+This how-to guide series consists of multiple articles. We recommend that you start this series from the first article. For each article (except the first one), you're expected to use the custom policy you write in the preceding article.

+ In the first step, we specify the options a user needs to choose from in their journey, local or social authentication. In the steps that follow, we use preconditions to track the option the user picked or the stage of the journey at which the user is. For example, we use the `authenticationSource` claim to differentiate between a local authentication journey and a social authentication journey.

+> 1. Ensure the TodoListService service starts first by moving it to the first position in the list, using the up arrow.

+> 1. Ensure the TodoListService service starts first by moving it to the first position in the list, using the up arrow.

+In this article, you will learn how to deploy an application that uses Azure OpenAI or OpenAI on AKS. With OpenAI, you can easily adapt different AI models, such as content generation, summarization, semantic search, and natural language to code generation, for your specific tasks. You will start by deploying an AKS cluster in your Azure subscription. Then you will deploy your OpenAI service and the sample application.

+The sample cloud native application is representative of real-world implementations. The multi-container application is comprised of applications written in multiple languages and frameworks, including:

+> [!NOTE]

+> We don't recommend running stateful containers, such as MongoDB and Rabbit MQ, without persistent storage for production. These are used here for simplicity, but we recommend using managed services, such as Azure CosmosDB or Azure Service Bus.

+> [!NOTE]

+> We don't recommend running stateful containers, such as MongoDB and Rabbit MQ, without persistent storage for production. These are used here for simplicity, but we recommend using managed services, such as Azure CosmosDB or Azure Service Bus.

+1. Review the [YAML manifest](https://github.com/Azure-Samples/aks-store-demo/blob/main/aks-store-all-in-one.yaml) for the application. You will see a series of deployments and services that make up the entire application.

+ kubectl apply -f https://raw.githubusercontent.com/Azure-Samples/aks-store-demo/main/aks-store-all-in-one.yaml

+1. Create a new deployment using the **gpt-35-turbo** model.

+[learn-aoai]: /training/modules/explore-azure-openai

+ Title: Arc SQL Managed Instance pod scheduling

+description: Describes how pods are scheduled for Azure Arc-enabled data services, and how you may configure them.

+# Arc SQL Managed Instance pod scheduling

+By default, SQL pods are scheduled with a preferred pod anti affinity between each other. This setting prefers that the pods are scheduled on different nodes, but does not require it. In a scenario where there are not enough nodes to place each pod on a distinct node, multiple pods are scheduled on a single node. Kubernetes does not reevaluate this decision until a pod is rescheduled.

+This default behavior can be overridden using the scheduling options. Arc SQL Managed Instance has three controls for scheduling, which are located at `$.spec.scheduling`

+## NodeSelector

+The simplest control is node selector. The node selector simply specifies a label that the target nodes for an instance must have. The path of nodeSelector is `$.spec.scheduling.nodeSelector` and functions the same as any other Kubernetes nodeSelector property. (see: [Assign Pods to Nodes | Kubernetes](https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/#create-a-pod-that-gets-scheduled-to-your-chosen-node))

+## Affinity

+Affinity is a feature in Kubernetes that allows fine-grained control over how pods are scheduled onto nodes within a cluster. There are many ways to leverage affinity in Kubernetes (see: [Assigning Pods to Nodes | Kubernetes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)). The same rules for applying affinities to traditional StatefulSets in Kubernetes apply in SQL MI. The exact same object model is used.

+The path of affinity in a deployment is `$.spec.template.spec.affinity`, whereas the path of affinity in SQL MI is `$.spec.scheduling.affinity`.

+Here is a sample spec for a required pod anti affinity between replicas of a single SQL MI instance. The labels chosen in the labelSelector of the affinity term are automatically applied by the dataController based on the resource type and name, but the labelSelector could be changed to use any labels provided.

+```yaml

+apiVersion: sql.arcdata.microsoft.com/v13

+kind: SqlManagedInstance

+metadata:

+ labels:

+ management.azure.com/resourceProvider: Microsoft.AzureArcData

+ name: sql1

+ namespace: test

+spec:

+ backup:

+ retentionPeriodInDays: 7

+ dev: false

+ licenseType: LicenseIncluded

+ orchestratorReplicas: 1

+ preferredPrimaryReplicaSpec:

+ preferredPrimaryReplica: any

+ primaryReplicaFailoverInterval: 600

+ readableSecondaries: 1

+ replicas: 3

+ scheduling:

+ affinity:

+ podAntiAffinity:

+ requiredDuringSchedulingIgnoredDuringExecution:

+ - labelSelector:

+ matchLabels:

+ arc-resource: sqlmanagedinstance

+ controller: sql1

+ topologyKey: kubernetes.io/hostname

+ default:

+ resources:

+ limits:

+ cpu: "4"

+ requests:

+ cpu: "4"

+ memory: 4Gi

+

+ primary:

+ type: NodePort

+ readableSecondaries:

+ type: NodePort

+ storage:

+ data:

+ volumes:

+ - accessMode: ReadWriteOnce

+ className: local-storage

+ size: 5Gi

+ logs:

+ volumes:

+ - accessMode: ReadWriteOnce

+ className: local-storage

+ size: 5Gi

+ syncSecondaryToCommit: -1

+ tier: BusinessCritical

+```

+## TopologySpreadConstraints

+Pod topology spread constraints control rules around how pods are spread across different groupings of nodes in a Kubernetes cluster. A cluster may have different node topology domains defined such as regions, zones, node pools, etc. A standard Kubernetes topology spread constraint can be applied at `$.spec.scheduling.topologySpreadConstraints` (see: [Pod Topology Spread Constraints | Kubernetes](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/)).

+For instance:

+```yaml

+apiVersion: sql.arcdata.microsoft.com/v13

+kind: SqlManagedInstance

+metadata:

+ labels:

+ management.azure.com/resourceProvider: Microsoft.AzureArcData

+ name: sql1

+ namespace: test

+spec:

+ backup:

+ retentionPeriodInDays: 7

+ dev: false

+ licenseType: LicenseIncluded

+ orchestratorReplicas: 1

+ preferredPrimaryReplicaSpec:

+ preferredPrimaryReplica: any

+ primaryReplicaFailoverInterval: 600

+ readableSecondaries: 1

+ replicas: 3

+ scheduling:

+ topologySpreadConstraints:

+ - maxSkew: 1

+ topologyKey: kubernetes.io/hostname

+ whenUnsatisfiable: DoNotSchedule

+ labelSelector:

+ matchLabels:

+ name: sql1

+```

+1. To link two caches together for geo-replication, first select **Geo-replication** from the Resource menu of the cache that you intend to be the primary linked cache. Next, select **Add cache replication link** from **Geo-replication** on the left.

+ "AzureWebJobsStorage": "",

+> [!IMPORTANT]

+> This example is simplified for the tutorial. For production use, we recommend that you use [Azure Key Vault](../service-connector/tutorial-portal-key-vault.md) to store connection string information.

+>

+Navigate to your new Function App in the Azure portal and select the **Configuration** blade from the Resource menu. Select **New application setting** and enter `redisConnectionString` as the Name, with your connection string as the Value. Set Type to _Custom_, and select **Ok** to close the menu and then **Save** on the Configuration page to confirm. The functions app will restart with the new connection string information.

+First, import the `System.Data.SqlClient` NuGet package to enable communication with the SQL Database instance. Go to the VS Code terminal and use the following command:

+```dos

+dotnet add package System.Data.SqlClient

+```

+Next, copy and paste the following code in redisfunction.cs, replacing the existing code.

+namespace Microsoft.Azure.WebJobs.Extensions.Redis

+ public static class WriteBehind

+ public const string connectionString = "redisConnectionString";

+ public const string SQLAddress = "SQLConnectionString";

+ [RedisPubSubTrigger(connectionString, "__keyevent@0__:set")] string message,

+ // retrive redis connection string from environmental variables

+ var redisConnectionString = System.Environment.GetEnvironmentVariable(connectionString);

+

+ // connect to a Redis cache instance

+ var redisConnection = ConnectionMultiplexer.Connect(redisConnectionString);

+ var key = message;

+ // retrive SQL connection string from environmental variables

+ String SQLConnectionString = System.Environment.GetEnvironmentVariable(SQLAddress);

+### Configure connection strings

+You need to update the 'local.settings.json' file to include the connection string for your SQL Database instance. Add an entry in the `Values` section for `SQLConnectionString`. Your file should look like this:

+```json

+{

+ "IsEncrypted": false,

+ "Values": {

+ "AzureWebJobsStorage": "",

+ "FUNCTIONS_WORKER_RUNTIME": "dotnet",

+ "redisConnectionString": "<redis-connection-string>",

+ "SQLConnectionString": "<sql-connection-string>"

+ }

+}

+You need to manually enter the password for your SQL database connection string, because the password isn't pasted automatically. You can find the Redis connection string in the **Access Keys** of the Resource menu of the Azure Cache for Redis resource. You can find the SQL database connection string under the **ADO.NET** tab in **Connection strings** on the Resource menu in the SQL database resource.

+> [!IMPORTANT]

+> This example is simplified for the tutorial. For production use, we recommend that you use [Azure Key Vault](../service-connector/tutorial-portal-key-vault.md) to store connection string information.

+>

+- SET apple 5.25

+- SET bread 2.25

+- SET apple 4.50

+### Add connection string information

+Navigate to your Function App in the Azure portal and select the **Configuration** blade from the Resource menu. Select **New application setting** and enter `SQLConnectionString` as the Name, with your connection string as the Value. Set Type to _Custom_, and select **Ok** to close the menu and then **Save** on the Configuration page to confirm. The functions app will restart with the new connection string information.

+## Verify deployment

+> Autoscaling on custom metrics in Application Insights is supported only for metrics published to **Standard** and **Azure.ApplicationInsights** namespaces. If any other namespaces are used for custom metrics in Application Insights, it returns an **Unsupported Metric** error.

+Set up a scale-in rule so that Azure spins down one of the instances when the number of sessions your web app is handling is less than 60 per instance. Azure reduces the number of instances each time this rule is run until the minimum number of instances is reached.

+The diagram shows the deployment of VMware HCX from on-premises VMware vSphere to Azure VMware Solution private cloud disaster recovery scenario.

+ :::image type="content" source="./media/disaster-recovery-virtual-machines/hcx-disaster-recovery-scenario-1-diagram.png" alt-text="Diagram showing the VMware HCX manual disaster recovery solution in Azure VMware Solution with on-premises VMware vSphere." border="true" lightbox="./media/disaster-recovery-virtual-machines/hcx-disaster-recovery-scenario-1-diagram.png":::

+>Although part of VMware HCX, VMware HCX Disaster Recovery (DR) is not recommended for large deployments. The disaster recovery orchestration is 100% manual, and Azure VMware Solution currently doesn't have runbooks or features to support manual VMware HCX DR failover. For enterprise-class disaster recovery, refer to VMware Site Recovery Manager (SRM) or VMware business continuity and disaster recovery (BCDR) solutions.

+ :::image type="content" source="./media/disaster-recovery-virtual-machines/hcx-vsphere.png" alt-text="Screenshot showing the VMware HCX option in the vSphere Client." border="true":::

+ :::image type="content" source="./media/disaster-recovery-virtual-machines/protect-virtual-machine.png" alt-text="Screenshot showing the Disaster Recovery dashboard in the vSphere Client." border="true" lightbox="./media/disaster-recovery-virtual-machines/protect-virtual-machine.png":::

+ :::image type="content" source="./media/disaster-recovery-virtual-machines/protect-virtual-machines.png" alt-text="Screenshot showing the VMware HCX: Protected Virtual Machines window." border="true":::

+> [!NOTE]

+> The current version of VMware Site Recovery Manager (SRM) in Azure VMware Solution is 8.5.0.3.

+ > [!NOTE]

+ > Use the [Two-site Topology with one vCenter Server instance per PSC](https://docs.vmware.com/en/Site-Recovery-Manager/8.4/com.vmware.srm.install_config.doc/GUID-F474543A-88C5-4030-BB86-F7CC51DADE22.html) deployment model. Also, make sure that the [required vSphere Replication Network ports](https://kb.VMware.com/s/article/2087769) are opened.

+1. The default CloudAdmin user in the Azure VMware Solution private cloud doesn't have sufficient privileges to install VMware SRM or vSphere Replication. The installation process involves multiple steps outlined in the [Prerequisites](#prerequisites) section. Instead, you can install VMware SRM with vSphere Replication as an add-on service from your Azure VMware Solution private cloud.

+1. :::image type="content" source="media/VMware-srm-vsphere-replication/disaster-recovery-add-ons.png" alt-text="Screenshot of Azure VMware Solution private cloud to install VMware SRM with vSphere Replication as an add-on" border="true" lightbox="media/VMware-srm-vsphere-replication/disaster-recovery-add-ons.png":::

+> [!NOTE]

+> The current version of VMware Site Recovery Manager (SRM) in Azure VMware Solution is 8.5.0.3.

+| Rel 23-06 OOB | [5028623] | Latest Cumulative Update(LCU) | [5.83] | Jun 23, 2023 |

+| Rel 23-06 | [5027225] | Latest Cumulative Update(LCU) | [7.27] | Jun 13, 2023 |

+| Rel 23-06 | [5027222] | Latest Cumulative Update(LCU) | [6.59] | Jun 13, 2023 |

+| Rel 23-06 | [5027140] | .NET Framework 3.5 Security and Quality Rollup | [2.139] | Jun 13, 2023 |

+| Rel 23-06 | [5027134] | .NET Framework 4.6.2 Security and Quality Rollup | [2.139] | Jun 13, 2023 |

+| Rel 23-06 OOB | [5028591] | .NET Framework Rollup 4.6 ΓÇô 4.7.2/ .NET standalone update | [2.139] | Jun 22, 2023 |

+| Rel 23-06 | [5027141] | .NET Framework 3.5 Security and Quality Rollup | [4.119] | Jun 13, 2023 |

+| Rel 23-06 | [5027133] | .NET Framework 4.6.2 Security and Quality Rollup | [4.119] | Jun 13, 2023 |

+| Rel 23-06 OOB | [5028590] | .NET Framework Rollup 4.6 ΓÇô 4.7.2/ .NET standalone update | [4.119] | Jun 22, 2023 |

+| Rel 23-06 | [5027138] | .NET Framework 3.5 Security and Quality Rollup | [3.127] | Jun 13, 2023 |

+| Rel 23-06 | [5027132] | .NET Framework 4.6.2 Security and Quality Rollup | [3.127] | Jun 13, 2023 |

+| Rel 23-06 OOB | [5028589] | .NET Framework Rollup 4.6 ΓÇô 4.7.2/ .NET standalone update | [3.127] | Jun 22, 2023 |

+| Rel 23-06 | [5027123] | .NET Framework 4.8 Security and Quality Rollup  | [5.83] | Jun 13, 2023 |

+| Rel 23-06 OOB | [5028580] | .NET Framework Rollup 4.8 /.NET Standalone Update  | [5.83] | Jun 22, 2023 |

+| Rel 23-06 | [5027131] | . NET Framework 4.7.2 Cumulative Update | [6.59] | Jun 13, 2023 |

+| Rel 23-06 OOB | [5028588] | .NET Framework Rollup - 4.6-4.7.2 / .NET Standalone Update | [6.59] | Jun 22, 2023 |

+| Rel 23-06 | [5027127] | .NET Framework 4.8 Security and Quality Rollup | [7.27] | Jun 13, 2023 |

+| Rel 23-06 OOB | [5028584] | .NET Framework Rollup - 4.8 / .NET Standalone Update | [7.27] | Jun 22, 2023 |

+| Rel 23-06 | [5027275] | Monthly Rollup | [2.139] | Jun 13, 2023 |

+| Rel 23-06 | [5027283] | Monthly Rollup | [3.127] | Jun 13, 2023 |

+| Rel 23-06 | [5027271] | Monthly Rollup | [4.119] | Jun 13, 2023 |

+| Rel 23-06 | [5027575] | Servicing Stack Update | [3.127] | Jun 13, 2023 |

+| Rel 23-06 | [5027574] | Servicing Stack Update | [4.119] | Jun 13, 2022 |

+| Rel 23-06 | [4578013] | OOB Standalone Security Update | [4.119] | Aug 19, 2020 |

+| Rel 23-06 | [5023788] | Servicing Stack Update LKG | [5.83] | Mar 14, 2023 |

+| Rel 23-06 | [5017397] | Servicing Stack Update LKG | [2.139] | Sep 13, 2022 |

+| Rel 23-06 | [4494175] | Microcode | [5.83] | Sep 1, 2020 |

+| Rel 23-06 | [4494174] | Microcode | [6.59] | Sep 1, 2020 |

+| Rel 23-06 | 5027396 | Servicing Stack Update | [7.27] | |

+| Rel 23-06 | 5023789 | Servicing Stack Update | [6.59] | |

+[2.139]: ./cloud-services-guestos-update-matrix.md#family-2-releases

+[3.127]: ./cloud-services-guestos-update-matrix.md#family-3-releases

+[4.119]: ./cloud-services-guestos-update-matrix.md#family-4-releases

+[5.83]: ./cloud-services-guestos-update-matrix.md#family-5-releases

+[6.59]: ./cloud-services-guestos-update-matrix.md#family-6-releases

+[7.27]: ./cloud-services-guestos-update-matrix.md#family-7-releases

+###### **July 8, 2023**

+The June Guest OS has released.

+| WA-GUEST-OS-7.27_202306-02 | July 8, 2023 | Post 7.29 |

+| WA-GUEST-OS-7.25_202305-01 | May 19, 2023 | Post 7.28 |

+|~~WA-GUEST-OS-7.24_202304-01~~| April 27, 2023 | July 8, 2023 |

+| WA-GUEST-OS-6.59_202306-02 | July 8, 2023 | Post 6.61 |

+| WA-GUEST-OS-6.57_202305-01 | May 19, 2023 | Post 6.60 |

+|~~WA-GUEST-OS-6.56_202304-01~~| April 27, 2023 | July 8, 2023 |

+| WA-GUEST-OS-5.83_202306-02 | July 8, 2023 | Post 5.85 |

+| WA-GUEST-OS-5.81_202305-01 | May 19, 2023 | Post 5.84 |

+|~~WA-GUEST-OS-5.80_202304-01~~| April 27, 2023 | July 8, 2023 |

+| WA-GUEST-OS-4.119_202306-02 | July 8, 2023 | Post 4.121 |

+| WA-GUEST-OS-4.117_202305-01 | May 19, 2023 | Post 4.120 |

+|~~WA-GUEST-OS-4.116_202304-01~~| April 27, 2023 | July 8, 2023 |

+| WA-GUEST-OS-3.127_202306-02 | July 8, 2023 | Post 3.129 |

+| WA-GUEST-OS-3.125_202305-01 | May 19, 2023 | Post 3.128 |

+|~~WA-GUEST-OS-3.124_202304-02~~| April 27, 2023 | July 8, 2023 |

+| WA-GUEST-OS-2.139_202306-02 | July 8, 2023 | Post 2.141 |

+| WA-GUEST-OS-2.137_202305-01 | May 19, 2023 | Post 2.140 |

+|~~WA-GUEST-OS-2.136_202304-01~~| April 27, 2023 | July 8, 2023 |

+## Responsible AI

+An AI system includes not only the technology, but also the people who will use it, the people who will be affected by it, and the environment in which it is deployed. Read the transparency notes to learn about responsible AI use and deployment in your systems.

+## Responsible AI

+An AI system includes not only the technology, but also the people who will use it, the people who will be affected by it, and the environment in which it is deployed. Read the transparency notes to learn about responsible AI use and deployment in your systems.

+* [Transparency note and use cases](/legal/cognitive-services/speech-service/speech-to-text/transparency-note?context=/azure/cognitive-services/speech-service/context/context)

+* [Characteristics and limitations](/legal/cognitive-services/speech-service/speech-to-text/characteristics-and-limitations?context=/azure/cognitive-services/speech-service/context/context)

+* [Integration and responsible use](/legal/cognitive-services/speech-service/speech-to-text/guidance-integration-responsible-use?context=/azure/cognitive-services/speech-service/context/context)

+* [Data, privacy, and security](/legal/cognitive-services/speech-service/speech-to-text/data-privacy-security?context=/azure/cognitive-services/speech-service/context/context)

+>

+> The pricing for custom voice is different from custom neural voice. Go to the [pricing page](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/) and check the pricing details in the collapsable "Deprecated" section. Custom voice (non-neural training) is referred as **Custom**.

+>

+> The pricing for prebuilt standard voice is different from prebuilt neural voice. Go to the [pricing page](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/) and check the pricing details in the collapsable "Deprecated" section. Prebuilt standard voice (retired) is referred as **Standard**.

+The table in this section summarizes the 19 locales supported for pronunciation assessment, and each language is available on all [Speech to text regions](regions.md#speech-service). Latest update extends support from English to 18 additional languages and quality enhancements to existing features, including accuracy, fluency and miscue assessment. You should specify the language that you're learning or practicing improving pronunciation. The default language is set as `en-US`. If you know your target learning language, [set the locale](how-to-pronunciation-assessment.md#get-pronunciation-assessment-results) accordingly. For example, if you're learning British English, you should specify the language as `en-GB`. If you're teaching a broader language, such as Spanish, and are uncertain about which locale to select, you can run various accent models (`es-ES`, `es-MX`) to determine the one that achieves the highest score to suit your specific scenario.

+>

+> The pricing for custom voice is different from custom neural voice. Go to the [pricing page](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/) and check the pricing details in the collapsable "Deprecated" section. Custom voice (non-neural training) is referred as **Custom**.

+>

+> The pricing for prebuilt standard voice is different from prebuilt neural voice. Go to the [pricing page](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/) and check the pricing details in the collapsable "Deprecated" section. Prebuilt standard voice (retired) is referred as **Standard**.

+## Responsible AI

+An AI system includes not only the technology, but also the people who will use it, the people who will be affected by it, and the environment in which it is deployed. Read the transparency notes to learn about responsible AI use and deployment in your systems.

+### Speech to text

+* [Transparency note and use cases](/legal/cognitive-services/speech-service/speech-to-text/transparency-note?context=/azure/cognitive-services/speech-service/context/context)

+* [Characteristics and limitations](/legal/cognitive-services/speech-service/speech-to-text/characteristics-and-limitations?context=/azure/cognitive-services/speech-service/context/context)

+* [Integration and responsible use](/legal/cognitive-services/speech-service/speech-to-text/guidance-integration-responsible-use?context=/azure/cognitive-services/speech-service/context/context)

+* [Data, privacy, and security](/legal/cognitive-services/speech-service/speech-to-text/data-privacy-security?context=/azure/cognitive-services/speech-service/context/context)

+### Pronunciation Assessment

+* [Transparency note and use cases](/legal/cognitive-services/speech-service/pronunciation-assessment/transparency-note-pronunciation-assessment?context=/azure/cognitive-services/speech-service/context/context)

+* [Characteristics and limitations](/legal/cognitive-services/speech-service/pronunciation-assessment/characteristics-and-limitations-pronunciation-assessment?context=/azure/cognitive-services/speech-service/context/context)

+### Custom Neural Voice

+* [Transparency note and use cases](/legal/cognitive-services/speech-service/custom-neural-voice/transparency-note-custom-neural-voice?context=/azure/cognitive-services/speech-service/context/context)

+* [Characteristics and limitations](/legal/cognitive-services/speech-service/custom-neural-voice/characteristics-and-limitations-custom-neural-voice?context=/azure/cognitive-services/speech-service/context/context)

+* [Limited access](/legal/cognitive-services/speech-service/custom-neural-voice/limited-access-custom-neural-voice?context=/azure/cognitive-services/speech-service/context/context)

+* [Responsible deployment of synthetic speech](/legal/cognitive-services/speech-service/custom-neural-voice/concepts-guidelines-responsible-deployment-synthetic?context=/azure/cognitive-services/speech-service/context/context)

+* [Disclosure of voice talent](/legal/cognitive-services/speech-service/disclosure-voice-talent?context=/azure/cognitive-services/speech-service/context/context)

+* [Disclosure of design guidelines](/legal/cognitive-services/speech-service/custom-neural-voice/concepts-disclosure-guidelines?context=/azure/cognitive-services/speech-service/context/context)

+* [Disclosure of design patterns](/legal/cognitive-services/speech-service/custom-neural-voice/concepts-disclosure-patterns?context=/azure/cognitive-services/speech-service/context/context)

+* [Code of conduct](/legal/cognitive-services/speech-service/tts-code-of-conduct?context=/azure/cognitive-services/speech-service/context/context)

+* [Data, privacy, and security](/legal/cognitive-services/speech-service/custom-neural-voice/data-privacy-security-custom-neural-voice?context=/azure/cognitive-services/speech-service/context/context)

+### Speaker Recognition

+* [Transparency note and use cases](/legal/cognitive-services/speech-service/speaker-recognition/transparency-note-speaker-recognition?context=/azure/cognitive-services/speech-service/context/context)

+* [Characteristics and limitations](/legal/cognitive-services/speech-service/speaker-recognition/characteristics-and-limitations-speaker-recognition?context=/azure/cognitive-services/speech-service/context/context)

+* [Limited access](/legal/cognitive-services/speech-service/speaker-recognition/limited-access-speaker-recognition?context=/azure/cognitive-services/speech-service/context/context)

+* [General guidelines](/legal/cognitive-services/speech-service/speaker-recognition/guidance-integration-responsible-use-speaker-recognition?context=/azure/cognitive-services/speech-service/context/context)

+* [Data, privacy, and security](/legal/cognitive-services/speech-service/speaker-recognition/data-privacy-speaker-recognition?context=/azure/cognitive-services/speech-service/context/context)

+## Responsible AI

+An AI system includes not only the technology, but also the people who will use it, the people who will be affected by it, and the environment in which it is deployed. Read the transparency notes to learn about responsible AI use and deployment in your systems.

+* [Transparency note and use cases](/legal/cognitive-services/speech-service/pronunciation-assessment/transparency-note-pronunciation-assessment?context=/azure/cognitive-services/speech-service/context/context)

+* [Characteristics and limitations](/legal/cognitive-services/speech-service/pronunciation-assessment/characteristics-and-limitations-pronunciation-assessment?context=/azure/cognitive-services/speech-service/context/context)

+## Responsible AI

+An AI system includes not only the technology, but also the people who will use it, the people who will be affected by it, and the environment in which it is deployed. Read the transparency notes to learn about responsible AI use and deployment in your systems.

+* [Transparency note and use cases](/legal/cognitive-services/speech-service/speaker-recognition/transparency-note-speaker-recognition?context=/azure/cognitive-services/speech-service/context/context)

+* [Characteristics and limitations](/legal/cognitive-services/speech-service/speaker-recognition/characteristics-and-limitations-speaker-recognition?context=/azure/cognitive-services/speech-service/context/context)

+* [Limited access](/legal/cognitive-services/speech-service/speaker-recognition/limited-access-speaker-recognition?context=/azure/cognitive-services/speech-service/context/context)

+* [General guidelines](/legal/cognitive-services/speech-service/speaker-recognition/guidance-integration-responsible-use-speaker-recognition?context=/azure/cognitive-services/speech-service/context/context)

+* [Data, privacy, and security](/legal/cognitive-services/speech-service/speaker-recognition/data-privacy-speaker-recognition?context=/azure/cognitive-services/speech-service/context/context)

+>

+> For words that have low pitch and short duration, the pitch might not be raised enough to be noticed.

+## Responsible AI

+An AI system includes not only the technology, but also the people who will use it, the people who will be affected by it, and the environment in which it is deployed. Read the transparency notes to learn about responsible AI use and deployment in your systems.

+* [Transparency note and use cases](/legal/cognitive-services/speech-service/speech-to-text/transparency-note?context=/azure/cognitive-services/speech-service/context/context)

+* [Characteristics and limitations](/legal/cognitive-services/speech-service/speech-to-text/characteristics-and-limitations?context=/azure/cognitive-services/speech-service/context/context)

+* [Integration and responsible use](/legal/cognitive-services/speech-service/speech-to-text/guidance-integration-responsible-use?context=/azure/cognitive-services/speech-service/context/context)

+* [Data, privacy, and security](/legal/cognitive-services/speech-service/speech-to-text/data-privacy-security?context=/azure/cognitive-services/speech-service/context/context)

+| Prebuilt neural voice (called *Neural* on the [pricing page](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/)) | Highly natural out-of-the-box voices. Create an Azure account and Speech service subscription, and then use the [Speech SDK](./get-started-text-to-speech.md) or visit the [Speech Studio portal](https://speech.microsoft.com/portal) and select prebuilt neural voices to get started. Check the [pricing details](https://azure.microsoft.com/pricing/details/cognitive-services/speech-services/). | Check the [Voice Gallery](https://speech.microsoft.com/portal/voicegallery) and determine the right voice for your business needs. |

+Custom Neural Voice (CNV) endpoint hosting is measured by the actual time (hour). The hosting time (hours) for each endpoint is calculated at 00:00 UTC every day for the previous 24 hours. For example, if the endpoint has been active for 24 hours on day one, it will be billed for 24 hours at 00:00 UTC the second day. If the endpoint is newly created or has been suspended during the day, it will be billed for its accumulated running time until 00:00 UTC the second day. If the endpoint is not currently hosted, it will not be billed. In addition to the daily calculation at 00:00 UTC each day, the billing is also triggered immediately when an endpoint is deleted or suspended. For example, for an endpoint created at 08:00 UTC on December 1, the hosting hour will be calculated to 16 hours at 00:00 UTC on December 2 and 24 hours at 00:00 UTC on December 3. If the user suspends hosting the endpoint at 16:30 UTC on December 3, the duration (16.5 hours) from 00:00 to 16:30 UTC on December 3 will be calculated for billing.

+## Responsible AI

+An AI system includes not only the technology, but also the people who will use it, the people who will be affected by it, and the environment in which it is deployed. Read the transparency notes to learn about responsible AI use and deployment in your systems.

+* [Transparency note and use cases for Custom Neural Voice](/legal/cognitive-services/speech-service/custom-neural-voice/transparency-note-custom-neural-voice?context=/azure/cognitive-services/speech-service/context/context)

+* [Characteristics and limitations for using Custom Neural Voice](/legal/cognitive-services/speech-service/custom-neural-voice/characteristics-and-limitations-custom-neural-voice?context=/azure/cognitive-services/speech-service/context/context)

+* [Limited access to Custom Neural Voice](/legal/cognitive-services/speech-service/custom-neural-voice/limited-access-custom-neural-voice?context=/azure/cognitive-services/speech-service/context/context)

+* [Guidelines for responsible deployment of synthetic voice technology](/legal/cognitive-services/speech-service/custom-neural-voice/concepts-guidelines-responsible-deployment-synthetic?context=/azure/cognitive-services/speech-service/context/context)

+* [Disclosure for voice talent](/legal/cognitive-services/speech-service/disclosure-voice-talent?context=/azure/cognitive-services/speech-service/context/context)

+* [Disclosure design guidelines](/legal/cognitive-services/speech-service/custom-neural-voice/concepts-disclosure-guidelines?context=/azure/cognitive-services/speech-service/context/context)

+* [Disclosure design patterns](/legal/cognitive-services/speech-service/custom-neural-voice/concepts-disclosure-patterns?context=/azure/cognitive-services/speech-service/context/context)

+* [Code of Conduct for Text to speech integrations](/legal/cognitive-services/speech-service/tts-code-of-conduct?context=/azure/cognitive-services/speech-service/context/context)

+* [Data, privacy, and security for Custom Neural Voice](/legal/cognitive-services/speech-service/custom-neural-voice/data-privacy-security-custom-neural-voice?context=/azure/cognitive-services/speech-service/context/context)

+ Title: Frequently asked questions about trial phone numbers in Azure Communication Services

+description: A conceptual overview plus FAQ for trial phone numbers and verified phone numbers.

+# Frequently asked questions about trial phone numbers in Azure Communication Services

+This article answers commonly asked questions about Trial Phone Numbers and Verified Phone Numbers.

+## Trial Phone Numbers

+### How many trial phone numbers can I request?

+Customers are limited to one trial phone number.

+

+### Is my subscription eligible for a trial phone number?

+Currently trial phone numbers are only available for US subscriptions. For more information on subscriptions in other regions available for purchase, see our subscription eligibility documentation.

+### Can I use the trial phone number for SMS messaging?

+No, currently the trial phone number for Azure Communication Services only supports PSTN Calling capabilities. SMS messaging capabilities for trial phone numbers will be available soon. Keep an eye on the Azure Communication Services documentation for updates on when SMS functionality will be added to the trial phone numbers.

+### Can I choose a specific phone number or area code for the trial number?

+Currently, customers who can activate a trial phone number will be provided a US toll-free number. If you require a specific phone number or area code, then you must [purchase a phone number](../../quickstarts/telephony/get-phone-number.md).

+### How long can I use the trial phone number?

+The trial phone number is available for 30 days. After the trial period ends, the phone number will no longer be accessible. It's recommended to upgrade to a production subscription if you require a longer-term phone number.

+### How can I make and receive calls using the trial phone number?

+You can use Azure Communication Services APIs or SDKs to make and receive calls using the trial phone number. Microsoft provides comprehensive documentation and code samples to help you integrate the PSTN Calling capabilities into your applications.

+### What are the calling limitations on my trial phone number?

+Trial phone numbers have 60 minutes of inbound and 60 minutes of outbound PSTN calling. The max duration of a phone call is 5 minutes. The trial phone number may not be used to dial emergency services such as 911, 311, 988 or any emergency numbers.

+

+### Are there any costs associated with the trial phone number?

+While the trial phone number itself is provided at no cost during the trial period, there may be associated costs for making and receiving calls or other PSTN Calling services. It's essential to review the pricing details for Azure Communication Services to understand the costs involved.

+## Verified Phone Numbers

+### Why do I need to verify the recipient phone number for a trial phone number?

+Verifying the recipient phone number is a security measure that ensures the trial phone number can only make calls to the verified number. This helps protect against misuse and unauthorized usage of trial phone numbers.

+### How is the recipient phone number verified?

+The verification process involves sending a one-time passcode via SMS to the recipient phone number. The recipient needs to enter this code in the Azure portal to complete the verification.

+### Can I verify multiple recipient phone numbers for the same trial phone number?

+Currently the trial phone number can be verified for up to three recipient phone numbers. If you need to make calls to more numbers, then you'll need to [purchase a phone number](../../quickstarts/telephony/get-phone-number.md)

+### What happens if I enter the verification code incorrectly?

+If the verification code is entered incorrectly, the verification process fails. You can request a new verification code and try again.

+### Does the recipient phone number need to be in a specific format for verification?

+Yes, the recipient phone number should be entered in the correct international format, including the country code. Ensure that the phone number is accurate and free of any typos or formatting errors.

+### How long does the verification process take?

+The verification code is typically sent within a few seconds after initiating the verification process. The overall process should be completed quickly, depending on the recipient's ability to receive the SMS and enter the code in the Azure portal.

+## Next steps

+> [!div class="nextstepaction"]

+> [Get a trial phone number](../../quickstarts/telephony/get-trial-phone-number.md)

+ Title: Quickstart - get and manage trial phone numbers in Azure Communication Services

+description: Learn how to get and use trial phone numbers in Azure Communication Services.

+# Quickstart: get and manage a trial phone number in Azure Communication Services

+> [!NOTE]

+> Trial Phone Numbers are currently only supported by Azure subscriptions with billing addresses based in the United States. To those outside the US, you can visit the [Subscription eligibility](../../concepts/numbers/sub-eligibility-number-capability.md) documentation to determine where you purchase a phone number.

+Azure Communication Services provides powerful communication capabilities for developers to integrate voice, video, and SMS functionalities into their applications. One of the key features is the ability to acquire phone numbers for making and receiving calls. This quickstart guide walks you through the process of obtaining a trial phone number for Azure Communication Services.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- An active Communication Services resource. [Create a Communication Services resource](../create-communication-resource.md).

+## Get a trial phone number

+1. Navigate to your Communication Service resource in the [Azure portal](https://portal.azure.com).

+2. In the Communication Services resource overview, select on the "Phone numbers" option in the left-hand menu.

+If you donΓÇÖt have any phone numbers yet, you will see an empty list of phone numbers followed by this call to action for trial phone numbers.

+If you already have numbers for your Communication Services resource, you can also activate a trial phone number:

+3. Select on ΓÇ£Activate trial phone numberΓÇ¥. This immediately provisions a trial phone number to your Communication Services resource. Once the trial phone number is provisioned, you can view it on the Phone numbers page.

+## Add a verified phone number to your trial phone number

+When using a trial phone number in Azure Communication Services for PSTN Calling capabilities, it is required to verify the recipient phone number. This verification process ensures that the trial phone number can only make calls to the verified number.

+1. Once your trial phone number is provisioned, select on the number in the Phone Numbers page and navigate to the ΓÇ£Trial detailsΓÇ¥ tab:

+This tab shows the current limitations on the number, including the days left to use the number, the total calling minutes, and how many verified phone numbers are attached to the trial phone number. You can find more information on the trial phone number limitations [here](../../concepts/telephony/trial-phone-numbers-faq.md).

+2. Select on ΓÇ£Manage verified phone numbersΓÇ¥ to start adding verified phone numbers.

+3. Select ΓÇ£AddΓÇ¥ or ΓÇ£Verify a phone numberΓÇ¥ and enter your phone number and designated country code associated with it. This recipient phone number is verified by sending a one-time passcode (OTP) to their number either through SMS or automated voicemail. Choose which option you prefer, and then press ΓÇ£NextΓÇ¥ to receive the OTP.

+4. Once the user gets the one-time-passcode (OTP), enter the code into the Portal to verify the number.

+5. Once the correct OTP is entered, the phone number is verified, and it shows in the list of verified numbers that the trial number can call.

+## Conclusion

+Congratulations! You have successfully obtained a trial phone number for Azure Communication Services. You can now use this phone number to add voice capabilities to your applications. Explore the documentation and resources provided by Microsoft to learn more about Azure Communication Services and integrate it into your projects.

+Remember that trial phone numbers have limitations and are intended for evaluation and development purposes. If you require production-ready phone numbers, you can upgrade your Azure Communication Services subscription and [purchase a phone number](get-phone-number.md).

+## Next steps

+In this quickstart you learned how to:

+> [!div class="checklist"]

+> * Activate a trial phone number

+> * View your trial phone number limits

+> * Add a verified phone number

+> [!div class="nextstepaction"]

+> [Make your first outbound call with Call Automation](../call-automation/quickstart-make-an-outbound-call.md)

+> [!div class="nextstepaction"]

+> [Add PSTN calling in your app](pstn-call.md)

+6. Select **Source** Registry from the dropdown menu.

+6. Select **Source** Registry from the dropdown menu.

+ 2. Source - The name of the Source Registry.

+ 2. Source registry Login Server - The login server of your source registry.

+## Upstream support

+Cache for ACR currently supports the following upstream registries:

+| Upstream registries | Support | Availability |

+| | | -- |

+| Docker | Supports both authenticated pulls and unauthenticated pulls. | Azure CLI, Azure portal |

+| Microsoft Artifact Registry | Supports unauthenticated pulls only. | Azure CLI, Azure portal |

+| ECR Public | Supports unauthenticated pulls only. | Azure CLI |

+| Quay.io | Supports both authenticated pulls and unauthenticated pulls. | Azure CLI |

+| GitHub Container Registry | Supports both authenticated pulls and unauthenticated pulls. | Azure CLI |

+## Preview Limitations

+- Cache for ACR feature doesn't support Customer managed key (CMK) enabled registries.

+- Cache will only occur after at least one image pull is complete on the available container image. For every new image available, a new image pull must be complete. Cache for ACR doesn't automatically pull new tags of images when a new tag is available. It is on the roadmap but not supported in this release.

+- Cache for ACR only supports 50 cache rules.

+description: Learn how to troubleshoot the most common problems for a registry enabled with the Cache for ACR feature.

+# Troubleshoot guide for Cache for ACR (Preview)

+This article is part six in a six-part tutorial series. [Part one](tutorial-registry-cache.md) provides an overview of Cache for ACR, its features, benefits, and preview limitations. In [part two](tutorial-enable-registry-cache.md), you learn how to enable Cache for ACR feature by using the Azure portal. In [part three](tutorial-enable-registry-cache-cli.md), you learn how to enable Cache for ACR feature by using the Azure CLI. In [part four](tutorial-enable-registry-cache-auth.md), you learn how to enable Cache for ACR feature with authentication by using Azure portal. In [part five](tutorial-enable-registry-cache-auth-cli.md), you learn how to enable Cache for ACR feature with authentication by using Azure CLI.

+This article helps you troubleshoot problems you might encounter when attempting to use Cache for ACR (preview).

+If you're having an issue with cached images not showing up in your repository in ACR, we recommend verifying the repository path. Incorrect repository paths lead the cached images to not show up in your repository in ACR.

+### Cache rule Limit

+If you're facing issues while creating a Cache rule, we recommend verifying if you have more than 50 cache rules created.

+We recommend deleting any unwanted cache rules to avoid hitting the limit.

+## Upstream support

+Cache for ACR currently supports the following upstream registries:

+| Upstream registries | Support | Availability |

+| | | -- |

+| Docker | Supports both authenticated pulls and unauthenticated pulls. | Azure CLI, Azure portal |

+| Microsoft Artifact Registry | Supports unauthenticated pulls only. | Azure CLI, Azure portal |

+| ECR Public | Supports unauthenticated pulls only. | Azure CLI |

+| Quay.io | Supports both authenticated pulls and unauthenticated pulls. | Azure CLI |

+| GitHub Container Registry | Supports both authenticated pulls and unauthenticated pulls. | Azure CLI |

+> [!NOTE]

+> For some alerts, suppression rules are not applicable for certain entities. If the rule is not available, a message will display at the end of the **Create a suppression rule** process.

+- **Support for exemptions** - Learn how to [create exemption rules for a management group, resource group, or subscription](how-to-enable-agentless-containers.md#support-for-exemptions).

+- **Support for disabling vulnerability findings** - Learn how to [disable vulnerability assessment findings on Container registry images](disable-vulnerability-findings-containers.md).

+1. Once a day:

+ 1. All newly discovered images are pulled, and an inventory is created for each image. Image inventory is kept to avoid further image pulls, unless required by new scanner capabilities.​

+ 1. Using the inventory, vulnerability reports are generated for new images, and updated for images previously scanned which were either pushed in the last 90 days to a registry, or are currently running.

+> [!NOTE]

+> To determine if an image is currently running, Agentless Vulnerability Assessment uses [Agentless Discovery and Visibility within Kubernetes components](/azure/defender-for-cloud/concept-agentless-containers).

+ Title: Disable vulnerability assessment findings on Container registry images and running images in Microsoft Defender for Cloud

+description: Microsoft Defender for Cloud includes a fully integrated agentless vulnerability assessment solution powered by MDVM (Microsoft Defender Vulnerability Management).

+# Disable vulnerability assessment findings on container registry images

+If you have an organizational need to ignore a finding, rather than remediate it, you can optionally disable it. Disabled findings don't affect your secure score or generate unwanted noise.

+When a finding matches the criteria you've defined in your disable rules, it doesn't appear in the list of findings. Typical scenario examples include:

+- Disable findings with severity below medium

+- Disable findings for images that the vendor will not fix

+> [!IMPORTANT]

+> To create a rule, you need permissions to edit a policy in Azure Policy.

+> Learn more in [Azure RBAC permissions in Azure Policy](../governance/policy/overview.md#azure-rbac-permissions-in-azure-policy).

+You can use a combination of any of the following criteria:

+- **CVE** - Enter the CVEs of the findings you want to exclude. Ensure the CVEs are valid. Separate multiple CVEs with a semicolon. For example, CVE-2020-1347; CVE-2020-1346.

+- **Image digest** - Specify images for which vulnerabilities should be excluded based on the image digest. Separate multiple digests with a semicolon, for example: sha256:9b920e938111710c2768b31699aac9d1ae80ab6284454e8a9ff42e887fa1db31;sha256:ab0ab32f75988da9b146de7a3589c47e919393ae51bbf2d8a0d55dd92542451c

+- **OS version** - Specify images for which vulnerabilities should be excluded based on the image OS. Separate multiple versions with a semicolon, for example: ubuntu_linux_20.04;alpine_3.17

+- **Minimum Severity** - Select low, medium, high, or critical to exclude vulnerabilities less than and equal to the specified severity level.

+- **Fix status** - Select the option to exclude vulnerabilities based on their fix status.

+Disable rules apply per recommendation, for example, to disable [CVE-2017-17512](https://github.com/advisories/GHSA-fc69-2v7r-7r95) both on the registry images and runtime images, the disable rule has to be configured in both places.

+> [!NOTE]

+> The [Azure Preview Supplemental Terms](//azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+ To create a rule:

+1. From the recommendations detail page for [Container registry images should have vulnerability findings resolved powered by Microsoft Defender Vulnerability Management](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c0b7cfc6-3172-465a-b378-53c7ff2cc0d5) or [Running container images should have vulnerability findings resolved powered by Microsoft Defender Vulnerability Management

+](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5), select **Disable rule**.

+1. Select the relevant scope.

+1. Define your criteria. You can use any of the following criteria:

+

+ - **CVE** - Enter the CVEs of the findings you want to exclude. Ensure the CVEs are valid. Separate multiple CVEs with a semicolon. For example, CVE-2020-1347; CVE-2020-1346.

+ - **Image digest** - Specify images for which vulnerabilities should be excluded based on the image digest. Separate multiple digests with a semicolon, for example: sha256:9b920e938111710c2768b31699aac9d1ae80ab6284454e8a9ff42e887fa1db31;sha256:ab0ab32f75988da9b146de7a3589c47e919393ae51bbf2d8a0d55dd92542451c

+ - **OS version** - Specify images for which vulnerabilities should be excluded based on the image OS. Separate multiple versions with a semicolon, for example: ubuntu_linux_20.04;alpine_3.17

+ - **Minimum Severity** - Select low, medium, high, or critical to exclude vulnerabilities less than and equal to the specified severity level.

+ - **Fix status** - Select the option to exclude vulnerabilities based on their fix status.

+1. In the justification text box, add your justification for why a specific vulnerability was disabled. This provides clarity and understanding for anyone reviewing the rule.

+

+1. Select **Apply rule**.

+ :::image type="content" source="./media/disable-vulnerability-findings-containers/disable-rules.png" alt-text="Screenshot showing where to create a disable rule for vulnerability findings on registry images." lightbox="media/disable-vulnerability-findings-containers/disable-rules.png":::

+ > [!IMPORTANT]

+ > Changes might take up to 24hrs to take effect.

+**To view, override, or delete a rule:**

+1. From the recommendations detail page, select **Disable rule**.

+1. From the scope list, subscriptions with active rules show as **Rule applied**.

+1. To view or delete the rule, select the ellipsis menu ("...").

+1. Do one of the following:

+ - To view or override a disable rule - select **View rule**, make any changes you want, and select **Override rule**.

+ - To delete a disable rule - select **Delete rule**.

+ :::image type="content" source="./media/disable-vulnerability-findings-containers/override-rules.png" alt-text="Screenshot showing where to view, delete or override a rule for vulnerability findings on registry images." lightbox="media/disable-vulnerability-findings-containers/override-rules.png":::

+## Next steps

+- Learn how to [view and remediate vulnerability assessment findings for registry images](view-and-remediate-vulnerability-assessment-findings.md).

+- Learn about [agentless container posture](concept-agentless-containers.md).

+To deploy Azure's Application Gateway WAF, do the following:

+1. From the Azure portal, open **Defender for Cloud**.

+1. From Defender for Cloud's menu, select **Security solutions**.

+1. In the **Add data sources** section, select **Add** for Azure's Application Gateway WAF.

+ :::image type="content" source="media/other-threat-protections/deploy-azure-waf.png" alt-text="Screenshot showing where to select add to deploy WAF." lightbox="media/other-threat-protections/deploy-azure-waf.png":::

+|July 9 | [Support for disabling specific vulnerability findings](#support-for-disabling-specific-vulnerability-findings)

+### Support for disabling specific vulnerability findings

+July 9, 2023

+Release of support for disabling vulnerability findings for your container registry images or running images as part of agentless container posture. If you have an organizational need to ignore a vulnerability finding on your container registry image, rather than remediate it, you can optionally disable it. Disabled findings don't affect your secure score or generate unwanted noise.

+Learn how to [disable vulnerability assessment findings on Container registry images](disable-vulnerability-findings-containers.md).

+Defender for Cloud has improved the onboarding experience to include a new streamlined user interface and instructions in addition to new capabilities that allow you to onboard your AWS and GCP environments while providing access to advanced onboarding features.

+The following settings work only for workflows that start with a recurrence-based trigger for [built-in, service provider-based connectors](/azure/logic-apps/connectors/built-in/reference/). For a workflow that starts with a function-based trigger, you might try to [set up batching where supported](logic-apps-batch-process-send-receive-messages.md). However, batching isn't always the correct solution. For example, with Azure Service Bus triggers, a batch might hold onto messages beyond the lock duration. As a result, any action, such as complete or abandon, fails on such messages.

+### Outputs

+In this step, you can view all flow outputs, and specify which outputs will be included in the response of the endpoint you deploy.

+- embeddingstore --extra-index-url https://azuremlsdktestpypi.azureedge.net/embeddingstore

+- Create related Faiss-based index files on Azure Blob Storage. We support the LangChain format (index.faiss + index.pkl) for the index files, which can be prepared either by employing our EmbeddingStore SDK or following the quick guide from [LangChain documentation](https://python.langchain.com/docs/modules/data_connection/vectorstores/integrations/faiss). Please refer to [the sample notebook for creating Faiss index](https://aka.ms/pf-sample-build-faiss-index) for building index using EmbeddingStore SDK.

+- Based on where you put your own index files, the identity used by the promptflow runtime should be granted with certain roles. Please refer to [Steps to assign an Azure role](../../../role-based-access-control/role-assignments-steps.md):

+ | Location | Role |

+ | - | - |

+ | workspace datastores or workspace default blob | AzureML Data Scientist |

+ | other blobs | Storage Blob Data Reader |

+| path | string | URL or path for the vector store.<br><br>blob URL format:<br>https://`<account_name>`.blob.core.windows.net/`<container_name>`/`<path_and_folder_name>`.<br><br>AML datastore URL format:<br>azureml://subscriptions/`<your_subscription>`/resourcegroups/`<your_resource_group>`/workspaces/`<your_workspace>`/data/`<data_path>`<br><br>relative path to workspace datastore `workspaceblobstore`:<br>`<path_and_folder_name>`<br><br> public http/https URL (for public demonstration):<br>http(s)://`<path_and_folder_name>` | Yes |

+- embeddingstore --extra-index-url https://azuremlsdktestpypi.azureedge.net/embeddingstore

+ - Add "CognitiveSearchConnection" connection. Fill "API key" field with "Primary admin key" from "Keys" section of created resource, and fill "Api Base" field with the URL, the URL format is `https://{your_serive_name}.search.windows.net`.

+- embeddingstore --extra-index-url https://azuremlsdktestpypi.azureedge.net/embeddingstore

+- Based on where you put your Vector Index, the identity used by the promptflow runtime should be granted with certain roles. Please refer to [Steps to assign an Azure role](../../../role-based-access-control/role-assignments-steps.md):

+ | Location | Role |

+ | - | - |

+ | workspace datastores or workspace default blob | AzureML Data Scientist |

+ | other blobs | Storage Blob Data Reader |

+| path | string | blob/AML asset/datastore URL for the VectorIndex.<br><br>blob URL format:<br>https://`<account_name>`.blob.core.windows.net/`<container_name>`/`<path_and_folder_name>`.<br><br>AML asset URL format:<br>azureml://subscriptions/`<your_subscription>`/resourcegroups/`<your_resource_group>>`/workspaces/`<your_workspace>`/datastores/`<your_datastore>`/paths/`<asset_name and optional version/label>`<br><br>AML datastore URL format:<br>azureml://subscriptions/`<your_subscription>`/resourcegroups/`<your_resource_group>`/workspaces/`<your_workspace>`/data/`<data_path>` | Yes |

+ Title: Connect through a shared private link

+description: Configure indexer connections to access content from other Azure resources that are protected through a shared private link.

+# Make outbound connections through a shared private link

+Setting up a private connection allows Azure Cognitive Search to connect to Azure PaaS through a virtual network IP address instead of a port that's open to the internet. The object created for the connection is called a *shared private link*. On the connection, Search uses the shared private link internally to reach an Azure PaaS resource inside the network boundary.

+Shared private link is a premium feature that's billed by usage. The costs of reading from a data source through the private endpoint are billed to your Azure subscription. As the indexer reads data from the data source, network egress charges are billed at the ["inbound data processed"](https://azure.microsoft.com/pricing/details/private-link/) rate.

+The resource owner must approve the connection request you created. This section assumes the portal for this step, but you can also use the REST APIs of the Azure PaaS resource. [Private Endpoint Connections (Storage Resource Provider)](/rest/api/storagerp/privateendpointconnections) and [Private Endpoint Connections (Cosmos DB Resource Provider)](/rest/api/cosmos-db-resource-provider/2023-03-15/private-endpoint-connections) are two examples.

+| [Built-in skills](cognitive-search-predefined-skills.md) (AI enrichment) ¹ | Number of transactions, billed at the same rate as if you had performed the task by calling Cognitive Services directly. You can process 20 documents per indexer per day for free. Larger or more frequent workloads require a multi-resource Cognitive Services key. |

+| [Semantic search](semantic-search-overview.md) ¹ | Number of queries of "queryType=semantic", billed at a progressive rate. See the [pricing page](https://azure.microsoft.com/pricing/details/search/#pricing). |

+| [Shared private link](search-indexer-howto-access-private.md) ¹ | [Billed for bandwidth](https://azure.microsoft.com/pricing/details/private-link/) as long as the shared private link exists and is used. |

+² In an [indexer configuration](/rest/api/searchservice/create-indexer#indexer-parameters), "imageAction" is the parameter that triggers image extraction. If "imageAction" is set to "none" (the default), you won't be charged for image extraction. Costs are incurred when "imageAction" parameter is set *and* you include OCR, Image Analysis, or Document Extraction in a skillset.

+Popular vector similarity metrics include the following, which are all supported by Azure Cognitive Search.

+ tcpdump -i any port 514 -A vv &

+ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» ΓÇ» "name": "PerGB",

+- For more tips on reducing Log Analytics data volume, see [Azure Monitor best practices - Cost management](../azure-monitor/best-practices-cost.md).

+1. In the **Configuration > Configure an SAP system and assign it to a collector agent** area, you can view information on the health of your SAP systems. Learn how to [add new SAP systems](sap/deploy-data-connector-agent-container.md).

+ The following table describes the different fields in the **Configure an SAP system and assign it to a collector agent** area.

+### System health status and details

+|Agent name |Unique ID of the installed data connector agent. | | |

+|Health |Indicates whether the SID is healthy. To troubleshoot health issues, [review the container execution logs](sap/sap-deploy-troubleshoot.md#view-all-container-execution-logs) and review other [troubleshooting steps](sap/sap-deploy-troubleshoot.md). |ΓÇó **System healthy** (green icon): Indicates that Microsoft Sentinel identified both logs and a heartbeat from the system.<br>ΓÇó **System Connected ΓÇô unauthorized to collect role, production assumed** (yellow icon): Microsoft Sentinel doesn't have sufficient permissions to define whether the system is a production system. In this case, Microsoft Sentinel defines the system as a production system. To allow Microsoft Sentinel to receive the system status, review the Notes column.<br>ΓÇó **Connected with errors** (yellow icon): Microsoft Sentinel detected errors when fetching the system role. In this case, Microsoft Sentinel received data regarding whether the system is or isn't a production system.<br>ΓÇó **System not connected**: Microsoft Sentinel was unable to connect to the SAP system, and cannot fetch the system role. In this case, Microsoft Sentinel received data regarding whether the system is or isn't a production system.<br><br>Other statuses, like **System unreachable for over 1 day**, indicate the connectivity status. |If the system health status is **System Connected ΓÇô unauthorized to collect role, production assumed**, check the Microsoft Sentinel role definitions and permissions on the SAP system, and validate that the system allows Microsoft Sentinel to read the content of the T000 table. Next, consider [updating the SAP connector](sap/update-sap-data-connector.md) to the latest version. |

+### Map users of the ABAP service provider to external user IDs

+1. Run the **SM30** transaction.

+1. In the **Table/View** field, type **VUSREXTID**, then select **Maintain**.

+1. In the **Determine Work Area: Entry** page, select the **DN** ID type as the **Work Area**.

+1. Type these details:

+ - **External ID**: *CN=Sentinel*, *C=US*

+ - **Seq. No**: *000*

+ - **User**: *SENTINEL*

+1. Select **Save** and **Enter**.

+ :::image type="content" source="media/configure-snc/vusrextid-table-configuration.png" alt-text="Screenshot of configuring the SAP VUSREXTID table.":::

+This article shows you how to deploy the container and create SAP systems via the UI. Also see [this video](https://www.youtube.com/watch?v=bg0vmUvcQ5Q) that shows the agent deployment process via the UI.

+Alternatively, you can [deploy the data connector agent using other methods](deploy-data-connector-agent-container-other-methods.md): Managed identity, a registered application, a configuration file, or directly on the VM.

+1. Run the following commands to **create a key vault** (substitute actual names for the `<placeholders>`). If you'll be using an existing key vault, ignore this step:

+- Announcement: [Changes to Microsoft Defender for Office 365 connector alerts that apply when disconnecting and reconnecting](#changes-to-microsoft-defender-for-office-365-connector-alerts-that-apply-when-disconnecting-and-reconnecting)

+Content hub is now generally available (GA)! The [content hub centralization changes announced in February](#out-of-the-box-content-centralization-changes) have also been released. For more information on these changes and their impact, including more details about the tool provided to reinstate **IN USE** gallery templates, see [Out-of-the-box (OOTB) content centralization changes](sentinel-content-centralize.md).

+- [Changes to Microsoft Defender for Office 365 connector alerts that apply when disconnecting and reconnecting](#changes-to-microsoft-defender-for-office-365-connector-alerts-that-apply-when-disconnecting-and-reconnecting)

+### Changes to Microsoft Defender for Office 365 connector alerts that apply when disconnecting and reconnecting

+To improve the overall experience for Microsoft Defender for Office 365 alerts, we've improved the sync between alerts and incidents, and increased the number of alerts that flow through the connector.

+To benefit from this change, disconnect and reconnect the Microsoft Defender for Office 365 connector. However, by taking this action, some fields are no longer populated:

+- `ExtendedProperties["InvestigationName"]`

+- `ExtendedProperties["Status"]`

+- `ExtendedLinks`

+- `AdditionalActionsAndResults` located inside the `Entities` field

+To retrieve the information that was previously retrieved by these fields, in the Microsoft 365 Defender portal, on the left, select **Alerts**, and locate the following information:

+- `ExtendedProperties["InvestigationName"]`: Under **Investigation ID**:

+

+ :::image type="content" source="medio-connector-fields-investigation-id.png":::

+- `ExtendedProperties["Status"]`: Under **Investigation status**:

+

+ :::image type="content" source="medio-connector-fields-investigation-status.png" alt-text="Screenshot showing the Microsoft Defender for Office 365 alerts Investigation status field in the Microsoft 365 Defender portal.":::

+- `ExtendedLinks`: Select **Investigation ID**, which opens the relevant **Investigation** page.

+Azure Synapse Analytics uses Azure Active Directory (Azure AD) passthrough by default for authentication between resources. If you need to connect to a resource using other credentials, use the mssparkutils directly. The mssparkutils simplifies the process of retrieving SAS tokens, Azure AD tokens, connection strings, and secrets stored in a linked service or from an Azure Key Vault.

+Accessing files from the primary Azure Data Lake Storage uses Azure Active Directory passthrough for authentication by default and doesn't require the explicit use of the mssparkutils. The identity used in the passthrough authentication differs based on a few factors. By default, interactive notebooks are executed using the user's identity, but it can be changed to the workspace managed service identity (MSI). Batch jobs and non-interactive executions of the notebook use the Workspace MSI.

+Azure Synapse Analytics provides an integrated linked services experience when connecting to Azure Data Lake Storage Gen2. Linked services can be configured to authenticate using an **Account Key**, **Service Principal**, **Managed Identity**, or **Credential**.

+spark.conf.set(s"spark.storage.synapse.$source_full_storage_account_name.linkedServiceName", "<LINKED SERVICE NAME>")

+sc.hadoopConfiguration.set(s"fs.azure.account.auth.type.$source_full_storage_account_name", "SAS")

+sc.hadoopConfiguration.set(s"fs.azure.sas.token.provider.type.$source_full_storage_account_name", "com.microsoft.azure.synapse.tokenlibrary.LinkedServiceBasedSASProvider")

+spark.conf.set(s"spark.storage.synapse.$source_full_storage_account_name.linkedServiceName", "<LINKED SERVICE NAME>")

+sc.hadoopConfiguration.set(s"fs.azure.account.oauth.provider.type.$source_full_storage_account_name", "com.microsoft.azure.synapse.tokenlibrary.LinkedServiceBasedTokenProvider")

+```

+```

+In government clouds, please provide the fully qualified domain name of the keyvault.

+#### Linked service connections supported from the Spark runtime

+While Azure Synapse Analytics supports a variety of linked service connections (from pipelines and other Azure products), not all of them are supported from the Spark runtime. Here is the list of supported linked

+ - Azure Cognitive Services

+ - Azure Database for MySQL

+ - Azure Database for Postgre SQL

+ - Azure Data Lake Store (Gen1)

+ - Azure Key Vault

+ - Azure SQL Database

+ - Azure SQL Data Warehouse (Dedicated and Serverless)

+ - Azure Storage

+ #### mssparkutils.credenials.getToken()

+ When you need an OAuth bearer token to access services directly, you can use the `getToken` method. The following resources are supported:

+| Service Name | String literal to be used in API call |

+|-||

+| Azure Storage | `Storage` |

+| Azure Key Vault | `Vault` |

+| Azure Management | `AzureManagement` |

+| Azure SQL Data Warehouse (Dedicated and Serverless) | `DW` |

+| Azure Synapse | `Synapse` |

+| Azure Data Lake Store | `DataLakeStore` |

+| Azure Data Factory | `ADF` |

+| Azure Data Explorer | `AzureDataExplorer` |

+| Azure Database for MySQL | `AzureOSSDB` |

+| Azure Database for MariaDB | `AzureOSSDB` |

+| Azure Database for PostgreSQL | `AzureOSSDB` |

+#### Unsupported linked service access from the Spark runtime

+The following methods of accessing the linked services are not supported from the Spark runtime:

+ - Connections with User assigned managed identities (UAMI)

+While running a notebook or a Spark job, requests to get a token / secret using a linked service may fail with an error message that indicates 'BadRequest'. This is often caused by a configuration issue with the linked service. If you see this error message, please check the configuration of your linked service. If you have any questions, please contact Microsoft Azure Support at https://portal.azure.com.

+$ orapwd file=/u01/app/oracle/product/19.0.0/dbhome_1/dbs/orapwcdb1 password=OracleLab123 entries=10 force=y

+> If there is a requirement to migrate an provisioned range from one region to the other, the original custom IP prefix must be fully removed from the first region before a new custom IP prefix with the same address range can be created in another region.