3. Add this Azure AD user as an Active Directory administrator using [`az mysql server ad-admin create`](/cli/azure/mysql/server/ad-admin#az-mysql-server-ad-admin-create) command in the Cloud Shell. In the following command, replace *\<group-name>* and *\<server-name>* with your own parameters.

+3. Add this Azure AD user as an Active Directory administrator using [`az postgres server ad-admin create`](/cli/azure/postgres/server/ad-admin#az-postgres-server-ad-admin-create) command in the Cloud Shell. In the following command, replace *\<group-name>* and *\<server-name>* with your own parameters.

+1. Enable a managed identity for your App Service app with the [az webapp identity assign](/cli/azure/webapp/identity#az-webapp-identity-assign) command in the Cloud Shell. In the following command, replace *\<app-name>*.

+> This how-to guide references Form Recognizer v3.0 (preview). To use Form Recognizer v2.1 (GA), see [Compose custom models v2.1](compose-custom-models.md).

+A composed model is created by taking a collection of custom models and assigning them to a single model ID. You can assign up to 100 trained custom models to a single composed model ID. When a document is submitted to a composed model, the service performs a classification step to decide which custom model accurately represents the form presented for analysis. Composed models are useful when you've trained several models and want to group them to analyze similar form types. For example, your composed model might include custom models trained to analyze your supply, equipment, and furniture purchase orders. Instead of manually trying to select the appropriate model, you can use a composed model to determine the appropriate custom model for each analysis and extraction.

+To learn more, see [Composed custom models](concept-composed-models.md).

+* **An Azure subscription**. You can [create a free Azure subscription](https://azure.microsoft.com/free/cognitive-services/).

+First, you'll need a set of custom models to compose. You can use the Form Recognizer Studio, REST API, or client-library SDKs. The steps are as follows:

+To create custom models, start with configuring your project:

+1. From the Studio homepage, select [**Create new**](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects) from the Custom model card.

+Training with labels leads to better performance in some scenarios. To train with labels, you need to have special label information files (*\<filename\>.pdf.labels.json*) in your blob storage container alongside the training documents.

+|**Java**| [**beginBuildModel**](/java/api/com.azure.ai.formrecognizer.administration.documentmodeladministrationclient.beginbuildmodel?view=azure-java-preview&preserve-view=true)|

+To make an [**Analyze document**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v3-0-preview-2/operations/AnalyzeDocument) request, use a unique model name in the request parameters.

+Once you've built your composed model, you can use it to analyze forms and documents. Use your composed `model ID` and let the service decide which of your aggregated custom models fits best according to the document provided.

+You can manage a custom models at each stage in its life cycles. You can view a list of all custom models under your subscription, retrieve information about a specific custom model, and delete custom models from your account.

+Try one of our Form Recognizer quickstarts:

+Try extracting data from custom forms using our Sample Labeling tool. You'll need the following resources:

+ :::image type="content" source="media/label-tool/fott-use-custom.png" alt-text="Screenshot of the FOTT tool select custom model option.":::

+ :::image type="content" source="media/label-tool/fott-new-project.png" alt-text="Screenshot of the FOTT tool select new project option.":::

+Form Recognizer uses the [Layout](concept-layout.md) API to learn the expected sizes and positions of typeface and handwritten text elements and extract tables. Then it uses user-specified labels to learn the key/value associations and tables in the documents. We recommend that you use five manually labeled forms of the same type (same structure) to get started when training a new model. Add more labeled data as needed to improve the model accuracy. Form Recognizer enables training a model to extract key value pairs and tables using supervised learning capabilities.

+The [**REST API**](./quickstarts/try-sdk-rest-api.md?pivots=programming-language-rest-api#train-a-custom-model) will return a `201 (Success)` response with a **Location** header. The value of the last parameter in this header is the model ID for the newly trained model:

+After you've gathered your custom models corresponding to a single form type, you can compose them into a single model.

+1. On the left rail menu, select the **Model Compose** icon (merging arrow).

+ :::image type="content" source="media/custom-model-compose.png" alt-text="Screenshot of the model compose window." lightbox="media/custom-model-compose-expanded.png":::

+1. On the tool's left-pane menu, select the **Analyze icon** (light bulb).

+Test your newly trained models by [analyzing forms](./quickstarts/try-sdk-rest-api.md#analyze-forms-with-a-custom-model) that weren't part of the training dataset. Depending on the reported accuracy, you may want to do further training to improve the model. You can continue further training to [improve results](label-tool.md#improve-results).

+Great! You've learned the steps to create custom and composed models and use them in your Form Recognizer projects and applications.

+description: Concepts related to data extraction and analysis using the prebuilt business card model.

+|**Business card model**| <ul><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com)</li><li>[**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-06-30-preview/operations/AnalyzeDocument)</li><li>[**C# SDK**](quickstarts/try-v3-csharp-sdk.md)</li><li>[**Python SDK**](quickstarts/try-v3-python-sdk.md)</li><li>[**Java SDK**](quickstarts/try-v3-java-sdk.md)</li><li>[**JavaScript SDK**](quickstarts/try-v3-javascript-sdk.md)</li></ul>|**prebuilt-businessCard**|

+|Business card| <ul><li>English (United States)ΓÇöen-US</li><li> English (Australia)ΓÇöen-AU</li><li>English (Canada)ΓÇöen-CA</li><li>English (United Kingdom)ΓÇöen-GB</li><li>English (India)ΓÇöen-IN</li><li>English (Japan)ΓÇöen-JP</li><li>Japanese (Japan)ΓÇöja-JP</li></ul> | Autodetected (en-US or ja-JP) |

+* ```Custom form```and ```Custom document``` models can be composed together into a single composed model when they're trained with the same API version or an API version later than ```2021-06-30-preview```. For more information on composing custom template and custom neural models, see [compose model limits](#compose-model-limits).

+ |Custom model type | API Version |Custom form 2021-06-30-preview (v3.0)| Custom document 2021-06-30-preview(v3.0) | Custom form GA version (v2.1) or earlier|

+|**Custom template** (updated custom form)| 2021-06-30-preview | &#10033;| Γ£ô | X |

+|**Custom neural**| trained with current API version (2021-06-30-preview) |Γ£ô |Γ£ô | X |

+description: Learn about custom neural (neural) model type, its features and how you train a model with high accuracy to extract data from structured and unstructured documents.

+Custom neural models share the same labeling format and strategy as [custom template](concept-custom-template.md) models. Currently custom neural models only support a subset of the field types supported by custom template models.

+| Form fields | Selection marks | Tabular fields | Signature | Region |

+|:--:|:--:|:--:|:--:|:--:|

+| Supported | Supported | Supported | Unsupported | Unsupported |

+## Tabular fields

+With the release of API version **2022-06-30-preview**, custom neural models will support tabular fields (tables):

+* Models trained with API version 2022-06-30-preview or later will accept tabular field labels.

+* Documents analyzed with custom neural models using API version 2022-06-30-preview or later will produce tabular fields aggregated across the tables.

+* The results can be found in the ```analyzeResult``` object's ```documents``` array that is returned following an analysis operation.

+Tabular fields support **cross page tables** by default:

+* To label a table that spans multiple pages, label each row of the table across the different pages in a single table.

+* As a best practice, ensure that your dataset contains a few samples of the expected variations. For example, include samples where the entire table is on a single page and where tables span two or more pages.

+Tabular fields are also useful when extracting repeating information within a document that isn't recognized as a table. For example, a repeating section of work experiences in a resume can be labeled and extracted as a tabular field.

+For the **2022-06-30-preview**, custom neural models can only be trained in the following Azure regions:

+> [!TIP]

+> You can copy a model trained in one of the select regions listed above to **any other region** and use it accordingly.

+Custom neural models differ from custom template models in a few different ways. The custom template or model relies on a consistent visual template to extract the labeled data. Custom neural models support structured, semi-structured, and unstructured documents to extract fields. When you're choosing between the two model types, start with a neural model and test to determine if it supports your functional needs.

+### Dealing with variations

+| Custom document | [Form Recognizer 3.0 (preview)](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-06-30-preview/operations/AnalyzeDocument)| [Form Recognizer Preview SDK](quickstarts/try-v3-python-sdk.md)| [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio)

+https://{endpoint}/formrecognizer/documentModels:build?api-version=2022-06-30

+Custom template models support key-value pairs, selection marks, tables, signature fields, and selected regions.

+| Form fields | Selection marks | Tabular fields (Tables) | Signature | Selected regions |

+|:--:|:--:|:--:|:--:|:--:|

+## Tabular fields

+With the release of API version **2022-06-30-preview**, custom template models will support tabular fields (tables):

+* Models trained with API version 2022-06-30-preview or later will accept tabular field labels.

+* Documents analyzed with custom neural models using API version 2022-06-30-preview or later will produce tabular fields aggregated across the tables.

+* The results can be found in the ```analyzeResult``` object's ```documents``` array that is returned following an analysis operation.

+Tabular fields support **cross page tables** by default:

+* To label a table that spans multiple pages, label each row of the table across the different pages in a single table.

+* As a best practice, ensure that your dataset contains a few samples of the expected variations. For example, include samples where the entire table is on a single page and where tables span two or more pages.

+Tabular fields are also useful when extracting repeating information within a document that isn't recognized as a table. For example, a repeating section of work experiences in a resume can be labeled and extracted as a tabular field.

+## Dealing with variations

+Template models rely on a defined visual template, changes to the template will result in lower accuracy. In those instances, split your training dataset to include at least five samples of each template and train a model for each of the variations. You can then [compose](concept-composed-models.md) the models into a single endpoint. For subtle variations, like digital PDF documents and images, it's best to include at least five examples of each type in the same training dataset.

+| Custom template (preview) | [Form Recognizer 3.0 (preview)](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-06-30-preview/operations/AnalyzeDocument)| [Form Recognizer Preview SDK](quickstarts/try-v3-python-sdk.md)| [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio)|

+https://{endpoint}/formrecognizer/documentModels:build?api-version=2022-06-30

+The custom neural (custom document) model uses deep learning models and base model trained on a large collection of documents. This model is then fine-tuned or adapted to your data when you train the model with a labeled dataset. Custom neural models support structured, semi-structured, and unstructured documents to extract fields. Custom neural models currently support English-language documents. When you're choosing between the two model types, start with a neural model to determine if it meets your functional needs. See [neural models](concept-custom-neural.md) to learn more about custom document models.

+Try extracting data from your specific or unique documents using custom models. You need the following resources:

+| Custom template 3.0 | [Form Recognizer 3.0 (preview)](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-06-30-preview/operations/AnalyzeDocument)| [Form Recognizer Preview SDK](quickstarts/try-v3-python-sdk.md)| [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio)|

+| Custom neural | [Form Recognizer 3.0 (preview)](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-06-30-preview/operations/AnalyzeDocument)| [Form Recognizer Preview SDK](quickstarts/try-v3-python-sdk.md)| [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio)

+* [REST API (preview)](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-06-30-preview/operations/AnalyzeDocument): This API shows you more about the preview version and new capabilities.

+|[v3.0 Studio quickstart](quickstarts/try-v3-form-recognizer-studio.md) |[Form Recognizer v3.0 API 2022-06-30](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v3-0-preview-2/operations/AnalyzeDocument)|

+description: Concepts related to data extraction and analysis using prebuilt general document preview model

+> The ```2022-06-30``` update to the general document model adds support for selection marks.

+* The general document model is a pre-trained model; it doesn't require labels or training.

+* A single API extracts key-value pairs, selection marks, entities, text, tables, and structure from documents.

+|🆕 **General document model**|<ul ><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com)</li><li>[**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-06-30-preview/operations/AnalyzeDocument)</li><li>[**C# SDK**](quickstarts/try-v3-csharp-sdk.md)</li><li>[**Python SDK**](quickstarts/try-v3-python-sdk.md)</li><li>[**Java SDK**](quickstarts/try-v3-java-sdk.md)</li><li>[**JavaScript SDK**](quickstarts/try-v3-javascript-sdk.md)</li></ul>|

+Try extracting data from forms and documents using the Form Recognizer Studio.

+Key-value pairs are specific spans within the document that identify a label or key and its associated response or value. In a structured form, these pairs could be the label and the value the user entered for that field. In an unstructured document, they could be the date a contract was executed on based on the text in a paragraph. The AI model is trained to extract identifiable keys and values based on a wide variety of document types, formats, and structures.

+Keys can also exist in isolation when the model detects that a key exists, with no associated value or when processing optional fields. For example, a middle name field may be left blank on a form in some instances. Key-value pairs are spans of text contained in the document. If you have documents where the same value is described in different ways, for example, customer and user, the associated key will be either customer or user based on context.

+The key-value pair extraction model and entity identification model are run in parallel on the entire documentΓÇönot just on the values of the extracted key-value pairs. This process ensures that complex structures where a key can't be identified are still enriched by identifying the entities referenced. You can still match keys or values to entities based on the offsets of the identified spans.

+description: Concepts related to data extraction and analysis using the prebuilt ID document model

+|**ID document model**|<ul><li> [**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com)</li><li>[**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-06-30-preview/operations/AnalyzeDocument)</li><li>[**C# SDK**](quickstarts/try-v3-csharp-sdk.md)</li><li>[**Python SDK**](quickstarts/try-v3-python-sdk.md)</li><li>[**Java SDK**](quickstarts/try-v3-java-sdk.md)</li><li>[**JavaScript SDK**](quickstarts/try-v3-javascript-sdk.md)</li></ul>|**prebuilt-idDocument**|

+Extract data, including name, birth date, machine-readable zone, and expiration date, from ID documents using the Form Recognizer Studio or our Sample Labeling tool. You'll need the following resources:

+ The Form Recognizer preview v3.0 introduces several new features and capabilities:

+* **ID document (v3.0)** prebuilt model supports extraction of endorsement, restriction, and vehicle class codes from US driver's licenses.

+* The ID Document **2022-06-30-preview** release supports the following data extraction from US driver's licenses:

+ * Date issued

+ * Height

+ * Weight

+ * Eye color

+ * Hair color

+ * Document discriminator security code

+| 🆕 DateOfIssue | Date | Issue date | yyyy-mm-dd |

+| 🆕 Height | String | Height of the holder. | |

+| 🆕 Weight | String | Weight of the holder. | |

+| 🆕 EyeColor | String | Eye color of the holder. | |

+| 🆕 HairColor | String | Hair color of the holder. | |

+| 🆕 DocumentDiscriminator | String | Document discriminator is a security code that identifies where and when the license was issued. | |

+| Endorsements | String | More driving privileges granted to a driver such as Motorcycle or School bus. | |

+| Restrictions | String | Restricted driving privileges applicable to suspended or revoked licenses.| |

+| VehicleClassification | String | Types of vehicles that can be driven by a driver. ||

+description: Concepts related to data extraction and analysis using prebuilt invoice model

+|**Invoice model** | <ul><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com)</li><li>[**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-06-30-preview/operations/AnalyzeDocument)</li><li>[**C# SDK**](quickstarts/try-v3-csharp-sdk.md)</li><li>[**Python SDK**](quickstarts/try-v3-python-sdk.md)</li><li>[**Java SDK**](quickstarts/try-v3-java-sdk.md)</li><li>[**JavaScript SDK**](quickstarts/try-v3-javascript-sdk.md)</li></ul>|**prebuilt-invoice**|

+|Invoice (preview)| <ul><li>GermanΓÇöde</li></ul>| German (Germany)-de|

+|Invoice (preview)| <ul><li>FrenchΓÇöfr</li></ul>| French (France)ΓÇöfr|

+|Invoice (preview)| <ul><li>ItalianΓÇöit</li></ul>| Italian (Italy)ΓÇöit|

+|Invoice (preview)| <ul><li>PortugueseΓÇöpt</li></ul>| Portuguese (Portugal)ΓÇöpt|

+|Invoice (preview)| <ul><li>DutchΓÇönl</li></ul>| Dutch (Netherlands)ΓÇönl|

+| VAT | Number | Stands for Value added tax. VAT is a flat tax levied on an item. Common in European countries | &euro;20.00 | |

+The invoice key-value pairs and line items extracted are in the `documentResults` section of the JSON output.

+### Key-value pairs (Preview)

+The prebuilt invoice **2022-06-30-preview** release returns key-value pairs at no extra cost. Key-value pairs are specific spans within the invoice that identify a label or key and its associated response or value. In an invoice, these pairs could be the label and the value the user entered for that field or telephone number. The AI model is trained to extract identifiable keys and values based on a wide variety of document types, formats, and structures.

+Keys can also exist in isolation when the model detects that a key exists, with no associated value or when processing optional fields. For example, a middle name field may be left blank on a form in some instances. key-value pairs are always spans of text contained in the document. If you have documents where the same value is described in different ways, for example, a customer or a user, the associated key will be either customer or user based on context.

+* Explore our [**REST API (preview)**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-06-30-preview/operations/AnalyzeDocument) to learn more about the preview version and new capabilities.

+ > [Form Recognizer API v3.0 (Preview)](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-06-30-preview/operations/AnalyzeDocument)

+## Supported document types

+| **Model** | **Images** | **PDF** | **TIFF** |

+### Data extraction

+| **Model** | **Text** | **Selection Marks** | **Tables** | **Paragraphs** | **Paragraph roles** |

+| | | | | | |

+| Layout | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

+**Supported paragraph roles**:

+* title

+* sectionHeading

+* footnote

+* pageHeader

+* pageFooter

+* pageNumber

+For a richer semantic analysis, paragraph roles are best used with unstructured documents to better understand the layout of the extracted content.

+|**Layout model**| <ul><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com)</li><li>[**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-06-30-preview/operations/AnalyzeDocument)</li><li>[**C# SDK**](quickstarts/try-v3-csharp-sdk.md)</li><li>[**Python SDK**](quickstarts/try-v3-python-sdk.md)</li><li>[**Java SDK**](quickstarts/try-v3-java-sdk.md)</li><li>[**JavaScript SDK**](quickstarts/try-v3-javascript-sdk.md)</li></ul>|**prebuilt-layout**|

+## Try Form Recognizer

+Try extracting data from forms and documents using the Form Recognizer Studio. You'll need the following resources:

+### Form Recognizer Studio (preview)

+* Supported file formats: JPEG/JPG, PNG, BMP, TIFF, and PDF (text-embedded or scanned).

+* The file size must be less than 500 MB for paid (S0) tier and 4 MB for free (F0) tier.

+* The minimum height of the text to be extracted is 12 pixels for a 1024 X 768 image. This dimension corresponds to about eight font point text at 150 DPI.

+## Model extraction

+The layout model extracts text, selection marks, tables, paragraphs, and paragraph types (`roles`) from your documents.

+### Text lines and words

+Layout API extracts print and handwritten style text as `lines` and `words`. The model outputs bounding `polygon` coordinates and `confidence` for the extracted words. The `styles` collection includes any handwritten style for lines, if detected, along with the spans pointing to the associated text. This feature applies to [supported handwritten languages](language-support.md).

+Layout API also extracts selection marks from documents. Extracted selection marks appear within the `pages` collection for each page. They include the bounding `polygon`, `confidence`, and selection `state` (`selected/unselected`). Any associated text if extracted is also included as the starting index (`offset`) and `length` that references the top level `content` property that contains the full text from the document.

+### Tables and table headers

+Layout API extracts tables in the `pageResults` section of the JSON output. Documents can be scanned, photographed, or digitized. Extracted table information includes the number of columns and rows, row span, and column span. Each cell with its bounding `polygon` is output along with information whether it's recognized as a `columnHeader` or not. The API also works with rotated tables. Each table cell contains the row and column index and bounding polygon coordinates. For the cell text, the model outputs the `span` information containing the starting index (`offset`). The model also outputs the `length` within the top level `content` that contains the full text from the document.

+### Paragraphs

+The Layout model extracts all identified blocks of text in the `paragraphs` collection as a top level object under `analyzeResults`. Each entry in this collection represents a text block and includes the extracted text as`content`and the bounding `polygon` coordinates. The `span` information points to the text fragment within the top level `content` property that contains the full text from the document.

+### Paragraph roles

+The Layout model may flag certain paragraphs with their specialized type or `role` as predicted by the model. They're best used with unstructured documents to help understand the layout of the extracted content for a richer semantic analysis. The following paragraph roles are supported:

+| **Predicted role** | **Description** |

+| | |

+| `title` | The main heading(s) in the page |

+| `sectionHeading` | One or more subheading(s) on the page |

+| `footnote` | Text near the bottom of the page |

+| `pageHeader` | Text near the top edge of the page |

+| `pageFooter` | Text near the bottom edge of the page |

+| `pageNumber` | Page number |

+For large multi-page documents, use the `pages` query parameter to indicate specific page numbers or page ranges for text extraction.

+description: Concepts related to data extraction and analysis using prebuilt models.

+ Azure Form Recognizer supports a wide variety of models that enable you to add intelligent document processing to your apps and flows. You can use a prebuilt document analysis or domain specific model or train a custom model tailored to your specific business needs and use cases. Form Recognizer can be used with the REST API or Python, C#, Java, and JavaScript SDKs.

+The Layout API analyzes and extracts text, tables and headers, selection marks, and structure information from documents.

+>

+The invoice model analyzes and extracts key information from sales invoices. The API analyzes invoices in various formats and extracts key information such as customer name, billing address, due date, and amount due. Currently, the model supports English, Spanish, German, French, Italian, Portuguese, and Dutch invoices.

+* The receipt model analyzes and extracts key information from printed and handwritten sales receipts.

+* The preview version v3.0 also supports single-page hotel receipt processing.

+* Custom models analyze and extract data from forms and documents specific to your business. The API is a machine-learning program trained to recognize form fields within your distinct content and extract key-value pairs and table data. You only need five examples of the same form type to get started and your custom model can be trained with or without labeled datasets.

+* The preview version v3.0 custom model supports signature detection in custom forms (template model) and cross-page tables in both template and neural models.

+***Composed model dialog window in [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio/customform/projects)***:

+ | **Model ID** | **Text extraction** | **Selection Marks** | **Tables** | **Paragraphs** | **Key-Value pairs** | **Fields** |**Entities** |

+ |:--|:-:|:-:|:-:|:-:|:-:|:-:|:-:|

+|🆕 [prebuilt-read](concept-read.md#data-extraction) | ✓ | | | ✓ | | | |

+|🆕 [prebuilt-tax.us.w2](concept-w2.md#field-extraction) | ✓ | ✓ | | ✓ | | ✓ | |

+|🆕 [prebuilt-document](concept-general-document.md#data-extraction)| ✓ | ✓ | ✓ | ✓ | ✓ | | ✓ |

+| [prebuilt-layout](concept-layout.md#data-extraction) | Γ£ô | Γ£ô | Γ£ô | Γ£ô | | | |

+| [prebuilt-invoice](concept-invoice.md#field-extraction) | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | |

+| [prebuilt-receipt](concept-receipt.md#field-extraction) | Γ£ô | | | Γ£ô | | Γ£ô | |

+| [prebuilt-idDocument](concept-id-document.md#field-extraction) | Γ£ô | | | Γ£ô | | Γ£ô | |

+| [prebuilt-businessCard](concept-business-card.md#field-extraction) | Γ£ô | | | Γ£ô | | Γ£ô | |

+| [Custom](concept-custom.md#compare-model-features) | Γ£ô | Γ£ô | Γ£ô | Γ£ô | | Γ£ô | |

+ Title: Read OCR - Form Recognizer

+description: Learn concepts related to Read OCR API analysis with Form Recognizer APIΓÇöusage and limits.

+# Form Recognizer Read OCR model

+Form Recognizer v3.0 preview includes the new Read Optical Character Recognition (OCR) model. The Read OCR model extracts typeface and handwritten text including mixed languages in documents. The Read OCR model can detect lines, words, locations, and languages and is the core of all other Form Recognizer models. Layout, general document, custom, and prebuilt models all use the Read OCR model as a foundation for extracting texts from documents.

+## Supported document types

+| **Model** | **Images** | **PDF** | **TIFF** | **Word** | **Excel** | **PowerPoint** | **HTML** |

+| | | | | | | | |

+| Read | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

+### Data extraction

+| **Read model** | **Text** | **[Language detection](language-support.md#detected-languages-read-api)** |

+| | | |

+prebuilt-read | Γ£ô |Γ£ô |

+## Try Form Recognizer

+Try extracting text from forms and documents using the Form Recognizer Studio. You'll need the following assets:

+### Form Recognizer Studio (preview)

+> Form Recognizer studio is available with the preview (v3.0) API. The latest service preview is currently not enabled for analyzing Microsoft Word, Excel, PowerPoint, and HTML file formats using the Form Recognizer Studio.

+* Supported file formats: These include JPEG/JPG, PNG, BMP, TIFF, PDF (text-embedded or scanned). Additionally, Microsoft Word, Excel, PowerPoint, and HTML files are supported with the Read API in **2022-06-30-preview**.

+* The file size must be less than 500 MB for paid (S0) tier and 4 MB for free (F0) tier.

+* The minimum height of the text to be extracted is 12 pixels for a 1024X768 image. This dimension corresponds to about eight font point text at 150 DPI.

+## Data detection and extraction

+### Pages

+With the added support for Microsoft Word, Excel, PowerPoint, and HTML files, the page units in the model output are computed as shown:

+ **File format** | **Computed page unit** | **Total pages** |

+| | | |

+|Images | Each image = 1 page unit | Total images |

+|PDF | Each page in the PDF = 1 page unit | Total pages in the PDF |

+|Word | Up to 3,000 characters = 1 page unit, Each embedded image = 1 page unit | Total pages of up to 3,000 characters each + Total embedded images |

+|Excel | Each worksheet = 1 page unit, Each embedded image = 1 page unit | Total worksheets + Total images

+|PowerPoint| Each slide = 1 page unit, Each embedded image = 1 page unit | Total slides + Total images

+|HTML| Up to 3,000 characters = 1 page unit, embedded or linked images not supported | Total pages of up to 3,000 characters each |

+### Text lines and words

+Read extracts print and handwritten style text as `lines` and `words`. The model outputs bounding `polygon` coordinates and `confidence` for the extracted words. The `styles` collection includes any handwritten style for lines if detected along with the spans pointing to the associated text. This feature applies to [supported handwritten languages](language-support.md).

+For Microsoft Word, Excel, PowerPoint, and HTML file formats, Read will extract all embedded text as is. For any embedded images, it will run OCR on the images to extract text and append the text from each image as an added entry to the `pages` collection. These added entries will include the extracted text lines and words, their bounding polygons, confidences, and the spans pointing to the associated text.

+### Language detection

+Read adds [language detection](language-support.md#detected-languages-read-api) as a new feature for text lines. Read will predict all detected languages for text lines along with the `confidence` in the `languages` collection under `analyzeResult`.

+For large multi-page PDF documents, use the `pages` query parameter to indicate specific page numbers or page ranges for text extraction.

+> [!NOTE]

+> For Microsoft Word, Excel, PowerPoint, and HTML file formats, the Read API ignores the pages parameter and extracts all pages by default.

+description: Concepts related to data extraction and analysis using the prebuilt receipt model

+The receipt model combines powerful Optical Character Recognition (OCR) capabilities with deep learning models to analyze and extract key information from sales receipts. Receipts can be of various formats and quality including printed and handwritten receipts. The API extracts key information such as merchant name, merchant phone number, transaction date, total tax, and transaction total and returns a structured JSON data representation.

+|**Receipt model**| <ul><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com)</li><li>[**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-06-30-preview/operations/AnalyzeDocument)</li><li>[**C# SDK**](quickstarts/try-v3-csharp-sdk.md)</li><li>[**Python SDK**](quickstarts/try-v3-python-sdk.md)</li></ul>|**prebuilt-receipt**|

+You'll need a receipt document. You can use our [sample receipt document](https://raw.githubusercontent.com/Azure-Samples/cognitive-services-REST-api-samples/master/curl/form-recognizer/contoso-receipt.png).

+* Image dimensions must be between 50 x 50 pixels and 10,000 x 10,000 pixels.

+ | Tax | Number (USD) | Total tax on receipt (often sales tax or equivalent). **Renamed to "TotalTax" in 2022-06-30-preview version**. | Two-decimal float |

+| Name | String | Item description. **Renamed to "Description" in 2022-06-30-preview version**. | |

+| Quantity | Number | Quantity of each item | Two-decimal float |

+| TotalPrice | Number | Total price of line item | Two-decimal float |

+| Items.*.TotalPrice | Number | Item total price | Two-decimal float |

+ Title: Form Recognizer W-2 prebuilt model

+description: Data extraction and analysis extraction using the prebuilt W-2 model

+The prebuilt W-2 model is supported by Form Recognizer v3.0 with the following tools:

+Try extracting data from W-2 forms using the Form Recognizer Studio. You'll need the following resources:

+1. On the [Form Recognizer Studio home page](https://formrecognizer.appliedai.azure.com/studio), select **W-2**.

+|prebuilt-tax.us.w2|<ul><li>English (United States)</li></ul>|English (United States)ΓÇöen-US|

+> [!div class="checklist"]

+>

+> * [**REST API**](quickstarts/try-v3-rest-api.md)

+> * [**C# SDK**](quickstarts/try-v3-csharp-sdk.md#prebuilt-model)

+> * [**Python SDK**](quickstarts/try-v3-python-sdk.md#prebuilt-model)

+> * [**Java SDK**](quickstarts/try-v3-java-sdk.md#prebuilt-model)

+> * [**JavaScript**](quickstarts/try-v3-javascript-sdk.md#prebuilt-model)</li></ul>

+With Azure Form Recognizer containers, you can build an application architecture that's optimized to take advantage of both robust cloud capabilities and edge locality. Containers provide a minimalist, isolated environment that can be easily deployed on-premise and in the cloud. In this article, you'll learn to configure the Form Recognizer container run-time environment by using the `docker compose` command arguments. Form Recognizer features are supported by six Form Recognizer feature containersΓÇö**Layout**, **Business Card**,**ID Document**, **Receipt**, **Invoice**, **Custom**. These containers have both required and optional settings. For a few examples, see the [Example docker-compose.yml file](#example-docker-composeyml-file) section.

+|Yes|[Billing](#key-and-billing-configuration-setting)|Specifies the endpoint URI of the service resource on Azure. For more information, _see_ [Billing](form-recognizer-container-install-run.md#billing). For more information and a complete list of regional endpoints, _see_ [Custom subdomain names for Cognitive Services](../../../cognitive-services/cognitive-services-custom-subdomains.md).|

+|No|[ApplicationInsights](#applicationinsights-setting)|Enables adding [Azure Application Insights](/azure/application-insights) customer content support to your container.|

+1. If your overview page doesn't have the keys and endpoint visible, you can select the **Keys and Endpoint** button on the left navigation bar and retrieve them there.

+* Complete a Form Recognizer quickstart and get started creating a document processing app in the development language of your choice:

+ * [C#](quickstarts/try-v3-csharp-sdk.md)

+ * [Python](quickstarts/try-v3-python-sdk.md)

+ * [Java](quickstarts/try-v3-java-sdk.md)

+ * [JavaScript](quickstarts/try-v3-javascript-sdk.md)

+The current API version is ```2022-06-30```.

+## Business card model

+The **2022-06-30-preview** release includes Japanese language support:

+|Language| Locale code |

+|:--|:-:|

+| Japanese | `ja` |

+|English (United States) |en-US|

+|Spanish| es|

+|German (**2022-06-30-preview**)| de|

+|French (**2022-06-30-preview**)| fr|

+|Italian (**2022-06-30-preview**)|it|

+|Portuguese (**2022-06-30-preview**)|pt|

+|Dutch (**2022-06-30-preview**)| nl|

+* [**Read model**](concept-read.md) | Extract text lines, words, locations, and detected languages from documents and images.

+* [**Layout model**](concept-layout.md) | Extract text, tables, selection marks, and structure information from documents and images.

+|<ul><li>**Primarily text content**</li></yl>| Is your document _printed_ in a [supported language](language-support.md#read-layout-and-custom-form-template-model) and are you only interested in text and not tables, selection marks, and the structure?|<ul><li>If **Yes** to text-only extraction, use the [**Read**](concept-read.md) model.<li>If **No**, because you also need structure information, use the [**Layout**](concept-layout.md) model.</li></ul>

+|<ul><li>**General structured document**</li></yl>| Is your document mostly structured and does it contain a few fields and values that may not be covered by the other prebuilt models?|<ul><li>If **Yes**, use the [**General document (preview)**](concept-general-document.md) model.</li><li> If **No**, because the fields and values are complex and highly variable, train and build a [**Custom**](how-to-guides/build-custom-model-v3.md) model.</li></ul>

+|<ul><li>**Invoice**</li></yl>| Is your invoice document composed in a [supported language](language-support.md#invoice-model) text?|<ul><li>If **Yes**, use the [**Invoice**](concept-invoice.md) model.<li>If **No**, use the [**Layout**](concept-layout.md) or [**General document (preview)**](concept-general-document.md) model.</li></ul>

+|[**Invoice model**](concept-invoice.md) | Automated data processing and extraction of key information from sales invoices. | <ul><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=invoice)</li><li>[**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-06-30-preview/operations/AnalyzeDocument)</li><li>[**C# SDK**](quickstarts/try-v3-csharp-sdk.md#prebuilt-model)</li><li>[**Python SDK**](quickstarts/try-v3-python-sdk.md#prebuilt-model)</li></ul>|

+> * Explore the [**REST API reference documentation**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-06-30-preview/operations/AnalyzeDocument) to learn more.

+Get started with Azure Form Recognizer using the JavaScript programming language. Azure Form Recognizer is a cloud-based Azure Applied AI Service that uses machine learning to extract key-value pairs, text, and tables from your documents. You can easily call Form Recognizer models by integrating our client library SDKs into your workflows and applications. We recommend that you use the free service when you're learning the technology. Remember that the number of free pages is limited to 500 per month.

+* [🆕 **General document**](#general-document-model)—Analyze and extract key-value pairs, selection marks, and entities from documents.

+* [**Prebuilt Invoice**](#prebuilt-model)ΓÇöAnalyze and extract common fields from specific document types using a pre-trained invoice model.

+ // set `<your-key>` and `<your-endpoint>` variables with the values from the Azure portal.

+ const key = "<your-key>";

+ const endpoint = "<your-endpoint>";

+ // set `<your-key>` and `<your-endpoint>` variables with the values from the Azure portal.

+ const key = "<your-key>";

+ const endpoint = "<your-endpoint>";

+ // set `<your-key>` and `<your-endpoint>` variables with the values from the Azure portal.

+ const key = "<your-key>";

+ const endpoint = "<your-endpoint>";

+> [REST API v3.0reference documentation](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-06-30-preview/operations/AnalyzeDocument)

+# Get started: Form Recognizer REST API 2022-06-30-preview

+The current API version is **2022-06-30-preview**.

+| [Form Recognizer REST API](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-06-30-preview/operations/AnalyzeDocument) | [Azure SDKS](https://azure.github.io/azure-sdk/releases/latest/https://docsupdatetracker.net/index.html) |

+* Composed customΓÇöCompose a collection of custom models and assign them to a single model ID.

+curl -v -i POST "{endpoint}/formrecognizer/documentModels/{modelID}:analyze?api-version=2022-06-30" -H "Content-Type: application/json" -H "Ocp-Apim-Subscription-Key: {key}" --data-ascii "{'urlSource': '{your-document-url}'}"

+After you've called the [**Analyze document**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-06-30-preview/operations/AnalyzeDocument) API, call the [**Get analyze result**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-06-30-preview/operations/GetAnalyzeDocumentResult) API to get the status of the operation and the extracted data. Before you run the command, make these changes:

+1. Replace `{modelID}` with the same modelID you used to analyze your document.

+<<<<<<< HEAD

+curl -v -X GET "{endpoint}/formrecognizer/documentModels/{model name}/analyzeResults/{resultId}?api-version=2022-06-30" -H "Ocp-Apim-Subscription-Key: {key}"

+=======

+curl -v -X GET "{endpoint}/formrecognizer/documentModels/{modelID}/analyzeResults/{resultId}?api-version=2022-01-30-preview" -H "Ocp-Apim-Subscription-Key: {key}"

+>>>>>>> resolve-merge-conflict

+ "apiVersion": "2022-06-30",

+| **Max number of Template models** | 500 | 5000 |

+| Adjustable | No | No |

+| **Max number of Neural models** | 100 | 500 |

+| Adjustable | No | No |

+* [**Custom model API (v3.0)**](concept-custom.md) supports signature detection for custom template models.

+* [**Custom model API (v3.0)**](overview.md) supports analysis of all the newly added prebuilt models. For a complete list of prebuilt models, see the [overview](overview.md) page.

+> [!CAUTION]

+>

+> * REST API **2022-06-30-preview** release includes a breaking change in the REST API analyze response JSON.

+> * The `boundingBox` property is renamed to `polygon` in each instance.

+https://{your-form-recognizer-endpoint}/formrecognizer/documentModels/{modelId}?api-version=2022-06-30

+https://{your-form-recognizer-endpoint}/formrecognizer/documentModels/{modelId}/AnalyzeResult/{resultId}?api-version=2022-06-30

+|🆕 **General document**|N/A|`/documentModels/prebuilt-document:analyze` |

+| **Layout**| /layout/analyze |`/documentModels/prebuilt-layout:analyze`|

+|**Custom**| /custom/{modelId}/analyze |`/documentModels/{modelId}:analyze` |

+| **Invoice** | /prebuilt/invoice/analyze | `/documentModels/prebuilt-invoice:analyze` |

+| **Receipt** | /prebuilt/receipt/analyze | `/documentModels/prebuilt-receipt:analyze` |

+| **ID document** | /prebuilt/idDocument/analyze | `/documentModels/prebuilt-idDocument:analyze` |

+|**Business card**| /prebuilt/businessCard/analyze| `/documentModels/prebuilt-businessCard:analyze`|

+|**W-2**| /prebuilt/w-2/analyze| `/documentModels/prebuilt-w-2:analyze`|

+* `pages` : Analyze only a specific subset of pages in the document. List of page numbers indexed from the number `1` to analyze. Ex. "1-3,5,7-9"

+* `locale` : Locale hint for text recognition and document analysis. Value may contain only the language code (ex. "en", "fr") or BCP 47 language tag (ex. "en-US").

+Parameters no longer supported:

+"apiVersion": "2022-06-30", // REST API version used

+"unit": "pixel", // Unit for width, height, and polygon coordinates

+"boundingRegions": [ // Polygons or Bounding boxes potentially across pages covered by table

+"polygon": [ ... ], // Previously Bounding box, renamed to polygon in the 2022-06-30-preview API

+* ```buildMode``` is a new property with values of ```template``` for custom form models or ```neural``` for custom document models.

+The ```build``` operation is invoked to train a model. The request payload and call pattern remain unchanged. The build operation specifies the model and training dataset, it returns the result via the Operation-Location header in the response. Poll this model operation URL, via a GET request to check the status of the build operation (minimum recommended interval between requests is 1 second). Unlike v2.1, this URL isn't the resource location of the model. Instead, the model URL can be constructed from the given modelId, also retrieved from the resourceLocation property in the response. Upon success, status is set to ```succeeded``` and result contains the custom model info. If errors are encountered, status is set to ```failed``` and the error is returned.

+POST https://{your-form-recognizer-endpoint}/formrecognizer/documentModels:build?api-version=2022-06-30

+POST https://{your-form-recognizer-endpoint}/formrecognizer/documentModels:compose?api-version=2022-06-30

+POST https://{targetHost}/formrecognizer/documentModels:authorizeCopy?api-version=2022-06-30

+POST https://{sourceHost}/formrecognizer/documentModels/{sourceModelId}:copy-to?api-version=2022-06-30

+GET https://{your-form-recognizer-endpoint}/formrecognizer/documentModels?api-version=2022-06-30

+GET https://{your-form-recognizer-endpoint}/formrecognizer/documentModels/{modelId}?api-version=2022-06-30

+GET https://{your-form-recognizer-endpoint}/formrecognizer/info? api-version=2022-06-30

+* [Review the new REST API](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-06-30-preview/operations/AnalyzeDocument)

+## June 2022

+### Form Recognizer v3.0 preview release (beta.3)

+The **2022-06-30-preview** release is the latest update to the Form Recognizer service for v3.0 capabilities. There are considerable updates across the feature APIs:

+* [🆕 **Layout extends structure extraction**](concept-layout.md). Layout now includes added structure elements including sections, section headers, and paragraphs. This update enables finer grain document segmentation scenarios. For a complete list of structure elements identified, _see_ [enhanced structure](concept-layout.md#data-extraction).

+* [🆕 **Custom neural model tabular fields support**](concept-custom-neural.md). Custom document models now support tabular fields. Tabular fields by default are also multi page. To learn more about tabular fields in custom neural models, _see_ [tabular fields](concept-custom-neural.md#tabular-fields).

+* [🆕 **Custom template model tabular fields support for cross page tables**](concept-custom-template.md). Custom form models now support tabular fields across pages. To learn more about tabular fields in custom template models, _see_ [tabular fields](concept-custom-neural.md#tabular-fields).

+* [🆕 **Invoice model output now includes general document key-value pairs**](concept-custom-template.md). Where invoices contain required fields beyond the fields included in the prebuilt model, the general document model supplements the output with key-value pairs. _See_ [key value pairs](concept-invoice.md#key-value-pairs-preview).

+* [🆕 **Invoice language expansion**](concept-custom-template.md). The invoice model includes expanded language support. _See_ [supported languages](concept-invoice.md#supported-languages-and-locales).

+* [🆕 **Prebuilt business card**](concept-business-card.md). The business card model now includes Japanese language support. _See_ [supported languages](concept-business-card.md#supported-languages-and-locales).

+* [🆕 **Read model now supports common Microsoft Office document types**](concept-read.md). Document types like Word (docx) and PowerPoint (ppt) are now supported with the Read API. See [page extraction](concept-read.md#pages).

+* [**Language Expansion**](language-support.md) Form Recognizer Read, Layout, and Custom Form add support for 42 new languages including Arabic, Hindi, and other languages using Arabic and Devanagari scripts to expand the coverage to 164 languages. Handwritten language support expands to Japanese and Korean.

+ | **Model** | **Text extraction** |**Key-Value pairs** |**Selection Marks** | **Tables** |**Entities** |**Signatures**|

+ |🆕Read | ✓ | | | | | |

+ |🆕General document | ✓ | ✓ | ✓ | ✓ | ✓ | |

+ | Layout | Γ£ô | | Γ£ô | Γ£ô | | |

+ | Invoice | Γ£ô | Γ£ô | Γ£ô | Γ£ô || |

+ |Receipt | Γ£ô | Γ£ô | | || |

+ | ID document | Γ£ô | Γ£ô | | || |

+ | Business card | Γ£ô | Γ£ô | | || |

+ | Custom template |Γ£ô | Γ£ô | Γ£ô | Γ£ô | | Γ£ô |

+ | Custom neural |Γ£ô | Γ£ô | Γ£ô | Γ£ô | | |

+* **New prebuilt ID model** The new prebuilt ID model enables customers to take IDs and return structured data to automate processing. It combines our powerful Optical Character Recognition (OCR) capabilities with ID understanding models to extract key information from passports and U.S. driver licenses.

+ In addition to labeling tables, you can now label empty values and regions. If some documents in your training set don't have values for certain fields, you can label them so that your model will know to extract values properly from analyzed documents.

+* **Auto Label Documents** - Automatically labels added documents based on previous labeled documents in the project.

+* **SDK-specific changes** - This change includes both minor feature additions and breaking changes. For more information, _see_ the SDK changelogs.

+ The new SDK supports all the features of the v2.0 REST API for Form Recognizer. You can share your feedback on the SDKs through the [SDK Feedback form](https://aka.ms/FR_SDK_v1_feedback).

+* **Copy Custom Model** You can now copy models between regions and subscriptions using the new Copy Custom Model feature. Before invoking the Copy Custom Model API, you must first obtain authorization to copy into the target resource. This authorization is secured by calling the Copy Authorization operation against the target resource endpoint.

+ If you want the runbook to execute with the system-assigned managed identity, leave the code as-is. If you run the runbook in an Azure sandbox instead of Hybrid Runbook Worker and you want to use a user-assigned managed identity, then:

+* To learn about security guidelines, see [Security best practices in Azure Automation](automation-security-guidelines.md).

+description: This article describes how to use Azure role-based access control (Azure RBAC), which enables access management and role permissions for Azure resources.

+# Manage role permissions and security in Azure Automation

+* To learn about security guidelines, see [Security best practices in Azure Automation](automation-security-guidelines.md).

+- To learn about security guidelines, see [Security best practices in Azure Automation](automation-security-guidelines.md).

+ Title: Azure Automation security guidelines, security best practices Automation jobs.

+# Security best practices in Azure Automation

+description: This article tells what are the Automation services in Azure and how to compare and use it to automate the lifecycle of infrastructure and applications.

+ Title: How to disable public access in Azure App Configuration

+description: How to disable public access to your Azure App Configuration store.

+# Disable public access in Azure App Configuration

+In this article, you'll learn how to disable public access for your Azure App Configuration store. Setting up private access can offer a better security for your configuration store.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/dotnet).

+- We assume you already have an App Configuration store. If you want to create one, [create an App Configuration store](quickstart-aspnet-core-app.md).

+## Sign in to Azure

+You will need to sign in to Azure first to access the App Configuration service.

+### [Portal](#tab/azure-portal)

+Sign in to the Azure portal at [https://portal.azure.com/](https://portal.azure.com/) with your Azure account.

+### [Azure CLI](#tab/azure-cli)

+Sign in to Azure using the `az login` command in the [Azure CLI](/cli/azure/install-azure-cli).

+```azurecli-interactive

+az login

+```

+This command will prompt your web browser to launch and load an Azure sign-in page. If the browser fails to open, use device code flow with `az login --use-device-code`. For more sign in options, go to [sign in with the Azure CLI](/cli/azure/authenticate-azure-cli).

+## Disable public access to a store

+Azure App Configuration offers three public access options:

+- Automatic public access: public network access is enabled, as long as you don't have a private endpoint present. Once you create a private endpoint, App Configuration disables public network access and enables private access. This option can only be selected when creating the store.

+- Disabled: public access is disabled and no traffic can access this resource unless it's through a private endpoint.

+- Enabled: all networks can access this resource.

+To disable access to the App Configuration store from public network, follow the process below.

+### [Portal](#tab/azure-portal)

+1. In your App Configuration store, under **Settings**, select **Networking**.

+1. Under **Public Access**, select **Disabled** to disable public access to the App Configuration store and only allow access through private endpoints. If you already had public access disabled and instead wanted to enable public access to your configuration store, you would select **Enabled**.

+ > [!NOTE]

+ > Once you've switched **Public Access** to **Disabled** or **Enabled**, you won't be able to select **Public Access: Automatic** anymore, as this option can only be selected when creating the store.

+1. Select **Apply**.

+### [Azure CLI](#tab/azure-cli)

+In the CLI, run the following code:

+```azurecli-interactive

+az appconfig update --name <name-of-the-appconfig-store> --enable-public-network false

+```

+> [!NOTE]

+> When you create an App Config store without specifying if you want public access to be enabled or disabled, public access is set to automatic by default. After you've run the `--enable-public-network` command, you won't be able to switch to an automatic public access anymore.

+## Next steps

+> [!div class="nextstepaction"]

+>[Using private endpoints for Azure App Configuration](./concept-private-endpoint.md)

+## Create an instance of Azure Arc-enabled SQL Managed Instance

+[Upload usage data, metrics, and logs to Azure](upload-metrics-and-logs-to-azure-monitor.md).

+ Title: Delete an Azure Arc-enabled SQL Managed Instance

+description: Learn how to delete an Azure Arc-enabled SQL Managed Instance and optionally, reclaim associated Kubernetes persistent volume claims (PVCs).

+# Delete an Azure Arc-enabled SQL Managed Instance

+In this how-to guide, you'll find and then delete an Azure Arc-enabled SQL Managed Instance. Optionally, after deleting managed instances, you can reclaim associated Kubernetes persistent volume claims (PVCs).

+1. Find existing Azure Arc-enabled SQL Managed Instances:

+ ```azurecli

+ az sql mi-arc list --k8s-namespace <namespace> --use-k8s

+ ```

+ Example output:

+ ```console

+ Name Replicas ServerEndpoint State

+ - - -

+ demo-mi 1/1 10.240.0.4:32023 Ready

+ ```

+1. Delete the SQL Managed Instance, run one of the commands appropriate for your deployment type:

+ 1. **Indirectly connected mode**:

+ ```azurecli

+ az sql mi-arc delete --name <instance_name> --k8s-namespace <namespace> --use-k8s

+ ```

+ Example output:

+ ```azurecli

+ # az sql mi-arc delete --name demo-mi --k8s-namespace <namespace> --use-k8s

+ Deleted demo-mi from namespace arc

+ ```

+ 1. **Directly connected mode**:

+ ```azurecli

+ az sql mi-arc delete --name <instance_name> --resource-group <resource_group>

+ ```

+ Example output:

+ ```azurecli

+ # az sql mi-arc delete --name demo-mi --resource-group my-rg

+ Deleted demo-mi from namespace arc

+ ```

+## Optional - Reclaim Kubernetes PVCs

+A Persistent Volume Claim (PVC) is a request for storage by a user from a Kubernetes cluster while creating and adding storage to a SQL Managed Instance. Deleting PVCs is recommended but it isn't mandatory. However, if you don't reclaim these PVCs, you'll eventually end up with errors in your Kubernetes cluster. For example, you might be unable to create, read, update, or delete resources from the Kubernetes API. You might not be able to run commands like `az arcdata dc export` because the controller pods were evicted from the Kubernetes nodes due to storage issues (normal Kubernetes behavior). You can see messages in the logs similar to:

+- Annotations: microsoft.com/ignore-pod-health: true

+- Status: Failed

+- Reason: Evicted

+- Message: The node was low on resource: ephemeral-storage. Container controller was using 16372Ki, which exceeds its request of 0.

+By design, deleting a SQL Managed Instance doesn't remove its associated [PVCs](https://kubernetes.io/docs/concepts/storage/persistent-volumes/). The intention is to ensure that you can access the database files in case the deletion was accidental.

+1. To reclaim the PVCs, take the following steps:

+ 1. Find the PVCs for the server group you deleted.

+ ```console

+ kubectl get pvc

+ ```

+ In the example below, notice the PVCs for the SQL Managed Instances you deleted.

+ ```console

+ # kubectl get pvc -n arc

+ NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE

+ data-demo-mi-0 Bound pvc-1030df34-4b0d-4148-8986-4e4c20660cc4 5Gi RWO managed-premium 13h

+ logs-demo-mi-0 Bound pvc-11836e5e-63e5-4620-a6ba-d74f7a916db4 5Gi RWO managed-premium 13h

+ ```

+ 1. Delete the data and log PVCs for each of the SQL Managed Instances you deleted.

+ The general format of this command is:

+ ```console

+ kubectl delete pvc <name of pvc>

+ ```

+ For example:

+ ```console

+ kubectl delete pvc data-demo-mi-0 -n arc

+ kubectl delete pvc logs-demo-mi-0 -n arc

+ ```

+ Each of these kubectl commands will confirm the successful deleting of the PVC. For example:

+ ```console

+ persistentvolumeclaim "data-demo-mi-0" deleted

+ persistentvolumeclaim "logs-demo-mi-0" deleted

+ ```

+

+az sql mi-arc create -n sqldemo --k8s-namespace my-namespace --use-k8s --tier BusinessCritical --replicas 3

+az sql mi-arc create --name sqldemo --resource-group rg --location uswest2 ΓÇôsubscription xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --custom-location private-location --tier BusinessCritical --replcias 3

+az arcdata dc export -t logs --path logs.json --k8s-namespace namespace --use-k8s

+1. In the [Azure portal](https://ms.portal.azure.com/#home), navigate to **Kubernetes - Azure Arc** and select your cluster.

+| [`.pipelines/az-vote-pr-pipeline.yaml`](https://github.com/Azure/arc-cicd-demo-src/blob/master/.pipelines/az-vote-pr-pipeline.yaml) | The application PR pipeline, named **arc-cicd-demo-src PR** |

+| [`.pipelines/az-vote-ci-pipeline.yaml`](https://github.com/Azure/arc-cicd-demo-src/blob/master/.pipelines/az-vote-cd-pipeline.yaml) | The application CI pipeline, named **arc-cicd-demo-src CI** |

+| [`.pipelines/az-vote-cd-pipeline.yaml`](https://github.com/Azure/arc-cicd-demo-src/blob/master/.pipelines/az-vote-cd-pipeline.yaml) | The application CD pipeline, named **arc-cicd-demo-src CD** |

+Your deployment is now complete. This ends the CI/CD workflow. Refer to the [Azure DevOps GitOps Flow diagram](https://github.com/Azure/arc-cicd-demo-src/blob/master/docs/azdo-gitops.md) in the application repository that explains in details the steps and techniques implemented in the CI/CD pipelines used in this tutorial.

+Your deployment is now complete. This ends the CI/CD workflow. Refer to the [GitHub GitOps Flow diagram](https://github.com/Azure/arc-cicd-demo-src/blob/master/docs/azdo-gitops-githubfluxv2.md) in the application repository that explains in details the steps and techniques implemented in the CI/CD workflows used in this tutorial.

+keywords: "GitOps, Flux, Flux v2, Kubernetes, K8s, Azure, Arc, AKS, Azure Kubernetes Service, containers, devops"

+### Red Hat OpenShift onboarding guidance

+Flux controllers require a **nonroot** [Security Context Constraint](https://access.redhat.com/documentation/en-us/openshift_container_platform/4.2/html/authentication/managing-pod-security-policies) to properly provision pods on the cluster. These constraints must be added to the cluster prior to onboarding of the `microsoft.flux` extension.

+```console

+NS="flux-system"

+oc adm policy add-scc-to-user nonroot system:serviceaccount:$NS:kustomize-controller

+oc adm policy add-scc-to-user nonroot system:serviceaccount:$NS:helm-controller

+oc adm policy add-scc-to-user nonroot system:serviceaccount:$NS:source-controller

+oc adm policy add-scc-to-user nonroot system:serviceaccount:$NS:notification-controller

+oc adm policy add-scc-to-user nonroot system:serviceaccount:$NS:image-automation-controller

+oc adm policy add-scc-to-user nonroot system:serviceaccount:$NS:image-reflector-controller

+```

+For more information on OpenShift guidance for onboarding Flux, refer to the [Flux documentation](https://fluxcd.io/docs/use-cases/openshift/#openshift-setup).

+1. [Go to the Azure portal page for adding servers with Azure Arc](https://portal.azure.com/#view/Microsoft_Azure_HybridCompute/HybridVmAddBlade). Select the **Add a single server** tile, then select **Generate script**.

+In this article, you'll learn how to configure the Redis software version to be used with your cache instance. Azure Cache for Redis offers the latest major version of Redis and at least one previous version. It will update these versions regularly as newer Redis software is released. You can choose between the two available versions. Keep in mind that your cache will be upgraded to the next version automatically if the version it's using currently is no longer supported.

+1. Select **Create**.

+ It takes a while for the cache to create. You can monitor progress on the Azure Cache for Redis **Overview** page. When **Status** shows as **Running**, the cache is ready to use.

+Azure Cache for Redis supports upgrading your Redis cache server major version from Redis 4 to Redis 6. Upgrading is permanent and it might cause a brief connection blip. As a precautionary step, we recommend exporting the data from your existing Redis 4 cache and testing your client application with a Redis 6 cache in a lower environment before upgrading. For more information, see [here](cache-how-to-import-export-data.md) for details on how to export.

+### Upgrade using the Azure portal

+1. A dialog box displays a popup notifying you that upgrading is permanent and might cause a brief connection blip. Select **Yes** if you would like to upgrade your cache instance.

+### Upgrade using Azure CLI

+To upgrade a cache from 4 to 6 using the Azure CLI, use the following command:

+```azurecli-interactive

+az redis update --name cacheName --resource-group resourceGroupName --set redisVersion=6

+```

+### Upgrade using PowerShell

+To upgrade a cache from 4 to 6 using PowerShell, use the following command:

+```powershell-interactive

+Set-AzRedisCache -Name "CacheName" -ResourceGroupName "ResourceGroupName" -RedisVersion "6"

+```

+At this time, Redis 6 doesn't support ACL, and geo-replication between a Redis 4 and 6 cache.

+You can upgrade your existing Redis 4 caches to Redis 6, see [here](#upgrade-an-existing-redis-4-cache-to-redis-6) for details. Upgrading your cache instance is permanent and you cannot downgrade your Redis 6 caches to Redis 4 caches.

+- To learn more about Azure Cache for Redis features: [Azure Cache for Redis Premium service tiers](cache-overview.md#service-tiers)

+- Make sure that all the other prerequisites related to the product that you're ordering are met. For example, if ordering Azure Stack Edge device, ensure that all the [Azure Stack Edge prerequisites](../databox-online/azure-stack-edge-gpu-deploy-prep.md#prerequisites) are completed.

+func new --template "Azure Queue Storage Trigger" --name MyQueueTrigger

+> [!NOTE]

+> If you are using Log Serch alert notice that the query should project a ΓÇ£ComputerΓÇ¥ column with the configurtaion items list in order to have them as a part of the payload.

+ms.pmowner: vitalyg

+ms.pmowner: casocha

+|appId|string|ResourceGUID|string|

+|appId|string|ResourceGUID|string|

+|appId|string|ResourceGUID|string|

+|appId|string|ResourceGUID|string|

+|appId|string|ResourceGUID|string|

+|appId|string|ResourceGUID|string|

+|appId|string|ResourceGUID|string|

+|appId|string|ResourceGUID|string|

+|appId|string|ResourceGUID|string|

+|appId|string|ResourceGUID|string|

+ Title: Application Insights SDK support guidance

+description: Support guidance for Application Insights legacy and preview SDKs

+# Application Insights SDK support guidance

+Microsoft announces feature deprecations or breaking changes at least three years in advance and strives to provide a seamless process for migration to the replacement experience.

+The [Microsoft Azure SDK lifecycle policy](https://docs.microsoft.com/lifecycle/faq/azure) is followed when features are enhanced in a new SDK or before an SDK is designated as legacy. Microsoft strives to retain legacy SDK functionality, but newer features may not be available with older versions.

+> [!NOTE]

+> Diagnostic tools often provide better insight into the root cause of a problem when the latest stable SDK version is used.

+Support engineers are expected to provide SDK update guidance according to the following table, referencing the current SDK version in use and any alternatives.

+|Current SDK version in use |Alternative version available |Update policy for support |

+||||

+|Stable and less than one year old | Newer supported stable version | **UPDATE RECOMMENDED** |

+|Stable and more than one year old | Newer supported stable version | **UPDATE REQUIRED** |

+|Unsupported ([support policy](https://docs.microsoft.com/lifecycle/faq/azure)) | Any supported version | **UPDATE REQUIRED** |

+|Preview | Stable version | **UPDATE REQUIRED** |

+|Preview | Older stable version | **UPDATE RECOMMENDED** |

+|Preview | Newer preview version, no older stable version | **UPDATE RECOMMENDED** |

+> [!TIP]

+> Switching to [auto-instrumentation](codeless-overview.md) eliminates the need for manual SDK updates.

+> [!WARNING]

+> Only commercially reasonable support is provided for Preview versions of the SDK. If a support incident requires escalation to development for further guidance, customers will be asked to use a fully supported SDK version to continue support. Commercially reasonable support does not include an option to engage Microsoft product development resources; technical workarounds may be limited or not possible.

+To see the current version of Application Insights SDKs and previous versions release dates, reference the [release notes](release-notes.md).

+ | [Azure SQL insights (preview)](./insights/sql-insights-overview.md) | Preview | [Yes](https://portal.azure.com/#blade/Microsoft_Azure_Monitoring/AzureMonitoringBrowseBlade/sqlWorkloadInsights) | A comprehensive interface for monitoring any product in the Azure SQL family. SQL insights uses dynamic management views to expose the data you need to monitor health, diagnose problems, and tune performance. Note: If you are just setting up SQL monitoring, use this instead of the SQL Analytics solution. |

+ Title: Azure Policy definitions for Azure NetApp Files | Microsoft Docs

+description: Describes the Azure Policy custom definitions and built-in definitions that you can use with Azure NetApp Files.

+documentationcenter: ''

+editor: ''

+ms.assetid:

+ na

+ms.devlang: na

+# Azure Policy definitions for Azure NetApp Files

+[Azure Policy](../governance/policy/overview.md) helps to enforce organizational standards and to assess compliance at-scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources.

+Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. Policy definitions for these common use cases are already available in your Azure environment as built-ins to help you get started.

+The process of [creating and implementing a policy in Azure Policy](../governance/policy/tutorials/create-and-manage.md) begins with creating a (built-in or custom) [policy definition](../governance/policy/overview.md#policy-definition). Every policy definition has conditions under which it's enforced. It also has a defined [***effect***](../governance/policy/concepts/effects.md) that takes place if the conditions are met. Azure NetApp Files is supported with both Azure Policy custom and built-in policy definitions.

+## Custom policy definitions

+Azure NetApp Files supports Azure Policy. You can integrate Azure NetApp Files with Azure Policy through [creating custom policy definitions](../governance/policy/tutorials/create-custom-policy-definition.md). You can find examples in [Enforce Snapshot Policies with Azure Policy](https://anfcommunity.com/2021/08/30/enforce-snapshot-policies-with-azure-policy/) and [Azure Policy now available for Azure NetApp Files](https://anfcommunity.com/2021/04/19/azure-policy-now-available-for-azure-netapp-files/).

+## Built-in policy definitions

+The Azure Policy built-in definitions for Azure NetApp Files enable organization admins to restrict creation of unsecure volumes or audit existing volumes. Each policy definition in Azure Policy has a single *effect*. That effect determines what happens when the policy rule is evaluated to match.

+The following effects of Azure Policy can be used with Azure NetApp Files:

+* *Deny* creation of non-compliant volumes

+* *Audit* existing volumes for compliance

+* *Disable* a policy definition

+The following Azure Policy built-in definitions are available for use with Azure NetApp Files:

+* *Azure NetApp Files volumes should not use NFSv3 protocol type.*

+ This policy definition disallows the use of the NFSv3 protocol type to prevent unsecure access to volumes. NFSv4.1 or NFSv4.1 with Kerberos protocol should be used to access NFS volumes to ensure data integrity and encryption.

+

+* *Azure NetApp Files volumes of type NFSv4.1 should use Kerberos data encryption.*

+ This policy definition allows only the use of Kerberos privacy (`krb5p`) security mode to ensure that data is encrypted.

+

+* *Azure NetApp Files volumes of type NFSv4.1 should use Kerberos data integrity or data privacy.*

+ This policy definition ensures that either Kerberos integrity (`krb5i`) or Kerberos privacy (`krb5p`) is selected to ensure data integrity and data privacy.

+* *Azure NetApp Files SMB volumes should use SMB3 encryption.*

+ This policy definition disallows the creation of SMB volumes without SMB3 encryption to ensure data integrity and data privacy.

+To learn how to assign a policy to resources and view compliance report, see [Assign the Policy](../storage/common/transport-layer-security-configure-minimum-version.md#assign-the-policy).

+## Next steps

+* [Azure Policy documentation](/azure/governance/policy/)

+## June 2022

+* [Azure Policy built-in definitions for Azure NetApp](azure-policy-definitions.md#built-in-policy-definitions)

+ Azure Policy helps to enforce organizational standards and assess compliance at scale. Through its compliance dashboard, it provides an aggregated view to evaluate the overall state of the environment, with the ability to drill down to the per-resource, per-policy granularity. It also helps to bring your resources to compliance through bulk remediation for existing resources and automatic remediation for new resources. Azure NetApp Files already supports Azure Policy via custom policy definitions. Azure NetApp Files now also provides built-in policy to enable organization admins to restrict creation of unsecure NFS volumes or audit existing volumes more easily.

+- The HTTP endpoint of the SignalR service instance

+- How to authenticate with the service endpoint

+Connection string contains such information.

+## What connection string looks like

+A connection string consists of a series of key/value pairs separated by semicolons(;) and we use an equal sign(=) to connect each key and its value. Keys aren't case sensitive.

+For example, a typical connection string may look like this:

+- `Endpoint=https://<resource_name>.service.signalr.net` is the endpoint URL of the resource

+- `AccessKey=<access_key>` is the key to authenticate with the service. When access key is specified in connection string, SignalR service SDK will use it to generate a token that can be validated by the service.

+The following table lists all the valid names for key/value pairs in the connection string.

+| key | Description | Required | Default value | Example value |

+| -- | -- | -- | -- | |

+| Endpoint | The URI of your ASRS instance. | Y | N/A | https://foo.service.signalr.net |

+| Port | The port that your ASRS instance is listening on. | N | 80/443, depends on endpoint uri schema | 8080 |

+| Version | The version of given connection string. | N | 1.0 | 1.0 |

+| ClientEndpoint | The URI of your reverse proxy, like App Gateway or API Management | N | null | https://foo.bar |

+| AuthType | The auth type, we'll use AccessKey to authorize requests by default. **Case insensitive** | N | null | azure, azure.msi, azure.app |

+### Use AccessKey

+Local auth method will be used when `AuthType` is set to null.

+| key | Description | Required | Default value | Example value |

+| | - | -- | - | - |

+| AccessKey | The key string in base64 format for building access token usage. | Y | null | ABCDEFGHIJKLMNOPQRSTUVWEXYZ0123456789+=/ |

+### Use Azure Active Directory

+Azure AD auth method will be used when `AuthType` is set to `azure`, `azure.app` or `azure.msi`.

+| key | Description | Required | Default value | Example value |

+| -- | | -- | - | |

+| ClientId | A guid represents an Azure application or an Azure identity. | N | null | `00000000-0000-0000-0000-000000000000` |

+| TenantId | A guid represents an organization in Azure Active Directory. | N | null | `00000000-0000-0000-0000-000000000000` |

+| ClientSecret | The password of an Azure application instance. | N | null | `***********************.****************` |

+| ClientCertPath | The absolute path of a cert file to an Azure application instance. | N | null | `/usr/local/cert/app.cert` |

+Different `TokenCredential` will be used to generate Azure AD tokens with the respect of params you have given.

+- `type=azure`

+ [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential) will be used.

+ ```

+ Endpoint=xxx;AuthType=azure

+ ```

+- `type=azure.msi`

+ 1. User-assigned managed identity will be used if `clientId` has been given in connection string.

+ ```

+ Endpoint=xxx;AuthType=azure.msi;ClientId=00000000-0000-0000-0000-000000000000

+ ```

+

+ - [ManagedIdentityCredential(clientId)](/dotnet/api/azure.identity.managedidentitycredential) will be used.

+ 2. Otherwise system-assigned managed identity will be used.

+ ```

+ Endpoint=xxx;AuthType=azure.msi;

+ ```

+ - [ManagedIdentityCredential()](/dotnet/api/azure.identity.managedidentitycredential) will be used.

+

+- `type=azure.app`

+ `clientId` and `tenantId` are required to use [Azure AD application with service principal](/azure/active-directory/develop/howto-create-service-principal-portal).

+ 1. [ClientSecretCredential(clientId, tenantId, clientSecret)](/dotnet/api/azure.identity.clientsecretcredential) will be used if `clientSecret` is given.

+ ```

+ Endpoint=xxx;AuthType=azure.msi;ClientId=00000000-0000-0000-0000-000000000000;TenantId=00000000-0000-0000-0000-000000000000;clientScret=******

+ ```

+ 2. [ClientCertificateCredential(clientId, tenantId, clientCertPath)](/dotnet/api/azure.identity.clientcertificatecredential) will be used if `clientCertPath` is given.

+ ```

+ Endpoint=xxx;AuthType=azure.msi;ClientId=00000000-0000-0000-0000-000000000000;TenantId=00000000-0000-0000-0000-000000000000;clientCertPath=/path/to/cert

+ ```

+## How to get my connection strings

+### From Azure portal

+Open your SignalR service resource in Azure portal and go to `Keys` tab.

+You'll see two connection strings (primary and secondary) in the following format:

+> Endpoint=https://<resource_name>.service.signalr.net;AccessKey=<access_key>;Version=1.0;

+### From Azure CLI

+You can also use Azure CLI to get the connection string:

+```bash

+az signalr key list -g <resource_group> -n <resource_name>

+```

+### For using Azure AD application

+To use Azure AD authentication, you need to remove `AccessKey` from connection string and add `AuthType=azure.app`. You also need to specify the credentials of your Azure AD application, including client ID, client secret and tenant ID. The connection string will look as follows:

+Endpoint=https://<resource_name>.service.signalr.net;AuthType=azure.app;ClientId=<client_id>;ClientSecret=<client_secret>;TenantId=<tenant_id>;Version=1.0;

+### For using Managed identity

+There are two types of managed identities, to use system assigned identity, you just need to add `AuthType=azure.msi` to the connection string:

+Endpoint=https://<resource_name>.service.signalr.net;AuthType=azure.msi;Version=1.0;

+Endpoint=https://<resource_name>.service.signalr.net;AuthType=azure.msi;ClientId=<client_id>;Version=1.0;

+### Use connection string generator

+It may be cumbersome and error-prone to build connection strings manually.

+To avoid making mistakes, we built a tool to help you generate connection string with Azure AD identities like `clientId`, `tenantId`, etc.

+To use connection string generator, open your SignalR resource in Azure portal, go to `Connection strings` tab:

+In this page you can choose different authentication types (access key, managed identity or Azure AD application) and input information like client endpoint, client ID, client secret, etc. Then connection string will be automatically generated. You can copy and use it in your application.

+> [!NOTE]

+> Everything you input on this page won't be saved after you leave the page (since they're only client side information), so please copy and save it in a secure place for your application to use.

+> [!NOTE]

+> For more information about how access tokens are generated and validated, see this [article](https://github.com/Azure/azure-signalr/blob/dev/docs/rest-api.md#authenticate-via-azure-signalr-service-accesskey).

+But in some applications there may be an extra component in front of SignalR service and all client connections need to go through that component first (to gain extra benefits like network security, [Azure Application Gateway](../application-gateway/overview.md) is a common service that provides such functionality).

+In a local development environment, the config is stored in file (appsettings.json or secrets.json) or environment variables, so you can use one of the following ways to configure connection string:

+- Use .NET secret manager (`dotnet user-secrets set Azure:SignalR:ConnectionString "<connection_string>"`)

+- Set connection string to environment variable named `Azure__SignalR__ConnectionString` (colon needs to replaced with double underscore in [environment variable config provider](/dotnet/core/extensions/configuration-providers#environment-variable-configuration-provider)).

+Azure SignalR Service also allows server to connect to multiple service endpoints at the same time, so it can handle more connections, which are beyond one service instance's limit. Also if one service instance is down, other service instances can be used as backup. For more information about how to use multiple instances, see this [article](signalr-howto-scale-multi-instances.md).

+- Through code

+ ```cs

+ services.AddSignalR().AddAzureSignalR(options =>

+ {

+ options.Endpoints = new ServiceEndpoint[]

+ {

+ new ServiceEndpoint("<connection_string_1>", name: "name_a"),

+ new ServiceEndpoint("<connection_string_2>", name: "name_b", type: EndpointType.Primary),

+ new ServiceEndpoint("<connection_string_3>", name: "name_c", type: EndpointType.Secondary),

+ };

+ });

+ ```

+ You can assign a name and type to each service endpoint so you can distinguish them later.

+- Through config

+ You can use any supported config provider (secret manager, environment variables, key vault, etc.) to store connection strings. Take secret manager as an example:

+ ```bash

+ dotnet user-secrets set Azure:SignalR:ConnectionString:name_a <connection_string_1>

+ dotnet user-secrets set Azure:SignalR:ConnectionString:name_b:primary <connection_string_2>

+ dotnet user-secrets set Azure:SignalR:ConnectionString:name_c:secondary <connection_string_3>

+ ```

+ You can also assign name and type to each endpoint, by using a different config name in the following format:

+ ```

+ Azure:SignalR:ConnectionString:<name>:<type>

+ ```

+ Title: Attach Azure NetApp Files datastores to Azure VMware Solution hosts (Preview)

+description: Learn how to create Azure NetApp Files-based NSF datastores for Azure VMware Solution hosts.

+# Attach Azure NetApp Files datastores to Azure VMware Solution hosts (Preview)

+[Azure NetApp Files](/azure/azure-netapp-files/azure-netapp-files-introduction?) is an enterprise-class, high-performance, metered file storage service. The service supports the most demanding enterprise file-workloads in the cloud: databases, SAP, and high-performance computing applications, with no code changes. For more information on Azure NetApp Files, see [Azure NetApp Files](https://docs.microsoft.com/azure/azure-netapp-files/) documentation.

+[Azure VMware Solution](/azure/azure-vmware/introduction) supports attaching Network File System (NFS) datastores as a persistent storage option. You can create NFS datastores with Azure NetApp Files volumes and attach them to clusters of your choice. You can also create virtual machines (VMs) for optimal cost and performance.

+> [!IMPORTANT]

+> Azure NetApp Files datastores for Azure VMware Solution hosts is currently in public preview. This version is provided without a service-level agreement and is not recommended for production workloads. Some features may not be supported or may have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+By using NFS datastores backed by Azure NetApp Files, you can expand your storage instead of scaling the clusters. You can also use Azure NetApp Files volumes to replicate data from on-premises or primary VMware environments for the secondary site.

+Create your Azure VMware Solution and create Azure NetApp Files NFS volumes in the virtual network connected to it using an ExpressRoute. Ensure there's connectivity from the private cloud to the NFS volumes created. Use those volumes to create NFS datastores and attach the datastores to clusters of your choice in a private cloud. As a native integration, no other permissions configured via vSphere are needed.

+The following diagram demonstrates a typical architecture of Azure NetApp Files backed NFS datastores attached to an Azure VMware Solution private cloud via ExpressRoute.

+## Prerequisites

+Before you begin the prerequisites, review the [Performance best practices](#performance-best-practices) section to learn about optimal performance of NFS datastores on Azure NetApp Files volumes.

+1. [Deploy Azure VMware Solution](https://docs.microsoft.com/azure/azure-vmware/deploy-azure-vmware-solution?) private cloud in a configured virtual network. For more information, see [Network planning checklist](/azure/azure-vmware/tutorial-network-checklist) and [Configure networking for your VMware private cloud](https://review.docs.microsoft.com/azure/azure-vmware/tutorial-configure-networking?).

+1. Create an [NFSv3 volume for Azure NetApp Files](/azure/azure-netapp-files/azure-netapp-files-create-volumes) in the same virtual network as the Azure VMware Solution private cloud.

+ 1. Verify connectivity from the private cloud to Azure NetApp Files volume by pinging the attached target IP.

+ 2. Verify the subscription is registered to the `ANFAvsDataStore` feature in the `Microsoft.NetApp` namespace. If the subscription isn't registered, register it now.

+

+ `az feature register --name "ANFAvsDataStore" --namespace "Microsoft.NetApp"`

+ `az feature show --name "ANFAvsDataStore" --namespace "Microsoft.NetApp" --query properties.state`

+ 1. Based on your performance requirements, select the correct service level needed for the Azure NetApp Files capacity pool. For optimal performance, it's recommended to use the Ultra tier. Select option **Azure VMware Solution Datastore** listed under the **Protocol** section.

+ 1. Create a volume with **Standard** [network features](/azure/azure-netapp-files/configure-network-features) if available for ExpressRoute FastPath connectivity.

+ 1. Under the **Protocol** section, select **Azure VMware Solution Datastore** to indicate the volume is created to use as a datastore for Azure VMware Solution private cloud.

+ 1. If you're using [export policies](/azure/azure-netapp-files/azure-netapp-files-configure-export-policy) to control access to Azure NetApp Files volumes, enable the Azure VMware private cloud IP range, not individual host IPs. Faulty hosts in a private cloud could get replaced so if the IP isn't enabled, connectivity to datastore will be impacted.

+## Supported regions

+Azure VMware Solution currently supports the following regions: East US, Australia East, Australia Southeast, Brazil South, Canada Central, Canada East, Central US, France Central, Germany West Central, Japan West, North Central US, North Europe, Southeast Asia, Switzerland West, UK South, UK West, US South Central, and West US. The list of supported regions will expand as the preview progresses.

+## Performance best practices

+There are some important best practices to follow for optimal performance of NFS datastores on Azure NetApp Files volumes.

+- Create Azure NetApp Files volumes using **Standard** network features to enable optimized connectivity from Azure VMware Solution private cloud via ExpressRoute FastPath connectivity.

+- For optimized performance, choose **UltraPerformance** gateway and enable [ExpressRoute FastPath](/azure/expressroute/expressroute-howto-linkvnet-arm#configure-expressroute-fastpath) from a private cloud to Azure NetApp Files volumes virtual network. View more detailed information on gateway SKUs at [About ExpressRoute virtual network gateways](/azure/expressroute/expressroute-about-virtual-network-gateways).

+- Based on your performance requirements, select the correct service level needed for the Azure NetApp Files capacity pool. For best performance, it's recommended to use the Ultra tier.

+- Create multiple datastores of 4-TB size for better performance. The default limit is 8 but it can be increased up to a maximum of 256 by submitting a support ticket. To submit a support ticket, go to [Create an Azure support request](/azure/azure-portal/supportability/how-to-create-azure-support-request).

+- Work with your Microsoft representative to ensure that the Azure VMware Solution private cloud and the Azure NetApp Files volumes are deployed within same [Availability Zone](https://docs.microsoft.com/azure/availability-zones/az-overview#availability-zones).

+## Attach an Azure NetApp Files volume to your private cloud

+### [Portal](#tab/azure-portal)

+To attach an Azure NetApp Files volume to your private cloud using Portal, follow these steps:

+1. Sign in to the Azure portal.

+1. Select **Subscriptions** to see a list of subscriptions.

+1. From the list, select the subscription you want to use.

+1. Under Settings, select **Resource providers**.

+1. Search for **Microsoft.AVS** and select it.

+1. Select **Register**.

+1. Under **Settings**, select **Preview features**.

+ 1. Verify you're registered for both the `CloudSanExperience` and `AfnDatstoreExperience` features.

+1. Navigate to your Azure VMware Solution.

+Under **Manage**, select **Storage (preview)**.

+1. Select **Connect Azure NetApp Files volume**.

+1. In **Connect Azure NetApp Files volume**, select the **Subscription**, **NetApp account**, **Capacity pool**, and **Volume** to be attached as a datastore.

+ :::image type="content" source="media/attach-netapp-files-to-cloud/connect-netapp-files-portal-experience-1.png" alt-text="Image shows the navigation to Connect Azure NetApp Files volume pop-up window." lightbox="media/attach-netapp-files-to-cloud/connect-netapp-files-portal-experience-1.png":::

+1. Verify the protocol is NFS. You'll need to verify the virtual network and subnet to ensure connectivity to the Azure VMware Solution private cloud.

+1. Under **Associated cluster**, select the **Client cluster** to associate the NFS volume as a datastore

+1. Under **Data store**, create a personalized name for your **Datastore name**.

+ 1. When the datastore is created, you should see all of your datastores in the **Storage (preview)**.

+ 2. You'll also notice that the NFS datastores are added in vCenter.

+### [Azure CLI](#tab/azure-cli)

+To attach an Azure NetApp Files volume to your private cloud using Azure CLI, follow these steps:

+1. Verify the subscription is registered to `CloudSanExperience` feature in the **Microsoft.AVS** namespace. If it's not already registered, then register it.

+ `az feature show --name "CloudSanExperience" --namespace "Microsoft.AVS"`

+ `az feature register --name "CloudSanExperience" --namespace "Microsoft.AVS"`

+1. The registration should take approximately 15 minutes to complete. You can also check the status.

+ `az feature show --name "CloudSanExperience" --namespace "Microsoft.AVS" --query properties.state`

+1. If the registration is stuck in an intermediate state for longer than 15 minutes, unregister, then re-register the flag.

+ `az feature unregister --name "CloudSanExperience" --namespace "Microsoft.AVS"`

+ `az feature register --name "CloudSanExperience" --namespace "Microsoft.AVS"`

+1. Verify the subscription is registered to `AnfDatastoreExperience` feature in the **Microsoft.AVS** namespace. If it's not already registered, then register it.

+ `az feature register --name " AnfDatastoreExperience" --namespace "Microsoft.AVS"`

+ `az feature show --name "AnfDatastoreExperience" --namespace "Microsoft.AVS" --query properties.state`

+1. Verify the VMware extension is installed. If the extension is already installed, verify you're using the latest version of the Azure CLI extension. If an older version is installed, update the extension.

+ `az extension show --name vmware`

+ `az extension list-versions -n vmware`

+ `az extension update --name vmware`

+1. If the VMware extension isn't already installed, install it.

+ `az extension add --name vmware`

+1. Create a datastore using an existing ANF volume in Azure VMware Solution private cloud cluster.

+ `az vmware datastore netapp-volume create --name MyDatastore1 --resource-group MyResourceGroup ΓÇô-cluster Cluster-1 --private-cloud MyPrivateCloud ΓÇô-volume-id /subscriptions/<Subscription Id>/resourceGroups/<Resourcegroup name>/providers/Microsoft.NetApp/netAppAccounts/<Account name>/capacityPools/<pool name>/volumes/<Volume name>`

+1. If needed, you can display the help on the datastores.

+ `az vmware datastore -h`

+1. Show the details of an ANF-based datastore in a private cloud cluster.

+ `az vmware datastore show --name ANFDatastore1 --resource-group MyResourceGroup --cluster Cluster-1 --private-cloud MyPrivateCloud`

+1. List all of the datastores in a private cloud cluster.

+ `az vmware datastore list --resource-group MyResourceGroup --cluster Cluster-1 --private-cloud MyPrivateCloud`

+## Disconnect an Azure NetApp Files-based datastore from your private cloud

+You can use the instructions provided to disconnect an Azure NetApp Files-based (ANF) datastore using either Azure portal or Azure CLI. There's no maintenance window required for this operation. The disconnect action only disconnects the ANF volume as a datastore, it doesn't delete the data or the ANF volume.

+**Disconnect an ANF datastore using the Azure Portal**

+1. Select the datastore you want to disconnect from.

+1. Right-click on the datastore and select **disconnect**.

+**Disconnect an ANF datastore using Azure CLI**

+ `az vmware datastore delete --name ANFDatastore1 --resource-group MyResourceGroup --cluster Cluster-1 --private-cloud MyPrivateCloud`

+## Next steps

+Now that you've attached a datastore on Azure NetApp Files-based NFS volume to your Azure VMware Solution hosts, you can create your VMs. Use the following resources to learn more.

+- [Service levels for Azure NetApp Files](/azure/azure-netapp-files/azure-netapp-files-service-levels)

+- Datastore protection using [Azure NetApp Files snapshots](/azure/azure-netapp-files/snapshots-introduction)

+- [About ExpressRoute virtual network gateways](https://docs.microsoft.com/azure/expressroute/expressroute-about-virtual-network-gateways)

+- [Understand Azure NetApp Files backup](/azure/azure-netapp-files/backup-introduction)

+- [Guidelines for Azure NetApp Files network planning](https://docs.microsoft.com/azure/azure-netapp-files/azure-netapp-files-network-topologies)

+## FAQs

+- **Are there any special permissions required to create the datastore with the Azure NetApp Files volume and attach it onto the clusters in a private cloud?**

+

+ No other special permissions are needed. The datastore creation and attachment is implemented via Azure VMware Solution control plane.

+- **Which NFS versions are supported?**

+

+ NFSv3 is supported for datastores on Azure NetApp Files.

+- **Should Azure NetApp Files be in the same subscription as the private cloud?**

+ It's recommended to create the Azure NetApp Files volumes for the datastores in the same VNet that has connectivity to the private cloud.

+- **How many datastores are we supporting with Azure VMware Solution?**

+ The default limit is 8 but it can be increased up to a maximum of 256 by submitting a support ticket. To submit a support ticket, go to [Create an Azure support request](/azure/azure-portal/supportability/how-to-create-azure-support-request).

+- **What latencies and bandwidth can be expected from the datastores backed by Azure NetApp Files?**

+ We're currently validating and working on benchmarking. For now, follow the [Performance best practices](#performance-best-practices) outlined in this article.

+- **What are my options for backup and recovery?**

+

+ Azure NetApp Files (ANF) supports [snapshots](/azure/azure-netapp-files/azure-netapp-files-manage-snapshots) of datastores for quick checkpoints for near term recovery or quick clones. ANF backup lets you offload your ANF snapshots to Azure storage. This feature is available in public preview. Only for this technology are copies and stores-changed blocks relative to previously offloaded snapshots in an efficient format. This ability decreases Recovery Point Objective (RPO) and Recovery Time Objective (RTO) while lowering backup data transfer burden on the Azure VMware Solution service.

+- **How do I monitor Storage Usage?**

+

+ Use [Metrics for Azure NetApp Files](/azure/azure-netapp-files/azure-netapp-files-metrics) to monitor storage and performance usage for the Datastore volume and to set alerts.

+- **What metrics are available for monitoring?**

+ Usage and performance metrics are available for monitoring the Datastore volume. Replication metrics are also available for ANF datastore that can be replicated to another region using Cross Regional Replication. For more information about metrics, see [Metrics for Azure NetApp Files](/azure/azure-netapp-files/azure-netapp-files-metrics).

+- **What happens if a new node is added to the cluster, or an existing node is removed from the cluster?**

+ When you add a new node to the cluster, it will automatically gain access to the datastore. Removing an existing node from the cluster won't affect the datastore.

+- **How are the datastores charged, is there an additional charge?**

+ Azure NetApp Files NFS volumes that are used as datastores will be billed following the [capacity pool based billing model](/azure/azure-netapp-files/azure-netapp-files-cost-model). Billing will depend on the service level. There's no extra charge for using Azure NetApp Files NFS volumes as datastores.

+Azure VMware Solution private clouds are provisioned with a vCenter Server and NSX-T Manager. You'll use vCenter to manage virtual machine (VM) workloads and NSX-T Manager to manage and extend the private cloud. The CloudAdmin role is used for vCenter Server and the administrator role (with restricted permissions) is used for NSX-T Manager.

+> Azure VMware Solution offers custom roles on vCenter Server but currently doesn't offer them on the Azure VMware Solution portal. For more information, see the [Create custom roles on vCenter Server](#create-custom-roles-on-vcenter-server) section later in this article.

+1. Sign into the vSphere Client and go to **Menu** > **Administration**.

+1. From the list of roles, select **CloudAdmin** and then select **Privileges**.

+Azure VMware Solution supports the use of custom roles with equal or lesser privileges than the CloudAdmin role.

+You'll use the CloudAdmin role to create, modify, or delete custom roles with privileges lesser than or equal to their current role. You can create roles with privileges greater than CloudAdmin. You can't assign the role to any users or groups or delete the role.

+ >[!NOTE]

+When a private cloud is provisioned using Azure portal, Software Defined Data Center (SDDC) management components like vCenter and NSX-T Manager are provisioned for customers.

+Microsoft is responsible for the lifecycle management of NSX-T appliances like NSX-T Managers and NSX-T Edges. They're responsible for bootstrapping network configuration, like creating the Tier-0 gateway.

+You're responsible for NSX-T software-defined networking (SDN) configuration, for example:

+- Network segments

+- Other Tier-1 gateways

+- Distributed firewall rules

+- Stateful services like gateway firewall

+- Load balancer on Tier-1 gateways

+You can access NSX-T Manager using the built-in local user "admin" assigned to **Enterprise admin** role that gives full privileges to a user to manage NSX-T. While Microsoft manages the lifecycle of NSX-T, certain operations aren't allowed by a user. Operations not allowed include editing the configuration of host and edge transport nodes or starting an upgrade. For new users, Azure VMware Solution deploys them with a specific set of permissions needed by that user. The purpose is to provide a clear separation of control between the Azure VMware Solution control plane configuration and Azure VMware Solution private cloud user.

+For new private cloud deployments (in US West and Australia East) starting **June 2022**, NSX-T access will be provided with a built-in local user `cloudadmin` with a specific set of permissions to use only NSX-T functionality for workloads. The new **cloudadmin** user role will be rolled out in other regions in phases.

+> [!NOTE]

+> Admin access to NSX-T will not be provided to users for private cloud deployments created after **June 2022**.

+### NSX-T cloud admin user permissions

+The following permissions are assigned to the **cloudadmin** user in Azure VMware Solution NSX-T.

+| Category | Type | Operation | Permission |

+|--|--|-||

+| Networking | Connectivity | Tier-0 Gateways<br>Tier-1 Gateways<br>Segments | Read-only<br>Full Access<br>Full Access |

+| Networking | Network Services | VPN<br>NAT<br>Load Balancing<br>Forwarding Policy<br>Statistics | Full Access<br>Full Access<br>Full Access<br>Read-only<br>Full Access |

+| Networking | IP Management | DNS<br>DHCP<br>IP Address Pools | Full Access<br>Full Access<br>Full Access |

+| Networking | Profiles | | Full Access |

+| Security | East West Security | Distributed Firewall<br>Distributed IDS and IPS<br>Identity Firewall | Full Access<br>Full Access<br>Full Access |

+| Security | North South Security | Gateway Firewall<br>URL Analysis | Full Access<br>Full Access |

+| Security | Network Introspection | | Read-only |

+| Security | Endpoint Protection | | Read-only |

+| Security | Settings | | Full Access |

+| Inventory | | | Full Access |

+| Troubleshooting | IPFIX | | Full Access |

+| Troubleshooting | Port Mirroring | | Full Access |

+| Troubleshooting | Traceflow | | Full Access |

+| System | Configuration<br>Settings<br>Settings<br>Settings | Identity firewall<br>Users and Roles<br>Certificate Management<br>User Interface Settings | Full Access<br>Full Access<br>Full Access<br>Full Access |

+| System | All other | | Read-only |

+You can view the permissions granted to the Azure VMware Solution CloudAdmin role using the following steps:

+1. Log in to the NSX-T Manager.

+1. Navigate to **Systems** > **Users and Roles** and locate **User Role Assignment**.

+1. The **Roles** column for the CloudAdmin user provides information on the NSX role-based access control (RBAC) roles assigned.

+1. Select the the **Roles** tab to view specific permissions associated with each of the NSX RBAC roles.

+1. To view **Permissions**, expand the **CloudAdmin** role and select a category like, Networking or Security.

+> [!NOTE]

+> The current Azure VMware Solution with **NSX-T admin user** will eventually switch from **admin** user to **cloudadmin** user. You'll receive a notification through Azure Service Health that includes the timeline of this change so you can change the NSX-T credentials you've used for the other integration.

+|Server Load|Percent|Max / Avg|The percentage of server load|No Dimensions|

+## Quick evaluation using metrics

+ Before going through the factors that impact the performance, let's first introduce an easy way to monitor the pressure of your service. There's a metrics called **Server Load** on the Portal.

+

+ <kbd></kbd>

+ It shows the computing pressure of your Azure Web PubSub service. You could test on your own scenario and check this metrics to decide whether to scale up. The latency inside Azure Web PubSub service would remain low if the Server Load is below 70%.

+

+> [!NOTE]

+> If you are using unit 50 or unit 100 **and** your scenario is mainly sending to small groups (group size <100), you need to check [sending to small group](#small-group) for reference. In those scenarios there is large routing cost which is not included in the Server Load.

+

+ Below are detailed concepts for evaluating performance.

+A recovery point becomes archivable only if all the above conditions are met.

+## Archive tier pricing

+1. Select **Bastion** in the left menu. You can view some of the values that will be used when creating the bastion host for your virtual network. Select **Create Azure Bastion using defaults**.

+ "allowModelOverride": true,

+|zh-CN-XiaoxiaoNeural|`affectionate`, `angry`, `assistant`, `calm`, `chat`, `cheerful`, `customerservice`, `disgruntled`, `fearful`, `gentle`, `lyrical`, `newscast`, `poetry-reading`, `sad`, `serious`|Supported||

+|`style="poetry-reading"`|Expresses an emotional and rhythmic tone while reading a poem.|

+> |[Custom text classification](custom-classification/overview.md) | Build an AI model to classify unstructured text into custom classes that you define. | * [Language Studio](custom-classification/quickstart.md?pivots=language-studio)<br> * [REST API](language-detection/quickstart.md?pivots=rest-api) |

+> | [Conversational language understanding](conversational-language-understanding/overview.md) | Build an AI model to bring the ability to understand natural language into apps, bots, and IoT devices. | * [Language Studio](conversational-language-understanding/quickstart.md)

+For more information, and additional key terms, please refer to the [Personalizer Terminology](terminology.md) and [conceptual documentation](how-personalizer-works.md).

+ Title: Azure Communication Services in Azure Government

+description: Learn about using Azure Communication Services in US Government regions

+# Azure Communication Services for US Government

+Azure Communication Services can be used within [Azure Government](https://azure.microsoft.com/global-infrastructure/government/) to provide compliance with US government requirements for cloud services. In addition to enjoying the features and capabilities of Messaging, Voice and Video calling, developers benefit from the following features that are unique to Azure Government:

+- Your personal data is logically segregated from customer content in the commercial Azure cloud.

+- Your resourceΓÇÖs customer content is stored within the United States.

+- Access to your organization's customer content is restricted to screened Microsoft personnel.

+You can find more information about the Office 365 Government ΓÇô GCC High offering for US Government customers at [Office 365 Government plans](https://products.office.com/government/compare-office-365-government-plans). Please see [eligibility requirements](https://azure.microsoft.com/global-infrastructure/government/how-to-buy/) for Azure Government.

+ Title: How to verify if your application is running in a web browser supported by Azure Communication Services

+description: Learn how to get current browser environment details using the Azure Communication Services Calling SDK for JavaScript

+# How to verify if your application is running in a web browser supported by Azure Communication Services

+There are many different browsers available in the market today, but not all of them can properly support audio and video calling. To determine if the browser your application is running on is a supported browser you can use the `getEnvironmentInfo` to check for browser support.

+A `CallClient` instance is required for this operation. When you have a `CallClient` instance, you can use the `getEnvironmentInfo` method on the `CallClient` instance to obtain details about the current environment of your app:

+```javascript

+const callClient = new CallClient(options);

+const environmentInfo = await callClient.getEnvironmentInfo();

+```

+The `getEnvironmentInfo` method asynchronously returns an object of type `EnvironmentInfo`.

+- The `EnvironmentInfo` type is defined as:

+```javascript

+{

+ environment: Environment;

+ isSupportedPlatform: boolean;

+ isSupportedBrowser: boolean;

+ isSupportedBrowserVersion: boolean;

+ isSupportedEnvironment: boolean;

+}

+```

+- The `Environment` type within the `EnvironmentInfo` type is defined as:

+```javascript

+{

+ platform: string;

+ browser: string;

+ browserVersion: string;

+}

+```

+A supported environment is a combination of an operating system, a browser, and the minimum version required for that browser.

+ --registry MyRegistry \

+ --registry MyRegistry \

+ --registry MyRegistry \

+ --registry MyRegistry \

+ --registry MyRegistry \

+ --registry MyRegistry \

+ --registry MyRegistry \

+|restoreTimestampInUtc | Point in time in UTC to restore the account. |

+| operationType | The operation type of this database event. Here are the possible values:<br/><ul><li>Create: database creation event</li><li>Delete: database deletion event</li><li>Replace: database modification event</li><li>SystemOperation: database modification event triggered by the system. This event isn't initiated by the user</li></ul> |

+| operationType | The operation type of this container event. Here are the possible values: <br/><ul><li>Create: container creation event</li><li>Delete: container deletion event</li><li>Replace: container modification event</li><li>SystemOperation: container modification event triggered by the system. This event isn't initiated by the user</li></ul> |

+| operationType | The operation type of this database event. Here are the possible values:<br/><ul><li> Create: database creation event</li><li> Delete: database deletion event</li><li> Replace: database modification event</li><li> SystemOperation: database modification event triggered by the system. This event isn't initiated by the user </li></ul> |

+| operationType |The operation type of this collection event. Here are the possible values:<br/><ul><li>Create: collection creation event</li><li>Delete: collection deletion event</li><li>Replace: collection modification event</li><li>SystemOperation: collection modification event triggered by the system. This event isn't initiated by the user</li></ul> |

+To get a list of all container mutations under the same database see [Restorable Mongodb Collections - List](/rest/api/cosmos-db-resource-provider/2021-04-01-preview/restorable-mongodb-collections/list) article.

+| operationType | The operation type of this database event. Here are the possible values:<br/><ul><li> Create: database creation event</li><li> Delete: database deletion event</li><li> Replace: database modification event</li><li> SystemOperation: database modification event triggered by the system. This event isn't initiated by the user. </li></ul> |

+To get an event feed of all mutations on the Gremlin database for the account, see theΓÇ»[Restorable Graph Databases - List]( /rest/api/cosmos-db-resource-provider/2021-11-15-preview/restorable-gremlin-databases/list) article.

+| operationType |The operation type of this collection event. Here are the possible values:<br/><ul><li>Create: Graph creation event</li><li>Delete: Graph deletion event</li><li>Replace: Graph modification event</li><li>SystemOperation: collection modification event triggered by the system. This event isn't initiated by the user.</li></ul> |

+Lists all the restorable Azure Cosmos DB Tables available for a specific database account at a given time and location. Note the Table API doesn't specify an explicit database.

+To get a list of tables that exist on the account at the given timestamp and location, see [Restorable Table Resources - List](/rest/api/cosmos-db-resource-provider/2021-11-15-preview/restorable-table-resources/list) article.

+| operationType | The operation type of this Table event. Here are the possible values:<br/><ul><li> Create: Table creation event</li><li> Delete: Table deletion event</li><li> Replace: Table modification event</li><li> SystemOperation: database modification event triggered by the system. This event isn't initiated by the user </li></ul> |

+>[!IMPORTANT]

+> The [Custom Migration Service using ChangeFeed](https://github.com/Azure-Samples/azure-cosmosdb-live-data-migrator) is an open-source tool for live container migrations that implements change feed and bulk support. However, please note that the user interface application code for this tool is not supported or actively maintained by Microsoft. For Azure Cosmos DB SQL API live container migrations, we recommend using the Spark Connector + Change Feed as illustrated in the [sample](https://github.com/Azure/azure-sdk-for-jav) is fully supported by Microsoft.

+|Online|[Azure Cosmos DB Spark connector + Change Feed](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/cosmos/azure-cosmos-spark_3_2-12/Samples/DatabricksLiveContainerMigration)|Azure Cosmos DB SQL API. <br/><br/>Uses Azure Cosmos DB Change Feed to stream all historic data as well as live updates.| Azure Cosmos DB SQL API. <br/><br/>You can use other targets with additional connectors from the Spark ecosystem.| &bull; Makes use of the Azure Cosmos DB bulk executor library. <br/>&bull; Suitable for large datasets. <br/>&bull; Needs a custom Spark setup. <br/>&bull; Spark is sensitive to schema inconsistencies and this can be a problem during migration. |

+|Offline|[Copy table with Spark](cassandr#migrate-data-by-using-spark) | &bull;Apache Cassandra<br/> | Azure Cosmos DB Cassandra API | &bull; Can make use of Spark capabilities to parallelize transformation and ingestion. <br/>&bull; Needs configuration with a custom retry policy to handle throttles.|

+|Online|[Dual-write proxy + Spark](cassandr)| &bull;Apache Cassandra<br/>|&bull;Azure Cosmos DB Cassandra API <br/>| &bull; Supports larger datasets, but careful attention required for setup and validation. <br/>&bull; Open-source tools, no purchase required.|

+* Contact the Azure Cosmos DB product team by opening a support ticket under the "General Advisory" problem type and "Large (TB+) migrations" problem subtype for additional help with large scale migrations.

+- **Database operations**: The way you get charged for your database operations depends on the type of Azure Cosmos account you're using.

+ - **Provisioned Throughput**: [Provisioned throughput](set-throughput.md) (also called reserved throughput) provides high performance at any scale. You specify the throughput that you need in [Request Units](request-units.md) per second (RU/s), and Azure Cosmos DB dedicates the resources required to provide the configured throughput. You can [provision throughput on either a database or a container](set-throughput.md). Based on your workload needs, you can scale throughput up/down at any time or use [autoscale](provision-throughput-autoscale.md) (although there's a minimum throughput required on a database or a container to guarantee the SLAs). You're billed hourly for the maximum provisioned throughput for a given hour.

+ - **Serverless**: In [serverless](serverless.md) mode, you don't have to provision any throughput when creating resources in your Azure Cosmos account. At the end of your billing period, you get billed for the number of Request Units that has been consumed by your database operations.

+- **Storage**: You're billed a flat rate for the total amount of storage (in GBs) consumed by your data and indexes for a given hour. Storage is billed on a consumption basis, so you don't have to reserve any storage in advance. You're billed only for the storage you consume.

+If you deploy your Azure Cosmos DB account to a non-government region in the US, there's a minimum price for both database and container-based throughput in provisioned throughput mode. There's no minimum price in serverless mode. The pricing varies depending on the region you're using, see the [Azure Cosmos DB pricing page](https://azure.microsoft.com/pricing/details/cosmos-db/) for latest pricing information.

+* **Azure Cosmos DB free tier**: Azure Cosmos DB free tier makes it easy to get started, develop and test your applications, or even run small production workloads for free. When free tier is enabled on an account, you'll get the first 1000 RU/s and 25 GB of storage in the account free, for the lifetime of the account. You can have up to one free tier account per Azure subscription and must opt in when creating the account. To learn more, see how to [create a free tier account](free-tier.md) article.

+* **Azure Cosmos DB emulator**: Azure Cosmos DB emulator provides a local environment that emulates the Azure Cosmos DB service for development purposes. Emulator is offered at no cost and with high fidelity to the cloud service. Using Azure Cosmos DB emulator, you can develop and test your applications locally, without creating an Azure subscription or incurring any costs. You can develop your applications by using the emulator locally before going into production. After you're satisfied with the functionality of the application against the emulator, you can switch to using the Azure Cosmos DB account in the cloud and significantly save on cost. For more information about dev/test, see [using Azure Cosmos DB for development and testing](local-emulator.md).

+Azure Cosmos DB [reserved capacity](cosmos-db-reserved-capacity.md) helps you save money when using the provisioned throughput mode by pre-paying for Azure Cosmos DB resources for either one year or three years. You can significantly reduce your costs with one-year or three-year upfront commitments and save between 20-65% discounts when compared to the regular pricing. Azure Cosmos DB reserved capacity helps you lower costs by pre-paying for the provisioned throughput (RU/s) for one year or three years and you get a discount on the throughput provisioned.

+Reserved capacity provides a billing discount and doesn't affect the runtime state of your Azure Cosmos DB resources. Reserved capacity is available consistently to all APIs, which includes MongoDB, Cassandra, SQL, Gremlin, and Azure Tables and all regions worldwide. You can learn more about reserved capacity in [Prepay for Azure Cosmos DB resources with reserved capacity](cosmos-db-reserved-capacity.md) article and buy reserved capacity from the [Azure portal](https://portal.azure.com/).

+To use the Azure Cosmos DB RBAC in your application, you have to update the way you initialize the Azure Cosmos DB SDK. Instead of passing your account's primary key, you have to pass an instance of a `TokenCredential` class. This instance provides the Azure Cosmos DB SDK with the context required to fetch an Azure AD token on behalf of the identity you wish to use.

+* You can use this API to identify that your data has been successfully backed up before deleting the account. If the timestamp returned by this API is less than the last write timestamp, then it means that there's some data that hasn't been backed up yet. In such case, you must call this API until the timestamp becomes equal to or greater than the last write timestamp. If an account exists in multiple locations, you must get the latest restorable timestamp in all the locations to make sure that data has been backed up in all regions before deleting the account.

+The latest restorable timestamp for a container is the minimum timestamp upto, which all its partitions have taken backup successfully in the given location. This Api calculates the latest restorable timestamp by retrieving the latest backup timestamp for each partition of the given container in given location and returns the minimum of all these timestamps. If the data for all its partitions is backed up and there was no new data written to those partitions, then it will return the maximum of current timestamp and the last data backup timestamp.

+If a partition hasn't taken any backup yet but it has some data to be backed up, then it will return the minimum Unix (epoch) timestamp that is, January 1, 1970, midnight UTC (Coordinated Universal Time). In such cases, user must retry until it gives a timestamp greater than epoch timestamp.

+The following example describes the expected outcome of latest restorable timestamp Api in different scenarios. In each scenario, we'll discuss about the current log backup state of partition, pending data to be backed up and how it affects the overall latest restorable timestamp calculation for a container.

+Let's say, we have an account, which exists in two regions (East US and West US). We have a container "cont1", which has two partitions (Partition1 and Partition2). If we send a request to get the latest restorable timestamp for this container at timestamp 't3', the overall latest restorable timestamp for this container will be calculated as follows:

+##### Case1: Data for all the partitions hasn't been backed up yet

+##### Case3: When one or more partitions hasn't taken any backup yet

+No. It applies only to live accounts. You can get the restorable timestamp to trigger the live account restore or monitor that your data is being backed up on time.

+description: Azure Cosmos DB currently supports a one-way migration from periodic to continuous mode and itΓÇÖs irreversible. After migrating from periodic to continuous mode, you can apply the benefits of continuous mode.

+Azure Cosmos DB accounts with periodic mode backup policy can be migrated to continuous mode using [Azure portal](#portal), [CLI](#cli), [PowerShell](#powershell), or [Resource Manager templates](#ARM-template). Migration from periodic to continuous mode is a one-way migration and itΓÇÖs not reversible. After migrating from periodic to continuous mode, you can apply the benefits of continuous mode.

+* The ability to restore container, database, or the full account when it's deleted or modified.

+After you migrate your account to continuous backup mode, the cost with this mode is different when compared to the periodic backup mode. The continuous mode backup cost is cheaper than periodic mode. To learn more, see the [continuous backup mode pricing](continuous-backup-restore-introduction.md#continuous-backup-pricing) example.

+1. When the migration is in progress, the status shows **Pending.** After itΓÇÖs complete, the status changes to **On.** Migration time depends on the size of data in your account.

+1. Sign in to your Azure account and run the following command to migrate your account to continuous mode:

+When migrating from periodic mode to continuous mode, you can't run any control plane operations that performs account level updates or deletes. For example, operations such as adding or removing regions, account failover, updating backup policy etc. can't be run while the migration is in progress. The time for migration depends on the size of data and the number of regions in your account. Restore action on the migrated accounts only succeeds from the time when migration successfully completes.

+Currently, SQL API and API for MongoDB accounts with single write region that have shared, provisioned, or autoscale provisioned throughput support migration. Table API and Gremlin API are in preview.

+Accounts enabled with analytical storage and multiple-write regions aren't supported for migration.

+Migration takes time and it depends on the size of data and the number of regions in your account. You can get the migration status using Azure CLI or PowerShell commands. For large accounts with tens of terabytes of data, the migration can take up to few days to complete.

+No, the migration operation takes place in the background, so the client requests aren't impacted. However, we need to perform some backend operations during the migration, and it might take extra time if the account is under heavy load.

+#### If the migration fails for some underlying issue, would it still block the control plane operation until it's retried and completed successfully?

+Failed migration won't block any control plane operations. If migration fails, itΓÇÖs recommended to retry until it succeeds before performing any other control plane operations.

+It isn't possible to cancel the migration because it isn't a reversible operation.

+ * If all you know is the number of vCores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](convert-vcore-to-request-unit.md)

+|Checked | Subject |Details/Links |

+| <input type="checkbox"/> | Regions | Make sure to run your application in the same [Azure region](../distribute-data-globally.md) as your Azure Cosmos DB account, whenever possible to reduce latency. Enable 2-4 regions and replicate your accounts in multiple regions for [best availability](../distribute-data-globally.md). For production workloads, enable [automatic failover](../how-to-manage-database-account.md#configure-multiple-write-regions). In the absence of this configuration, the account will experience loss of write availability for all the duration of the write region outage, as manual failover won't succeed due to lack of region connectivity. To learn how to add multiple regions using the .NET SDK visit [here](tutorial-global-distribution-sql-api.md) |

+| <input type="checkbox"/> | Availability and Failovers | Set the [ApplicationPreferredRegions](/dotnet/api/microsoft.azure.cosmos.cosmosclientoptions.applicationpreferredregions?view=azure-dotnet&preserve-view=true) or [ApplicationRegion](/dotnet/api/microsoft.azure.cosmos.cosmosclientoptions.applicationregion?view=azure-dotnet&preserve-view=true) in the v3 SDK, and the [PreferredLocations](/dotnet/api/microsoft.azure.documents.client.connectionpolicy.preferredlocations?view=azure-dotnet&preserve-view=true) in the v2 SDK using the [preferred regions list](./tutorial-global-distribution-sql-api.md?tabs=dotnetv3%2capi-async#preferred-locations). During failovers, write operations are sent to the current write region and all reads are sent to the first region within your preferred regions list. For more information about regional failover mechanics, see the [availability troubleshooting guide](troubleshoot-sdk-availability.md). |

+| <input type="checkbox"/> | CPU | You may run into connectivity/availability issues due to lack of resources on your client machine. Monitor your CPU utilization on nodes running the Azure Cosmos DB client, and scale up/out if usage is high. |

+|<input type="checkbox"/> | Retry Logic | A transient error is an error that has an underlying cause that soon resolves itself. Applications that connect to your database should be built to expect these transient errors. To handle them, implement retry logic in your code instead of surfacing them to users as application errors. The SDK has built-in logic to handle these transient failures on retryable requests like read or query operations. The SDK won't retry on writes for transient failures as writes aren't idempotent. The SDK does allow users to configure retry logic for throttles. For details on which errors to retry on [visit](troubleshoot-dot-net-sdk.md#retry-logics) |

+| <input type="checkbox"/> | Parallel Queries | The Cosmos DB SDK supports [running queries in parallel](performance-tips-query-sdk.md?pivots=programming-language-csharp) for better latency and throughput on your queries. We recommend setting the `MaxConcurrency` property within the `QueryRequestsOptions` to the number of partitions you have. If you aren't aware of the number of partitions, start by using `int.MaxValue`, which will give you the best latency. Then decrease the number until it fits the resource restrictions of the environment to avoid high CPU issues. Also, set the `MaxBufferedItemCount` to the expected number of results returned to limit the number of pre-fetched results. |

+| <input type="checkbox"/> | Enabling Query Metrics | For more logging of your backend query executions, you can enable SQL Query Metrics using our .NET SDK. For instructions on how to collect SQL Query Metrics [visit](profile-sql-api-query.md) |

+| <input type="checkbox"/> | SDK Logging | Use SDK logging to capture extra diagnostics information and troubleshoot latency issues. Log the [diagnostics string](/dotnet/api/microsoft.azure.documents.client.resourceresponsebase.requestdiagnosticsstring?view=azure-dotnet&preserve-view=true) in the V2 SDK or [`Diagnostics`](/dotnet/api/microsoft.azure.cosmos.responsemessage.diagnostics?view=azure-dotnet&preserve-view=true) in v3 SDK for more detailed cosmos diagnostic information for the current request to the service. As an example use case, capture Diagnostics on any exception and on completed operations if the `Diagnostics.ElapsedTime` is greater than a designated threshold value (that is, if you have an SLA of 10 seconds, then capture diagnostics when `ElapsedTime` > 10 seconds). It's advised to only use these diagnostics during performance testing. |

+| <input type="checkbox"/> | DefaultTraceListener | The DefaultTraceListener poses performance issues on production environments causing high CPU and I/O bottlenecks. Make sure you're using the latest SDK versions or [remove the DefaultTraceListener from your application](performance-tips-dotnet-sdk-v3-sql.md#logging-and-tracing) |

+* If all you know is the number of vCores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](../convert-vcore-to-request-unit.md)

+The strategy, when working with relational databases, is to normalize all your data. Normalizing your data typically involves taking an entity, such as a person, and breaking it down into discrete components. In the example above, a person may have multiple contact detail records, and multiple address records. Contact details can be further broken down by further extracting common fields like a type. The same applies to address, each record can be of type *Home* or *Business*.

+Write operations across many individual tables are required to update a single person's contact details and addresses.

+Retrieving a complete person record from the database is now a **single read operation** against a single container and for a single item. Updating the contact details and addresses of a person record is also a **single write operation** against a single item.

+* There's embedded data that won't grow **without bound**.

+As the size of the item grows the ability to transmit the data over the wire and reading and updating the item, at scale, will be impacted.

+This model has a document for each comment with a property that contains the post identifier. This allows posts to contain any number of comments and can grow efficiently. Users wanting to see more

+than the most recent comments would query this container passing the postId, which should be the partition key for the comments container.

+ "stock": { "symbol": "zbzb", "open": 1, "high": 2, "low": 0.5 }

+Stock *zbzb* may be traded many hundreds of times in a single day and thousands of users could have *zbzb* on their portfolio. With a data model like the above we would have to update many thousands of portfolio documents many times every day leading to a system that won't scale well.

+ "symbol": "zbzb",

+Because there's currently no concept of a constraint, foreign-key or otherwise, any inter-document relationships that you have in documents are effectively "weak links" and won't be verified by the database itself. If you want to ensure that the data a document is referring to actually exists, then you need to do this in your application, or by using server-side triggers or stored procedures on Azure Cosmos DB.

+In the above example, we've dropped the unbounded collection on the publisher document. Instead we just have a reference to the publisher on each book document.

+### How do I model many-to-many relationships?

+In a relational database *many-to-many* relationships are often modeled with join tables, which just join records from other tables together.

+Sure, if the author's name changed or they wanted to update their photo we'd have to update every book they ever published but for our application, based on the assumption that authors don't change their names often, this is an acceptable design decision.

+The ability to have a model with pre-calculated fields is made possible because Azure Cosmos DB supports **multi-document transactions**. Many NoSQL stores can't do transactions across documents and therefore advocate design decisions, such as "always embed everything", due to this limitation. With Azure Cosmos DB, you can use server-side triggers, or stored procedures that insert books and update authors all within an ACID transaction. Now you don't **have** to embed everything into one document just to be sure that your data remains consistent.

+With Azure Synapse Link, you can now directly connect to your Azure Cosmos DB containers from Azure Synapse Analytics and access the analytical store, at no Request Units (request units) costs. Azure Synapse Analytics currently supports Azure Synapse Link with Synapse Apache Spark and serverless SQL pools. If you have a globally distributed Azure Cosmos DB account, after you enable analytical store for a container, it will be available in all regions for that account.

+Note that these last two factors, fewer properties and fewer levels, help in the performance of your analytical queries but also decrease the chances of parts of your data not being represented in the analytical store. As described in the article on automatic schema inference rules, there are limits to the number of levels and properties that are represented in analytical store.

+In a hypothetical global IoT scenario, `device id` is a good PK since all devices have a similar data volume and with that you won't have a hot partition problem. But if you want to analyze the data of more than one device, like "all data from yesterday" or "totals per city", you may have problems since those are cross-partition queries. Those queries can hurt your transactional performance since they use part of your throughput in request units to run. But with Azure Synapse Link, you can run these analytical queries at no request units costs. Analytical store columnar format is optimized for analytical queries and Azure Synapse Link applies this characteristic to allow great performance with Azure Synapse Analytics runtimes.

+ * No ETL jobs running in your environment, meaning that you don't need to provision request units for them.

+This is a great alternative for situations when a data model already exists and can't be changed. And the existing data model doesn't fit well into analytical store due to automatic schema inference rules like the limit of nested levels or the maximum number of properties. If this is your case, you can use [Azure Cosmos DB Change Feed](../change-feed.md) to replicate your data into another container, applying the required transformations for an Azure Synapse Link friendly data model. Let's see an example:

+Another perspective of the problem is the big data volume. Billions of rows are constantly used by the Analytics Department, what prevents them to use tttl for old data deletion. Maintaining the entire data history in the transactional database because of analytical needs forces them to constantly increase request units provisioning, impacting costs. Transactional and analytical workloads compete for the same resources at the same time.

+* The engineering team decided to use Change Feed to populate three new containers: `Customers`, `Orders`, and `Items`. With Change Feed they're normalizing and flattening the data. Unnecessary information is removed from the data model and each container has close to 100 properties, avoiding data loss due to automatic schema inference limits.

+* These new containers have analytical store enabled and now the Analytics Department is using Synapse Analytics to read the data, reducing the request units usage since the analytical queries are happening in Synapse Apache Spark and serverless SQL pools.

+* Container `CustomersOrdersAndItems` now has tttl set to keep data for six months only, which allows for another request units usage reduction, since there's a minimum of 10 request units per GB in Azure Cosmos DB. Less data, fewer request units.

+Just as there's no single way to represent a piece of data on a screen, there's no single way to model your data. You need to understand your application and how it will produce, consume, and process the data. Then, by applying some of the guidelines presented here you can set about creating a model that addresses the immediate needs of your application. When your applications need to change, you can use the flexibility of a schema-free database to embrace that change and evolve your data model easily.

+Cosmos DB accounts are created using the [az Cosmos DB create](/cli/azure/cosmosdb#az-cosmosdb-create) command. You must include the `--capabilities EnableTable` option to enable table storage within your Cosmos DB. As all Azure resource must be contained in a resource group, the following code snippet also creates a resource group for the Cosmos DB account.

+Tables in Cosmos DB are created using the [az Cosmos DB table create](/cli/azure/cosmosdb/table#az-cosmosdb-table-create) command.

+To get the primary table storage connection string using Azure CLI, use the [az Cosmos DB keys list](/cli/azure/cosmosdb/keys#az-cosmosdb-keys-list) command with the option `--type connection-strings`. This command uses a [JMESPath query](https://jmespath.org/) to display only the primary table connection string.

+To delete a resource group using the Azure CLI, use the [az group delete](/cli/azure/group#az-group-delete) command with the name of the resource group to be deleted. Deleting a resource group will also remove all Azure resources contained in the resource group.

+ Title: Reservation discount for Azure Data Explorer

+# How the reservation discount is applied to Azure Data Explorer

+## Reservation discount usage

+A reservation discount is on a "*use-it-or-lose-it*" basis. So, if you don't have matching resources for any hour, then you lose a reservation quantity for that hour. You can't carry forward discounts for unused reserved hours.

+## Discount for other resources

+* [What are reservations for Azure?](save-compute-costs-reservations.md)

+* [Understand reservation usage for your pay-as-you-go subscription](understand-reserved-instance-usage.md)

+ Title: Azure Stack Edge 2205 release notes

+description: Describes critical open issues and resolutions for the Azure Stack Edge running 2205 release.

+

+# Azure Stack Edge 2205 release notes

+The following release notes identify the critical open issues and the resolved issues for the 2205 release for your Azure Stack Edge devices. Features and issues that correspond to a specific model of Azure Stack Edge are called out wherever applicable.

+The release notes are continuously updated, and as critical issues requiring a workaround are discovered, they're added. Before you deploy your device, carefully review the information contained in the release notes.

+This article applies to the **Azure Stack Edge 2205** release, which maps to software version number **2.2.1981.5086**. This software can be applied to your device if you're running at least Azure Stack Edge 2106 (2.2.1636.3457) software.

+## What's new

+The 2205 release has the following features and enhancements:

+- **Kubernetes changes** - Beginning this release, compute enablement is moved to a dedicated Kubernetes page in the local UI.

+- **Generation 2 virtual machines** - Starting this release, Generation 2 virtual machines can be deployed on Azure Stack Edge. For more information, see [Supported VM sizes and types](azure-stack-edge-gpu-virtual-machine-overview.md#operating-system-disks-and-images).

+- **GPU extension update** - In this release, the GPU extension packages are updated. These updates will fix some issues that were encountered in a previous release during the installation of the extension. For more information, see how to [Update GPU extension of your Azure Stack Edge](azure-stack-edge-gpu-deploy-virtual-machine-install-gpu-extension.md).

+- **No IP option** - Going forward, there's an option to not set an IP for a network interface on your Azure Stack Edge device. For more information, see [Configure network](azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy.md#configure-network).

+## Issues fixed in 2205 release

+The following table lists the issues that were release noted in previous releases and fixed in the current release.

+| No. | Feature | Issue |

+| | | |

+|**1.**|GPU Extension installation | In the previous releases, there were issues that caused the GPU extension installation to fail. These issues are described in [Troubleshooting GPU extension issues](azure-stack-edge-gpu-troubleshoot-virtual-machine-gpu-extension-installation.md). These are fixed in the 2205 release and both the Windows and Linux installation packages are updated. More information on 2205 specific installation changes is covered in [Install GPU extension on your Azure Stack Edge device](azure-stack-edge-gpu-deploy-virtual-machine-install-gpu-extension.md). |

+## Known issues in 2205 release

+The following table provides a summary of known issues in this release.

+| No. | Feature | Issue | Workaround/comments |

+| | | | |

+|**1.**|Preview features |For this release, the following features are available in preview: <br> - Clustering and Multi-Access Edge Computing (MEC) for Azure Stack Edge Pro GPU devices only. <br> - VPN for Azure Stack Edge Pro R and Azure Stack Edge Mini R only. <br> - Local Azure Resource Manager, VMs, Cloud management of VMs, Kubernetes cloud management, and Multi-process service (MPS) for Azure Stack Edge Pro GPU, Azure Stack Edge Pro R, and Azure Stack Edge Mini R. |These features will be generally available in later releases. |

+|**2.**|HPN VMs |For this release, the Standard_F12_HPN can only support one network interface and can't be used for Multi-Access Edge Computing (MEC) deployments. | |

+## Known issues from previous releases

+The following table provides a summary of known issues carried over from the previous releases.

+| No. | Feature | Issue | Workaround/comments |

+| | | | |

+| **1.** |Azure Stack Edge Pro + Azure SQL | Creating SQL database requires Administrator access. |Do the following steps instead of Steps 1-2 in [Create-the-sql-database](../iot-edge/tutorial-store-data-sql-server.md#create-the-sql-database). <br> - In the local UI of your device, enable compute interface. Select **Compute > Port # > Enable for compute > Apply.**<br> - Download `sqlcmd` on your client machine from [SQL command utility](/sql/tools/sqlcmd-utility). <br> - Connect to your compute interface IP address (the port that was enabled), adding a ",1401" to the end of the address.<br> - Final command will look like this: sqlcmd -S {Interface IP},1401 -U SA -P "Strong!Passw0rd". After this, steps 3-4 from the current documentation should be identical. |

+| **2.** |Refresh| Incremental changes to blobs restored via **Refresh** are NOT supported |For Blob endpoints, partial updates of blobs after a Refresh, may result in the updates not getting uploaded to the cloud. For example, sequence of actions such as:<br> 1. Create blob in cloud. Or delete a previously uploaded blob from the device.<br> 2. Refresh blob from the cloud into the appliance using the refresh functionality.<br> 3. Update only a portion of the blob using Azure SDK REST APIs. These actions can result in the updated sections of the blob to not get updated in the cloud. <br>**Workaround**: Use tools such as robocopy, or regular file copy through Explorer or command line, to replace entire blobs.|

+|**3.**|Throttling|During throttling, if new writes to the device aren't allowed, writes by the NFS client fail with a "Permission Denied" error.| The error will show as below:<br>`hcsuser@ubuntu-vm:~/nfstest$ mkdir test`<br>mkdir: can't create directory 'test': Permission deniedΓÇï|

+|**4.**|Blob Storage ingestion|When using AzCopy version 10 for Blob storage ingestion, run AzCopy with the following argument: `Azcopy <other arguments> --cap-mbps 2000`| If these limits aren't provided for AzCopy, it could potentially send a large number of requests to the device, resulting in issues with the service.|

+|**5.**|Tiered storage accounts|The following apply when using tiered storage accounts:<br> - Only block blobs are supported. Page blobs aren't supported.<br> - There's no snapshot or copy API support.<br> - Hadoop workload ingestion through `distcp` isn't supported as it uses the copy operation heavily.||

+|**6.**|NFS share connection|If multiple processes are copying to the same share, and the `nolock` attribute isn't used, you may see errors during the copy.ΓÇï|The `nolock` attribute must be passed to the mount command to copy files to the NFS share. For example: `C:\Users\aseuser mount -o anon \\10.1.1.211\mnt\vms Z:`.|

+|**7.**|Kubernetes cluster|When applying an update on your device that is running a Kubernetes cluster, the Kubernetes virtual machines will restart and reboot. In this instance, only pods that are deployed with replicas specified are automatically restored after an update. |If you have created individual pods outside a replication controller without specifying a replica set, these pods won't be restored automatically after the device update. You'll need to restore these pods.<br>A replica set replaces pods that are deleted or terminated for any reason, such as node failure or disruptive node upgrade. For this reason, we recommend that you use a replica set even if your application requires only a single pod.|

+|**8.**|Kubernetes cluster|Kubernetes on Azure Stack Edge Pro is supported only with Helm v3 or later. For more information, go to [Frequently asked questions: Removal of Tiller](https://v3.helm.sh/docs/faq/).|

+|**9.**|Kubernetes |Port 31000 is reserved for Kubernetes Dashboard. Port 31001 is reserved for Edge container registry. Similarly, in the default configuration, the IP addresses 172.28.0.1 and 172.28.0.10, are reserved for Kubernetes service and Core DNS service respectively.|Don't use reserved IPs.|

+|**10.**|Kubernetes |Kubernetes doesn't currently allow multi-protocol LoadBalancer services. For example, a DNS service that would have to listen on both TCP and UDP. |To work around this limitation of Kubernetes with MetalLB, two services (one for TCP, one for UDP) can be created on the same pod selector. These services use the same sharing key and spec.loadBalancerIP to share the same IP address. IPs can also be shared if you have more services than available IP addresses. <br> For more information, see [IP address sharing](https://metallb.universe.tf/usage/#ip-address-sharing).|

+|**11.**|Kubernetes cluster|Existing Azure IoT Edge marketplace modules may require modifications to run on IoT Edge on Azure Stack Edge device.|For more information, see [Run existing IoT Edge modules from Azure Stack Edge Pro FPGA devices on Azure Stack Edge Pro GPU device](azure-stack-edge-gpu-modify-fpga-modules-gpu.md).|

+|**12.**|Kubernetes |File-based bind mounts aren't supported with Azure IoT Edge on Kubernetes on Azure Stack Edge device.|IoT Edge uses a translation layer to translate `ContainerCreate` options to Kubernetes constructs. Creating `Binds` maps to `hostpath` directory and thus file-based bind mounts can't be bound to paths in IoT Edge containers. If possible, map the parent directory.|

+|**13.**|Kubernetes |If you bring your own certificates for IoT Edge and add those certificates on your Azure Stack Edge device after the compute is configured on the device, the new certificates aren't picked up.|To work around this problem, you should upload the certificates before you configure compute on the device. If the compute is already configured, [Connect to the PowerShell interface of the device and run IoT Edge commands](azure-stack-edge-gpu-connect-powershell-interface.md#use-iotedge-commands). Restart `iotedged` and `edgehub` pods.|

+|**14.**|Certificates |In certain instances, certificate state in the local UI may take several seconds to update. |The following scenarios in the local UI may be affected. <br> - **Status** column in **Certificates** page. <br> - **Security** tile in **Get started** page. <br> - **Configuration** tile in **Overview** page.</li></ul> |

+|**15.**|Certificates|Alerts related to signing chain certificates aren't removed from the portal even after uploading new signing chain certificates.| |

+|**16.**|Web proxy |NTLM authentication-based web proxy isn't supported. ||

+|**17.**|Internet Explorer|If enhanced security features are enabled, you may not be able to access local web UI pages. | Disable enhanced security, and restart your browser.|

+|**18.**|Kubernetes |Kubernetes doesn't support ":" in environment variable names that are used by .NET applications. This is also required for Event Grid IoT Edge module to function on Azure Stack Edge device and other applications. For more information, see [ASP.NET core documentation](/aspnet/core/fundamentals/configuration/?tabs=basicconfiguration#environment-variables).|Replace ":" by double underscore. For more information,see [Kubernetes issue](https://github.com/kubernetes/kubernetes/issues/53201)|

+|**19.** |Azure Arc + Kubernetes cluster |By default, when resource `yamls` are deleted from the Git repository, the corresponding resources aren't deleted from the Kubernetes cluster. |To allow the deletion of resources when they're deleted from the git repository, set `--sync-garbage-collection` in Arc OperatorParams. For more information, see [Delete a configuration](../azure-arc/kubernetes/tutorial-use-gitops-connected-cluster.md#additional-parameters). |

+|**20.**|NFS |Applications that use NFS share mounts on your device to write data should use Exclusive write. That ensures the writes are written to the disk.| |

+|**21.**|Compute configuration |Compute configuration fails in network configurations where gateways or switches or routers respond to Address Resolution Protocol (ARP) requests for systems that don't exist on the network.| |

+|**22.**|Compute and Kubernetes |If Kubernetes is set up first on your device, it claims all the available GPUs. Hence, it isn't possible to create Azure Resource Manager VMs using GPUs after setting up the Kubernetes. |If your device has 2 GPUs, then you can create one VM that uses the GPU and then configure Kubernetes. In this case, Kubernetes will use the remaining available one GPU. |

+|**23.**|Custom script VM extension |There's a known issue in the Windows VMs that were created in an earlier release and the device was updated to 2103. <br> If you add a custom script extension on these VMs, the Windows VM Guest Agent (Version 2.7.41491.901 only) gets stuck in the update causing the extension deployment to time out. | To work around this issue: <br> - Connect to the Windows VM using remote desktop protocol (RDP). <br> - Make sure that the `waappagent.exe` is running on the machine: `Get-Process WaAppAgent`. <br> - If the `waappagent.exe` isn't running, restart the `rdagent` service: `Get-Service RdAgent` \| `Restart-Service`. Wait for 5 minutes.<br> - While the `waappagent.exe` is running, kill the `WindowsAzureGuest.exe` process. <br> - After you kill the process, the process starts running again with the newer version. <br> - Verify that the Windows VM Guest Agent version is 2.7.41491.971 using this command: `Get-Process WindowsAzureGuestAgent` \| `fl ProductVersion`.<br> - [Set up custom script extension on Windows VM](azure-stack-edge-gpu-deploy-virtual-machine-custom-script-extension.md). |

+|**24.**|GPU VMs |Prior to this release, GPU VM lifecycle wasn't managed in the update flow. Hence, when updating to 2103 release, GPU VMs aren't stopped automatically during the update. You'll need to manually stop the GPU VMs using a `stop-stayProvisioned` flag before you update your device. For more information, see [Suspend or shut down the VM](azure-stack-edge-gpu-deploy-virtual-machine-powershell.md#suspend-or-shut-down-the-vm).<br> All the GPU VMs that are kept running before the update, are started after the update. In these instances, the workloads running on the VMs aren't terminated gracefully. And the VMs could potentially end up in an undesirable state after the update. <br>All the GPU VMs that are stopped via the `stop-stayProvisioned` before the update, are automatically started after the update. <br>If you stop the GPU VMs via the Azure portal, you'll need to manually start the VM after the device update.| If running GPU VMs with Kubernetes, stop the GPU VMs right before the update. <br>When the GPU VMs are stopped, Kubernetes will take over the GPUs that were used originally by VMs. <br>The longer the GPU VMs are in stopped state, higher the chances that Kubernetes will take over the GPUs. |

+|**25.**|Multi-Process Service (MPS) |When the device software and the Kubernetes cluster are updated, the MPS setting isn't retained for the workloads. |[Re-enable MPS](azure-stack-edge-gpu-connect-powershell-interface.md#connect-to-the-powershell-interface) and redeploy the workloads that were using MPS. |

+|**26.**|Wi-Fi |Wi-Fi doesn't work on Azure Stack Edge Pro 2 in this release. | This functionality may be available in a future release. |

+## Next steps

+- [Update your device](azure-stack-edge-gpu-install-update.md)

+ The virtual machine can be a Generation 1 or Generation 2 VM. The OS disk that you use to create your VM image must be a fixed-size VHD of any size that Azure supports. For VM size options, see [Supported VM sizes](azure-stack-edge-gpu-virtual-machine-sizes.md#supported-vm-sizes).

+ You can use any Windows Gen1 or Gen2 VM with a fixed-size VHD in Azure Marketplace. For a list Azure Marketplace images that could work, see [Commonly used Azure Marketplace images for Azure Stack Edge](azure-stack-edge-gpu-create-virtual-machine-marketplace-image.md#commonly-used-marketplace-images).

+ You can use any Gen1 or Gen2 VM with a fixed-size VHD in Azure Marketplace to create Linux custom images. This excludes Red Hat Enterprise Linux (RHEL) images, which require extra steps and can only be used to create a Gen1 VM image. For a list of Azure Marketplace images that could work, see [Commonly used Azure Marketplace images for Azure Stack Edge](azure-stack-edge-gpu-create-virtual-machine-marketplace-image.md#commonly-used-marketplace-images). For guidance on RHEL images, see [Using RHEL BYOS images](#using-rhel-byos-images), below.

+- Use the local UI to enable compute on one of the physical network interfaces on your device as per the instructions in [Enable compute network](azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy.md#configure-virtual-switches) on your device.

+- Make sure that you've followed the instructions in [Enable compute network](azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy.md#configure-virtual-switches) and:

+ On your physical device, there are six network interfaces. PORT 1 and PORT 2 are 1-Gbps network interfaces. PORT 3, PORT 4, PORT 5, and PORT 6 are all 25-Gbps network interfaces that can also serve as 10-Gbps network interfaces. PORT 1 is automatically configured as a management-only port, and PORT 2 to PORT 6 are all data ports. For a new device, the **Network** page is as shown below.

+ - By default for all the ports, it is expected that you'll set an IP. If you decide not to set an IP for a network interface on your device, you can set the IP to **No** and then **Modify** the settings.

+ 

+

+## Configure virtual switches

+Follow these steps to add or delete virtual switches and virtual networks.

+1. In the **Virtual switch** section, you'll add or delete virtual switches. Select **Add virtual switch** to create a new switch.

+ 1. Select **Apply**. You can see that the specified virtual switch is created.

+1. You can create more than one switch by following the steps described earlier.

+1. To delete a virtual switch, under the **Virtual switch** section, select **Delete virtual switch**. When a virtual switch is deleted, the associated virtual networks will also be deleted.

+You can now create virtual networks and associate with the virtual switches you created.

+## Configure virtual networks

+ 1. Select **Apply**. A virtual network is created on the specified virtual switch.

+1. To delete a virtual network, under the **Virtual network** section, select **Delete virtual network** and select the virtual network you want to delete.

+1. Select **Next: Kubernetes >** to next configure your compute IPs for Kubernetes.

+## Configure compute IPs

+Follow these steps to configure compute IPs for your Kubernetes workloads.

+1. In the local UI, go to the **Kubernetes** page.

+1. From the dropdown select a virtual switch that you will use for Kubernetes compute traffic. <!--By default, all switches are configured for management. You can't configure storage intent as storage traffic was already configured based on the network topology that you selected earlier.-->

+

+1. Assign **Kubernetes node IPs**. These static IP addresses are for the Kubernetes VMs.

+ For an *n*-node device, a contiguous range of a minimum of *n+1* IPv4 addresses (or more) are provided for the compute VM using the start and end IP addresses. For a 1-node device, provide a minimum of 2 contiguous IPv4 addresses.

+

+ > [!IMPORTANT]

+ > - Kubernetes on Azure Stack Edge uses 172.27.0.0/16 subnet for pod and 172.28.0.0/16 subnet for service. Make sure that these are not in use in your network. If these subnets are already in use in your network, you can change these subnets by running the `Set-HcsKubeClusterNetworkInfo` cmdlet from the PowerShell interface of the device. For more information, see [Change Kubernetes pod and service subnets](azure-stack-edge-gpu-connect-powershell-interface.md#change-kubernetes-pod-and-service-subnets).

+ > - DHCP mode is not supported for Kubernetes node IPs. If you plan to deploy IoT Edge/Kubernetes, you must assign static Kubernetes IPs and then enable IoT role. This will ensure that static IPs are assigned to Kubernetes node VMs.

+ > - If your datacenter firewall is restricting or filtering traffic based on source IPs or MAC addresses, make sure that the compute IPs (Kubernetes node IPs) and MAC addresses are on the allowed list. The MAC addresses can be specified by running the `Set-HcsMacAddressPool` cmdlet on the PowerShell interface of the device.

+1. Assign **Kubernetes external service IPs**. These are also the load-balancing IP addresses. These contiguous IP addresses are for services that you want to expose outside of the Kubernetes cluster and you specify the static IP range depending on the number of services exposed.

+

+ > [!IMPORTANT]

+ > We strongly recommend that you specify a minimum of 1 IP address for Azure Stack Edge Hub service to access compute modules. You can then optionally specify additional IP addresses for other services/IoT Edge modules (1 per service/module) that need to be accessed from outside the cluster. The service IP addresses can be updated later.

+

+1. Select **Apply**.

+ 

+1. The configuration takes a couple minutes to apply and you may need to refresh the browser.

+1. Select **Next: Web proxy** to configure web proxy.

+ By default for all the ports, it is expected that you'll set an IP. If you decide not to set an IP for a network interface on your device, you can set the IP to **No** and then **Modify** the settings.

+ 

+### Configure virtual switches

+After the cluster is formed and configured, you can now create new virtual switches.

+1. In the **Virtual switch** section, add or delete virtual switches. Select **Add virtual switch** to create a new switch.

+ 1. Provide a name for your virtual switch.

+ 1. Select **Apply**.

+1. The configuration will take a couple minutes to apply and once the virtual switch is created, the list of virtual switches updates to reflect the newly created switch. You can see that the specified virtual switch is created and enabled for compute.

+1. You can create more than one switch by following the steps described earlier.

+1. To delete a virtual switch, under the **Virtual switch** section, select **Delete virtual switch**. When a virtual switch is deleted, the associated virtual networks will also be deleted.

+You can next create and associate virtual networks with your virtual switches.

+You can add or delete virtual networks associated with your virtual switches. To add a virtual network, follow these steps:

+ 

+1. To delete a virtual network, under the **Virtual network** section, select **Delete virtual network** and select the virtual network you want to delete.

+Select **Next: Kubernetes >** to next configure your compute IPs for Kubernetes.

+## Configure compute IPs

+After the virtual switches are created, you can enable these switches for Kubernetes compute traffic.

+1. In the local UI, go to the **Kubernetes** page.

+1. From the dropdown list, select the virtual switch you want to enable for Kubernetes compute traffic.

+1. Assign **Kubernetes node IPs**. These static IP addresses are for the Kubernetes VMs.

+ For an *n*-node device, a contiguous range of a minimum of *n+1* IPv4 addresses (or more) are provided for the compute VM using the start and end IP addresses. For a 1-node device, provide a minimum of 2 contiguous IPv4 addresses. For a two-node cluster, provide a minimum of 3 contiguous IPv4 addresses.

+

+ > [!IMPORTANT]

+ > - Kubernetes on Azure Stack Edge uses 172.27.0.0/16 subnet for pod and 172.28.0.0/16 subnet for service. Make sure that these are not in use in your network. If these subnets are already in use in your network, you can change these subnets by running the `Set-HcsKubeClusterNetworkInfo` cmdlet from the PowerShell interface of the device. For more information, see [Change Kubernetes pod and service subnets](azure-stack-edge-gpu-connect-powershell-interface.md#change-kubernetes-pod-and-service-subnets).

+ > - DHCP mode is not supported for Kubernetes node IPs. If you plan to deploy IoT Edge/Kubernetes, you must assign static Kubernetes IPs and then enable IoT role. This will ensure that static IPs are assigned to Kubernetes node VMs.

+1. Assign **Kubernetes external service IPs**. These are also the load-balancing IP addresses. These contiguous IP addresses are for services that you want to expose outside of the Kubernetes cluster and you specify the static IP range depending on the number of services exposed.

+

+ > [!IMPORTANT]

+ > We strongly recommend that you specify a minimum of 1 IP address for Azure Stack Edge Hub service to access compute modules. You can then optionally specify additional IP addresses for other services/IoT Edge modules (1 per service/module) that need to be accessed from outside the cluster. The service IP addresses can be updated later.

+

+1. Select **Apply**.

+ 

+1. The configuration takes a couple minutes to apply and you may need to refresh the browser.

+ .

+For a list of supported operating systems, drivers, and VM sizes for GPU VMs, see [What are GPU virtual machines?](azure-stack-edge-gpu-overview-gpu-virtual-machines.md) For deployment considerations, see [GPU VMs and Kubernetes](azure-stack-edge-gpu-overview-gpu-virtual-machines.md#gpu-vms-and-kubernetes).

+> - Gen2 VMs are not supported for GPU.

+> - If your device will be running Kubernetes, do not configure Kubernetes before you deploy your GPU VMs. If you configure Kubernetes first, it claims all the available GPU resources, and GPU VM creation will fail. For Kubernetes deployment considerations on 1-GPU and 2-GPU devices, see [GPU VMs and Kubernetes](azure-stack-edge-gpu-overview-gpu-virtual-machines.md#gpu-vms-and-kubernetes).

+> - If you're running a Windows 2016 VHD, you must enable TLS 1.2 inside the VM before you install the GPU extension on 2205 and higher. For detailed steps, see [Troubleshoot GPU extension issues for GPU VMs on Azure Stack Edge Pro GPU](azure-stack-edge-gpu-troubleshoot-virtual-machine-gpu-extension-installation.md#failure-to-install-gpu-extension-on-a-windows-2016-vhd).

+1. In the Azure portal of your Azure Stack Edge resource, [Add a VM image](azure-stack-edge-gpu-deploy-virtual-machine-portal.md#add-a-vm-image). You'll use this VM image to create a VM in the next step. You can choose either Gen1 or Gen2 for the VM.

+> - In the Azure portal, you can install a GPU extension during VM creation or after the VM is deployed. For steps and requirements, see [Deploy GPU virtual machines](azure-stack-edge-gpu-deploy-gpu-virtual-machine.md).

+> - If you're running a Windows 2016 VHD, you must enable TLS 1.2 inside the VM before you install the GPU extension on 2205 and higher. For detailed steps, see [Troubleshoot GPU extension issues for GPU VMs on Azure Stack Edge Pro GPU](azure-stack-edge-gpu-troubleshoot-virtual-machine-gpu-extension-installation.md#failure-to-install-gpu-extension-on-a-windows-2016-vhd).

+ Here's an example where Port 2 was connected to the internet and was used to enable the compute network. If Kubernetes isn't deployed on your environment, you can skip the Kubernetes node IP and external service IP assignment.

+1. Verify that the client you'll use to access your device is still connected to the Azure Resource Manager over Azure PowerShell. The connection to Azure Resource Manager expires every 1.5 hours or if your Azure Stack Edge device restarts. If this happens, any cmdlets that you execute will return error messages to the effect that you aren't connected to Azure anymore. You'll need to sign in again. For detailed instructions, see [Connect to Azure Resource Manager on your Azure Stack Edge device](azure-stack-edge-gpu-connect-resource-manager.md).

+#### Version 2205 and higher

+The file `addGPUExtWindowsVM.parameters.json` takes the following parameters:

+```json

+"parameters": {

+ "vmName": {

+ "value": "<name of the VM>"

+ },

+ "extensionName": {

+ "value": "<name for the extension. Example: windowsGpu>"

+ },

+ "publisher": {

+ "value": "Microsoft.HpcCompute"

+ },

+ "type": {

+ "value": "NvidiaGpuDriverWindows"

+ },

+ "typeHandlerVersion": {

+ "value": "1.5"

+ },

+ "settings": {

+ "value": {

+ "DriverURL" : "http://us.download.nvidia.com/tesla/511.65/511.65-data-center-tesla-desktop-winserver-2016-2019-2022-dch-international.exe",

+ "DriverCertificateUrl" : "https://go.microsoft.com/fwlink/?linkid=871664",

+ "DriverType":"CUDA"

+ }

+ }

+ }

+```

+#### Versions lower than 2205

+

+To deploy Nvidia GPU drivers for an existing Linux VM, edit the `addGPUExtWindowsVM.parameters.json` parameters file and then deploy the template `addGPUextensiontoVM.json`.

+#### Version 2205 and higher

+If using Ubuntu or Red Hat Enterprise Linux (RHEL), the `addGPUExtLinuxVM.parameters.json` file takes the following parameters:

+```powershell

+"parameters": {

+ "vmName": {

+ "value": "<name of the VM>"

+ },

+ "extensionName": {

+ "value": "<name for the extension. Example: linuxGpu>"

+ },

+ "publisher": {

+ "value": "Microsoft.HpcCompute"

+ },

+ "type": {

+ "value": "NvidiaGpuDriverLinux"

+ },

+ "typeHandlerVersion": {

+ "value": "1.8"

+ },

+ "settings": {

+ }

+ }

+ }

+```

+#### Versions lower than 2205

+Here's a sample Ubuntu parameter file that was used in this article:

+- After you created the GPU VM, register and subscribe the VM with the Red Hat Customer portal. If your VM isn't properly registered, installation doesn't proceed as the VM isn't entitled. See [Register and automatically subscribe in one step using the Red Hat Subscription Manager](https://access.redhat.com/solutions/253273). This step allows the installation script to download relevant packages for the GPU driver.

+Deploy the template `addGPUextensiontoVM.json` to install the extension on an existing VM.

+Run the following command:

+RGName = "<Name of your resource group>"

+Here's a sample output:

+ ```powershell

+ PS C:\WINDOWS\system32> "C:\12-09-2020\ExtensionTemplates\addGPUextensiontoVM.json"

+ C:\12-09-2020\ExtensionTemplates\addGPUextensiontoVM.json

+ PS C:\WINDOWS\system32> $templateFile = "C:\12-09-2020\ExtensionTemplates\addGPUextensiontoVM.json"

+ PS C:\WINDOWS\system32> $templateParameterFile = "C:\12-09-2020\ExtensionTemplates\addGPUExtWindowsVM.parameters.json"

+ PS C:\WINDOWS\system32> $RGName = "myasegpuvm1"

+ PS C:\WINDOWS\system32> New-AzureRmResourceGroupDeployment -ResourceGroupName $RGName -TemplateFile $templateFile -TemplateParameterFile $templateParameterFile -Name "deployment3"

+ DeploymentName : deployment3

+ ResourceGroupName : myasegpuvm1

+ ProvisioningState : Succeeded

+ Timestamp : 12/16/2020 12:18:50 AM

+ Mode : Incremental

+ TemplateLink :

+ Parameters :

+ Outputs :

+ DeploymentDebugLogLevel :

+ PS C:\WINDOWS\system32>

+ ```

+Deploy the template `addGPUextensiontoVM.json` to install the extension to an existing VM.

+Run the following command:

+Here's a sample output:

+To check the deployment state of extensions for a given VM, open another PowerShell session (run as administrator), and then run the following command:

+Here's a sample output:

+To check the deployment state of extensions for a given VM, open another PowerShell session (run as administrator), and then run the following command:

+Here's a sample output:

+Sign in to the VM and run the nvidia-smi command-line utility installed with the driver.

+#### Version 2205 and higher

+The `nvidia-smi.exe` is located at `C:\Windows\System32\nvidia-smi.exe`. If you don't see the file, it's possible that the driver installation is still running in the background. Wait for 10 minutes and check again.

+#### Versions lower than 2205

+The `nvidia-smi.exe` is located at `C:\Program Files\NVIDIA Corporation\NVSMI\nvidia-smi.exe`. If you don't see the file, it's possible that the driver installation is still running in the background. Wait for 10 minutes and check again.

+If the driver is installed, you see an output similar to the following sample:

+ Here's a sample output:

+2. Run the nvidia-smi command-line utility installed with the driver. If the driver is successfully installed, you'll be able to run the utility and see the following output:

+Here's a sample output:

+ |VM generation |Choose Gen 1 or Gen 2 as the generation of the image you'll use to create the VM. |

+ 

+ 

+ New-AzureRmImage -Image Microsoft.Azure.Commands.Compute.Automation.Models.PSImage -ImageName ig201221071831 -ResourceGroupName rg201221071831 -HyperVGeneration V1

+ $hyperVGeneration = "<Generation of the image: V1 or V2>"

+ $imageConfig = New-AzImageConfig -Location DBELocal -HyperVGeneration $hyperVGeneration

+# Deploy VMs on your Azure Stack Edge Pro GPU device via templates

+ "hyperVGeneration": {

+ "type": "string",

+ "value": "<Generation of the VM, V1 or V2>

+ },

+1. Provide the OS type and Hyper V Generation corresponding to the VHD you'll upload. The OS type can be Windows or Linux and the VM Generation can be V1 or V2.

+ },

+ "hyperVGeneration": {

+ "value": "V2"

+ },

+ }

+ "hyperVGeneration": {

+ "value": "V1"

+ },

+ }

+4. Under **Specify Generation**, select **Generation 1** or **Generation 2**. Then select **Next >**.

+1. On the **Specify generation** page, choose **Generation 1** or **Generation 2** for the .vhd device image type, and then select **Next**.

+ Kubernetes is required to deploy all containerized workloads. See more information on [Compute network settings](azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy.md#configure-virtual-switches).

+## In versions lower than 2205, Linux GPU extension installs old signing keys: signature and/or required key missing

+**Error description:** The Linux GPU extension installs old signing keys, preventing download of the required GPU driver. In this case, you'll see the following error in the syslog of the Linux VM:

+

+ ```powershell

+ /var/log/syslog and /var/log/waagent.log

+ May  5 06:04:53 gpuvm12 kernel: [  833.601805] nvidia:module verification failed: signature and/or required key missing- tainting kernel

+ ```

+**Suggested solutions:** You have two options to mitigate this issue:

+

+- **Option 1:** Apply the Azure Stack Edge 2205 updates to your device.

+- **Option 2:** After creating a GPU virtual machine of size in NCasT4_v3-series, manually install the new signing keys before installing the extension, then set required signing keys using steps in [Updating the CUDA Linux GPG Repository Key | NVIDIA Technical Blog](https://developer.nvidia.com/blog/updating-the-cuda-linux-gpg-repository-key/).

+ Here's an example that installs signing keys on an Ubuntu 1804 virtual machine:

+ ```powershell

+ $ sudo apt-key adv --fetch-

+ keys https://developer.download.nvidia.com/compute/cuda/repos/ubuntu1804/x86_64/3bf863cc.pub

+ ```

+## Failure to install GPU extension on a Windows 2016 VHD

+**Error description:** This is a known issue in versions lower than 2205. The GPU extension requires TLS 1.2. In this case, you may see the following error message:

+ ```azurecli

+ Failed to download https://go.microsoft.com/fwlink/?linkid=871664 after 10 attempts. Exiting!

+ ```

+Additional details:

+- Check the guest log for the associated error. To collect the guest logs, see [Collect guest logs for VMs on an Azure Stack Edge Pro GPU device](azure-stack-edge-gpu-collect-virtual-machine-guest-logs.md).

+- On a Linux VM, look in `/var/log/waagent.log` or `/var/log/azure/nvidia-vmext-status`.

+- On a Windows VM, find the error status in `C:\Packages\Plugins\Microsoft.HpcCompute.NvidiaGpuDriverWindows\1.3.0.0\Status`.

+- Review the complete execution log in `C:\WindowsAzure\Logs\WaAppAgent.txt`.

+If the installation failed during the package download, that error indicates the VM couldn't access the public network to download the driver.

+**Suggested solution:** Use the following steps to enable TLS 1.2 on a Windows 2016 VM, and then deploy the GPU extension.

+1. Run the following command inside the VM to enable TLS 1.2:

+ ```powershell

+ sp hklm:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 SchUseStrongCrypto 1

+ ```

+1. Deploy the template `addGPUextensiontoVM.json` to install the extension on an existing VM. You can install the extension manually, or you can install the extension from the Azure portal.

+ - To install the extension manually, see [Install GPU extension on VMs for your Azure Stack Edge Pro GPU device](azure-stack-edge-gpu-deploy-virtual-machine-install-gpu-extension.md)

+ - To install the template using the Azure portal, see [Deploy GPU VMs on your Azure Stack Edge Pro GPU device](azure-stack-edge-gpu-deploy-gpu-virtual-machine.md).

+ > [!NOTE]

+ > The extension deployment is a long running job and takes about 10 minutes to complete.

+## Manually install the Nvidia driver on RHEL 7

+**Error description:** When installing the GPU extension on an RHEL 7 VM, the installation may fail due to a certificate rotation issue and an incompatible driver version.

+**Suggested solution:** In this case, you have two options:

+- **Option 1:** Resolve the certificate rotation issue and then install an Nvidia driver lower than version 510.

+ 1. To resolve the certificate rotation issue, run the following command:

+ ```powershell

+ $ sudo yum-config-manager --add-repo https://developer.download.nvidia.com/compute/cuda/repos/rhel7/$arch/cuda-rhel7.repo

+ ```

+

+ 1. Install an Nvidia driver lower than version 510.

+- **Option 2:** Deploy the GPU extension. Use the following settings when deploying the ARM extension:

+

+ ```powershell

+ settings": {

+ "isCustomInstall": true,

+ "InstallMethod": 0,

+ "DRIVER_URL": " https://developer.download.nvidia.com/compute/cuda/11.4.4/local_installers/cuda-repo-rhel7-11-4-local-11.4.4_470.82.01-1.x86_64.rpm",

+ "DKMS_URL" : " https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm",

+ "LIS_URL": " https://aka.ms/lis",

+ "LIS_RHEL_ver": "3.10.0-1062.9.1.el7"

+ }

+ ```

+On your device, you can use Generation 1 or Generation 2 VMs with a fixed virtual hard disk (VHD) format. VHDs are used to store the machine operating system (OS) and data. VHDs are also used for the images you use to install an OS.

+- Make sure that you've followed the instructions in [Enable compute network](azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy.md#configure-virtual-switches) and:

+> Learn more about this change in [the release note](release-notes-archive.md#microsoft-defender-for-containers-plan-released-for-general-availability-ga).

+> Learn more about this change in [the release note](release-notes-archive.md#microsoft-defender-for-containers-plan-released-for-general-availability-ga).

+ Title: Driving your organization to remediate security issues with recommendation governance in Microsoft Defender for Cloud

+description: Learn how to assign owners and due dates to security recommendations and create rules to automatically assign owners and due dates

+# Drive your organization to remediate security recommendations with governance

+Security teams are responsible for improving the security posture of their organizations but they may not have the resources or authority to actually implement security recommendations. [Assigning owners with due dates](#manually-assigning-owners-and-due-dates-for-recommendation-remediation) and [defining governance rules](#building-an-automated-process-for-improving-security-with-governance-rules) creates accountability and transparency so you can drive the process of improving the security posture in your organization.

+Stay on top of the progress on the recommendations in the security posture. Weekly email notifications to the owners and managers make sure that they take timely action on the recommendations that can improve your security posture and recommendations.

+## Building an automated process for improving security with governance rules

+To make sure your organization is systematically improving its security posture, you can define rules that assign an owner and set the due date for resources in the specified recommendations. That way resource owners have a clear set of tasks and deadlines for remediating recommendations.

+You can then review the progress of the tasks by subscription, recommendation, or owner so you can follow up with tasks that need more attention.

+### Availability

+|Aspect|Details|

+|-|:-|

+|Release state:|Preview.<br>[!INCLUDE [Legalese](../../includes/defender-for-cloud-preview-legal-text.md)]|

+|Pricing:|Free|

+|Required roles and permissions:|Azure - **Contributor**, **Security Admin**, or **Owner** on the subscription<br>AWS, GCP ΓÇô **Contributor**, **Security Admin**, or **Owner** on the connector|

+|Clouds:|:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/no-icon.png"::: National (Azure Government, Azure China 21Vianet)<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Connected AWS accounts<br>:::image type="icon" source="./media/icons/yes-icon.png"::: Connected GCP accounts|

+### Defining governance rules to automatically set the owner and due date of recommendations

+Governance rules can identify resources that require remediation according to specific recommendations or severities, and the rule assigns an owner and due date to make sure the recommendations are handled. Many governance rules can apply to the same recommendations, so the rule with lower priority value is the one that assigns the owner and due date.

+The due date set for the recommendation to be remediated is based on a timeframe of 7, 14, 30, or 90 days from when the recommendation is found by the rule. For example, if the rule identifies the resource on March 1st and the remediation timeframe is 14 days, March 15th is the due date. You can apply a grace period so that the resources that are given a due date don't impact your secure score until they're overdue.

+You can also set the owner of the resources that are affected by the specified recommendations. In organizations that use resource tags to associate resources with an owner, you can specify the tag key and the governance rule reads the name of the resource owner from the tag.

+By default, email notifications are sent to the resource owners weekly to provide a list of the on time and overdue tasks. If an email for the owner's manager is found in the organizational Azure Active Directory (Azure AD), the owner's manager receives a weekly email showing any overdue recommendations by default.

+To define a governance rule that assigns an owner and due date:

+1. In the **Environment settings**, select the Azure subscription, AWS account, or Google project that you want to define the rule for.

+1. In **Governance rules (preview)**, select **Add rule**.

+1. Enter a name for the rule.

+1. Set a priority for the rule. You can see the priority for the existing rules in the list of governance rules.

+1. Select the recommendations that the rule applies to, either:

+ - **By severity** - The rule assigns the owner and due date to any recommendation in the subscription that doesn't already have them assigned.

+ - **By name** - Select the specific recommendations that the rule applies to.

+1. Set the owner to assign to the recommendations either:

+ - **By resource tag** - Enter the resource tag on your resources that defines the resource owner.

+ - **By email address** - Enter the email address of the owner to assign to the recommendations.

+1. Set the **remediation timeframe**, which is the time between when the resources are identified to require remediation and the time that the remediation is due.

+1. If you don't want the resources to affect your secure score until they're overdue, select **Apply grace period**.

+1. If you don't want either the owner or the owner's manager to receive weekly emails, clear the notification options.

+1. Select **Create**.

+If there are existing recommendations that match the definition of the governance rule, you can either:

+- Assign an owner and due date to recommendations that don't already have an owner or due date.

+- Overwrite the owner and due date of existing recommendations.

+## Manually assigning owners and due dates for recommendation remediation

+For every resource affected by a recommendation, you can assign an owner and a due date so that you know who needs to implement the security changes to improve your security posture and when they're expected to do it by. You can also apply a grace period so that the resources that are given a due date don't impact your secure score unless they become overdue.

+To manually assign owners and due dates to recommendations:

+1. Go to the list of recommendations:

+ - In the Defender for Cloud overview, select **Security posture** and then select **View recommendations** for the environment that you want to improve.

+ - Go to **Recommendations** in the Defender for Cloud menu.

+1. In the list of recommendations, use the **Potential score increase** to identify the security control that contains recommendations that will increase your secure score.

+ > [!TIP]

+ > You can also use the search box and filters above the list of recommendations to find specific recommendations.

+1. Select a recommendation to see the affected resources.

+1. For any resource that doesn't have an owner or due date, select the resources and select **Assign owner**.

+1. Enter the email address of the owner that needs to make the changes that remediate the recommendation for those resources.

+1. Select the date by which to remediate the recommendation for the resources.

+1. You can select **Apply grace period** to keep the resource from impacting the secure score until it's overdue.

+1. Select **Save**.

+The recommendation is now shown as assigned and on time.

+## Tracking the status of recommendations for further action

+After you define governance rules, you'll want to review the progress that the owners are making in remediating the recommendations.

+You can track the assigned and overdue recommendations in:

+- The security posture shows the number of unassigned and overdue recommendations.

+ :::image type="content" source="./media/governance-rules/governance-in-security-posture.png" alt-text="Screenshot of governance status in the security posture.":::

+- The list of recommendations shows the governance status of each recommendation.

+ :::image type="content" source="./media/governance-rules/governance-in-recommendations.png" alt-text="Screenshot of recommendations with their governance status." lightbox="media/governance-rules/governance-in-recommendations.png":::

+- The governance report in the governance rules settings lets you drill down into recommendations by rule and owner.

+ :::image type="content" source="./media/governance-rules/governance-in-workbook.png" alt-text="Screenshot of governance status by rule and owner in the governance workbook." lightbox="media/governance-rules/governance-in-workbook.png":::

+### Tracking progress by rule with the governance report

+The governance report lets you select subscriptions that have governance rules and, for each rule and owner, shows you how many recommendations are completed, on time, overdue, or unassigned.

+To review the status of the recommendations in a rule:

+1. In **Recommendations**, select **Governance report (preview)**.

+1. Select the subscriptions that you want to review.

+1. Select the rules that you want to see details about.

+You can see the list of owners and recommendations for the selected rules, and their status.

+To see the list of recommendations for each owner:

+1. Select **Security posture**.

+1. Select the **Owner (preview)** tab to see the list of owners and the number of overdue recommendations for each owner.

+ - Hover over the (i) in the overdue recommendations to see the breakdown of overdue recommendations by severity.

+ - If the owner email address is found in the organizational Azure Active Directory (Azure AD), you'll see the full name and picture of the owner.

+1. Select **View recommendations** to go to the list of recommendations associated with the owner.

+## Next steps

+In this article, you learned how to set up a process for assigning owners and due dates to tasks so that owners are accountable for taking steps to improve your security posture.

+Check out how owners can [set ETAs for tasks](review-security-recommendations.md#manage-the-owner-and-eta-of-recommendations-that-are-assigned-to-you) so that they can manage their progress.

+>

+1. From the list of recommendations that have the **Fix** action icon :::image type="icon" source="media/implement-security-recommendations/fix-icon.png" border="false":::, select a recommendation.

+## December 2021

+Updates in December include:

+- [Microsoft Defender for Containers plan released for general availability (GA)](#microsoft-defender-for-containers-plan-released-for-general-availability-ga)

+- [New alerts for Microsoft Defender for Storage released for general availability (GA)](#new-alerts-for-microsoft-defender-for-storage-released-for-general-availability-ga)

+- [Improvements to alerts for Microsoft Defender for Storage](#improvements-to-alerts-for-microsoft-defender-for-storage)

+- ['PortSweeping' alert removed from network layer alerts](#portsweeping-alert-removed-from-network-layer-alerts)

+### Microsoft Defender for Containers plan released for general availability (GA)

+Over two years ago, we introduced [Defender for Kubernetes](defender-for-kubernetes-introduction.md) and [Defender for container registries](defender-for-container-registries-introduction.md) as part of the Azure Defender offering within Microsoft Defender for Cloud.

+With the release of [Microsoft Defender for Containers](defender-for-containers-introduction.md), we've merged these two existing Defender plans.

+The new plan:

+- **Combines the features of the two existing plans** - threat detection for Kubernetes clusters and vulnerability assessment for images stored in container registries

+- **Brings new and improved features** - including multicloud support, host level threat detection with over **sixty** new Kubernetes-aware analytics, and vulnerability assessment for running images

+- **Introduces Kubernetes-native at-scale onboarding** - by default, when you enable the plan all relevant components are configured to be deployed automatically

+With this release, the availability and presentation of Defender for Kubernetes and Defender for container registries has changed as follows:

+- New subscriptions - The two previous container plans are no longer available

+- Existing subscriptions - Wherever they appear in the Azure portal, the plans are shown as **Deprecated** with instructions for how to upgrade to the newer plan

+ :::image type="content" source="media/release-notes/defender-plans-deprecated-indicator.png" alt-text="Defender for container registries and Defender for Kubernetes plans showing 'Deprecated' and upgrade information.":::

+The new plan is free for the month of December 2021. For the potential changes to the billing from the old plans to Defender for Containers, and for more information on the benefits introduced with this plan, see [Introducing Microsoft Defender for Containers](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/introducing-microsoft-defender-for-containers/ba-p/2952317).

+For more information, see:

+- [Overview of Microsoft Defender for Containers](defender-for-containers-introduction.md)

+- [Enable Microsoft Defender for Containers](defender-for-containers-enable.md)

+- [Introducing Microsoft Defender for Containers - Microsoft Tech Community](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/introducing-microsoft-defender-for-containers/ba-p/2952317)

+- [Microsoft Defender for Containers | Defender for Cloud in the Field #3 - YouTube](https://www.youtube.com/watch?v=KeH0a3enLJ0&t=201s)

+### New alerts for Microsoft Defender for Storage released for general availability (GA)

+Threat actors use tools and scripts to scan for publicly open containers in the hope of finding misconfigured open storage containers with sensitive data.

+Microsoft Defender for Storage detects these scanners so that you can block them and remediate your posture.

+The preview alert that detected this was called **ΓÇ£Anonymous scan of public storage containersΓÇ¥**. To provide greater clarity about the suspicious events discovered, we've divided this into **two** new alerts. These alerts are relevant to Azure Blob Storage only.

+We've improved the detection logic, updated the alert metadata, and changed the alert name and alert type.

+These are the new alerts:

+| Alert (alert type) | Description | MITRE tactic | Severity |

+|||--|-|

+| **Publicly accessible storage containers successfully discovered**<br>(Storage.Blob_OpenContainersScanning.SuccessfulDiscovery) | A successful discovery of publicly open storage container(s) in your storage account was performed in the last hour by a scanning script or tool.<br><br> This usually indicates a reconnaissance attack, where the threat actor tries to list blobs by guessing container names, in the hope of finding misconfigured open storage containers with sensitive data in them.<br><br> The threat actor may use their own script or use known scanning tools like Microburst to scan for publicly open containers.<br><br> Γ£ö Azure Blob Storage<br> Γ£û Azure Files<br> Γ£û Azure Data Lake Storage Gen2 | Collection | Medium |

+| **Publicly accessible storage containers unsuccessfully scanned**<br>(Storage.Blob_OpenContainersScanning.FailedAttempt) | A series of failed attempts to scan for publicly open storage containers were performed in the last hour. <br><br>This usually indicates a reconnaissance attack, where the threat actor tries to list blobs by guessing container names, in the hope of finding misconfigured open storage containers with sensitive data in them.<br><br> The threat actor may use their own script or use known scanning tools like Microburst to scan for publicly open containers.<br><br> Γ£ö Azure Blob Storage<br> Γ£û Azure Files<br> Γ£û Azure Data Lake Storage Gen2 | Collection | Low |

+For more information, see:

+- [Threat matrix for storage services](https://www.microsoft.com/security/blog/2021/04/08/threat-matrix-for-storage/)

+- [Introduction to Microsoft Defender for Storage](defender-for-storage-introduction.md)

+- [List of alerts provided by Microsoft Defender for Storage](alerts-reference.md#alerts-azurestorage)

+### Improvements to alerts for Microsoft Defender for Storage

+The initial access alerts now have improved accuracy and more data to support investigation.

+Threat actors use various techniques in the initial access to gain a foothold within a network. Two of the [Microsoft Defender for Storage](defender-for-storage-introduction.md) alerts that detect behavioral anomalies in this stage now have improved detection logic and additional data to support investigations.

+If you've [configured automations](workflow-automation.md) or defined [alert suppression rules](alerts-suppression-rules.md) for these alerts in the past, update them in accordance with these changes.

+#### Detecting access from a Tor exit node

+Access from a Tor exit node might indicate a threat actor trying to hide their identity.

+The alert is now tuned to generate only for authenticated access, which results in higher accuracy and confidence that the activity is malicious. This enhancement reduces the benign positive rate.

+An outlying pattern will have high severity, while less anomalous patterns will have medium severity.

+The alert name and description have been updated. The AlertType remains unchanged.

+- Alert name (old): Access from a Tor exit node to a storage account

+- Alert name (new): Authenticated access from a Tor exit node

+- Alert types: Storage.Blob_TorAnomaly / Storage.Files_TorAnomaly

+- Description: One or more storage container(s) / file share(s) in your storage account were successfully accessed from an IP address known to be an active exit node of Tor (an anonymizing proxy). Threat actors use Tor to make it difficult to trace the activity back to them. Authenticated access from a Tor exit node is a likely indication that a threat actor is trying to hide their identity. Applies to: Azure Blob Storage, Azure Files, Azure Data Lake Storage Gen2

+- MITRE tactic: Initial access

+- Severity: High/Medium

+#### Unusual unauthenticated access

+A change in access patterns may indicate that a threat actor was able to exploit public read access to storage containers, either by exploiting a mistake in access configurations, or by changing the access permissions.

+This medium severity alert is now tuned with improved behavioral logic, higher accuracy, and confidence that the activity is malicious. This enhancement reduces the benign positive rate.

+The alert name and description have been updated. The AlertType remains unchanged.

+- Alert name (old): Anonymous access to a storage account

+- Alert name (new): Unusual unauthenticated access to a storage container

+- Alert types: Storage.Blob_AnonymousAccessAnomaly

+- Description: This storage account was accessed without authentication, which is a change in the common access pattern. Read access to this container is usually authenticated. This might indicate that a threat actor was able to exploit public read access to storage container(s) in this storage account(s). Applies to: Azure Blob Storage

+- MITRE tactic: Collection

+- Severity: Medium

+For more information, see:

+- [Threat matrix for storage services](https://www.microsoft.com/security/blog/2021/04/08/threat-matrix-for-storage/)

+- [Introduction to Microsoft Defender for Storage](defender-for-storage-introduction.md)

+- [List of alerts provided by Microsoft Defender for Storage](alerts-reference.md#alerts-azurestorage)

+### 'PortSweeping' alert removed from network layer alerts

+The following alert was removed from our network layer alerts due to inefficiencies:

+| Alert (alert type) | Description | MITRE tactics | Severity |

+||-|:--:||

+| **Possible outgoing port scanning activity detected**<br>(PortSweeping) | Network traffic analysis detected suspicious outgoing traffic from %{Compromised Host}. This traffic may be a result of a port scanning activity. When the compromised resource is a load balancer or an application gateway, the suspected outgoing traffic has been originated from to one or more of the resources in the backend pool (of the load balancer or application gateway). If this behavior is intentional, please note that performing port scanning is against Azure Terms of service. If this behavior is unintentional, it may mean your resource has been compromised. | Discovery | Medium |

+A new **environment settings** page provides greater visibility and control over your management groups, subscriptions, and AWS accounts. The page is designed to onboard AWS accounts at scale: connect your AWS **management account**, and you'll automatically onboard existing and future accounts.

+Microsoft Defender for Cloud's security recommendations are enabled and supported by the Azure Security Benchmark.

+Defender for Cloud.

+Enhancements for v3 include:

+ - **Security Principles** - Providing insight into the overall security objectives that build the foundation for our recommendations.

+ - **Azure Guidance** - The technical ΓÇ£how-toΓÇ¥ for meeting these objectives.

+We've also enhanced the "Auditing on SQL server should be enabled" recommendation with the same Sentinel streaming capabilities.

+Use the security recommendation "[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/ffff0522-1e88-47fc-8382-2a80ba848f5d)" to surface the vulnerabilities detected by threat and vulnerability management for your [supported machines](/microsoft-365/security/defender-endpoint/tvm-supported-os?view=o365-worldwide&preserve-view=true).

+To use these features, you'll need to enable the [integration with Microsoft Defender for Endpoint](integration-defender-for-endpoint.md).

+You can safely ignore the policies and recommendation ("Kubernetes clusters should gate deployment of vulnerable images") and there will be no impact on your environment.

+We've extended the integration between [Azure Defender for Servers](defender-for-servers-introduction.md) and Microsoft Defender for Endpoint, to support a new vulnerability assessment provider for your machines: [Microsoft threat and vulnerability management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt).

+Use the security recommendation "[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/ffff0522-1e88-47fc-8382-2a80ba848f5d)" to surface the vulnerabilities detected by threat and vulnerability management for your [supported machines](/microsoft-365/security/defender-endpoint/tvm-supported-os?view=o365-worldwide&preserve-view=true).

+The [asset inventory](asset-inventory.md) page now includes a filter to select machines running specific software - and even specify the versions of interest.

+To use these new features, you'll need to enable the [integration with Microsoft Defender for Endpoint](integration-defender-for-endpoint.md).

+### Changed prefix of some alert types from "ARM_" to "VM_"

+In July 2021, we announced a [logical reorganization of Azure Defender for Resource Manager alerts](release-notes-archive.md#logical-reorganization-of-azure-defender-for-resource-manager-alerts)

+The recommendation "Kubernetes clusters should not use the default namespace" prevents usage of the default namespace for a range of resource types. Two of the resource types that were included in this recommendation have been removed: ConfigMap and Secret.

+To clarify the relationships between different recommendations, we've added a **Related recommendations** area to the details pages of many recommendations.

+- Recommendation #1 is a prerequisite for recommendation #2

+- Recommendation #2 depends upon recommendation #1

+The regulatory compliance dashboard's toolbar offers Azure and Dynamics certification reports for the standards applied to your subscriptions.

+With this update, you can now set Security Center to automatically provision this extension to all supported machines.

+- [Logical reorganization of Azure Defender for Resource Manager alerts](#logical-reorganization-of-azure-defender-for-resource-manager-alerts)

+- [Enhancements to recommendation to enable Azure Disk Encryption (ADE)](#enhancements-to-recommendation-to-enable-azure-disk-encryption-ade)

+Security Center natively integrates with [Azure Sentinel](../sentinel/index.yml), Azure's cloud-native SIEM and SOAR solution.

+| **Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources** | By default, a virtual machineΓÇÖs OS and data disks are encrypted-at-rest using platform-managed keys; temp disks and data caches arenΓÇÖt encrypted, and data isnΓÇÖt encrypted when flowing between compute and storage resources. For a comparison of different disk encryption technologies in Azure, see <https://aka.ms/diskencryptioncomparison>.<br>Use Azure Disk Encryption to encrypt all this data. Disregard this recommendation if: (1) youΓÇÖre using the encryption-at-host feature, or (2) server-side encryption on Managed Disks meets your security requirements. Learn more in Server-side encryption of Azure Disk Storage. | High |

+With this update, these two options are released for general availability (GA).

+We've now added a workbook dedicated to tracking a subscription's compliance with the regulatory or industry standards applied to it.

+ - [Introduction to Azure Defender for Resource Manager](defender-for-resource-manager-introduction.md)

+ - [Respond to Azure Defender for Resource Manager alerts](defender-for-resource-manager-usage.md)

+ - [List of alerts provided by Azure Defender for Resource Manager](alerts-reference.md#alerts-resourcemanager)

+ - [Introduction to Azure Defender for DNS](defender-for-dns-introduction.md)

+ - [Respond to Azure Defender for DNS alerts](defender-for-dns-usage.md)

+ - [List of alerts provided by Azure Defender for DNS](alerts-reference.md#alerts-dns)

+> Enabling Azure Defender plans results in charges. Learn about the pricing details per region on Security Center's [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).

+>

+Learn more in [Trusted launch for Azure virtual machines](../virtual-machines/trusted-launch.md).

+| REST API call | GET <https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Security/assessments?api-version=2019-01-01-preview&$expand=statusEvaluationDates> |

+Security Center's resource health has been expanded, enhanced, and improved to provide a snapshot view of the overall health of a single resource.

+Azure Defender for Kubernetes is expanding its threat protection capabilities to defend your clusters wherever they're deployed. This has been enabled by integrating with [Azure Arc-enabled Kubernetes](../azure-arc/kubernetes/overview.md) and its new [extensions capabilities](../azure-arc/kubernetes/extensions.md).

+When you enable Azure Defender for Servers running Windows Server, a license for Defender for Endpoint is included with the plan. If you've already enabled Azure Defender for Servers and you have Windows Server 2019 servers in your subscription, they'll automatically receive Defender for Endpoint with this update. No manual action is required.

+Enabling Azure Defender plans results in charges. Learn about the pricing details per region on Security Center's [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).

+ - **Guest Configuration extension should be installed on your machines**

+ - **Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity**

+ - **Windows Defender Exploit Guard should be enabled on your machines**

+ - **Authentication to Linux machines should require SSH keys**

+### Two recommendations from "Apply system updates" security control were deprecated

+### 21 recommendations moved between security controls

+When you open Azure Security Center, the first page to appear is the overview page.

+From the regulatory compliance dashboard's toolbar, you can now download Azure and Dynamics certification reports.

+### Two legacy recommendations no longer write data directly to Azure activity log

+### Recommendations page enhancements

+When you enable Azure Defender for Servers running Windows Server, a license for Defender for Endpoint is included with the plan. If you've already enabled Azure Defender for Servers and you have Windows Server 2019 servers in your subscription, they'll automatically receive Defender for Endpoint with this update. No manual action is required.

+Use this link to view the policy definition and review the evaluation logic.

+ - **Counts** - Each filter presents the number of resources that meet the criteria of each category

+ :::image type="content" source="media/release-notes/counts-in-inventory-filters.png" alt-text="Counts in the filters in the asset inventory page of Azure Security Center.":::

+ - **Contains exemptions filter** (Optional) - narrow the results to resources that have/haven't got exemptions. This filter isn't shown by default, but is accessible from the **Add filter** button.

+ :::image type="content" source="media/release-notes/adding-contains-exemption-filter.gif" alt-text="Adding the filter 'contains exemption' in Azure Security Center's asset inventory page":::

+From this release, the benchmark is the foundation for Security CenterΓÇÖs recommendations and fully integrated as the default policy initiative.

+Existing recommendations are unaffected and as the benchmark grows, changes will automatically be reflected within Security Center.

+Subdomain takeovers are a common, high-severity threat for organizations. A subdomain takeover can occur when you have a DNS record that points to a deprovisioned web site. Such DNS records are also known as "dangling DNS" entries. CNAME records are especially vulnerable to this threat.

+[Azure Security Benchmark](/security/benchmark/azure/introduction) is the default policy initiative in Azure Security Center.

+### CSV export of filtered list of recommendations

+In November 2020, we added filters to the recommendations page ([Recommendations list now includes filters](release-notes-archive.md#recommendations-list-now-includes-filters)). In December, we expanded those filters ([Recommendations page has new filters for environment, severity, and available responses](release-notes-archive.md#recommendations-page-has-new-filters-for-environment-severity-and-available-responses)).

+With this announcement, we're changing the behavior of the **Download to CSV** button so that the CSV export only includes the recommendations currently displayed in the filtered list.

+For example, in the image below you can see that the list has been filtered to two recommendations. The CSV file that is generated includes the status details for every resource affected by those two recommendations.

+- **Azure Defender for Azure SQL database servers** - defends your Azure-native SQL Servers

+- **Advanced threat protection** to detect threats and attacks

+A user with the Azure Active Directory role of **Global Administrator** might have tenant-wide responsibilities, but lack the Azure permissions to view that organization-wide information in Azure Security Center.

+ - [Introduction to Azure Defender for Resource Manager](defender-for-resource-manager-introduction.md)

+ - [Respond to Azure Defender for Resource Manager alerts](defender-for-resource-manager-usage.md)

+ - [List of alerts provided by Azure Defender for Resource Manager](alerts-reference.md#alerts-resourcemanager)

+ - [Introduction to Azure Defender for DNS](defender-for-dns-introduction.md)

+ - [Respond to Azure Defender for DNS alerts](defender-for-dns-usage.md)

+ - [List of alerts provided by Azure Defender for DNS](alerts-reference.md#alerts-dns)

+### Revitalized Security Center experience in Azure SQL Database & SQL Managed Instance

+- **Findings** ΓÇô a vulnerability assessment service that continuously monitors Azure SQL configurations and helps remediate vulnerabilities. Assessment scans provide an overview of Azure SQL security states together with detailed security findings.

+- **Guides and feedback** added to the toolbar. This opens a pane with links to related information and tools.

+- **Operator options** for each filter. Now you can choose from more logical operators other than '='. For example, you might want to find all resources with active recommendations whose titles include the string 'encrypt'.

+The recommendation "Web apps should request an SSL certificate for all incoming requests" has been moved from the security control **Manage access and permissions** (worth a maximum of 4 pts) into **Implement security best practices** (which is worth no points).

+With this change, the recommendation is now a recommended best practice that does not impact your score.

+ > The response actions filter replaces the **Quick fix available (Yes/No)** filter.

+ >

+ >

+ - **Check whether the configuration is enabled.** If it isn't, the policy will show as non-compliant and create a compliant resource. Learn more about the supplied Azure Policy templates in the "Deploy at scale with Azure Policy tab" in [Set up a continuous export](continuous-export.md#set-up-a-continuous-export).

+ - **Support exporting security findings.** When using the Azure Policy templates, you can configure your continuous export to include findings. This is relevant when exporting recommendations that have 'sub' recommendations, like findings from vulnerability assessment scanners or specific system updates for the 'parent' recommendation "System updates should be installed on your machines".

+ - **Support exporting secure score data.**

+The NIST SP 800-171 R2 standard is now available as a built-in initiative for use with Azure Security Center's regulatory compliance dashboard. The mappings for the controls are described in [Details of the NIST SP 800-171 R2 Regulatory Compliance built-in initiative](../governance/policy/samples/nist-sp-800-171-r2.md).

+The auto provisioning feature helps reduce management overhead by installing the required extensions on new - and existing - Azure VMs so they can benefit from Security Center's protections.

+- Enriched data for the recommendation from Azure Resource Graph (ARG). ARG is an Azure service that's designed to provide efficient resource exploration. You can use ARG to query at scale across a given set of subscriptions so that you can effectively govern your environment.

+Azure Resource Graph is a service in Azure that is designed to provide efficient resource exploration with the ability to query at scale across a given set of subscriptions so that you can effectively govern your environment.

+### Security Center gets a new look

+**Azure Defender** is the cloud workload protection platform (CWPP) integrated within Security Center for advanced, intelligent, protection of your Azure and hybrid workloads. It replaces Security Center's standard pricing tier option.

+Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords.

+### Azure Defender for Storage protection for Files and ADLS Gen2 is generally available

+Occasionally, a resource will be listed as unhealthy regarding a specific recommendation (and therefore lowering your secure score) even though you feel it shouldn't be. It might have been remediated by a process not tracked by Security Center. Or perhaps your organization has decided to accept the risk for that specific resource.

+Onboarding your AWS and GCP projects into Security Center, integrates AWS Security Hub, GCP Security Command and Azure Security Center.

+Security Center's integrated vulnerability assessment tools return findings about your resources as actionable recommendations within a 'parent' recommendation such as "Vulnerabilities in your virtual machines should be remediated".

+Security misconfigurations are a major cause of security incidents. Security Center now has the ability to help *prevent* misconfigurations of new resources with regard to specific recommendations.

+### Network security group recommendations improved

+The following areas of the emails regarding security alerts have been improved:

+### Secure score doesn't include preview recommendations

+Security Center now provides a security recommendation whenever it identifies an Azure subscription without security defaults enabled. Until now, Security Center recommended enabling multi-factor authentication using conditional access, which is part of the Azure Active Directory (AD) premium license. For customers using Azure AD free, we now recommend enabling security defaults.

+The recommendation, **Service principals should be used to protect your subscriptions instead of Management Certificates** advises you to use Service Principals or Azure Resource Manager to more securely manage your subscriptions.

+You can safely ignore these policies and there will be no impact on your environment. If you'd like to enable them, sign up for the preview at <https://aka.ms/SecurityPrP> and select from the following options:

+When deploying a vulnerability assessment solution, Security Center previously performed a validation check before deploying. The check was to confirm a marketplace SKU of the destination virtual machine.

+Threat protection for Azure Storage detects potentially harmful activity on your Azure Storage accounts. Security Center displays alerts when it detects attempts to access or exploit your storage accounts.

+The recommendations also include the quick fix capability.

+>

+To improve the clarity and guidance regarding Azure Security Center's container security capabilities, we've also refreshed the container security documentation pages.

+- A new recommendation identifies potentially legitimate behavior that hasn't previously been allowed. The new recommendation, **Allowlist rules in your adaptive application control policy should be updated**, prompts you to add new rules to the existing policy to reduce the number of false positives in adaptive application controls violation alerts.

+- Path rules now support wildcards. From this update, you can configure allowed path rules using wildcards. There are two supported scenarios:

+ - Using a wildcard at the end of a path to allow all executables within this folder and sub-folders

+ - Using a wildcard in the middle of a path to enable a known executable name with a changing folder name (e.g. personal user folders with a known executable, automatically generated folder names, etc.).

+The recommendations also include the Quick fix capability to help speed up the deployment process.

+This new feature (currently in preview) helps reduce alert fatigue. Use rules to automatically hide alerts that are known to be innocuous or related to normal activities in your organization. This lets you focus on the most relevant threats.

+The new solution can continuously scan your virtual machines to find vulnerabilities and present the findings in Security Center.

+One security control introduced with the enhanced secure score was "Implement security best practices". Any custom recommendations created for your subscriptions were automatically placed in that control.

+### Expanded security control "Implement security best practices"

+One security control introduced with the enhanced secure score is "Implement security best practices". When a recommendation is in this control, it doesn't impact the secure score.

+Custom policies are now part of the Security Center recommendations experience, secure score, and the regulatory compliance standards dashboard. This feature is now generally available and allows you to extend your organization's security assessment coverage in Security Center.

+### Crash dump analysis capabilities migrating to fileless attack detection

+- **Proactive and timely malware detection** - The CDA approach involved waiting for a crash to occur and then running analysis to find malicious artifacts. Using fileless attack detection brings proactive identification of in-memory threats while they are running.

+- **Enriched alerts** - The security alerts from fileless attack detection include enrichments that aren't available from CDA, such as the active network connections information.

+Learn more about [customizing the set of standards in your regulatory compliance dashboard](update-regulatory-compliance-packages.md).

+The features, operation, and UI for Azure Security Center's just-in-time tools that secure your management ports have been enhanced as follows:

+- **Justification field** - When requesting access to a virtual machine (VM) through the just-in-time page of the Azure portal, a new optional field is available to enter a justification for the request. Information entered into this field can be tracked in the activity log.

+- **Automatic cleanup of redundant just-in-time (JIT) rules** - Whenever you update a JIT policy, a cleanup tool automatically runs to check the validity of your entire ruleset. The tool looks for mismatches between rules in your policy and rules in the NSG. If the cleanup tool finds a mismatch, it determines the cause and, when it's safe to do so, removes built-in rules that aren't needed anymore. The cleaner never deletes rules that you've created.

+Two security recommendations related to web applications are being deprecated:

+To counter this threat, Azure Security Center released fileless attack detection for Windows in October 2018, and has now extended fileless attack detection on Linux as well.

+- [Threat Protection for Azure Key Vault in North America regions (preview)](#threat-protection-for-azure-key-vault-in-north-america-regions-preview)

+- [Threat Protection for Azure Storage includes Malware Reputation Screening](#threat-protection-for-azure-storage-includes-malware-reputation-screening)

+- [Workflow automation with Logic Apps (preview)](#workflow-automation-with-logic-apps-preview)

+- [Quick Fix for bulk resources generally available](#quick-fix-for-bulk-resources-generally-available)

+- [Scan container images for vulnerabilities (preview)](#scan-container-images-for-vulnerabilities-preview)

+- [Additional regulatory compliance standards (preview)](#additional-regulatory-compliance-standards-preview)

+- [Threat Protection for Azure Kubernetes Service (preview)](#threat-protection-for-azure-kubernetes-service-preview)

+- [Virtual machine vulnerability assessment (preview)](#virtual-machine-vulnerability-assessment-preview)

+- [Advanced data security for SQL servers on Azure Virtual Machines (preview)](#advanced-data-security-for-sql-servers-on-azure-virtual-machines-preview)

+- [Support for custom policies (preview)](#support-for-custom-policies-preview)

+- [Extending Azure Security Center coverage with platform for community and partners](#extending-azure-security-center-coverage-with-platform-for-community-and-partners)

+- [Advanced integrations with export of recommendations and alerts (preview)](#advanced-integrations-with-export-of-recommendations-and-alerts-preview)

+- [Onboard on-prem servers to Security Center from Windows Admin Center (preview)](#onboard-on-prem-servers-to-security-center-from-windows-admin-center-preview)

+- [Managing rules with adaptive application controls improvements](#managing-rules-with-adaptive-application-controls-improvements)

+- [Control container security recommendation using Azure Policy](#control-container-security-recommendation-using-azure-policy)

+- [Just-in-time (JIT) VM access for Azure Firewall](#just-in-time-jit-vm-access-for-azure-firewall)

+- [Single click remediation to boost your security posture (preview)](#single-click-remediation-to-boost-your-security-posture-preview)

+- [Cross-tenant management](#cross-tenant-management)

+### Just-in-time (JIT) VM access for Azure Firewall

+Security Center now supports cross-tenant management scenarios as part of Azure Lighthouse. This enables you to gain visibility and manage the security posture of multiple tenants in Security Center.

+Azure Security Center (ASC) has launched new networking recommendations and improved some existing ones. Now, using Security Center ensures even greater networking protection for your resources.

+One of the biggest attack surfaces for workloads running in the public cloud are connections to and from the public Internet. Our customers find it hard to know which Network Security Group (NSG) rules should be in place to make sure that Azure workloads are only available to required source ranges. With this feature, Security Center learns the network traffic and connectivity patterns of Azure workloads and provides NSG rule recommendations, for Internet facing virtual machines. This helps our customer better configure their network access policies and limit their exposure to attacks.

+This page is updated frequently, so revisit it often.

+To learn about *planned* changes that are coming soon to Defender for Cloud, see [Important upcoming changes to Microsoft Defender for Cloud](upcoming-changes.md).

+- [Drive implementation of security recommendations to enhance your security posture](#drive-implementation-of-security-recommendations-to-enhance-your-security-posture)

+- [Filter security alerts by IP address](#filter-security-alerts-by-ip-address)

+### Drive implementation of security recommendations to enhance your security posture

+Today's increasing threats to organizations stretch the limits of security personnel to protect their expanding workloads. Security teams are challenged to implement the protections defined in their security policies.

+Now with the governance experience, security teams can assign remediation of security recommendations to the resource owners and require a remediation schedule. They can have full transparency into the progress of the remediation and get notified when tasks are overdue.

+Learn more about the governance experience in [Driving your organization to remediate security issues with recommendation governance](governance-rules.md).

+### Filter security alerts by IP address

+In many cases of attacks, you want to track alerts based on the IP address of the entity involved in the attack. Up until now, the IP appeared only in the "Related Entities" section in the single alert blade. Now, you can filter the alerts in the security alerts blade to see the alerts related to the IP address, and you can search for a specific IP address.

+> This option is included in [Azure CLI 3.7 and above](/cli/azure/update-azure-cli).

+The recommendation `Azure Cache for Redis should reside within a virtual network` (Preview) has been deprecated. WeΓÇÖve changed our guidance for securing Azure Cache for Redis instances. We recommend the use of a private endpoint to restrict access to your Azure Cache for Redis instance, instead of a virtual network.

+### Container scan alert title augmented with IP address reputation

+An IP address's reputation can indicate whether the scanning activity originates from a known threat actor, or from an actor that is using the Tor network to hide their identity. Both of these indicators, suggest that there's malicious intent. The IP address's reputation is provided by [Microsoft Threat Intelligence](https://go.microsoft.com/fwlink/?linkid=2128684).

+The following alerts will include this information:

+- `Publicly accessible storage containers have been exposed`

+For example, the added information to the title of the `Publicly accessible storage containers have been exposed` alert will look like this:

+- `Publicly accessible storage containers have been exposed`**`by a Tor exit node`**

+### Kubernetes workload protection for Arc-enabled Kubernetes clusters

+We have extended Microsoft Defender for CloudΓÇÖs database coverage. You can now enable protection for your Azure Cosmos DB databases.

+Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects any attempt to exploit databases in your Azure Cosmos DB accounts. Microsoft Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitation of your database through compromised identities, or malicious insiders.

+When potentially malicious activities are detected, security alerts are generated. These alerts are displayed in Microsoft Defender for Cloud together with the details of the suspicious activity along with the relevant investigation steps, remediation actions, and security recommendations.

+There's no impact on database performance when enabling the service, because Defender for Azure Cosmos DB doesn't access the Azure Cosmos DB account data.

+In December 2020, we introduced the preview of Defender for Resource Manager, and in May 2021 the plan was release for general availability.

+To benefit from all of the security features available from [Microsoft Defender for Servers](defender-for-servers-introduction.md) and [Microsoft Defender for SQL on machines](defender-for-sql-introduction.md), the plans must be enabled on **both** the subscription and workspace levels.

+When a machine is in a subscription with one of these plan enabled, you'll be billed for the full protections. However, if that machine is reporting to a workspace *without* the plan enabled, you won't actually receive those benefits.

+We've added two recommendations that highlight workspaces without these plans enabled, that nevertheless have machines reporting to them from subscriptions that *do* have the plan enabled.

+Defender for Cloud's auto provisioning settings has a toggle for each type of supported extension, including the Log Analytics agent.

+In a further expansion of our hybrid cloud features, we've added an option to auto provision the Log Analytics agent to machines connected to Azure Arc.

+When you enable this option, you'll be prompted for the workspace.

+### Communication with suspicious domain alert expanded to included known Log4Shell-related domains

+The following alert was previously only available to organizations who had enabled the [Microsoft Defender for DNS](defender-for-dns-introduction.md) plan.

+ - Previous name: Vulnerabilities in running container images should be remediated (powered by Qualys)

+ - New name: Running container images should have vulnerability findings resolved

+ - Previous name: Diagnostic logs should be enabled in App Service

+ - New name: Diagnostic logs in App Service should be enabled

+ Title: Improving your security posture with recommendations in Microsoft Defender for Cloud

+description: This document walks you through how to identify security recommendations that will help you improve your security posture.

+# Find recommendations that can improve your security posture

+To improve your [secure score](secure-score-security-controls.md), you have to implement the security recommendations for your environment. From the list of recommendations, you can use filters to find the recommendations that have the most impact on your score, or the ones that you were assigned to implement.

+To get to the list of recommendations:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Either:

+ - In the Defender for Cloud overview, select **Security posture** and then select **View recommendations** for the environment that you want to improve.

+ - Go to **Recommendations** in the Defender for Cloud menu.

+You can search for specific recommendations by name. Use the search box and filters above the list of recommendations to find specific recommendations, and look at the [details of the recommendation](security-policy-concept.md#security-recommendation-details) to decide whether to [remediate it](implement-security-recommendations.md), [exempt resources](exempt-resource.md), or [disable the recommendation](tutorial-security-policy.md#disable-security-policies-and-disable-recommendations).

+## Finding recommendations with high impact on your secure score<a name="monitor-recommendations"></a>

+Your [secure score is calculated](secure-score-security-controls.md?branch=main#how-your-secure-score-is-calculated) based on the security recommendations that you have implemented. In order to increase your score and improve your security posture, you have to find recommendations with unhealthy resources and [remediate those recommendations](implement-security-recommendations.md).

+The list of recommendations shows the **Potential score increase** that you can achieve when you remediate all of the recommendations in the security control.

+To find recommendations that can improve your secure score:

+1. In the list of recommendations, use the **Potential score increase** to identify the security control that contains recommendations that will increase your secure score.

+ - You can also use the search box and filters above the list of recommendations to find specific recommendations.

+1. Open a security control to see the recommendations that have unhealthy resources.

+When you [remediate](implement-security-recommendations.md) all of the recommendations in the security control, your secure score increases by the percentage points listed for the control.

+## Manage the owner and ETA of recommendations that are assigned to you

+[Security teams can assign a recommendation](governance-rules.md) to a specific person and assign a due date to drive your organization towards increased security. If you have recommendations assigned to you, you are accountable to remediate the resources affected by the recommendations to help your organization be compliant with the security policy.

+Recommendations are listed as **On time** until their due date is passed, when they are changed to **Overdue**. Before the recommendation is overdue, the recommendation does not impact the secure score. The security team can also apply a grace period during which overdue recommendations continue to not impact the secure score.

+To help you plan your work and report on progress, you can set an ETA for the specific resources to show when you plan to have the recommendation resolved by for those resources. You can also change the owner of the recommendation for specific resources so that the person responsible for remediation is assigned to the resource.

+To change the owner of resources and set the ETA for remediation of recommendations that are assigned to you:

+1. In the filters for list of recommendations, select **Show my items only**.

+ - The status column indicates the recommendations that are on time, overdue, or completed.

+ - The insights column indicates the recommendations that are in a grace period, so they currently do not impact your secure score until they become overdue.

+1. Select an on time or overdue recommendation.

+1. For the resources that are assigned to you, set the owner of the resource:

+ 1. Select the resources that are owned by another person, and select **Change owner and set ETA**.

+ 1. Select **Change owner**, enter the email address of the owner of the resource, and select **Save**.

+ The owner of the resource gets a weekly email listing the recommendations that they are assigned to.

+1. For resources that you own, set an ETA for remediation:

+ 1. Select resources that you plan to remediate by the same date, and select **Change owner and set ETA**.

+ 1. Select **Change ETA** and set the date by which you plan to remediate the recommendation for those resources.

+ 1. Enter a justification for the remediation by that date, and select **Save**.

+The due date for the recommendation does not change, but the security team can see that you plan to update the resources by the specified ETA date.

+You can review recommendations in ARG both on the recommendations page or on an individual recommendation.

+When you open the underlying query, and run it, Azure Resource Graph Explorer returns the same 15 resources and their health status for this recommendation:

+To download a CSV report of your recommendations:

+1. Sign in to the [Azure portal](https://portal.azure.com).

+Defender for Cloud makes its security recommendations based on your chosen initiatives. When a policy from your initiative is compared against your resources and finds one or more that aren't compliant, it is presented as a recommendation in Defender for Cloud.

+1. The initiative includes multiple ***policies***, each with a requirement of a specific resource type. These policies enforce the requirements in the initiative.

+ So, for example, if an Azure Storage account on any of your protected subscriptions isn't protected with virtual network rules, you'll see the recommendation to harden those resources.

+### Security recommendation details

+Security recommendations contain details that help you understand its significance and how to handle it.

+The recommendation details shown are:

+1. For supported recommendations, the top toolbar shows any or all of the following buttons:

+ - **Enforce** and **Deny** (see [Prevent misconfigurations with Enforce/Deny recommendations](prevent-misconfigurations.md)).

+ - **View policy definition** to go directly to the Azure Policy entry for the underlying policy.

+ - **Open query** - You can view the detailed information about the affected resources using Azure Resource Graph Explorer.

+1. **Severity indicator**

+1. **Freshness interval**

+1. **Count of exempted resources** if exemptions exist for a recommendation, this shows the number of resources that have been exempted with a link to view the specific resources.

+1. **Mapping to MITRE ATT&CK ® tactics and techniques** if a recommendation has defined tactics and techniques, select the icon for links to the relevant pages on MITRE's site. This applies only to Azure scored recommendations.

+ :::image type="content" source="media/review-security-recommendations/tactics-window.png" alt-text="Screenshot of the MITRE tactics mapping for a recommendation.":::

+1. **Description** - A short description of the security issue.

+1. When relevant, the details page also includes a table of **related recommendations**:

+ The relationship types are:

+ - **Prerequisite** - A recommendation that must be completed before the selected recommendation

+ - **Alternative** - A different recommendation, which provides another way of achieving the goals of the selected recommendation

+ - **Dependent** - A recommendation for which the selected recommendation is a prerequisite

+ For each related recommendation, the number of unhealthy resources is shown in the "Affected resources" column.

+ > [!TIP]

+ > If a related recommendation is grayed out, its dependency isn't yet completed and so isn't available.

+1. **Remediation steps** - A description of the manual steps required to remediate the security issue on the affected resources. For recommendations with the **Fix** option, you can select**View remediation logic** before applying the suggested fix to your resources.

+1. **Affected resources** - Your resources are grouped into tabs:

+ - **Healthy resources** ΓÇô Relevant resources, which either aren't impacted or on which you've already remediated the issue.

+ - **Unhealthy resources** ΓÇô Resources that are still impacted by the identified issue.

+ - **Not applicable resources** ΓÇô Resources for which the recommendation can't give a definitive answer. The not applicable tab also includes reasons for each resource.

+ :::image type="content" source="./media/review-security-recommendations/recommendations-not-applicable-reasons.png" alt-text="Screenshot of resources for which the recommendation can't give a definitive answer.":::

+1. Action buttons to remediate the recommendation or trigger a logic app.

+Use this link to view the policy definition and review the evaluation logic.

+### Devices monitored by Defender for IoT

+For more information, see [Devices monitored by Defender for IoT](architecture.md#devices-monitored-by-defender-for-iot).

+## View the device inventory from an on-premises management console

+## Integrate data into the enterprise device inventory

+For more information, see [Devices monitored by Defender for IoT](architecture.md#devices-monitored-by-defender-for-iot).

+### What's a device?

+### Calculate the number of devices you need to monitor

+When onboarding or editing your Defender for IoT plan, you'll need to know how many devices you want to monitor.

+**To calculate the number of devices you need to monitor**:

+Collect the total number of devices in your network and remove:

+- **Duplicate devices that have the same IP or MAC address**. When detected, the duplicates are automatically removed by Defender for IoT.

+- **Duplicate devices that have the same ID**. These are the same devices, seen by the same sensor, with different field values. For such devices, check the last time each device had activity and use the latest device only.

+- **Inactive devices**, with no traffic for more than 60 days.

+- **Broadcast / multicast devices**. These represent unique addresses but not unique devices.

+For more information, see [What's a device?](#whats-a-device)

+Increase the resiliency of your Defender for IoT deployment by configuring high availability on your on-premises management console. High availability deployments ensure your managed sensors continuously report to an active on-premises management console.

+> [!NOTE]

+> In this document, the principal on-premises management console is referred to as the primary, and the agent is referred to as the secondary.

+- The primary on-premises management console data is automatically backed up to the secondary on-premises management console every 10 minutes. The on-premises management console configurations and device data are backed up. PCAP files and logs are not included in the backup. You can back up and restore PCAPs and logs manually.

+- The primary setup on the management console is duplicated on the secondary. For example, if the system settings are updated on the primary, they're also updated on the secondary.

+During failover, sensors continue attempting to communicate with the primary appliance. When more than half the managed sensors succeed to communicate with the primary, the primary is restored. The following message appears on the secondary console when the primary is restored:

+1. Configure the on-premises management console primary appliance. For example, scheduled backup settings, VLAN settings. For more information, see [Manage the on-premises management console](how-to-manage-the-on-premises-management-console.md). All settings are applied to the secondary appliance automatically after pairing.

+- [Certificate requirements](how-to-manage-the-on-premises-management-console.md#manage-certificates)

+Verify if your organizational security policy allows you to have access to the following services on the primary and secondary on-premises management console. These services also allow the connection between the sensors and secondary on-premises management console:

+To update an on-premises management console that has high availability configured, you will need to:

+1. Disconnect the high availability from both the primary and secondary appliances.

+1. Update the appliances to the new version.

+1. Reconfigure the high availability back onto both appliances.

+Perform the update in the following order. Make sure each step is complete before you begin a new step.

+**To update an on-premises management console with high availability configured**:

+1. Disconnect the high availability from both the primary and secondary appliances:

+ **On the primary:**

+

+ 1. Get the list of the currently connected appliances. Run:

+ ```bash

+ cyberx-management-trusted-hosts-list

+ ```

+ 1. Find the domain associated with the secondary appliance and copy it to your clipboard. For example:

+ :::image type="content" source="media/how-to-set-up-high-availability/update-high-availability-domain.jpg" alt-text="Screenshot showing the domain associated with the secondary appliance.":::

+ 1. Remove the secondary domain from the list of trusted hosts. Run:

+

+ ```bash

+ sudo cyberx-management-trusted-hosts-remove -d [Secondary domain]

+ ```

+

+ 1. Verify that the certificate is installed correctly. Run:

+

+ ```bash

+ sudo cyberx-management-trusted-hosts-apply

+ ```

+

+ **On the secondary:**

+

+ 1. Get the list of the currently connected appliances. Run:

+ ```bash

+ cyberx-management-trusted-hosts-list

+ ```

+ 1. Find the domain associated with the primary appliance and copy it to your clipboard.

+ 1. Remove the primary <!--original text said secondary, I think it's a mistake--> domain from the list of trusted hosts. Run:

+

+ ```bash

+ sudo cyberx-management-trusted-hosts-remove -d [Primary domain]

+ ```

+

+ 1. Verify that the certificate is installed correctly. Run:

+

+ ```bash

+ sudo cyberx-management-trusted-hosts-apply

+ ```

+1. Update both the primary and secondary appliances to the new version. For more information, see [Update the software version](how-to-manage-the-on-premises-management-console.md#update-the-software-version).

+1. Set up high availability again, on both the primary and secondary appliances. For more information, see [Create the primary and secondary pair](#create-the-primary-and-secondary-pair).

+| **Device inventories** | Defender for IoT considers any of the following as single and unique network devices:<br><br>- Managed or un-managed standalone IT/OT/IoT devices, with one or more NICs<br>- Devices with multiple backplane components, including all racks, slots, or modules<br>- Devices that provide network infrastructure, such as switches or routers with multiple NICs<br><br>Monitored devices are listed in the **Device inventory** pages on the Azure portal, sensor console, and the on-premises management console. Data integration features let you enhance device data with details from other enterprise resources, such as CMDBs, DNS, firewalls, and Web APIs. <br><br>The following items are not monitored as devices, and do not appear in the Defender for IoT device inventories: <br>- Public internet IP addresses<br>- Multi-cast groups<br>- Broadcast groups<br><br>Devices that are inactive for more than 60 days are classified as *inactive* inventory devices.<br>The data integration capabilities of the on-premises management console let you enhance the data in the device inventory with information from other enterprise resources. Example resources are CMDBs, DNS, firewalls, and Web APIs.| [**Device map**](#d)|

+Create a database in your new Kusto cluster (using the cluster name from above and in the same location). This database will be used to store contextualized Azure Digital Twins data. The command below creates a database with a soft delete period of 365 days, and a hot cache period of 31 days. For more information about the options available for this command, see [az kusto database create](/cli/azure/kusto/database?view=azure-cli-latest&preserve-view=true#az-kusto-database-create).

+ Title: 'Tutorial: Create custom Azure DNS records for a web app'

+description: In this tutorial, you create custom domain DNS records for web app using Azure DNS.

+> [!NOTE]

+> Contoso.com is used as an example throughout this tutorial. Substitute your own domain name for contoso.com.

+* An Azure account with an active subscription. If you donΓÇÖt have one, you can [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* A domain name that you can host in Azure DNS. You must have full control of this domain. Full control includes the ability to set the name server (NS) records for the domain.

+* A web app. If you don't have one, you can [create a static HTML web app](../app-service/quickstart-html.md) for this tutorial.

+* An Azure DNS zone with delegation in your registrar to Azure DNS. If you don't have one, you can [create a DNS zone](./dns-getstarted-powershell.md), then [delegate your domain](dns-delegate-domain-azure-dns.md#delegate-the-domain) to Azure DNS.

+## Create the A record

+In the left navigation of the App Services page in the Azure portal, select **Custom domains**, then copy the IP address of your web app:

+### Create the record

+To create the A record, use:

+> [!IMPORTANT]

+> The A record must be manually updated if the underlying IP address for the web app changes.

+## Create the TXT record

+To create the TXT record, use:

+If your domain is already managed by Azure DNS (see [DNS domain delegation](dns-domain-delegation.md)), you can use the following example to create a CNAME record for contoso.azurewebsites.net. The CNAME created in this example has a "time to live" of 600 seconds in DNS zone named "contoso.com" with the alias for the web app contoso.azurewebsites.net.

+ ResourceGroupName : myazureresourcegroup

+Now, you can add the custom host names to your web app:

+ -ResourceGroupName <your web app resource group> `

+Open a browser and browse to `http://www.<your domain name>` and `http://<you domain name>`.

+When no longer needed, you can delete all resources created in this tutorial by deleting the resource group **MyAzureResourceGroup**:

+1. From the left-hand menu, select **Resource groups**.

+2. Select the **MyAzureResourceGroup** resource group.

+3. Select **Delete resource group**.

+4. Enter *MyAzureResourceGroup* and select **Delete**.

+> Event Grid will start **requiring authorizations to create partner topics or partner destinations** around June 15th, 2022. You should update your documentation asking your customers to grant you the authorization before you attempt to create a channel or an event channel.

+> Event Grid will start requiring authorizations to create partner topics or partner destinations around June 15th, 2022. Meanwhile, requiring your (subscriber's) authorization for a partner to create resources on your Azure subscription is an **optional** feature. We encourage you to opt-in to use this feature and try to use it in non-production Azure subscriptions before it becomes a mandatory step around June 15th, 2022. To opt-in to this feature, reach out to [mailto:askgrid@microsoft.com](mailto:askgrid@microsoft.com) using the subject line **Request to enforce partner authorization on my Azure subscription(s)** and provide your Azure subscription(s) in the email.

+2. Register your subscription using the following command:

+There's no additional cost for a firewall deployed in more than one Availability Zone. However, there are added costs for inbound and outbound data transfers associated with Availability Zones. For more information, see [Bandwidth pricing details](https://azure.microsoft.com/pricing/details/bandwidth/).

+2. On the Azure portal home page, select **Resource groups**, then select **Create**.

+1. For **Resource group**, type **RG-DNAT-Test**.

+3. Select **Create**.

+1. Under **Subnet name**, select **default**.

+3. Select **Create**.

+2. Under **Popular**, select **Windows Server 2019 Datacenter**.

+ |Firewall tier|**Standard**|

+3. Select **Create**.

+1. For **Address prefix destination**, select **IP Addresses**.

+1. For **Destination IP addresses/CIDR ranges**, type **0.0.0.0/0**.

+19. Select **Add**.

+ Title: Consume events with Logic Apps - Azure Health Data Services

+description: This article provides resources on how to consume events with Logic Apps.

+# Consume events with Logic Apps

+This tutorial shows how to use Azure Logic Apps to process Azure Health Data Services FHIR events. Logic Apps create and run automated workflows to process event data from other applications. You will learn how to register a FHIR event with your Logic App, meet a specified event criteria, and perform a service operation.

+Here's an example of a Logic App workflow:

+The workflow is on the left and the trigger condition is on the right.

+## Overview

+Follow these steps to create a Logic App workflow to consume FHIR events:

+1. Set up prerequisites

+2. Create a Logic App

+3. Create a Logic App workflow

+## Prerequisites

+Before you begin this tutorial, you need to have deployed a FHIR service and enabled events. For more information about deploying events, see [Deploy Events in the Azure portal](./events-deploy-portal.md).

+## Creating a Logic App

+To set up an automated workflow, you must first create a Logic App. For more information about Logic Apps, see [What is Azure Logic Apps?](./../../logic-apps/logic-apps-overview.md)

+### Specify your Logic App details

+Follow these steps:

+1. Go to the Azure portal.

+2. Search for "Logic App".

+3. Click "Add".

+4. Specify Basic details.

+5. Specify Hosting.

+6. Specify Monitoring.

+7. Specify Tags.

+8. Review and create your Logic App.

+You now need to fill out the details of your Logic App. Specify information for these five categories. They are in separate tabs:

+- Tab 1 - Basics

+- Tab 2 - Hosting

+- Tab 3 - Monitoring

+- Tab 4 - Tags

+- Tab 5 - Review + Create

+### Basics - Tab 1

+Start by specifying the following basics:

+#### Project details

+- Subscription

+- Resource Group

+Select a current subscription and specify an existing or new resource group.

+#### Instance details

+- Logic App name

+- Publish type

+- Region

+Create a name for your Logic App. You must choose Workflow or Docker Container as your publishing type. Select a region that is compatible with your plan.

+#### Plan

+- Plan type

+- App Service Plan

+- Sku and size

+Choose a plan type (Standard or Consumption). Create a new Windows Plan name and specify the Sku and size.

+#### Zone redundancy

+- Zone redundancy deployment

+Enabling your plan will make it zone redundant.

+### Hosting - Tab 2

+Continue specifying your Logic App by clicking "Next: Hosting".

+#### Storage

+- Storage type

+- Storage account

+Choose the type of storage you want to use and the storage account. You can use Azure Storage or add SQL functionality. You must also create a new storage account or use an existing one.

+### Monitoring - Tab 3

+Continue specifying your Logic App by clicking "Next: Monitoring".

+#### Monitoring with Application Insights

+- Enable Application Insights

+- Application Insights

+- Region

+Enable Azure Monitor application insights to automatically monitor your application. If you enable insights, you must create a new insight and specify the region.

+### Tags - Tab 4

+Continue specifying your Logic App by clicking "Next: Tags".

+#### Use tags to categorize resources

+Tags are name/value pairs that enable you to categorize resources and view consolidated billing by applying the same tag to multiple resources and resource groups.

+This example will not use tagging.

+### Review + create - Tab 5

+Finish specifying your Logic App by clicking "Next: Review + create".

+#### Review your Logic App

+Your proposed Logic app will display the following details:

+- Subscription

+- Resource Group

+- Logic App Name

+- Runtime stack

+- Hosting

+- Storage

+- Plan

+- Monitoring

+If you're satisfied with the proposed configuration, click "Create". If not, click "Previous" to go back and specify new details.

+First you'll see an alert telling you that deployment is initializing. Next you'll see a new page telling you that the deployment is in progress.

+If there are no errors, you will finally see a notification telling you that your deployment is complete.

+#### Your Logic App dashboard

+Azure creates a dashboard when your Logic App is complete. The dashboard will show you the status of your app. You can return to your dashboard by clicking Overview in the Logic App menu. Here's a Logic App dashboard:

+You can do the following activities from your dashboard.

+- Browse

+- Refresh

+- Stop

+- Restart

+- Swap

+- Get Publish Profile

+- Reset Publish Profile

+- Delete

+## Creating a Logic App workflow

+When your Logic App is running, follow these steps to create a Logic App workflow:

+1. Initialize a workflow

+2. Configuring a workflow

+3. Designing a workflow

+4. Adding an action

+5. Giving FHIR Reader access

+6. Adding a condition

+7. Choosing a condition criteria

+8. Testing your condition

+### Initializing your workflow

+Before you begin, you'll need to have a Logic App configured and running correctly.

+Once your Logic App is running, you can create and configure a workflow. To initialize a workflow, follow these steps:

+1. Start at the Azure portal.

+2. Click "Logic Apps" in Azure services.

+3. Select the Logic App you created.

+4. Click "Workflows" in the Workflow menu on the left.

+5. Click "Add" to add a workflow.

+### Configuring a new workflow

+You will see a new panel on the right for creating a workflow.

+You can specify the details of the new workflow in the panel on the right.

+#### Creating a new workflow for the Logic App

+To set up a new workflow, fill in these details:

+- Workflow Name

+- State type

+Specify a new name for your workflow. Indicate whether you want the workflow to be stateful or stateless. Stateful is for business processes and stateless is for processing IoT events.

+When you have specified the details, click "Create" to begin designing your workflow.

+### Designing the workflow

+In your new workflow, click the name of the enabled workflow.

+You can write code to design a workflow for your application, but for this tutorial, choose the Designer option on the Developer menu.

+Next, click "Choose an operation" to display the "Add a Trigger" blade on the right. Then search for "Azure Event Grid" and click the "Azure" tab below. The Event Grid is not a Logic App Built-in.

+When you see the "Azure Event Grid" icon, click on it to display the Triggers and Actions available from Event Grid. For more information about Event Grid, see [What is Azure Event Grid?](./../../event-grid/overview.md).

+Click "When a resource event occurs" to set up a trigger for the Azure Event Grid.

+To tell Event Grid how to respond to the trigger, you must specify parameters and add actions.

+#### Parameter settings

+You need to specify the parameters for the trigger:

+- Subscription

+- Resource Type

+- Resource Name

+- Event type item(s)

+Fill in the details for subscription, resource type, and resource name. Then you must specify the event types you want to respond to. The event types used in this article are:

+- Resource created

+- Resource deleted

+- Resource updated

+For more information about event types, see [What FHIR resource events does Events support?](./events-faqs.md).

+### Adding an HTTP action

+Once you have specified the trigger events, you must add more details. Click the "+" below the "When a resource event occurs" button.

+You need to add a specific action. Click "Choose an operation" to continue. Then, for the operation, search for "HTTP" and click on "Built-in" to select an HTTP operation. The HTTP action will allow you to query the FHIR service.

+The options in this example are:

+- Method is "Get"

+- URL is "concat('https://', triggerBody()?['subject'], '/_history/', triggerBody()?['dataVersion'])".

+- Authentication type is "Managed Identity".

+- Audience is "concat('https://', triggerBody()?['data']['resourceFhirAccount'])"

+### Allow FHIR Reader access to your Logic App

+At this point, you need to give the FHIR Reader access to your app, so it can verify that the event details are correct. Follow these steps to give it access:

+1. The first step is to go back to your Logic App and click the Identity menu item.

+2. In the System assigned tab, make sure the Status is "On".

+3. Click on Azure role assignments. Click "Add role assignment".

+4. Specify the following:

+ - Scope = Subscription

+ - Subscription = your subscription

+ - Role = FHIR Data Reader.

+When you have specified the first four steps, add the role assignment by Managed identity, using Subscription, Managed identity (Logic App Standard), and select your Logic App by clicking the name and then clicking the Select button. Finally, click "Review + assign" to assign the role.

+### Add a condition

+After you have given FHIR Reader access to your app, go back to the Logic App workflow Designer. Then add a condition to determine whether the event is one you want to process. Click the "+" below HTTP to "Choose an operation". On the right, search for the word "condition". Click on "Built-in" to display the Control icon. Next click Actions and choose Condition.

+When the condition is ready, you can specify what actions happen if the condition is true or false.

+### Choosing a condition criteria

+In order to specify whether you want to take action for the specific event, begin specifying the criteria by clicking on "Condition" in the workflow on the left. You will then see a set of condition choices on the right.

+Under the "And" box, add these two conditions:

+- resourceType

+- Event Type

+#### resourceType

+The expression for getting the resourceType is `body('HTTP')?['resourceType']`.

+#### Event Type

+You can select Event Type from the Dynamic Content.

+Here is an example of the Condition criteria:

+#### Save your workflow

+When you have entered the condition criteria, save your workflow.

+#### Workflow dashboard

+To check the status of your workflow, click Overview in the workflow menu. Here is a dashboard for a workflow:

+You can do the following operations from your workflow dashboard:

+- Run trigger

+- Refresh

+- Enable

+- Disable

+- Delete

+### Condition testing

+Save your workflow by clicking the "Save" button.

+To test your new workflow, do the following steps:

+1. Add a new Patient FHIR Resource to your FHIR Service.

+2. Wait a moment or two and then check the Overview webpage of your Logic App workflow.

+3. The event should be shaded in green if the action was successful.

+4. If it failed, the event will be shaded in red.

+Here is an example of a workflow trigger success operation:

+## Next steps

+For more information about FHIR events, see

+>[!div class="nextstepaction"]

+>[What are Events?](./events-overview.md)

+(FHIR&#174;) is a registered trademark of HL7 and is used with the permission of HL7.

+3. You see the **status of publishing** the template on page. If using [Azure Lab Services April 2022 Update (preview)](lab-services-whats-new.md), publishing can take up to 20 minutes.

+Create a resource group with [az group create](/cli/azure/group#az-group-create).

+Create a virtual network by using [az network vnet create](/cli/azure/network/vnet#az-network-vnet-create).

+Use [az network public-ip create](/cli/azure/network/public-ip#az-network-public-ip-create) to create a public IP address for the Azure Bastion host.

+Use [az network vnet subnet create](/cli/azure/network/vnet/subnet#az-network-vnet-subnet-create) to create a subnet.

+Use [az network bastion create](/cli/azure/network/bastion#az-network-bastion-create) to create a host.

+Create an internal load balancer with [az network lb create](/cli/azure/network/lb#az-network-lb-create).

+Create a health probe with [az network lb probe create](/cli/azure/network/lb/probe#az-network-lb-probe-create).

+Create a load balancer rule with [az network lb rule create](/cli/azure/network/lb/rule#az-network-lb-rule-create).

+To create a network security group, use [az network nsg create](/cli/azure/network/nsg#az-network-nsg-create).

+To create a network security group rule, use [az network nsg rule create](/cli/azure/network/nsg/rule#az-network-nsg-rule-create).

+Create two network interfaces with [az network nic create](/cli/azure/network/nic#az-network-nic-create).

+Create the availability set with [az vm availability-set create](/cli/azure/vm/availability-set#az-vm-availability-set-create).

+Create the virtual machines with [az vm create](/cli/azure/vm#az-vm-create).

+Add the virtual machines to the backend pool with [az network nic ip-config address-pool add](/cli/azure/network/nic/ip-config/address-pool#az-network-nic-ip-config-address-pool-add).

+Create the network interface with [az network nic create](/cli/azure/network/nic#az-network-nic-create).

+Create the virtual machine with [az vm create](/cli/azure/vm#az-vm-create).

+Use [az vm extension set](/cli/azure/vm/extension#az-vm-extension-set) to install IIS on the backend virtual machines and set the default website to the computer name.

+Create a resource group with [az group create](/cli/azure/group#az-group-create).

+Create a virtual network by using [az network vnet create](/cli/azure/network/vnet#az-network-vnet-create).

+Use [az network public-ip create](/cli/azure/network/public-ip#az-network-public-ip-create) to create a public IP address for the Azure Bastion host.

+Use [az network vnet subnet create](/cli/azure/network/vnet/subnet#az-network-vnet-subnet-create) to create a subnet.

+Use [az network bastion create](/cli/azure/network/bastion#az-network-bastion-create) to create a host.

+Create an internal load balancer with [az network lb create](/cli/azure/network/lb#az-network-lb-create).

+Create a health probe with [az network lb probe create](/cli/azure/network/lb/probe#az-network-lb-probe-create).

+Create a load balancer rule with [az network lb rule create](/cli/azure/network/lb/rule#az-network-lb-rule-create).

+To create a network security group, use [az network nsg create](/cli/azure/network/nsg#az-network-nsg-create).

+To create a network security group rule, use [az network nsg rule create](/cli/azure/network/nsg/rule#az-network-nsg-rule-create).

+Create two network interfaces with [az network nic create](/cli/azure/network/nic#az-network-nic-create).

+Create the virtual machines with [az vm create](/cli/azure/vm#az-vm-create).

+Add the virtual machines to the backend pool with [az network nic ip-config address-pool add](/cli/azure/network/nic/ip-config/address-pool#az-network-nic-ip-config-address-pool-add).

+Use [az network public-ip create](/cli/azure/network/public-ip#az-network-public-ip-create) to create a single IP for the outbound connectivity.

+Use [az network nat gateway create](/cli/azure/network/nat#az-network-nat-gateway-create) to create the NAT gateway resource. The public IP created in the previous step is associated with the NAT gateway.

+Configure the source subnet in virtual network to use a specific NAT gateway resource with [az network vnet subnet update](/cli/azure/network/vnet/subnet#az-network-vnet-subnet-update).

+Create the network interface with [az network nic create](/cli/azure/network/nic#az-network-nic-create).

+Create the virtual machine with [az vm create](/cli/azure/vm#az-vm-create).

+Use [az vm extension set](/cli/azure/vm/extension#az-vm-extension-set) to install IIS on the backend virtual machines and set the default website to the computer name.

+* [Managed connectors for Azure Logic Apps](../connectors/managed.md)

+* [Built-in triggers and actions for Azure Logic Apps](../connectors/built-in.md)

+ | AzureMachineLearning | TCP | 443, 8787, 18881 |

+ | MicrosoftContainerRegistry.region</br>**Note** that this tag has a dependency on the **AzureFrontDoor.FirstParty** tag | TCP | 443 |

+To connect to the workspace, you need identifier parameters - a subscription, resource group and workspace name. You'll use these details in the `MLClient` from `azure.ai.ml` to get a handle to the required Azure Machine Learning workspace. To authenticate, you use the [default Azure authentication](/python/api/azure-identity/azure.identity.defaultazurecredential?view=azure-python&preserve-view=true). Check this [example](https://github.com/Azure/azureml-examples/blob/sdk-preview/sdk/jobs/configuration.ipynb) for more details on how to configure credentials and connect to a workspace.

+For the CLI, you can use the [sweep job YAML schema](/azure/machine-learning/reference-yaml-job-sweep)., to define the search space in your YAML:

+[Random sampling](/azure/machine-learning/how-to-tune-hyperparameters) supports discrete and continuous hyperparameters. It supports early termination of low-performance jobs. Some users do an initial search with random sampling and then refine the search space to improve results.

+Grid sampling supports discrete hyperparameters. Use grid sampling if you can budget to exhaustively search over the search space. Supports early termination of low-performance jobs.

+Bayesian sampling is based on the Bayesian optimization algorithm. It picks samples based on how previous samples did, so that new samples improve the primary metric.

+Define the objective of your sweep job by specifying the primary metric and goal you want hyperparameter tuning to optimize. Each training job is evaluated for the primary metric. The early termination policy uses the primary metric to identify low-performance jobs.

+To configure your hyperparameter tuning experiment, provide the following:

+* `azureml-core` - [Install the Azure Machine Learning SDK (v1) for Python](/python/api/overview/azure/ml/install?view=azure-ml-py&preserve-view=true )

+When you're publishing an offer to the commercial marketplace with Partner Center, you'll want to connect it to your Customer Relationship Management (CRM) system. This lets you receive customer contact information as soon as someone expresses interest in or uses your product. Partner Center supports Azure table, Dynamics 365 Customer Engagement, HTTPS endpoint, Marketo, and Salesforce.

+* [Enable compute network on your Azure Stack Edge device](../databox-online/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy.md#configure-virtual-switches).

+sudo apt-get update

+## Limitations

+A Debug Session works with all generally available [indexer data sources](search-data-sources-gallery.md) and most preview data sources. The following list notes the exceptions:

+## Expected behaviors

+In this quickstart, you'll run the **Import data** wizard to apply skills that transform and enrich content during indexing. Output is a searchable index containing AI-generated image text, captions, and entities. Enriched content is queryable in the portal using [Search explorer](search-explorer.md).

+In this demo, there is one warning: `"Could not execute skill because one or more skill input was invalid." It tells you that a PNG file in the data source doesn't provide a text input to Entity Recognition. This warning occurs because the upstream OCR skill didn't recognize any text in the image, and thus could not provide a text input to the downstream Entity Recognition skill.

+**Q: Can I use Always Encrypted feature when indexing from Azure SQL database?

+[Always Encrypted](/sql/relational-databases/security/encryption/always-encrypted-database-engine) columns are not currently supported by Cognitive Search indexers.

+Clusters in different regions connect to different traffic managers. Regardless of the domain name, the IP address returned from the ping is the correct one to use when defining an inbound firewall rule for the Azure portal in your region.

+## FAQ

+**Q: Can I use Always Encrypted feature when indexing from SQL Server?

+[Always Encrypted](/sql/relational-databases/security/encryption/always-encrypted-database-engine) columns are not currently supported by Cognitive Search indexers.

+## FAQ

+**Q: Can I use Always Encrypted feature when indexing from SQL Managed Instance?

+[Always Encrypted](/sql/relational-databases/security/encryption/always-encrypted-database-engine) columns are not currently supported by Cognitive Search indexers.

+In order to enable these Fusion-powered attack detection scenarios, any data sources listed must be ingested to your Log Analytics workspace. For scenarios with scheduled analytics rules, follow the instructions in [Configure scheduled analytics rules for Fusion detections](configure-fusion-rules.md#configure-scheduled-analytics-rules-for-fusion-detections).

+**Data connector sources:** Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection, or MDATP), Microsoft Sentinel (scheduled analytics rule)

+**Data connector sources:** Microsoft Defender for Endpoint (formerly MDATP), Microsoft Sentinel (scheduled analytics rule)

+**Data connector sources:** Microsoft Defender for Endpoint (formerly MDATP), Microsoft Sentinel (scheduled analytics rule)

+**Data connector sources:** Microsoft Defender for Endpoint (formerly MDATP), Microsoft Sentinel (scheduled analytics rule)

+**Data connector sources:** Microsoft Defender for Endpoint (formerly MDATP), Microsoft Sentinel (scheduled analytics rule)

+ Title: High availability for Service Connector

+description: This article covers availability zones, zone redundancy, disaster recovery, and cross-region failover for Service Connector.

+#Customer intent: As an Azure developer, I want to understand the availability of my connection created with Service Connector.

+# High availability for Service Connector

+Service Connector supports Azure availability zones to help you achieve resiliency and reliability for your business-critical workloads. The goal of the high availability architecture in Service Connector is to guarantee that your service connections are up and running at least 99.9% of time, so that you don't have to worry about the effects of potential maintenance operations and outages. Service Connector is designed to provide high availability support for all types of applications you're running on Azure.

+Users can distribute Azure compute services across availability zones in many regions. Service Connector is an extension resource provider to these compute services. When you create a service connection in a compute service with availability zones enabled, Azure will also automatically set up the corresponding service connection availability zone for your service connection. Microsoft is responsible for setting up availability zones and disaster recovery for your service connections.

+## Zone redundancy in Service Connector

+Service Connector is an Azure extension resource provider. It extends Azure App Service, Azure Spring Apps and Azure Container Apps. When you create a new service connection in one of these compute services with Service Connector, there's a connection resource provisioned as part of your top-level parent compute service.

+To enable zone redundancy for your connection, you must enable zone redundancy for your compute service. Once the compute service has been configured with zone redundancy, your service connections will also automatically become zone-redundant. For example, if you have an app service with zone redundancy enabled, the platform automatically spreads your app service instances across three zones in the selected region. When you create a service connection in this app service with Service Connector, the service connection resource is also automatically created in the three corresponding zones in the selected region. Traffic is routed to all of your available connection resources. When a zone goes down, the platform detects the lost instances, automatically attempts to find new replacement instances, and spreads the traffic as needed.

+> [!NOTE]

+> To create, update, validate and list service connections, Service Connector calls APIs from a compute service and a target service. As Service Connector relies on the responses from both the compute service and the target service, requests to Service Connector in a zone-down scenario may not succeed if the target service can't be reached. This limitation applies to App Service, Container Apps and Spring Apps.

+## How to create a zone-redundant service connection with Service Connector

+Follow the instructions below to create a zone-redundant Service Connection in App Service using the Azure CLI or the Azure portal. The same process can be used to create a zone-redundant connection for Spring Apps and Container Apps compute services.

+### [Azure CLI](#tab/azure-cli)

+To enable zone redundancy for a service connection using the Azure CLI, you must first create a zone-redundant app service.

+1. Create an App Service plan and include a `--zone-redundant` parameter. Optionally include the `--number-of-workers` parameter to specify capacity. Learn more details in [How to deploy a zone-redundant App Service](../app-service/environment/overview-zone-redundancy.md).

+ ```azurecli

+ az appservice plan create --resource-group MyResourceGroup --name MyPlan --zone-redundant --number-of-workers 6

+ ```

+1. Create an application in App Service and a connection to your Blob Storage account or another target service of your choice.

+ ```azurecli

+ az webapp create --name MyApp --plan MyPlan resource-group MyResourceGroup

+ az webapp connection create storage-blob

+ ```

+### [Portal](#tab/azure-portal)

+To enable zone redundancy for a service connection in App Service using the Azure portal, follow the process below:

+1. In the Azure portal, in the **Search resources, services, and docs (G+/)**, enter **App Services** and select **App Services**.

+1. Select **Create** and fill out the form. In the first tab, under **Zone redundancy**, select **Enabled**.

+ :::image type="content" source="media/enable-zone-redundancy.png" alt-text="Screenshot of the Azure portal, enabling zone redundancy in App Services.":::

+1. Select **Review + create** and then **Create**.

+1. In the App Service instance, select **Service Connector** from the left menu and select **Create**.

+1. Fill out the form to create the connection.

+As you enabled zone redundancy for your App Service, the service connection is also zone redundant.

+> [!TIP]

+> Enabling zone redundancy for your target service is recommended. In a zone-down scenario, traffic to your connection will automatically be spread to other zones. However, creating, validating and updating connections rely on management APIs from the target service. If a target service doesnΓÇÖt support zone redundancy or doesnΓÇÖt have zone redundancy enabled, these operations will fail.

+## Understand disaster recovery and resiliency in Service Connector

+Disaster recovery is the process of restoring application functionality after a catastrophic loss.

+In the cloud, we acknowledge upfront that failures will certainly happen. Instead of trying to prevent failures altogether, the goal is to minimize the effects of a single failing component. If there's a disaster, Service Connector will fail over to the paired region. Customers donΓÇÖt need to do anything if the outage is decided/declared by the Service Connector team.

+We'll use the terms RTO (Recovery Time Objective), to indicate the time between the beginning of an outage impacting Service Connector and the recovery to full availability. We'll use RPO (Recovery Point Objective), to indicate the time between the last operation correctly restored and the time of the start of the outage affecting Service Connector. Expected and maximum RPO is 24 hours and RTO is 24 hours.

+Operations against Service Connector may fail during the disaster time, before the failover happens. Once the failover is completed, data will be restored and the customer isn't required to take any action.

+Service connector handles business continuity and disaster recovery (BCRD) for storage and compute. The platform strives to have as minimal of an impact as possible in case of issues in storage/compute, in any region. The data layer design prioritizes availability over latency in the event of a disaster ΓÇô meaning that if a region goes down, Service Connector will attempt to serve the end-user request from its paired region.

+During the failover action, Service Connector handles the DNS remapping to the available regions. All data and action from customer view serves as usual after failover.

+Service Connector will change its DNS in about one hour. Performing a manual failover would take more time. As Service Connector is a resource provider built on top of other Azure services, the actual time depends on the failover time of the underlying services.

+## Disaster recovery region support

+Service Connector currently supports the following region pairs. In the event of a primary region outage, failover to the secondary region starts automatically.

+| Primary | Secondary |

+|--|-|

+| East US 2 EUAP | East US |

+| West Central US | West Central US 2 |

+| West Europe | North Europe |

+| North Europe | West Europe |

+| East US | West US 2 |

+| West US 2 | East US |

+## Cross-region failover

+Microsoft is responsible for handling cross-region failovers. Service Connector runs health checks every 10 minutes and regional failovers are detected and handled in the Service Connector backend. The failover process doesnΓÇÖt require any changes in the customerΓÇÖs applications or compute service configurations. Service Connector uses an active-passive cluster configuration with automatic failover. After a disaster recovery, customers can use the full functionalities provided by Service Connector.

+The health check that runs every 10 minutes simulates user behavior by creating, validating, and updating connections to target services in each of the compute services supported by Service Connector. Microsoft will start to analyze and launch a Service Connector failover if we meet any of the following conditions:

+- The service health check fails three times in a row

+- Service ConnectorΓÇÖs dependent services declare an outage

+- Customers report a region outage

+Requests to service connections are impacted during a failover. Once the failover is complete, service connection data is restored. You can check the [Azure status page](https://status.azure.com/en-us/status) to check the status of all Azure services.

+## Next steps

+Go the concept article below to learn more about Service Connector.

+> [!div class="nextstepaction"]

+> [Learn about Service Connector concepts](./concept-service-connector-internals.md)

+ Title: Integrate Azure SQL Database with Service Connector

+description: Integrate SQL into your application with Service Connector

+# Integrate Azure SQL Database with Service Connector

+This page shows all the supported compute services, clients, and authentication types to connect services to Azure SQL Database instances, using Service Connector. This page also shows the default environment variable names and application properties needed to create service connections. You might still be able to connect to an Azure SQL Database instance using other programming languages, without using Service Connector. Learn more about the [Service Connector environment variable naming conventions](concept-service-connector-internals.md).

+## Supported compute services

+- Azure App Service

+- Azure Spring Cloud

+## Supported authentication types and clients

+| Client type | System-assigned managed identity | User-assigned managed identity | Secret/connection string | Service principal |

+|--|:--:|::|::|:--:|

+| .NET | | |  | |

+| Go | | |  | |

+| Java | | |  | |

+| Java - Spring Boot | | |  | |

+| PHP | | |  | |

+| Node.js | | |  | |

+| Python | | |  | |

+| Python - Django | | |  | |

+| Ruby | | |  | |

+## Default environment variable names or application properties

+Use the environment variable names and application properties listed below to connect a service to Azure SQL Database using a secret and a connection string.

+### Connect an Azure App Service instance

+Use the connection details below to connect Azure App Service instances with .NET, Go, Java, Java - Spring Boot, PHP, Node.js, Python, Python - Django and Ruby. For each example below, replace the placeholder texts `<sql-server>`, `<sql-db>`, `<sql-user>`, and `<sql-pass>` with your server name, database name, user ID and password.

+#### Azure App Service with .NET (sqlClient)

+> [!div class="mx-tdBreakAll"]

+> | Default environment variable name | Description | Sample value |

+> | | | |

+> | AZURE_SQL_CONNECTIONSTRING | Azure SQL Database connection string | `Data Source=<sql-server>.database.windows.net,1433;Initial Catalog=<sql-db>;User ID=<sql-user>;Password=<sql-pass>` |

+#### Azure App Service with Java Database Connectivity (JDBC)

+> [!div class="mx-tdBreakAll"]

+> | Default environment variable name | Description | Sample value |

+> | | | |

+> | AZURE_SQL_CONNECTIONSTRING | Azure SQL Database connection string | `jdbc:sqlserver://<sql-server>.database.windows.net:1433;databaseName=<sql-db>;user=<sql-user>;password=<sql-pass>;` |

+#### Azure App Service with Java Spring Boot (spring-boot-starter-jdbc)

+> [!div class="mx-tdBreakAll"]

+> | Default environment variable name | Description | Sample value |

+> |--|-|-|

+> | spring.datasource.url | Azure SQL Database datasource URL | `jdbc:sqlserver://<sql-server>.database.windows.net:1433;databaseName=<sql-db>;` |

+> | spring.datasource.username | Azure SQL Database datasource username | `<sql-user>` |

+> | spring.datasource.password | Azure SQL Database datasource password | `<sql-pass>` |

+#### Azure App Service with Go (go-mssqldb)

+> [!div class="mx-tdBreakAll"]

+> | Default environment variable name | Description | Sample value |

+> | | | |

+> | AZURE_SQL_CONNECTIONSTRING | Azure SQL Database connection string | `server=<sql-server>.database.windows.net;port=1433;database=<sql-db>;user id=<sql-user>;password=<sql-pass>;` |

+#### Azure App Service with Node.js

+> [!div class="mx-tdBreakAll"]

+> | Default environment variable name | Description | Sample value |

+> |--|--|-|

+> | AZURE_SQL_SERVER | Azure SQL Database server | `<sql-server>.database.windows.net` |

+> | AZURE_SQL_PORT | Azure SQL Database port | `1433` |

+> | AZURE_SQL_DATABASE | Azure SQL Database database | `<sql-db>` |

+> | AZURE_SQL_USERNAME | Azure SQL Database username | `<sql-user>` |

+> | AZURE_SQL_PASSWORD | Azure SQL Database password | `<sql-pass>` |

+#### Azure App Service with PHP

+> [!div class="mx-tdBreakAll"]

+> | Default environment variable name | Description | Sample value |

+> |--|--|-|

+> | AZURE_SQL_SERVERNAME | Azure SQL Database servername | `<sql-server>.database.windows.net` |

+> | AZURE_SQL_DATABASE | Azure SQL Database database | `<sql-db>` |

+> | AZURE_SQL_UID | Azure SQL Database unique identifier (UID) | `<sql-user>` |

+> | AZURE_SQL_PASSWORD | Azure SQL Database password | `<sql-pass>` |