+Custom template models generate an estimated accuracy score when trained. Documents analyzed with a custom model produce a confidence score for extracted fields. A confidence score indicates probability by measuring the degree of statistical certainty that the extracted result is detected correctly. The estimated accuracy is calculated by running a few different combinations of the training data to predict the labeled values. In this article, learn to interpret accuracy and confidence scores and best practices for using those scores to improve accuracy and confidence results.

+The output of a `build` (v3.0) or `train` (v2.1) custom model operation includes the estimated accuracy score. This score represents the model's ability to accurately predict the labeled value on a visually similar document. Accuracy is measured within a percentage value range from 0% (low) to 100% (high). It's best to target a score of 80% or higher. For more sensitive cases, like financial or medical records, we recommend a score of close to 100%. You can also require human review.

+## Improve confidence scores

+After an analysis operation, review the JSON output. Examine the `confidence` values for each key/value result under the `pageResults` node. You should also look at the confidence score in the `readResults` node, which corresponds to the text-read operation. The confidence of the read results doesn't affect the confidence of the key/value extraction results, so you should check both. Here are some tips:

+* If the confidence score for the `readResults` object is low, improve the quality of your input documents.

+* If the confidence score for the `pageResults` object is low, ensure that the documents you're analyzing are of the same type.

+* Consider incorporating human review into your workflows.

+* Use forms that have different values in each field.

+* For custom models, use a larger set of training documents. Tagging more documents teaches your model to recognize fields with greater accuracy.

+* With the model compose operation, you can assign up to 200 models to a single model ID. If the number of models that I want to compose exceeds the upper limit of a composed model, you can use one of these alternatives:

+ * Classify the documents before calling the custom model. You can use the [Read model](concept-read.md) and build a classification based on the extracted text from the documents and certain phrases by using sources like code, regular expressions, or search.

+ * If you want to extract the same fields from various structured, semi-structured, and unstructured documents, consider using the deep-learning [custom neural model](concept-custom-neural.md). Learn more about the [differences between the custom template model and the custom neural model](concept-custom.md#compare-model-features).

+* Analyzing a document by using composed models is identical to analyzing a document by using a single model. The `Analyze Document` result returns a `docType` property that indicates which of the component models you selected for analyzing the document. There's no change in pricing for analyzing a document by using an individual custom model or a composed custom model.

+* Model Compose is currently available only for custom models trained with labels.

+* A single file containing one document type, such as a loan application form.

+* A single file containing multiple document types. For instance, a loan application package that contains a loan application form, payslip, and bank statement.

+|Model | PDF |Image:<br>`jpeg/jpg`, `png`, `bmp`, `tiff`, `heif`| Microsoft Office:<br> Word (docx), Excel (xlxs), PowerPoint (pptx)|

+The `analyze` operation now includes a `splitMode` property that gives you granular control over the splitting behavior.

+Custom models now include [custom classification models](./concept-custom-classifier.md) for scenarios where you need to identify the document type before invoking the extraction model. Classifier models are available starting with the ```2023-07-31 (GA)``` API. A classification model can be paired with a custom extraction model to analyze and extract fields from forms and documents specific to your business. Standalone custom extraction models can be combined to create [composed models](concept-composed-models.md).

+> Starting with version 4.0 (2024-02-29-preview) API, custom neural models now support **overlapping fields** and **table, row and cell level confidence**.

+ |Model | PDF |Image: </br>`jpeg/jpg`, `png`, `bmp`, `tiff`, `heif` | Microsoft Office: </br> Word (docx), Excel (xlsx), PowerPoint (pptx)|

+### Optimal training data

+Training input data is the foundation of any machine learning model. It determines the quality, accuracy, and performance of the model. Therefore, it's crucial to create the best training input data possible for your Document Intelligence project. When you use the Document Intelligence custom model, you provide your own training data. Here are a few tips to help train your models effectively:

+* Use text-based instead of image-based PDFs when possible. One way to identify an image*based PDF is to try selecting specific text in the document. If you can select only the entire image of the text, the document is image based, not text based.

+* Organize your training documents by using a subfolder for each format (JPEG/JPG, PNG, BMP, PDF, or TIFF).

+* Use forms that have all of the available fields completed.

+* Use forms with differing values in each field.

+* Use a larger dataset (more than five training documents) if your images are low quality.

+* Determine if you need to use a single model or multiple models composed into a single model.

+* Consider segmenting your dataset into folders, where each folder is a unique template. Train one model per folder, and compose the resulting models into a single endpoint. Model accuracy can decrease when you have different formats analyzed with a single model.

+* Consider segmenting your dataset to train multiple models if your form has variations with formats and page breaks. Custom forms rely on a consistent visual template.

+* Ensure that you have a balanced dataset by accounting for formats, document types, and structure.

+The `build custom model` operation adds support for the *template* and *neural* custom models. Previous versions of the REST API and client libraries only supported a single build mode that is now known as the *template* mode.

+## Custom model life cycle

+The life cycle of a custom model depends on the API version that is used to train it. If the API version is a general availability (GA) version, the custom model has the same life cycle as that version. The custom model isn't available for inference when the API version is deprecated. If the API version is a preview version, the custom model has the same life cycle as the preview version of the API.

+The new machine-learning based page object detection extracts logical roles like titles, section headings, page headers, page footers, and more. The Document Intelligence Layout model assigns certain text blocks in the `paragraphs` collection with their specialized role or type predicted by the model. It's best to use paragraph roles with unstructured documents to help understand the layout of the extracted content for a richer semantic analysis. The following paragraph roles are supported:

+Here are a few factors to consider when using the Document Intelligence bale extraction capability:

+* Is the data that you want to extract presented as a table, and is the table structure meaningful?

+* Can the data fit in a two-dimensional grid if the data isn't in a table format?

+* Do your tables span multiple pages? If so, to avoid having to label all the pages, split the PDF into pages before sending it to Document Intelligence. After the analysis, post-process the pages to a single table.

+* Refer to [Labeling as tables](quickstarts/try-document-intelligence-studio.md#labeling-as-tables) if you're creating custom models. Dynamic tables have a variable number of rows for each column. Fixed tables have a constant number of rows for each column.

+> [!NOTE]

+>

+> * Document processing projects that involve financial data, protected health data, personal data, or highly sensitive data require careful attention.

+> * Be sure to comply with all [national/regional and industry-specific requirements](https://azure.microsoft.com/resources/microsoft-azure-compliance-offerings/).

+\* - Contains submodels. See the model specific information for supported variations and subtypes.

+### Latency

+Latency is the amount of time it takes for an API server to handle and process an incoming request and deliver the outgoing response to the client. The time to analyze a document depends on the size (for example, number of pages) and associated content on each page. Document Intelligence is a multitenant service where latency for similar documents is comparable but not always identical. Occasional variability in latency and performance is inherent in any microservice-based, stateless, asynchronous service that processes images and large documents at scale. Although we're continuously scaling up the hardware and capacity and scaling capabilities, you might still have latency issues at runtime.

+### Bounding box and polygon coordinates

+A bounding box (`polygon` in v3.0 and later versions) is an abstract rectangle that surrounds text elements in a document used as a reference point for object detection.

+* The bounding box specifies position by using an x and y coordinate plane presented in an array of four numerical pairs. Each pair represents a corner of the box in the following order: upper left, upper right, lower right, lower left.

+* Image coordinates are presented in pixels. For a PDF, coordinates are presented in inches.

+## Language support

+The deep-learning-based universal models in Document Intelligence support many languages that can extract multilingual text from your images and documents, including text lines with mixed languages.

+Language support varies by Document Intelligence service functionality. For a complete list, see the following articles:

+* [Language support: document analysis models](language-support-ocr.md)

+* [Language support: prebuilt models](language-support-prebuilt.md)

+* [Language support: custom models](language-support-custom.md)

+## Regional availability

+Document Intelligence is generally available in many of the [60+ Azure global infrastructure regions](https://azure.microsoft.com/global-infrastructure/services/?products=metrics-advisor&regions=all#select-product).

+For more information, see our [Azure geographies](https://azure.microsoft.com/global-infrastructure/geographies/#overview) page to help choose the region that's best for you and your customers.

+## Model details

+This section describes the output you can expect from each model. You can extend the output of most models with add-on features.

+The US mortgage document models analyze and extract key fields including borrower, loan, and property information from a select group of mortgage documents. The API supports the analysis of English-language US mortgage documents of various formats and quality including phone-captured images, scanned documents, and digital PDFs. The following models are currently supported:

+ |1008 Summary document|Extract borrower, seller, property, mortgage, and underwriting details.|**prebuilt-mortgage.us.1008**|

+ |Closing disclosure|Extract closing, transaction costs, and loan details.|**prebuilt-mortgage.us.closingDisclosure**|

+Use the marriage certificate model to process U.S. marriage certificates to extract key fields including the individuals, date, and location.

+Custom document models analyze and extract data from forms and documents specific to your business. They recognize form fields within your distinct content and extract key-value pairs and table data. You only need one example of the form type to get started.

+Version v3.0 and later custom models support signature detection in custom template (form) and cross-page tables in both template and neural models. [Signature detection](quickstarts/try-document-intelligence-studio.md#signature-detection) looks for the presence of a signature, not the identity of the person who signs the document. If the model returns **unsigned** for signature detection, the model didn't find a signature in the defined field.

+Support for containers is currently available with Document Intelligence version `2022-08-31 (GA)` for all models and `2023-07-31 (GA)` for Read, Layout, ID Document, Receipt, and Invoice models:

+Queries to the container are billed at the pricing tier of the Azure resource used for the API `Key`. Billing is calculated for each container instance used to process your documents and images.

+If you receive the following error: *Container isn't in a valid state. Subscription validation failed with status 'OutOfQuota' API key is out of quota*. It's an indicator that your containers aren't communication wit the billing endpoint.

+To use Document Intelligence Studio, you need the following assets and settings:

+* **Properly scoped Azure role assignments** For document analysis and prebuilt models, following role assignments are required for different scenarios.

+ * Basic

+ ✔️ **Cognitive Services User**: you need this role to Document Intelligence or Azure AI services resource to enter the analyze page.

+ * Advanced

+ ✔️ **Contributor**: you need this role to create resource group, Document Intelligence service, or Azure AI services resource.

+ For more information on authorization, *see* [Document Intelligence Studio authorization policies](../studio-overview.md#authorization-policies).

+ > [!NOTE]

+ > If local (key-based) authentication is disabled for your Document Intelligence service resource, be sure to obtain **Cognitive Services User** role and your AAD token will be used to authenticate requests on Document Intelligence Studio. The **Contributor** role only allows you to list keys but does not give you permission to use the resource when key-access is disabled.

+* Once your resource is configured, you can try the different models offered by Document Intelligence Studio. From the front page, select any Document Intelligence model to try using with a no-code approach.

+* To test any of the document analysis or prebuilt models, select the model and use one of the sample documents or upload your own document to analyze. The analysis result is displayed at the right in the content-result-code window.

+* Custom models need to be trained on your documents. See [custom models overview](../concept-custom.md) for an overview of custom models.

+## Authentication

+Navigate to the [Document Intelligence Studio](https://formrecognizer.appliedai.azure.com/). If it's your first time logging in, a popup window appears prompting you to configure your service resource. In accordance with your organization's policy, you have one or two options:

+* **Microsoft Entra authentication: access by Resource (recommended)**.

+ * Choose your existing subscription.

+ * Select an existing resource group within your subscription or create a new one.

+ * Select your existing Document Intelligence or Azure AI services resource.

+ :::image type="content" source="../media/studio/configure-service-resource.png" alt-text="Screenshot of configure service resource form from the Document Intelligence Studio.":::

+* **Local authentication: access by API endpoint and key**.

+ * Retrieve your endpoint and key from the Azure portal.

+ * Go to the overview page for your resource and select **Keys and Endpoint** from the left navigation bar.

+ * Enter the values in the appropriate fields.

+ :::image type="content" source="../media/studio/keys-and-endpoint.png" alt-text="Screenshot of the keys and endpoint page in the Azure portal.":::

+* After validating the scenario in the Document Intelligence Studio, use the [**C#**](get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true), [**Java**](get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true), [**JavaScript**](get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true), or [**Python**](get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true) client libraries or the [**REST API**](get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true) to get started incorporating Document Intelligence models into your own applications.

+To learn more about each model, *see* our concept pages.

+### View resource details

+ To view resource details such as name and pricing tier, select the **Settings** icon in the top-right corner of the Document Intelligence Studio home page and select the **Resource** tab. If you have access to other resources, you can switch resources as well.

+1. Zoom in and out, rotate the document view, and use the controls at the bottom of the screen.

+1. Observe the highlighted extracted content in the document view. To see details hover your mouse over the keys and values.

+1. Format the output section's result tab and browse the JSON output for more understanding of the service response.

+1. To save the changes, select the save button at the top of the page.

+1. Select the Custom model card from the Studio home and open the Custom models page.

+1. Use the "Create a project" command and start the new project configuration wizard.

+1. Review your settings, submit, and create the project.

+1. Define the labels and their types for extraction by using manual labeling.

+1. Use the Test command once the model is ready and validate with your test documents and observe the results.

+1. Select the text in your page and then choose the cell and assign it to the text. Repeat for all rows and columns in all pages in all documents.

+1. Select the text in your page and then choose the cell and assign it to the text. Repeat for other documents.

+1. Create a new "Signature" type label and name it using the labeling view.

+1. Select the drawn region and choose the Signature type label and assign it to your drawn region. Repeat for other documents.

+## Billing

+Document Intelligence billing is calculated monthly based on the model type and the number of pages analyzed. You can find usage metrics on the metrics dashboard in the Azure portal. The dashboard displays the number of pages that Azure AI Document Intelligence processes. You can check the estimated cost spent on the resource by using the [Azure pricing calculator](https://azure.microsoft.com/pricing/calculator/). For detailed instructions, see [Check usage and estimate cost](how-to-guides/estimate-cost.md). Here are some details:

+- When you submit a document for analysis, the service analyzes all pages unless you specify a page range by using the `pages` parameter in your request. When the service analyzes Microsoft Excel and PowerPoint documents through the read, OCR, or layout model, it counts each Excel worksheet and PowerPoint slide as one page.

+- When the service analyzes PDF and TIFF files, it counts each page in the PDF file or each image in the TIFF file as one page with no maximum character limits.

+- When the service analyzes Microsoft Word and HTML files that the read and layout models support, it counts pages in blocks of 3,000 characters each. For example, if your document contains 7,000 characters, the two pages with 3,000 characters each and one page with 1,000 characters add up to a total of three pages.

+- The read and layout models don't support analysis of embedded or linked images in Microsoft Word, Excel, PowerPoint, and HTML files. Therefore, service doesn't count them as added images.

+- Training a custom model is always free with Document Intelligence. Charges are incurred only when the service uses a model to analyze a document.

+- Container pricing is the same as cloud service pricing.

+- Document Intelligence offers a free tier (F0) where you can test all the Document Intelligence features.

+- Document Intelligence has a commitment-based pricing model for large workloads.

+- The Layout model is required to generate labels for your dataset for custom training. If the dataset that you use for custom training doesn't have label files available, the service generates them for you and bills you for layout model usage.

+- Document Intelligence Resource ID

+- Region

+- Base model information:

+ - Sign in to the [Azure portal](https://portal.azure.com)

+ - Select the Document Intelligence Resource for which you would like to increase the transaction limit

+ - Select -Properties- (-Resource Management- group)

+ - Copy and save the values of the following fields:

+ - Resource ID

+ - Location (your endpoint Region)

+- Ensure you have the [required information](#have-the-required-information-ready)

+- Sign in to the [Azure portal](https://portal.azure.com)

+- Select the Document Intelligence Resource for which you would like to increase the TPS limit

+- Select -New support request- (-Support + troubleshooting- group). A new window appears with autopopulated information about your Azure Subscription and Azure Resource

+- Enter -Summary- (like "Increase Document Intelligence TPS limit")

+- Select "Quota or usage validation" for problem type field.

+- Select -Next: Solutions-

+- Proceed further with the request creation

+- Enter the following information in the -Description- field, under the Details tab:

+ - a note, that the request is about Document Intelligence quota.

+ - Provide a TPS expectation you would like to scale to meet.

+ - Azure resource information you [collected](#have-the-required-information-ready).

+ - Complete entering the required information and select -Create- button in -Review + create- tab

+ - Note the support request number in Azure portal notifications. Look for Support to contact you shortly for further processing.

+> [!IMPORTANT]

+>

+> * There are separate URLs for Document Intelligence Studio sovereign cloud regions.

+> * Azure for US Government: [Document Intelligence Studio (Azure Fairfax cloud)](https://formrecognizer.appliedai.azure.us/studio)

+> * Microsoft Azure operated by 21Vianet: [Document Intelligence Studio (Azure in China)](https://formrecognizer.appliedai.azure.cn/studio)

+Use the [Document Intelligence Studio quickstart](quickstarts/try-document-intelligence-studio.md) to get started analyzing documents with document analysis or prebuilt models. Build custom models and reference the models in your applications using one of the [language specific `SDKs`](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true). To use Document Intelligence Studio, you need to acquire the following assets from the Azure portal:

+* **An Azure subscription** - [Create one for free](https://azure.microsoft.com/free/cognitive-services/).

+* **An Azure AI services or Document Intelligence resource**. Once you have your Azure subscription, create a [single-service](https://portal.azure.com/#create/Microsoft.CognitiveServicesFormRecognizer) or [multi-service](https://portal.azure.com/#create/Microsoft.CognitiveServicesAllInOne) resource, in the Azure portal to get your key and endpoint. Use the free pricing tier (`F0`) to try the service, and upgrade later to a paid tier for production.

+Your organization can opt to disable local authentication and enforce Microsoft Entra (formerly Azure Active Directory) authentication for Azure AI Document Intelligence resources and Azure blob storage.

+* For more information, *see* the following guidance:

+* **Designating role assignments**. Document Intelligence Studio basic access requires the [`Cognitive Services User`](../../role-based-access-control/built-in-roles/ai-machine-learning.md#cognitive-services-user) role. For more information, *see* [Document Intelligence role assignments](quickstarts/try-document-intelligence-studio.md#azure-role-assignments).

+>

+> * Make sure you have the **Cognitive Services User role**, and not the Cognitive Services Contributor role when setting up Entra authentication.

+> * In Azure context, Contributor role can only perform actions to control and manage the resource itself, including listing the access keys.

+> * User accounts with a Contributor are only able to access the Document Intelligence service by calling with access keys. However, when setting up access with Entra ID, key-access will be disabled and **Cognitive Service User** role will be required for an account to use the resources.

+## Document Intelligence model support

+Use the help wizard, labeling interface, training step, and interactive visualizations to understand how each feature works.

+* **Read**: Try out Document Intelligence's [Studio Read feature](https://documentintelligence.ai.azure.com/studio/read) with sample documents or your own documents and extract text lines, words, detected languages, and handwritten style if detected. To learn more, *see* [Read overview](concept-read.md).

+* **Layout**: Try out Document Intelligence's [Studio Layout feature](https://documentintelligence.ai.azure.com/studio/layout) with sample documents or your own documents and extract text, tables, selection marks, and structure information. To learn more, *see* [Layout overview](concept-layout.md).

+* **Prebuilt models**: Document Intelligence's prebuilt models enable you to add intelligent document processing to your apps and flows without having to train and build your own models. As an example, start with the [Studio Invoice feature](https://documentintelligence.ai.azure.com/studio/prebuilt?formType=invoice). To learn more, *see* [Models overview](concept-model-overview.md).

+* **Custom extraction models**: Document Intelligence's [Studio Custom models feature](https://documentintelligence.ai.azure.com/studio/custommodel/projects) enables you to extract fields and values from models trained with your data, tailored to your forms and documents. To extract data from multiple form types, create standalone custom models or combine two, or more, custom models and create a composed model. Test the custom model with your sample documents and iterate to improve the model. To learn more, *see* the [Custom models overview](concept-custom.md).

+* **Custom classification models**: Document classification is a new scenario supported by Document Intelligence. The document classifier API supports classification and splitting scenarios. Train a classification model to identify the different types of documents your application supports. The input file for the classification model can contain multiple documents and classifies each document within an associated page range. To learn more, *see* [custom classification models](concept-custom-classifier.md).

+* **Add-on Capabilities**: Document Intelligence supports more sophisticated analysis capabilities. These optional capabilities can be enabled and disabled in the studio using the `Analyze Options` button in each model page. There are four add-on capabilities available: `highResolution`, `formula`, `font`, and `barcode extraction` capabilities. To learn more, *see* [Add-on capabilities](concept-add-on-capabilities.md).

+* Once your resource is configured, you can try the different models offered by Document Intelligence Studio. From the front page, select any Document Intelligence model to try using with a no-code approach.

+* To test any of the document analysis or prebuilt models, select the model and use one of the sample documents or upload your own document to analyze. The analysis result is displayed at the right in the content-result-code window.

+* Custom models need to be trained on your documents. See [custom models overview](concept-custom.md) for an overview of custom models.

+* After validating the scenario in the Document Intelligence Studio, use the [**C#**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true), [**Java**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true), [**JavaScript**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true), or [**Python**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true) client libraries or the [**REST API**](quickstarts/get-started-sdks-rest-api.md?view=doc-intel-3.0.0&preserve-view=true) to get started incorporating Document Intelligence models into your own applications.

+## Analyze options

+* Document Intelligence supports sophisticated analysis capabilities. The Studio allows one entry point (Analyze options button) for configuring the add-on capabilities with ease.

+* Depending on the document extraction scenario, configure the analysis range, document page range, optional detection, and premium detection features.

+ :::image type="content" source="media/studio/analyze-options.png" alt-text="Screenshot of the analyze-options dialog window.":::

+ > [!NOTE]

+ > Font extraction is not visualized in Document Intelligence Studio. However, you can check the styles section of the JSON output for the font detection results.

+### Auto label documents with prebuilt models or one of your own models

+* In custom extraction model labeling page, you can now auto label your documents using one of Document Intelligent Service prebuilt models or your trained models.

+ :::image type="content" source="media/studio/auto-label.gif" alt-text="Animated screenshot showing auto labeling in Studio.":::

+* For some documents, duplicate labels after running autolabel are possible. Make sure to modify the labels so that there are no duplicate labels in the labeling page afterwards.

+ :::image type="content" source="media/studio/duplicate-labels.png" alt-text="Screenshot showing duplicate label warning after auto labeling.":::

+### Auto label tables

+* In custom extraction model labeling page, you can now auto label the tables in the document without having to label the tables manually.

+ :::image type="content" source="media/studio/auto-table-label.gif" alt-text="Animated screenshot showing auto table labeling in Studio.":::

+### Add test files directly to your training dataset

+* Once you train a custom extraction model, make use of the test page to improve your model quality by uploading test documents to training dataset if needed.

+* If a low confidence score is returned for some labels, make sure to correctly label your content. If not, add them to the training dataset and relabel to improve the model quality.

+ :::image type="content" source="media/studio/add-from-test.gif" alt-text="Animated screenshot showing how to add test files to training dataset.":::

+### Make use of the document list options and filters in custom projects

+* Use the custom extraction model labeling page to navigate through your training documents with ease by making use of the search, filter, and sort by feature.

+* Utilize the grid view to preview documents or use the list view to scroll through the documents more easily.

+ :::image type="content" source="media/studio/document-options.png" alt-text="Screenshot of document list view options and filters.":::

+### Project sharing

+Share custom extraction projects with ease. For more information, see [Project sharing with custom models](how-to-guides/project-share-custom-models.md).

+## Troubleshooting

+|Scenario |Cause| Resolution|

+|-||-|

+|You receive the error message</br> `Form Recognizer Not Found` when opening a custom project.|Your Document Intelligence resource, bound to the custom project was deleted or moved to another resource group.| There are two ways to resolve this problem: </br>&bullet; Re-create the Document Intelligence resource under the same subscription and resource group with the same name.</br>&bullet; Re-create a custom project with the migrated Document Intelligence resource and specify the same storage account.|

+|You receive the error message</br> `PermissionDenied` when using prebuilt apps or opening a custom project.|The principal doesn't have access to API/Operation" when analyzing against prebuilt models or opening a custom project. It's likely the local (key-based) authentication is disabled for your Document Intelligence resource don't have enough permission to access the resource.|Reference [Azure role assignments](quickstarts/try-document-intelligence-studio.md#azure-role-assignments) to configure your access roles.|

+|You receive the error message</br> `AuthorizationPermissionMismatch` when opening a custom project.|The request isn't authorized to perform the operation using the designated permission. It's likely the local (key-based) authentication is disabled for your storage account and you don't have the granted permission to access the blob data.|Reference [Azure role assignments](quickstarts/try-document-intelligence-studio.md#azure-role-assignments) to configure your access roles.|

+|You can't sign in to Document Intelligence Studio and receive the error message</br> `InteractionRequiredAuthError:login_required:AADSTS50058:A silent sign-request was sent but no user is signed in`|It's likely that your browser is blocking third-party cookies so you can't successfully sign in.|To resolve, see [Manage third-party settings](#manage-third-party-settings-for-studio-access) for your browser.|

+### Manage third-party settings for Studio access

+**Edge**:

+* Go to **Settings** for Edge

+* Search for "**third*party**"

+* Go to **Manage and delete cookies and site data**

+* Turn off the setting of **Block third*party cookies**

+**Chrome**:

+* Go to **Settings** for Chrome

+* Search for "**Third*party**"

+* Under **Default behavior**, select **Allow third*party cookies**

+**Firefox**:

+* Go to **Settings** for Firefox

+* Search for "**cookies**"

+* Under **Enhanced Tracking Protection**, select **Manage Exceptions**

+* Add exception for **https://documentintelligence.ai.azure.com** or the Document Intelligence Studio URL of your environment

+**Safari**:

+* Choose **Safari** > **Preferences**

+* Select **Privacy**

+* Deselect **Block all cookies**

+* Visit [Document Intelligence Studio](https://formrecognizer.appliedai.azure.com/studio).

+* Get started with [Document Intelligence Studio quickstart](quickstarts/try-document-intelligence-studio.md).

+The Document Intelligence Studio adds support for Microsoft Entra (formerly Azure Active Directory) authentication. For more information, *see* [Document Intelligence Studio overview](quickstarts/try-document-intelligence-studio.md#authentication).

+ * Custom extraction models now support cell, row, and table level confidence scores. Learn more about [table, row, and cell confidence](concept-accuracy-confidence.md#table-row-and-cell-confidence).

+ * Custom classification model now supported incremental training for scenarios where you need to update the classifier model with added samples or classes. Learn more about [incremental training](concept-custom-classifier.md#incremental-training).

+ |`BAM` | Bosnian Convertible Mark|(`ba`)|

+ |`BGN`| Bulgarian Lev| (`bg`)|

+ |`ILS` | Israeli New Shekel| (`il`)|

+ |`MKD` | Macedonian Denar |(`mk`)|

+ |`RUB` | Russian Ruble | (`ru`)|

+ |`THB` | Thai Baht |(`th`) |

+ |`TRY` | Turkish Lira| (`tr`)|

+ |`UAH` | Ukrainian Hryvnia |(`ua`)|

+ |`VND` | Vietnamese Dong| (`vn`) |

+ * Tax items support expansion for Germany (`de`), Spain (`es`), Portugal (`pt`), English Canada `en-CA`.

+* If a low confidence score is returned for some labels, make sure your labels are correct. If not, add them to the training dataset and relabel to improve the model quality.

+ * **[New locales for prebuilt Receipts](./concept-receipt.md)** in addition to EN-US, support is now available for en-au, en-ca, en-gb, en-in.

+Azure OpenAI API version [2024-06-01](./reference.md) is currently the latest GA API release. This API version is the replacement for the previous`2024-02-01` GA API release.

+These models were deprecated on July 6, 2023 and were retired on June 14, 2024. These models are no longer available for new deployments. Deployments created before July 6, 2023 remain available to customers until June 14, 2024. We recommend customers migrate their applications to deployments of replacement models before the June 14, 2024 retirement.

+We announced the deprecation of models with upcoming retirement on July 5, 2024.

+ Title: Azure OpenAI Service REST API preview reference

+description: Learn how to use Azure OpenAI's latest preview REST API. In this article, you learn about authorization options, how to structure a request and receive a response.

+recommendations: false

+# Azure OpenAI Service REST API preview reference

+This article provides details on the inference REST API endpoints for Azure OpenAI.

+## Data plane inference

+The rest of the article covers the latest preview release of the Azure OpenAI data plane inference specification, `2024-05-01-preview`. This article includes documentation for the latest preview capabilities like assistants, threads, and vector stores.

+If you're looking for documentation on the latest GA API release, refer to the [latest GA data plane inference API](./reference.md)

+## Next steps

+Learn about [Models, and fine-tuning with the REST API](/rest/api/azureopenai/fine-tuning).

+Learn more about the [underlying models that power Azure OpenAI](./concepts/models.md).

+## Data plane inference

+The rest of the article covers the latest GA release of the Azure OpenAI data plane inference specification, `2024-06-01`.

+If you're looking for documentation on the latest preview API release, refer to the [latest preview data plane inference API](./reference-preview.md)

+### New GA API release

+API version `2024-06-01` is the latest GA data plane inference API release. It replaces API version `2024-02-01` and adds support for:

+- embeddings `encoding_format` & `dimensions` parameters.

+- chat completions `logprops` & `top_logprobs` parameters.

+Refer to our [data plane inference reference documentation](./reference.md) for more information.

+The workload consists of an AWS EKS cluster to orchestrate consumers reading messages from an Amazon Simple Queue Service (SQS) and saving processed messages to an Amazon DynamoDB table. A producer app generates messages and queues them in the Amazon SQS queue. KEDA and Karpenter dynamically scale the number of EKS nodes and pods used for the consumers.

+The AWS workload uses an IAM role policy that defines full access to an Amazon Simple Queue Service (SQS) resource:

+The AWS workload uses an IAM role policy that defines full access to an Amazon DynamoDB resource:

+Let's explore how to perform similar AWS service communication logic within the Azure environment using AKS.

+You apply two Azure RBAC role definitions to control data plane access to the Azure Storage Queue and the Azure Storage Table. These roles are like the IAM role policies that AWS uses to control access to SQS and DynamoDB. Azure RBAC roles aren't bundled with the resource. Instead, you assign the roles to a service principal associated with a given resource.

+The AWS workload uses the AWS boto3 Python library to interact with Amazon SQS queues to configure storage queue access. The AWS IAM `AssumeRole` capability authenticates to the SQS endpoint using the IAM identity associated with the EKS pod hosting the application.

+The original AWS code for DynamoDB access uses the AWS boto3 Python library to interact with Amazon SQS queues. The consumer part of the workload uses the same code as the producer for connecting to the Amazon SQS queue to read messages. The consumer also contains Python code to connect to DynamoDB using the AWS IAM `AssumeRole` capability to authenticate to the DynamoDB endpoint using the IAM identity associated with the EKS pod hosting the application.

+The AWS EDW workload uses an AWS Identity and Access Management (IAM) role that is assumed by the EKS service. This role is assigned to EKS pods to permit access to AWS resources, such as queues or databases, without the need to store credentials.

+The AWS EDW workload uses service communication to connect with a queue and a database. AWS EKS usesΓÇ»`AssumeRole`, a feature of IAM, to acquire temporary security credentials to access AWS users, applications, or services. This implementation allows services to assume an IAM role that grants specific access, providing secure and limited permissions between services.

+For Amazon Simple Queue Service (SQS) and Amazon DynamoDB database access using service communication, the AWS workflow uses `AssumeRole` with EKS, which is an implementation of Kubernetes [service account token volume projection][service-account-volume-projection]. In the EKS EDW workload, a configuration allows a Kubernetes service account to assume an AWS Identity and Access Management (IAM) role. Pods that are configured to use the service account can then access any AWS service that the role has permissions to access. In the EDW workload, two IAM policies are defined to grant permissions to access Amazon DynamoDB and Amazon SQS.

+| Messaging | [Amazon SQS to Azure Queue Storage][aws-azure-messaging] |

+This article shows you how to quickly deploy Red Hat Quarkus on Azure Kubernetes Service (AKS) with a simple CRUD application. The application is a "to do list" with a JavaScript front end and a REST endpoint. Azure Database for PostgreSQL Flexible Server provides the persistence layer for the app. The article shows you how to test your app locally and deploy it to AKS.

+- Prepare a local machine with Unix-like operating system installed - for example, Ubuntu, macOS, or Windows Subsystem for Linux.

+- Install a Java SE implementation version 17 or later - for example, [Microsoft build of OpenJDK](/java/openjdk).

+- Install [Maven](https://maven.apache.org/download.cgi), version 3.9.8 or higher.

+- Install [Docker](https://docs.docker.com/get-docker/) or [Podman](https://podman.io/docs/installation) for your OS.

+- Install [jq](https://jqlang.github.io/jq/download/).

+- Install [cURL](https://curl.se/download.html).

+- Install the [Quarkus CLI](https://quarkus.io/guides/cli-tooling), version 3.12.1 or higher.

+ - This article requires at least version 2.61.0 of Azure CLI.

+git checkout 2024-07-08

+```bash

+```bash

+- Azure Database for PostgreSQL Flexible Server

+Some of these resources must have unique names within the scope of the Azure subscription. To ensure this uniqueness, you can use the *initials, sequence, date, suffix* pattern. To apply this pattern, name your resources by listing your initials, some sequence number, today's date, and some kind of resource specific suffix - for example, `rg` for "resource group". The following environment variables use this pattern. Replace the placeholder values `UNIQUE_VALUE`, `LOCATION`, and `DB_PASSWORD` with your own values and then run the following commands in your terminal:

+```bash

+export LOCATION=<your desired Azure region for deploying your resources - for example, northeurope>

+export DB_NAME=demodb

+export DB_ADMIN=demouser

+export DB_PASSWORD='<your desired password for the database server - for example, Secret123456>'

+### Create an Azure Database for PostgreSQL Flexible Server

+Azure Database for PostgreSQL Flexible Server is a fully managed database service designed to provide more granular control and flexibility over database management functions and configuration settings. This section shows you how to create an Azure Database for PostgreSQL Flexible Server instance using the Azure CLI. For more information, see [Quickstart: Create an Azure Database for PostgreSQL - Flexible Server instance using Azure CLI](/azure/postgresql/flexible-server/quickstart-create-server-cli).

+First, create a resource group to contain the database server and other resources by using the following command:

+```azurecli

+az group create \

+ --name $RESOURCE_GROUP_NAME \

+ --location $LOCATION

+```

+Next, create an Azure Database for PostgreSQL flexible server instance by using the following command:

+```azurecli

+az postgres flexible-server create \

+ --name $DB_SERVER_NAME \

+ --resource-group $RESOURCE_GROUP_NAME \

+ --admin-user $DB_ADMIN \

+ --admin-password $DB_PASSWORD \

+ --database-name $DB_NAME \

+ --public-access 0.0.0.0 \

+ --yes

+It takes a few minutes to create the server, database, admin user, and firewall rules. If the command is successful, the output looks similar to the following example:

+ "connectionString": "postgresql://<DB_ADMIN>:<DB_PASSWORD>@<DB_SERVER_NAME>.postgres.database.azure.com/<DB_NAME>?sslmode=require",

+ "databaseName": "<DB_NAME>",

+ "firewallName": "AllowAllAzureServicesAndResourcesWithinAzureIps_2024-7-5_14-39-45",

+ "host": "<DB_SERVER_NAME>.postgres.database.azure.com",

+ "id": "/subscriptions/REDACTED/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.DBforPostgreSQL/flexibleServers/<DB_SERVER_NAME>",

+ "location": "North Europe",

+ "password": "<DB_PASSWORD>",

+ "resourceGroup": "<RESOURCE_GROUP_NAME>",

+ "skuname": "Standard_D2s_v3",

+ "username": "<DB_ADMIN>",

+ "version": "13"

+### Create an Azure Container Registry instance

+```azurecli

+```azurecli

+```azurecli

+To manage a Kubernetes cluster, you use `kubectl`, the Kubernetes command-line client. To install `kubectl` locally, use the [az aks install-cli](/cli/azure/aks#az-aks-install-cli) command, as shown in the following example:

+```azurecli

+```azurecli

+```bash

+```bash

+aks-nodepool1-xxxxxxxx-yyyyyyyyyy Ready agent 76s v1.28.9

+```bash

+### Create a secret for database connection in AKS

+Create secret `db-secret` in the AKS namespace to store the database connection information. Use the following command to create the secret:

+```bash

+kubectl create secret generic db-secret \

+ -n ${AKS_NS} \

+ --from-literal=jdbcurl=jdbc:postgresql://${DB_SERVER_NAME}.postgres.database.azure.com:5432/${DB_NAME}?sslmode=require \

+ --from-literal=dbusername=${DB_ADMIN} \

+ --from-literal=dbpassword=${DB_PASSWORD}

+```

+The output should look like the following example:

+```output

+secret/db-secret created

+```

+```bash

+Add the following database configuration variables. The database connection related properties `%prod.quarkus.datasource.jdbc.url`, `%prod.quarkus.datasource.username`, and `%prod.quarkus.datasource.password` read values from the environment variables `DB_JDBC_URL`, `DB_USERNAME`, and `DB_PASSWORD`, respectively. These environment variables map to secret values that store the database connection information for security reasons, which is described in the next section.

+%prod.quarkus.datasource.jdbc.url=${DB_JDBC_URL}

+%prod.quarkus.datasource.username=${DB_USERNAME}

+%prod.quarkus.datasource.password=${DB_PASSWORD}

+%prod.quarkus.hibernate-orm.sql-load-script=import.sql

+# Kubernetes configurations

+%prod.quarkus.kubernetes.env.secrets=db-secret

+%prod.quarkus.kubernetes.env.mapping.DB_JDBC_URL.from-secret=db-secret

+%prod.quarkus.kubernetes.env.mapping.DB_JDBC_URL.with-key=jdbcurl

+%prod.quarkus.kubernetes.env.mapping.DB_USERNAME.from-secret=db-secret

+%prod.quarkus.kubernetes.env.mapping.DB_USERNAME.with-key=dbusername

+%prod.quarkus.kubernetes.env.mapping.DB_PASSWORD.from-secret=db-secret

+%prod.quarkus.kubernetes.env.mapping.DB_PASSWORD.with-key=dbpassword

+The other Kubernetes configurations specify the mapping of the secret values to the environment variables in the Quarkus application. The `db-secret` secret contains the database connection information. The `jdbcurl`, `dbusername`, and `dbpassword` keys in the secret map to the `DB_JDBC_URL`, `DB_USERNAME`, and `DB_PASSWORD` environment variables, respectively.

+```bash

+<LOGIN_SERVER_VALUE>/<USER_NAME_VALUE>/todo-quarkus-aks 1.0 b13c389896b7 18 minutes ago 424MB

+```bash

+```bash

+```bash

+```bash

+```bash

+```bash

+```bash

+```bash

+echo psql --host=${DB_SERVER_NAME}.postgres.database.azure.com --port=5432 --username=${DB_ADMIN} --dbname=${DB_NAME}

+```psql

+```azurecli

+* Existing AKS clusters enabled with API Server VNet Integration can have private cluster mode enabled. For more information, see [Enable or disable private cluster mode on an existing cluster with API Server VNet Integration][api-server-vnet-integration].

+[api-server-vnet-integration]: ./api-server-vnet-integration.md#enable-or-disable-private-cluster-mode-on-an-existing-cluster-with-api-server-vnet-integration

+### Kubernetes 1.30

+| AKS managed add-ons | AKS components | OS components | Breaking changes | Notes |

+||-|||-|

+| ΓÇó Azure Policy 1.3.0<br> ΓÇó cloud-provider-node-manager v1.30.0<br> ΓÇó csi-provisioner v4.0.0<br> ΓÇó csi-attacher v4.5.0<br> ΓÇó csi-snapshotter v6.3.3<br> ΓÇó snapshot-controller v6.3.3<br> ΓÇó Metrics-Server 0.6.3<br> ΓÇó KEDA 2.14.0<br> ΓÇó Open Service Mesh 1.2.7<br> ΓÇó Core DNS V1.9.4<br> ΓÇó Overlay VPA 0.13.0<br> ΓÇó Azure-Keyvault-SecretsProvider 1.4.1<br> ΓÇó Application Gateway Ingress Controller (AGIC) 1.7.2<br> ΓÇó Image Cleaner v1.2.3<br> ΓÇó Azure Workload identity v1.2.0<br> ΓÇó MDC Defender Security Publisher 1.0.68<br> ΓÇó MDC Defender Old File Cleaner 1.3.68<br> ΓÇó MDC Defender Pod Collector 1.0.78<br> ΓÇó MDC Defender Low Level Collector 1.3.81<br> ΓÇó Azure Active Directory Pod Identity 1.8.13.6<br> ΓÇó GitOps 1.8.1<br> ΓÇó CSI Secrets Store Driver 1.3.4-1<br> ΓÇó azurefile-csi-driver 1.29.3<br>| ΓÇó Cilium 1.13.5<br> ΓÇó CNI v1.4.43.1 (Default)/v1.5.11 (Azure CNI Overlay)<br> ΓÇó Cluster Autoscaler 1.27.3<br> ΓÇó Tigera-Operator 1.30.7<br>| ΓÇó OS Image Ubuntu 22.04 Cgroups V2 <br> ΓÇó ContainerD 1.7.5 for Linux and 1.7.1 for Windows<br> ΓÇó Azure Linux 2.0<br> ΓÇó Cgroups V2<br> ΓÇó ContainerD 1.6<br>| ΓÇó KEDA 2.14.0 | N/A |

+³ The rate limit by key, quota by key, and Azure OpenAI token limit policies aren't available in the Consumption tier.<br/>

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted

+* You can configure at most 10 custom dimensions for this policy.

+* Where available, values in the usage section of the response from the Azure OpenAI Service API are used to determine token metrics.

+* Certain Azure OpenAI endpoints support streaming of responses. When `stream` is set to `true` in the API request to enable streaming, token metrics are estimated.

+ Title: Azure API Management policy reference - azure-openai-semantic-cache-store

+- [**Gateways:**](api-management-gateways-overview.md) classic, v2, self-hosted

+* Where available when `estimate-prompt-tokens` is set to `false`, values in the usage section of the response from the Azure OpenAI Service API are used to determine token usage.

+* Norway East

+* Switzerland North

+* South Africa North

+* South India

+<a href="/.auth/login/aad">Log in with Microsoft Entra</a>

+- For Microsoft Entra and Google, performs a server-side sign-out on the identity provider.

+Both Microsoft Account and Microsoft Entra lets you sign in from multiple domains. For example, Microsoft Account allows _outlook.com_, _live.com_, and _hotmail.com_ accounts. Microsoft Entra allows any number of custom domains for the sign-in accounts. However, you may want to accelerate your users straight to your own branded Microsoft Entra sign-in page (such as `contoso.com`). To suggest the domain name of the sign-in accounts, follow these steps.

+- You can [manage enterprise-level access](../active-directory/manage-apps/what-is-access-management.md) directly in Microsoft Entra. For instructions, see [How to remove a user's access to an application](../active-directory/manage-apps/methods-for-removing-user-access.md).

+If the setting isn't set (the property is `null`), the default behavior is to enable access unless a private endpoint exists which changes the behavior to disable access. In the Azure portal, when the property isn't set, the radio button is also not set and you're then using default behavior.

+> [!NOTE]

+> For Linux sites, changes to the `publicNetworkAccess` property trigger app restarts.

+>

+|[PowerStore 4.0](https://www.dell.com/en-us/shop/powerstore/sf/power-store)|1.28.10|1.30.0_2024-06-11|16.0.5349.20214|Not validated|

+## July 9 2024

+|Component|Value|

+|--|--|

+|Container images tag |`v1.31.0_2024-07-09`|

+|**CRD names and version:**| |

+|`activedirectoryconnectors.arcdata.microsoft.com`| v1beta1, v1beta2, v1, v2|

+|`datacontrollers.arcdata.microsoft.com`| v1beta1, v1 through v5|

+|`exporttasks.tasks.arcdata.microsoft.com`| v1beta1, v1, v2|

+|`failovergroups.sql.arcdata.microsoft.com`| v1beta1, v1beta2, v1, v2|

+|`kafkas.arcdata.microsoft.com`| v1beta1 through v1beta4|

+|`monitors.arcdata.microsoft.com`| v1beta1, v1, v3|

+|`postgresqls.arcdata.microsoft.com`| v1beta1 through v1beta6|

+|`postgresqlrestoretasks.tasks.postgresql.arcdata.microsoft.com`| v1beta1|

+|`sqlmanagedinstances.sql.arcdata.microsoft.com`| v1beta1, v1 through v13|

+|`sqlmanagedinstancemonitoringprofiles.arcdata.microsoft.com`| v1beta1, v1beta2|

+|`sqlmanagedinstancereprovisionreplicatasks.tasks.sql.arcdata.microsoft.com`| v1beta1|

+|`sqlmanagedinstancerestoretasks.tasks.sql.arcdata.microsoft.com`| v1beta1, v1|

+|`telemetrycollectors.arcdata.microsoft.com`| v1beta1 through v1beta5|

+|`telemetryrouters.arcdata.microsoft.com`| v1beta1 through v1beta5|

+|Azure Resource Manager (ARM) API version|2023-11-01-preview|

+|`arcdata` Azure CLI extension version|1.5.16 ([Download](https://aka.ms/az-cli-arcdata-ext))|

+|Arc-enabled Kubernetes helm chart extension version|1.31.0|

+|Azure Arc Extension for Azure Data Studio<br/>`arc`<br/>`azcli`|<br/>1.8.0 ([Download](https://aka.ms/ads-arcdata-ext))</br>1.8.0 ([Download](https://aka.ms/ads-azcli-ext))|

+|SQL Database version | 970 |

+The isolated worker model uses `System.Text.Json` by default. You can customize the behavior of the serializer by configuring services as part of your `Program.cs` file. This section covers general-purpose serialization and will not influence [HTTP trigger JSON serialization with ASP.NET Core integration](#json-serialization-with-aspnet-core-integration), which must be configured separately.

+The following example shows this using `ConfigureFunctionsWebApplication`, but it will also work for `ConfigureFunctionsWorkerDefaults`:

+#### JSON serialization with ASP.NET Core integration

+ASP.NET Core has its own serialization layer, and it is not affected by [customizing general serialization configuration](#customizing-json-serialization). To customize the serialization behavior used for your HTTP triggers, you need to include an `.AddMvc()` call as part of service registration. The returned `IMvcBuilder` can be used to modify ASP.NET Core's JSON serialization settings. The following example shows how to configure JSON.NET (`Newtonsoft.Json`) for serialization using this approach:

+```csharp

+var host = new HostBuilder()

+ .ConfigureFunctionsWebApplication()

+ .ConfigureServices(services =>

+ {

+ services.AddApplicationInsightsTelemetryWorkerService();

+ services.ConfigureFunctionsApplicationInsights();

+ services.AddMvc().AddNewtonsoftJson();

+ })

+ .Build();

+host.Run();

+```

+|Virtual network support & private link support| Yes. |

+| Connect your data | Available in US Gov Virginia. Virtual network and private links are supported. Deployment to a web app or a copilot in Copilot Studio is not supported. |

+- [CSV] (Comma-separated values) files with a `.csv` extension. The Azure Maps Power BI visual parses the column containing WKT (Well-Known Text) strings from the sheet.

+1. Select **Browse**. The file selection dialog opens, allowing you to choose a file with a `.json`, `.geojson`, `.wkt`, `.kml`, `.shp`, or `.csv` extension.

+1. Select **Enter a URL** and enter a valid URL pointing to your hosted file. Hosted files must be a valid spatial dataset with a `.json`, `.geojson`, `.wkt`, `.kml`, `.shp`, or `.csv` extension. After the link to the hosted file is added to the reference layer, the URL appears in the **Enter a URL** field. To remove the data from the visual delete the URL.

+1. Alternatively, you can create a dynamic URL using Data Analysis Expressions ([DAX]) based on fields, variables, or other programmatic elements. By utilizing DAX, the URL will dynamically change based on filters, selections, or other user interactions and configurations. For more information, see [Expression-based titles in Power BI Desktop].

+| Reference layer data | The data file to upload to the visual as another layer within the map. Selecting **Browse** shows a list of files with a `.json`, `.geojson`, `.wkt`, `.kml`, `.shp`, or `.csv` file extension that can be opened. |

+## Custom style for reference layer via format pane

+The _Custom style for reference layer via format pane_ feature in Azure Maps enables you to personalize the appearance of reference layers. You can define the color, border width, and transparency of points, lines, and polygons directly in the Azure Maps Power BI visual interface, to enhance the visual clarity and impact of your geospatial data.

+### Enabling Custom Styles

+To use the custom styling options for reference layers, follow these steps:

+1. **Upload Geospatial Files**: Start by uploading your supported geospatial files (GeoJSON, KML, WKT, CSV, or Shapefile) to Azure Maps as a reference layer.

+2. **Access Format Settings**: Navigate to the Reference Layer blade within the Azure Maps Power BI visual settings.

+3. **Customize Styles**: Use to adjust the appearance of your reference layer by setting the fill color, border color, border width, and transparency for points, lines, and polygons.

+> [!NOTE]

+> If your geospatial files (GeoJSON, KML) include predefined style properties, Power BI will utilize those styles rather than the settings configured in the format pane. Make sure your files are styled according to your requirements before uploading if you intend to use custom properties defined within them.

+### Style Configuration

+| Setting name | Description | Setting values |

+|||-|

+| Fill Colors | Fill color of points and polygons. | Set colors for different data category or gradient for numeric data. |

+| Border Color | The color of the points, lines, and polygons outline.| Color picker |

+| Border width | The width of the border in pixels. Default: 3 px | Width 1-10 pixels |

+| Border transparency |  The transparency of the borders. Default: 0% | Transparency 0-100% |

+The **Points** section of the format visual pane:

+The **Lines** section of the format visual pane:

+The **polygons** section of the format visual pane:

+[CSV]: https://en.wikipedia.org/wiki/Comma-separated_values

+You can also monitor and set up an alert on the ingestion limits. See [Monitor ingestion limits](../essentials/prometheus-metrics-overview.md#how-can-i-monitor-the-service-limits-and-quota) to avoid metrics ingestion throttling.

+To avoid metrics ingestion throttling, you can monitor and set up an alert on the ingestion limits. See [Monitor ingestion limits](../essentials/prometheus-metrics-overview.md#how-can-i-monitor-the-service-limits-and-quota).

+## Regional availability

+When you create a new Azure Monitor workspace, you provide a region which sets the location in which the data is stored. Currently Azure Monitor Workspace is available in the below regions.

+|Geo|Regions|Geo|Regions|Geo|Regions|Geo|Regions|

+|||||||||

+|Africa|South Africa North|Asia Pacific|East Asia, Southeast Asia|Australia|Australia Central, Australia East, Australia Southeast|Brazil|Brazil South, Brazil Southeast|

+|Canada|Canada Central, Canada East|Europe|North Europe, West Europe|France|France Central, France South|Germany|Germany West Central|

+|India|Central India, South India|Israel|Israel Central|Italy|Italy North|Japan|Japan East, Japan West|

+|Korea|Korea Central, Korea South|Norway|Norway East, Norway West|Spain|Spain Central|Sweden|Sweden South, Sweden Central|

+|Switzerland|Switzerland North, Switzerland West|UAE|UAE North|UK|UK South, UK West|US|Central US, East US, East US 2, South Central US, West Central US, West US, West US 2, West US 3|

+|US Government|USGov Virginia, USGov Texas|||||||

+If you have clusters in regions where Azure Monitor Workspace is not yet available, you can select another region in the same geography.

+There is no additional cost for Summary rules. You only pay for the query and the ingestion of results to the destination table, based on the table plan used in query:

+* Resize operations on Azure NetApp Files volumes don't result in data loss.

+>If you are using a capacity pool with a size of 2 TiB or smaller and have `ANFStdToBasicNetworkFeaturesRevert` and `ANFBasicToStdNetworkFeaturesUpgrade` AFECs enabled and want to change the capacity pool's QoS type from auto to manual, you must [perform the operation with the REST API](#resizing-the-capacity-pool-or-a-volume-using-rest-api) using the `2023-07-01` API version or later.

+Before creating the policy, review [Azure NetApp Files resource limits](azure-netapp-files-resource-limits.md).

+1. Follow the steps in the section [Configure SQL Server enabled by Azure Arc - Modify SQL Server configuration](https://learn.microsoft.com/sql/sql-server/azure-arc/manage-configuration?view=sql-server-ver16&tabs=azure#modify-sql-server-configuration). This section also provides syntax to configure by using Azure PowerShell or the Azure CLI.

+ 1. As part of the **Overview** section on the left pane, the **Properties/Extensions** view lists the `WindowsAgent.SqlServer` (*Microsoft.HybridCompute/machines/extensions*), if installed. Alternatively, you can expand **Settings** on the left pane and select **Extensions**. The `WindowsAgent.SqlServer` name and type appear, if installed.

+

+ If you don't see the extension installed you can manually install by choosing **Extensions**, the Add button, and Azure Extension for SQL Server.

+- ESU year of coverage (for example, Year 1, Year 2, or Year 3). See [ESU Availability and End Dates](https://learn.microsoft.com/lifecycle/faq/extended-security-updates?msclkid=65927660d02011ecb3792e8849989799#esu-availability-and-end-dates) for ESU End Date and Year. The support ticket provides you with ESU keys for one year. You'll need to raise a new support request for other years. It's recommended to raise a new request as your current ESU End Date Year date is approaching.

+ Title: Guest OS family 2, 3, and 4 retirement notice | Microsoft Docs

+description: Information about when the Azure Guest OS Family 2, 3, and 4 retirement happened and how to determine if you're affected.

+# Guest OS Family 2, 3, and 4 retirement notice

+The retirement of Azure Guest OS Families 2, 3, and 4 was announced in July 2024, with the following end-of-life dates:

+- **Windows Server 2008 R2:** December 2024

+- **Windows Server 2012 and Windows Server 2012 R2:** February 2025

+If you have questions, visit the [Microsoft question page for Cloud Services](/answers/topics/azure-cloud-services.html) or [contact Azure support](https://azure.microsoft.com/support/options/).

+## Are you affected?

+Your Cloud Services or [Cloud Services Extended Support](../cloud-services-extended-support/overview.md) are affected if any one of the following applies:

+1. You have a value of `osFamily` = `2`, `3`, or `4` explicitly specified in the `ServiceConfiguration.cscfg` file for your Cloud Service.

+1. The Azure portal lists your Guest Operating System family value as *Windows Server 2008 R2*, *Windows Server 2012*, or *Windows Server 2012 R2*.

+To find which of your cloud services are running which OS Family, you can run the following script in Azure PowerShell, though you must [set up Azure PowerShell](/powershell/azure/) first.

+```powershell

+foreach($subscription in Get-AzureSubscription) {

+ Select-AzureSubscription -SubscriptionName $subscription.SubscriptionName

+ $deployments=get-azureService | get-azureDeployment -ErrorAction Ignore | where {$_.SdkVersion -NE ""}

+ $deployments | ft @{Name="SubscriptionName";Expression={$subscription.SubscriptionName}}, ServiceName, SdkVersion, Slot, @{Name="osFamily";Expression={(select-xml -content $_.configuration -xpath "/ns:ServiceConfiguration/@osFamily" -namespace $namespace).node.value }}, osVersion, Status, URL

+}

+```

+Your cloud services are impacted by this retirement if the `osFamily` column in the script output contains a `2`, `3`, `4`, or is empty. If empty, the default `osFamily` column value is `5`.

+## Recommendations

+If you're affected, we recommend you migrate your Cloud Service or [Cloud Services Extended Support](../cloud-services-extended-support/overview.md) roles to one of the supported Guest OS Families:

+**Guest OS family 7.x**ΓÇ»- Windows Server 2022ΓÇ»*(recommended)*

+1. Ensure that your application is using Visual Studio 2019 or newer with Azure Development Workload as selected and your application is targeting .NET framework version 4.8 or newer.

+1. Set the osFamily attribute to "7" in the `ServiceConfiguration.cscfg` file, and redeploy your cloud service.

+**Guest OS family 6.x**ΓÇ»- Windows Server 2019

+1. Ensure that your application is using SDK 2.9.6 or later and your application is targeting .NET framework 3.5 or 4.7.2 or newer.

+1. Set the osFamily attribute to "6" in the `ServiceConfiguration.cscfg` file, and redeploy your cloud service.

+## Important clarification regarding support

+The announcement of the retirement of Azure Guest OS Families 2, 3, and 4, effective May 2025, pertains specifically to the operating systems within these families. This retirement doesn't extend the overall support timeline for Azure Cloud Services (classic) beyond the scheduled deprecation in August 2024. [Cloud Services Extended Support](../cloud-services-extended-support/overview.md) continues support with Guest OS Families 5 and newer.

+Customers currently using Azure Cloud Services who wish to continue receiving support beyond August 2024 are encouraged to transition to [Cloud Services Extended Support](../cloud-services-extended-support/overview.md). This separate service offering ensures continued assistance and support. Cloud Services Extended Support requires a distinct enrollment and isn't automatically included with existing Azure Cloud Services subscriptions.

+## Next steps

+Review the latest [Guest OS releases](cloud-services-guestos-update-matrix.md).

+To test your workflow, send an HTTP request to the generated URL. For example, you can use local tools or apps such as [Insomnia](https://insomnia.rest/) or [Bruno](https://www.usebruno.com/) to send the HTTP request.

+For more information about the trigger's underlying JSON definition and how to call this trigger, see these topics, [Request trigger type](../logic-apps/logic-apps-workflow-actions-triggers.md#request-trigger) and [Call, trigger, or nest workflows with HTTP endpoints in Azure Logic Apps](../logic-apps/logic-apps-http-endpoint.md).

+Azure Cosmos DB addresses these challenges by providing zero ETL, cost-effective analytics offerings.

+## Zero ETL, near real-time analytics on Azure Cosmos DB

+Azure Cosmos DB offers zero ETL, near real-time analytics on your data without affecting the performance of your transactional workloads or request units (RUs). These offerings remove the need for complex ETL pipelines, making your Azure Cosmos DB data seamlessly available to analytics engines. With reduced latency to insights, you can provide enhanced customer experience and react more quickly to changes in market conditions or business environment. Here are some sample [scenarios](synapse-link-use-cases.md) you can achieve with quick insights into your data.

+ You can enable zero-ETL analytics and BI reporting on Azure Cosmos DB using the following options:

+Mirroring enables you to seamlessly bring your Azure Cosmos DB database data into Microsoft Fabric. With zero ETL, you can get quick, rich business insights on your Azure Cosmos DB data using FabricΓÇÖs built-in analytics, BI, and AI capabilities.

+* Zero ETL, cost-effective near real-time analytics on Azure Cosmos DB data without affecting your request unit (RU) consumption

+Azure Synapse Link for Azure Cosmos DB creates a tight seamless integration between Azure Cosmos DB and Azure Synapse Analytics, enabling zero ETL, near real-time analytics on your operational data.

+Instead of these options, we recommend that you use Mirroring in Microsoft Fabric or Azure Synapse Link, which provide zero ETL analytics, without affecting transactional workload performance or request units.

+- Working with containers that use hierarchical partition keys is supported only in the .NET v3 SDK, in the Java v4 SDK, in the Python SDK, and in the preview version of the JavaScript SDK. You must use a supported SDK to create new containers that have hierarchical partition keys and to perform CRUD or query operations on the data. Support for other SDKs, including Python, isn't available currently.

+1. Search the **Key Vault Administrator** role and assign it to yourself. This assignment is done by first searching the role name from the list and then clicking on the **ΓÇ£MembersΓÇ¥** tab. Once on the tab, select the ΓÇ£User, group or service principalΓÇ¥ option from the radio and then look up your Azure account. Once the account has been selected, the role can be assigned.

+1. On the page, set the scope to **ΓÇ£this resourceΓÇ¥** and verify that you have the Key Vault Administrator role, and the Cosmos DB principal has the Key Vault Crypto Encryption User role.

+| `EnableMongo16MBDocumentSupport` | Enables support for inserting documents up to 16 MB in size. ¹ | No |

+| `EnableTtlOnCustomPath` | Provides the ability to set a custom Time to Live (TTL) on any one field in a collection. Setting TTL on partial unique index property is not supported. ² | No |

+| `EnableUniqueIndexReIndex` | Enables support for unique index re-indexing for Cosmos DB for MongoDB RU. ² | No |

+> ¹ This capability cannot be enabled on an Azure Cosmos DB for MongoDB accounts with Customer Managed Keys (CMK).

+>

+> [!NOTE]

+>

+> ² This capability cannot be enabled on an Azure Cosmos DB for MongoDB accounts with continuous backup.

+> [!WARNING]

+> If you need to delete a resource, rename, or move a resource, or migrate it across resource groups or subscriptions, first delete its diagnostic settings. Otherwise, if you recreate this resource, the diagnostic settings for the deleted resource could be included with the new resource, depending on the resource configuration for each resource. If the diagnostics settings are included with the new resource, this resumes the collection of resource logs as defined in the diagnostic setting and sends the applicable metric and log data to the previously configured destination.

+>

+> Also, it's a good practice to delete the diagnostic settings for a resource you're going to delete and don't plan on using again to keep your environment clean.

+description: An Azure Cosmos DB for NoSQL query clause with two keywords that skips and/or takes a specified number of results.

+The `OFFSET LIMIT` clause is an optional clause to **skip** and then **take** some number of values from the query. The `OFFSET` count and the `LIMIT` count are required in the OFFSET LIMIT clause.

+When `OFFSET LIMIT` is used with an `ORDER BY` clause, the result set is produced by doing skip and take on the ordered values. If no `ORDER BY` clause is used, it results in a deterministic order of values.

+```

+| **`<offset_amount>`** | Specifies the integer number of items that the query results should skip. |

+| **`<limit_amount>`** | Specifies the integer number of items that the query results should include. |

+For the example in this section, this reference set of items is used. Each item includes a `name` property.

+> [!NOTE]

+> In the original JSON data, the items are not sorted.

+The first example includes a query that returns only the `name` property from all items sorted in alphabetical order.

+This next example includes a query using the `OFFSET LIMIT` clause to skip the first item. The limit is set to the number of items in the container to return all possible remaining values. In this example, the query skips **one** item, and returns the remaining **four** (out of a limit of five).

+This final example includes a query using the `OFFSET LIMIT` clause to return a subset of the matching items by skipping **one** item and taking the next **three**.

+- Both the `OFFSET` count and the `LIMIT` count are required in the `OFFSET LIMIT` clause. If an optional `ORDER BY` clause is used, the result set is produced by doing the skip over the ordered values. Otherwise, the query returns a fixed order of values.

+- The RU charge of a query with `OFFSET LIMIT` increases as the number of terms being offset increases. For queries that have [multiple pages of results](pagination.md), we typically recommend using [continuation tokens](pagination.md#continuation-tokens). Continuation tokens are a "bookmark" for the place where the query can later resume. If you use `OFFSET LIMIT`, there's no "bookmark." If you wanted to return the query's next page, you would have to start from the beginning.

+- You should use `OFFSET LIMIT` for cases when you would like to skip items entirely and save client resources. For example, you should use `OFFSET LIMIT` if you want to skip to the 1000th query result and have no need to view results 1 through 999. On the backend, `OFFSET LIMIT` still loads each item, including those items that are skipped. The performance advantage is measured in reducing client resources by avoiding processing items that aren't needed.

+- [`GROUP BY` clause](group-by.md)

+- [`ORDER BY` clause](order-by.md)

+> [!IMPORTANT]

+> The Azure Resource Manager provider, `Microsoft.DocumentDB/databaseAccounts`, has maintained the same name for many years. This ensures that templates written years ago are still compatible with the same provider even as the name of the service and sub-services have evolved.

+> [!IMPORTANT]

+> The Azure Resource Manager provider, `Microsoft.DocumentDB/databaseAccounts`, has maintained the same name for many years. This ensures that templates written years ago are still compatible with the same provider even as the name of the service and sub-services have evolved.

+| [Create items in a container](https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/cosmos/azure-cosmos/samples/document_management.py#L33-L45) |container.create_item |

+| [Read an item by its ID](https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/cosmos/azure-cosmos/samples/document_management.py#L48-L56) |container.read_item |

+| [Read all the items in a container](https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/cosmos/azure-cosmos/samples/document_management.py#L59-L70) |container.read_all_items |

+| [Query an item by its ID](https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/cosmos/azure-cosmos/samples/document_management.py#L73-L85) |container.query_items |

+| [Replace an item](https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/cosmos/azure-cosmos/samples/document_management.py#L112-L119) |container.replace_item |

+| [Upsert an item](https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/cosmos/azure-cosmos/samples/document_management.py#L149-L156) |container.upsert_item |

+| [Delete an item](https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/cosmos/azure-cosmos/samples/document_management.py#L258-L263) |container.delete_item |

+| [Exclude a specific item from indexing](https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/cosmos/azure-cosmos/samples/index_management.py#L143-L199) | documents.[IndexingDirective](/python/api/azure-cosmos/azure.cosmos.documents.indexingdirective).Exclude|

+| [Use manual indexing with specific items indexed](https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/cosmos/azure-cosmos/samples/index_management.py#L202-L261) | documents.IndexingDirective.Include |

+| [Exclude paths from indexing](https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/cosmos/azure-cosmos/samples/index_management.py#L264-L334) |Define paths to exclude in [IndexingPolicy](/python/api/azure-mgmt-cosmosdb/azure.mgmt.cosmosdb.models.indexingpolicy) property |

+| [Use range indexes on strings](https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/cosmos/azure-cosmos/samples/index_management.py#L399-L483) | Define indexing policy with range indexes on string data type. `'kind': documents.IndexKind.Range`, `'dataType': documents.DataType.String`|

+| [Perform an index transformation](https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/cosmos/azure-cosmos/samples/index_management.py#L486-L542) |database.[replace_container](/python/api/azure-cosmos/azure.cosmos.database.databaseproxy#azure-cosmos-database-databaseproxy-replace-container) (use the updated indexing policy)|

+| [Use scans when only hash index exists on the path](https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/cosmos/azure-cosmos/samples/index_management.py#L337-L396) | set the `enable_scan_in_query=True` and `enable_cross_partition_query=True` when querying the items |

+ partition_key=PartitionKey(path='/category'))

+

+

+

+

+az consumption budget create-with-rg --amount 100 --budget-name TestCLIBudget -g $rg --category Cost --time-grain Monthly --time-period '{"start-date":"2024-06-01","end-date":"2025-12-31"}' --notifications "{\"Key1\":{\"enabled\":\"true\", \"operator\":\"GreaterThanOrEqualTo\", \"contact-emails\":[], \"threshold\":80.0, \"contact-groups\":[\"$ActionGroupId\"]}}"

+# Quick Start: Connect your GitHub Environment to Microsoft Defender for Cloud

+In this quick start, you connect your GitHub organizations on the **Environment settings** page in Microsoft Defender for Cloud. This page provides a simple onboarding experience to autodiscover your GitHub repositories.

+By connecting your GitHub environments to Defender for Cloud, you extend the security capabilities of Defender for Cloud to your GitHub resources and improve security posture. [Learn more](defender-for-devops-introduction.md).

+To complete this quick start, you need:

+- GitHub Enterprise with GitHub Advanced Security enabled for posture assessments of secrets, dependencies, Infrastructure-as-Code misconfigurations, and code quality analysis within GitHub repositories.

+

+Upon successful onboarding, DevOps resources (e.g., repositories, builds) will be present within the Inventory and DevOps security pages. It might take up to 8 hours for resources to appear. Security scanning recommendations might require [an additional step to configure your workflows](github-action.md). Refresh intervals for security findings vary by recommendation and details can be found on the Recommendations page.

+|Date | Category | Update|

+| July 9 | Upcoming update | [Inventory experience improvement](#update-inventory-experience-improvement) |

+### Update: Inventory experience improvement

+July 9, 2024

+**Estimated date for change: July 11, 2024**

+The inventory experience will be updated to improve performance, including improvements to the blade's 'Open query' query logic in Azure Resource Graph. Updates to the logic behind Azure resource calculation may result in additional resources counted and presented.

+ - DVDs: First burn the software to the DVD as an image. Your physical media must have a minimum of 4-GB storage.

+- The following CVE is resolved in this version:

+ - CVE-2024-38089

+ Title: Configure ERSPAN traffic mirroring with a Cisco switch - Microsoft Defender for IoT

+description: This article describes how to configure the Cisco switch for encapsulated remote switched port analyzer (ERSPAN) traffic mirroring for Microsoft Defender for IoT.

+# Configure ERSPAN traffic mirroring with a Cisco switch

+This article provides high-level guidance for configuring encapsulated remote switched port analyzer [(ERSPAN) traffic mirroring](../best-practices/traffic-mirroring-methods.md#erspan-ports) for a Cisco switch.

+## Configure the Cisco switch

+## July 2024

+|Service area |Updates |

+|||

+| **OT networks** | - [Security update](#security-update) |

+### Security update

+This update resolves a CVE, which is listed in [software version 24.1.4 feature documentation](release-notes.md#version-2414).

+| **OT networks** | - [Malicious URL path alert](#malicious-url-path-alert)<br> - [Newly supported protocols](#newly-supported-protocols)|

+### Newly supported protocols

+We now support the Open protocol. [See the updated protocol list](concept-supported-protocols.md).

+| **OT networks** | - [Single sign-on for the sensor console](#single-sign-on-for-the-sensor-console)<br>- [Sensor time drift detection](#sensor-time-drift-detection)<br>- [Security update](#security-update-1) |

+You can set up single sign-on (SSO) for the Defender for IoT sensor console using Microsoft Entra ID. SSO allows simple sign in for your organization's users, allows your organization to meet regulation standards, and increases your security posture. With SSO, your users don't need multiple login credentials across different sensors and sites.

+| **OT networks** | **Version 24.1.2**:<br> - [Alert suppression rules from the Azure portal (Public preview)](#alert-suppression-rules-from-the-azure-portal-public-preview)<br>- [Focused alerts in OT/IT environments](#focused-alerts-in-otit-environments)<br>- [Alert ID now aligned on the Azure portal and sensor console](#alert-id-now-aligned-on-the-azure-portal-and-sensor-console)<br>- [Newly supported protocols](#newly-supported-protocols-1)<br><br>**Cloud features**<br>- [New license renewal reminder in the Azure portal](#new-license-renewal-reminder-in-the-azure-portal) <br><br>- [New OT appliance hardware profile](#new-ot-appliance-hardware-profile) <br><br>- [New fields for SNMP MIB OIDs](#new-fields-for-snmp-mib-oids)|

+ | Members > Members | **+ Select members**, then search for the name of the app registration |

+- The **default** value and **shortest** possible retention period is **1 hour**.

+## Supported ExpressRoute Circuits

+ExpressRoute Traffic Collector supports both Provider-managed circuits and ExpressRoute Direct circuits. At this time, ExpressRoute Traffic Collector only supports circuits with a bandwidth of 1Gbps or greater.

+ :::image type="content" source="./media/assign-policy-portal/search-policy.png" alt-text="Screenshot of the Azure portal to search for policy." lightbox="./media/assign-policy-portal/search-policy.png":::

+ :::image type="content" source="./media/assign-policy-portal/select-assignments.png" alt-text="Screenshot of the Assignments pane that highlights the option to Assign policy." lightbox="./media/assign-policy-portal/select-assignments.png":::

+ | **Resource selectors** | Skip resource selectors for this example. Resource selectors let you refine the resources affected by the policy assignment. |

+ | **Policy definition** | Select the ellipsis (`...`) to open the list of available definitions. |

+ | **Available Definitions** | Search the policy definitions list for _Audit VMs that do not use managed disks_ definition, select the policy, and select **Add**. There's a column that shows the latest version of the definition. |

+ | **Version (preview)** | Accept the version in format `1.*.*` to ingest major, minor, and patch versions. <br/><br/> Select the ellipsis (`...`) to view available versions and the options to enroll in minor version updates or preview versions. You must select a version to change the options. For more information, go to [definition version within assignment](./concepts/assignment-structure.md#policy-definition-id-and-version-preview). |

+ :::image type="content" source="./media/assign-policy-portal/select-available-definition.png" alt-text="Screenshot of the policy assignment and available definitions that highlights policy version." lightbox="./media/assign-policy-portal/select-available-definition.png":::

+1. After a Policy definition is selected, you can change the **Version (preview)** options.

+ For example, if you select the options shown in the image, the **Version (preview)** is changed to `1.0.*`.

+ :::image type="content" source="./media/assign-policy-portal/select-version.png" alt-text="Screenshot of the policy definition version options to enroll in minor or preview versions." lightbox="./media/assign-policy-portal/select-version.png":::

+1. Select **Next** to view each tab for **Parameters** and **Remediation**. No changes are needed for this example.

+ | **Parameters** | If the policy definition you selected on the **Basics** tab has parameters, you configure them on the **Parameters** tab. This example doesn't use parameters. |

+Policy assignments define which resources are to be evaluated by a

+policy definition or initiaitve. Further, the policy assignment can determine the values of parameters for that group of

+resources at assignment time, making it possible to reuse policy definitions that address the same resource properties with different needs for compliance.

+- [scope](#scope)

+- [policy definition ID and version](#policy-definition-id-and-version-preview)

+For example, the following JSON shows a sample policy assignment request in _DoNotEnforce_ mode with parameters:

+ "definitionVersion": "1.*.*",

+## Scope

+The scope used for assignment resource creation time is the primary driver of resource applicability. For more information on assignment scope, see

+> [Understand scope in Azure Policy](./scope.md#assignment-scopes).

+## Policy definition ID and version (preview)

+This field must be the full path name of either a policy definition or an initiative definition.

+`policyDefinitionId` is a string and not an array. The latest content of the assigned policy

+definition or initiative is retrieved each time the policy assignment is evaluated. It's

+recommended that if multiple policies are often assigned together, to use an

+[initiative](./initiative-definition-structure.md) instead.

+For built-in definitions and initiative, you can use specific the `definitionVersion` of which to assess on. By default, the version will set to the latest major version and autoingest minor and patch changes.

+To autoingest any minor changes of the definition, the version number would be `#.*.*`. Wildcard represents autoingesting updates.

+To pin to a minor version path, the version format would be `#.#.*`.

+All patch changes must be autoinjested for security purposes. Patch changes are limited to text changes and break glass scenarios.

+- `updatedBy` (string): The friendly name of the security principal that updated the assignment, if

+ any.

+- `updatedOn` (string): The Universal ISO 8601 DateTime format of the assignment update time, if

+ any.

+### Scenario specific metadata properties

+ "definitionVersion": "1.1.*",

+When you're ready to expand the evaluation scope for your policy, you just have to update the assignment. The following example shows our policy assignment with two more Azure regions added to the **SDPRegions** selector. Note, in this example, _SDP_ means to _Safe Deployment Practice_:

+ "definitionVersion": "1.1.*",

+The optional `overrides` property allows you to change the effect of a policy definition without changing the underlying policy definition or using a parameterized effect in the policy definition.

+A common use case for overrides on effect is policy initiatives with a large number of associated policy definitions. In this situation, managing multiple policy effects can consume significant administrative effort, especially when the effect needs to be updated from time to time. Overrides can be used to simultaneously update the effects of multiple policy definitions within an initiative.

+Another common use case for overrides is rolling out a new version of a definition. For recommended steps on safely updating an assignment version, see [Policy Safe deployment](../how-to/policy-safe-deployment-practices.md#steps-for-safely-updating-built-in-definition-version-within-azure-policy-assignment).

+- `kind`: The property the assignment will override. The supported kinds are `policyEffect` and `policyVersion`.

+- `value`: The new value that overrides the existing value. For `kind: policyEffect`, the supported values are [effects](effect-basics.md). For `kind: policyVersion`, the supported version number must be greater than or equal to the `definitionVersion` specified in the assignment.

+ - `kind`: The property of a selector that describes what characteristic will narrow down the scope of the override. Allowed values for `kind: policyEffect`:

+ - `resourceLocation`: This property is used to select resources based on their type. Can't be used in the same resource selector as `resourceWithoutLocation`.

+ Allowed value for `kind: policyVersion`:

+ - `resourceLocation`: This property is used to select resources based on their type. Can't be used in the same resource selector as `resourceWithoutLocation`.

+One override can be used to replace the effect of many policies by specifying multiple values in the policyDefinitionReferenceId array. A single override can be used for up to 50 policyDefinitionReferenceIds, and a single policy assignment can contain up to 10 overrides, evaluated in the order in which they're specified. Before the assignment is created, the effect chosen in the override is validated against the policy rule and parameter allowed value list (in cases where the effect is [parameterized](./definition-structure-parameters.md)).

+For policy assignments with effect set to **deployIfNotExist** or **modify**, it's required to have an identity property to do remediation on non-compliant resources. When using an identity, the user must also specify a location for the assignment.

+- `version`

+For example, resource `Microsoft.Network/routeTables` supports tags and location and is evaluated in both modes. However, resource `Microsoft.Network/routeTables/routes` can't be tagged and isn't evaluated in `indexed` mode.

+When Azure Policy versioning is released, the following Resource Provider modes won't support built-in versioning:

+- `Microsoft.DataFactory.Data`

+- `Microsoft.MachineLearningServices.v2.Data`

+- `Microsoft.ManagedHSM.Data`

+## Version (preview)

+Built-in policy definitions can host multiple versions with the same `definitionID`. If no version number is specified, all experiences will show the latest version of the definition. To see a specific version of a built-in, it must be specified in API, SDK or UI. To reference a specific version of a definition within an assignment, see [definition version within assignment](../concepts/assignment-structure.md#policy-definition-id-and-version-preview)

+The Azure Policy service uses `version`, `preview`, and `deprecated` properties to convey level of

+> change to a built-in policy definition or initiative and state. The format of `version` is:

+> `{Major}.{Minor}.{Patch}`. Specific states, such as _deprecated_ or _preview_, are appended to the

+> `version` property or in another property as a **boolean**.

+- Major Version (example: 2.0.0): introduce breaking changes such as major rule logic changes, removing parameters, adding an enforcement effect by default.

+- Minor Version (example: 2.1.0): introduce changes such as minor rule logic changes, adding new parameter allowed values, change to `roleDefinitionIds`, adding or moving definitions within an initiative.

+- Patch Version (example: 2.1.4): introduce string or metadata changes and break glass security scenarios (rare).

+> For more information about

+> Azure Policy versions built-ins, see

+> [Built-in versioning](https://github.com/Azure/azure-policy/blob/master/built-in-policies/README.md).

+> To learn more about what it means for a policy to be _deprecated_ or in _preview_, see [Preview and deprecated policies](https://github.com/Azure/azure-policy/blob/master/built-in-policies/README.md#preview-and-deprecated-policies).

+- version

+ "version" : "1.0.0",

+ "definitionVersion": "1.*.*"

+ definition. For built-ins, this metadata version follows the version property of the built-in. It's recommended to use the version property over this metadata version.

+## Version (preview)

+Built-in policy initiatives can host multiple versions with the same `definitionID`. If no version number is specified, all experiences will show the latest version of the definition. To see a specific version of a built-in, it must be specified in API, SDK or UI. To reference a specific version of a definition within an assignment, see [definition version within assignment](../concepts/assignment-structure.md#policy-definition-id-and-version-preview)

+The Azure Policy service uses `version`, `preview`, and `deprecated` properties to convey the level of change to a built-in policy definition or initiative and state. The format of `version` is: `{Major}.{Minor}.{Patch}`. Specific states, such as _deprecated_ or _preview_, are appended to the `version` property or in another property as a **boolean** as shown in the common metadata properties.

+- Major Version (example: 2.0.0): introduce breaking changes such as major rule logic changes, removing parameters, adding an enforcement effect by default.

+- Minor Version (example: 2.1.0): introduce changes such as minor rule logic changes, adding new parameter allowed values, change to role definitionIds, adding or removing definitions within an initiative.

+- Patch Version (example: 2.1.4): introduce string or metadata changes and break glass security scenarios (rare).

+Built-in initiatives are versioned, and specific versions of built-in policy definitions can be referenced within built-in or custom initiatives as well. For more information, see [reference definition and versions](#policy-definition-properties).

+> While in preview, when creating an initiative through the portal, you will not be able to specify versions for built-in policy definition references. All built-in policy references in custom initiatives created through the portal will instead default to the latest version of the policy definition.

+>

+> For more information about

+> To learn more about what it means for a policy to be _deprecated_ or in _preview_, see [Preview and deprecated policies](https://github.com/Azure/azure-policy/blob/master/built-in-policies/README.md#preview-and-deprecated-policies).

+- `definitionVersion` : (Optional) The version of the built-in definition to refer to. If none is specified, it refers to the latest major version at assignment time and autoingest any minor updates. For more information, see [definition version](./definition-structure-basics.md#version-preview)

+ "definitionVersion": "1.2.*"

+source control and whenever a change is made, test, and validate that change. However, that

+| `policy-v#.json` | The entire policy definition for that version |

+| `policyset-v#.json` | The entire initiative definition for that version |

+| `policy-v#.parameters.json` | The `properties.parameters` portion of the policy definition |

+| `policyset-v#.parameters.json` | The `properties.parameters` portion of the initiative definition |

+| `policy-v#.rules.json` | The `properties.policyRule` portion of the policy definition |

+| `policyset-v#.definitions.json` | The `properties.policyDefinitions` portion of the initiative definition |

+| |- versions_____________________ # Subfolder for versions of definition

+| |- policy-v#.json _________________ # Policy definition

+| |- policy-v#.parameters.json ______ # Policy definition of parameters

+| |- policy-v#.rules.json ___________ # Policy rule

+| |- versions_____________________ # Subfolder for versions of definition

+| |- policy-v#.json _________________ # Policy definition

+| |- policy-v#.parameters.json ______ # Policy definition of parameters

+| |- policy-v#.rules.json ___________ # Policy rule

+When a new policy or new version is added or an existing one is updated, the workflow should automatically update the

+| |- versions ____________________ # Subfolder for versions of initiative

+| |- policyset.json ______________ # Initiative definition

+| |- policyset.definitions.json __ # Initiative list of policies

+| |- policyset.parameters.json ___ # Initiative definition of parameters

+| |- versions ____________________ # Subfolder for versions of initiative

+| |- policyset.json ______________ # Initiative definition

+| |- policyset.definitions.json __ # Initiative list of policies

+| |- policyset.parameters.json ___ # Initiative definition of parameters

+> [!NOTE]

+> The VS Code extension will only show the latest version of the policy definition. For more

+> information about the versions of definitions, see the [definitions](../concepts/definition-structure-basics.md#version-preview).

+The high-level approach of implementing SDP with Azure Policy is to gradually rollout policy assignments

+different Azure regions with _Ring 0_ representing non-critical, low traffic locations,

+## Steps for safely updating built-in definition version within Azure Policy assignment

+1. Within the existing assignment, apply _overrides_ to update the version of the definition for the least

+critical ring. We're using a combination of _overrides_ to change the definitionVersion and _selectors_ within the _overrides_ condition to narrow the applicability by `"kind": "resource location"` property. Any resources that are outside of the locations specified will continue to be assessed against the version from the `definitionVersion` top-level property in the assignment. Example override updating the version of the definition to `2.0.*` and only apply it to resources in `EastUs`.

+ ```json

+ "overrides":[{

+ "kind": "definitionVersion",

+ "value": "2.0.*",

+ "selectors": [{

+ "kind": "resourceLocation",

+ "in": [ "eastus"]

+ }]

+ }]

+ ```

+

+2. Once the assignment is updated and the initial compliance scan has completed,

+validate that the compliance result is as expected.

+ You should also configure automated tests that run compliance checks. A compliance check should

+ encompass the following logic:

+

+ - Gather compliance results

+ - If compliance results are as expected, the pipeline should continue

+ - If compliance results aren't as expected, the pipeline should fail and you should start debugging

+

+ For example, you can configure the compliance check by using other tools within

+ your particular continuous integration/continuous deployment (CI/CD) pipeline.

+

+ At each rollout stage, the application health checks should confirm the stability of the service

+ and impact of the policy. If the results aren't as expected due to application configuration,

+ refactor the application as appropriate.

+3. Repeat by expanding the resource selector property values to include the next rings.

+locations and validating the expected compliance results and application health. Example with an added location value:

+ ```json

+ "overrides":[{

+ "kind": "definitionVersion",

+ "value": "2.0",

+ "selectors": [{

+ "kind": "resourceLocation",

+ "in": [ "eastus", "westus"]

+ }]

+ }]

+ ```

+4. Once you have successfully included all the necessary locations within the _selectors, you can remove the override and update the definitionVersion property within the assignment:

+```json

+"properties": {

+ "displayName": "Enforce resource naming rules",

+ "description": "Force resource names to begin with DeptA and end with -LC",

+ "definitionVersion": "2.0.*",

+}

+```

+1. Select **Assign Policy** from the top of the **Policy | Assignments** page.

+1. The **Version** is automatically populated to the latest major version of the definition and set to autoinjest any non-breaking changes. You may change the version to others, if available or adjust your ingesting settings, but no change is required. **Overrides** are optional, so leave it blank for now.

+ [modify](../concepts/effect-modify.md) effect. **Type of Managed Identity** is set to _System Assigned_. **Permissions** is set to _Contributor_

+ "version": "1.0.0"

+ - Scope: The management group or subscription you saved the initiative to become the default.

+ saved location.

+By default, IoT Edge modules on the devices of the La Ni├▒a service are configured to not produce any tracing data and the [logging level](/aspnet/core/fundamentals/logging) is set to `Information`. The amount of produced tracing data is regulated by a [ratio based sampler](https://github.com/open-telemetry/opentelemetry-dotnet/blob/main/src/OpenTelemetry/Trace/Sampler/TraceIdRatioBasedSampler.cs). The sampler is configured with a desired [probability](https://github.com/open-telemetry/opentelemetry-dotnet/blob/bdcf942825915666dfe87618282d72f061f7567e/src/OpenTelemetry/Trace/TraceIdRatioBasedSampler.cs#L35) of a given activity to be included in a trace. By default, the probability is set to 0. With that in place, the devices don't flood the Azure Monitor with the detailed observability data if it's not requested.

+One of the key capabilities of Azure IoT Edge is deploying code to your IoT Edge devices from the cloud. *IoT Edge modules* are executable packages implemented as containers. In this section, you'll deploy a pre-built module from the [IoT Edge Modules section of Microsoft Artifact Registry](https://mcr.microsoft.com/catalog?cat=IoT%20Edge%20Modules&alphaSort=asc&alphaSortKey=Name).

+Follow these steps to deploy your first module.

+1. Sign in to the [Azure portal](https://portal.azure.com) and go to your IoT Hub.

+One of the key capabilities of Azure IoT Edge is deploying code to your IoT Edge devices from the cloud. *IoT Edge modules* are executable packages implemented as containers. In this section, you'll deploy a pre-built module from the [IoT Edge Modules section of Microsoft Artifact Registry](https://mcr.microsoft.com/catalog?cat=IoT%20Edge%20Modules&alphaSort=asc&alphaSortKey=Name).

+Follow these steps to deploy your first module.

+1. Sign in to the [Azure portal](https://portal.azure.com) and go to your IoT Hub.

+ Choose which modules you want to run on your device. You can choose from modules that you've already created, modules from Microsoft Artifact Registry, or modules that you've built yourself. In this quickstart, you'll deploy a module from the Microsoft Artifact Registry.

+A [Deployment manifest](module-composition.md) declares which modules the IoT Edge runtime will install on your IoT Edge device. You provided the code to make a customized Function module in the previous section, but the SQL Server module is already built and available in the Microsoft Artifact Registry. You just need to tell the IoT Edge runtime to include it, then configure it on your device.

+7. Find the **modules** section. You should see three modules. The module *SimulatedTemperatureSensor* is included by default in new solutions, and provides test data to use with your other modules. The module *sqlFunction* is the module that you initially created and updated with new code. Finally, the module *sql* was imported from the the Microsoft Artifact Registry.

+Both Standard and Consumption logic app workflows offer the SAP *managed* connector that's hosted and run in multitenant Azure. Standard workflows also offer the SAP *built-in service provider* connector that's hosted and run in single-tenant Azure Logic Apps. If you create and host a Consumption workflow in an integration service environment (ISE), you can also use the SAP connector's ISE-native version. For more information, see [Connector technical reference](sap.md#connector-technical-reference).

+Based on whether you have a Consumption workflow in multitenant Azure Logic Apps or a Standard workflow in single-tenant Azure Logic Apps, follow the corresponding steps:

+Based on whether you have a Consumption workflow in multitenant Azure Logic Apps or a Standard workflow in single-tenant Azure Logic Apps, follow the corresponding steps:

+Next, create an action to send your IDoc to SAP when the workflow's request trigger fires. Based on whether you have a Consumption workflow in multitenant Azure Logic Apps or a Standard workflow in single-tenant Azure Logic Apps, follow the corresponding steps:

+1. To simulate a webhook trigger payload, send an HTTP POST request to the endpoint URL that's specified by your workflow's Request trigger. Make sure to include your message content with your request. To send the request, use a local tool or app tool such as [Insomnia](https://insomnia.rest/) or [Bruno](https://www.usebruno.com/).

+1. To simulate a webhook trigger payload, send an HTTP POST request to the endpoint URL that's specified by your workflow's Request trigger. Make sure to your message content with your request. To send the request, use a local tool or app such as [Insomnia](https://insomnia.rest/) or [Bruno](https://www.usebruno.com/).

+Both Standard and Consumption logic app workflows offer the SAP *managed* connector that's hosted and run in multitenant Azure. Standard workflows also offer the preview SAP *built-in* connector that's hosted and run in single-tenant Azure Logic Apps, but this connector is currently in preview and subject to the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). If you create and host a Consumption workflow in an integration service environment (ISE), you can also use the SAP connector's ISE-native version. For more information, see [Connector technical reference](sap.md#connector-technical-reference).

+Based on whether you have a Consumption workflow in multitenant Azure Logic Apps or a Standard workflow in single-tenant Azure Logic Apps, follow the corresponding steps:

+Based on whether you have a Consumption workflow in multitenant Azure Logic Apps or a Standard workflow in single-tenant Azure Logic Apps, follow the corresponding steps:

+Based on whether you have a Consumption workflow in multitenant Azure Logic Apps or a Standard workflow in single-tenant Azure Logic Apps, follow the corresponding steps:

+1. To simulate a webhook trigger payload, send an HTTP POST request to the endpoint URL that's specified by your workflow's Request trigger. To send the request, use a local tool or app such as [Insomnia](https://insomnia.rest/) or [Bruno](https://www.usebruno.com/).

+1. To simulate a webhook trigger payload, send an HTTP POST request to the endpoint URL that's specified by your workflow's Request trigger. To send the request, use a local tool or app such as [Insomnia](https://insomnia.rest/) or [Bruno](https://www.usebruno.com/).

+For this task, you'll need an [integration account](../logic-apps-enterprise-integration-create-integration-account.md), if you don't already have one. Based on whether you have a Consumption workflow in multitenant Azure Logic Apps or a Standard workflow in single-tenant Azure Logic Apps, follow the corresponding steps to upload schemas to an integration account from your workflow after schema generation.

+* To test the example workflow in this guide, you need a local tool or app that can send calls to the endpoint created by the Request trigger. For example, you can use local tools such as [Insomnia](https://insomnia.rest/) or [Bruno](https://www.usebruno.com/) to send the HTTP request.

+ >

+1. To test the URL by sending a request and triggering the workflow, open your preferred tool or app, and follow their instructions for creating and sending HTTP requests.

+ For this example, use the **GET** method with the copied URL, which looks like the following sample:

+ **`GET https://fabrikam-workflows.azurewebsites.net:443/api/Fabrikam-Stateful-Workflow/triggers/manual/invoke?api-version=2020-05-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=xxxxxXXXXxxxxxXXXXxxxXXXXxxxxXXXX`**

+ When the trigger fires, the example workflow runs and sends an email that appears similar to this example:

+ 

+1. To test the example workflow in this guide, you need a local tool or app that can send calls to the endpoint created by the Request trigger. For example, you can use local tools such as [Insomnia](https://insomnia.rest/) or [Bruno](https://www.usebruno.com/) to send the HTTP request.

+ 1. Copy and save the **Callback URL** property value.

+1. To test the callback URL by sending a request and triggering the workflow, open your preferred tool or app, and follow their instructions for creating and sending HTTP requests.

+ For this example, use the **GET** method with the copied URL, which looks like the following sample:

+ **`GET http://localhost:7071/api/Stateful-Workflow/triggers/manual/invoke?api-version=2020-05-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=<shared-access-signature>`**

+ When the trigger fires, the example workflow runs and sends an email that appears similar to this example:

+ 

+ >

+This article provides an overview about custom connectors for [Consumption logic app workflows and Standard logic app workflows](logic-apps-overview.md). Each logic app type is powered by a different Azure Logic Apps runtime, respectively hosted in multitenant Azure and single-tenant Azure. For more information about connectors in Azure Logic Apps, review the following documentation:

+* [Single-tenant versus multitenant and integration service environment for Azure Logic Apps](single-tenant-overview-compare.md)

+In [multitenant Azure Logic Apps](logic-apps-overview.md), you can create [custom connectors from Swagger-based or SOAP-based APIs](/connectors/custom-connectors/) up to [specific limits](../logic-apps/logic-apps-limits-and-config.md#custom-connector-limits) for use in Consumption logic app workflows. The [Connectors documentation](/connectors/connectors) provides more overview information about how to create custom connectors for Consumption logic apps, including complete basic and advanced tutorials. The following list also provides direct links to information about custom connectors for Consumption logic apps:

+In [single-tenant Azure Logic Apps](logic-apps-overview.md), the redesigned Azure Logic Apps runtime powers Standard logic app workflows. This runtime differs from the multitenant Azure Logic Apps runtime that powers Consumption logic app workflows. The single-tenant runtime uses the [Azure Functions extensibility model](../azure-functions/functions-bindings-register.md), which provides a key capability for you to create your own [built-in connectors](../connectors/built-in.md) for anyone to use in Standard workflows. In most cases, the built-in version provides better performance, capabilities, pricing, and so on.

+1. To send a call to the Request trigger's URL, which appears in the Request trigger's **HTTP POST URL** property, follow these steps:

+ 1. Use a local tool or app such as [Insomnia](https://insomnia.rest/) or [Bruno](https://www.usebruno.com/) to send the HTTP request.

+ 1. Send the HTTP request using the **`POST`** method with the URL.

+ 1. Include the XML content that you want to encode or decode in the request body.

+1. To send a call to the Request trigger's URL, which appears in the Request trigger's **HTTP POST URL** property, follow these steps:

+ 1. Use a local tool or app such as [Insomnia](https://insomnia.rest/) or [Bruno](https://www.usebruno.com/) to send the HTTP request.

+ 1. Send the HTTP request using the **`POST`** method with the URL.

+ 1. Include the JSON input to transform, for example:

+ ```json

+ {

+ "devices": "Surface, Mobile, Desktop computer, Monitors",

+ "firstName": "Dean",

+ "lastName": "Ledet",

+ "phone": "(111)0001111"

+ }

+ ```

+* To test the URL for the callable endpoint that you create, you'll need a local tool or app such as [Insomnia](https://insomnia.rest/) or [Bruno](https://www.usebruno.com/) to send the HTTP request.

+1. To test the callback URL that you now have for the Request trigger, use a local tool or app such as [Insomnia](https://insomnia.rest/) or [Bruno](https://www.usebruno.com/), and send the request using the method that the Request trigger expects.

+1. To test the callback URL that you now have for the Request trigger, use a local tool or app such as [Insomnia](https://insomnia.rest/) or [Bruno](https://www.usebruno.com/), and send the request using the method that the Request trigger expects.

+In business to business (B2B) scenarios, partners often exchange messages in groups or *batches*. When you build a batching solution with Azure Logic Apps, you can send messages to trading partners and process those messages together in batches. This article shows how you can batch process EDI messages, using X12 as an example, by creating a "batch sender" logic app and a "batch receiver" logic app.

+Batching X12 messages works like batching other messages. You use a batch trigger that collects messages into a batch and a batch action that sends messages to the batch. Also, X12 batching includes an X12 encoding step before the messages go to the trading partner or other destination. To learn more about the batch trigger and action, see [Batch process messages](logic-apps-batch-process-send-receive-messages.md).

+In this article, you'll build a batching solution by creating two logic apps within the same Azure subscription, Azure region, and following this specific order:

+* A ["batch receiver"](#receiver) logic app, which accepts and collects messages into a batch until your specified criteria is met for releasing and processing those messages. In this scenario, the batch receiver also encodes the messages in the batch by using the specified X12 agreement or partner identities.

+ Make sure that you first create the batch receiver so you can later select the batch destination when you create the batch sender.

+* A ["batch sender"](#sender) logic app workflow, which sends the messages to the previously created batch receiver.

+Make sure that your batch receiver and batch sender logic app workflows use the same Azure subscription *and* Azure region. If they don't, you can't select the batch receiver when you create the batch sender because they're not visible to each other.

+* An Azure subscription. If you don't have a subscription, you can [start with a free Azure account](https://azure.microsoft.com/free/).

+* Basic knowledge about how to create logic app workflows. For more information, see [Create an example Consumption logic app workflow in multitenant Azure Logic Apps](quickstart-create-example-consumption-workflow.md).

+* An existing [integration account](logic-apps-enterprise-integration-create-integration-account.md) that's associated with your Azure subscription and is linked to your logic apps.

+* At least two existing [partners](logic-apps-enterprise-integration-partners.md) in your integration account. Each partner must use the X12 (Standard Carrier Alpha Code) qualifier as a business identity in the partner's properties.

+* An existing [X12 agreement](logic-apps-enterprise-integration-x12.md) in your integration account.

+* To use Visual Studio rather than the Azure portal, make sure you [set up Visual Studio for working with Azure Logic Apps](quickstart-create-logic-apps-with-visual-studio.md).

+Before you can send messages to a batch, that batch must first exist as the destination where you send those messages. So first, you must create the "batch receiver" logic app, which starts with the **Batch** trigger. That way, when you create the "batch sender" logic app, you can select the batch receiver logic app. The batch receiver continues collecting messages until your specified criteria is met for releasing and processing those messages. While batch receivers don't need to know anything about batch senders, batch senders must know the destination where they send the messages.

+For this batch receiver, you specify the batch mode, name, release criteria, X12 agreement, and other settings.

+1. In the [Azure portal](https://portal.azure.com), Visual Studio, or Visual Studio Code, create a logic app with the following name: **BatchX12Messages**

+1. [Link your logic app to your integration account](logic-apps-enterprise-integration-create-integration-account.md#link-account).

+1. In workflow designer, add the **Batch** trigger, which starts your logic app workflow.

+1. [Follow these general steps to add a **Batch** trigger named **Batch messages**](create-workflow-with-trigger-or-action.md?tab=consumption#add-trigger).

+1. Set the batch receiver properties:

+ | Property | Value | Notes |

+ | **Batch Mode** | Inline | |

+ | **Batch Name** | TestBatch | Available only with **Inline** batch mode |

+ | **Release Criteria** | Message count based, Schedule based | Available only with **Inline** batch mode |

+ | **Message Count** | 10 | Available only with **Message count based** release criteria |

+ | **Interval** | 10 | Available only with **Schedule based** release criteria |

+ | **Frequency** | minute | Available only with **Schedule based** release criteria |

+ >

+ > This example doesn't set up a partition for the batch, so each batch

+ > uses the same partition key. To learn more about partitions, see

+ > [Batch process messages](logic-apps-batch-process-send-receive-messages.md#batch-sender).

+1. Now add an action that encodes each batch:

+ 1. [Follow these general steps to add an **X12** action named: **Batch encode <*any-version*>**](create-workflow-with-trigger-or-action.md?tab=consumption#add-action)

+ 1. If you didn't previously connect to your integration account, create the connection now. Provide a name for your connection, select the integration account you want, and then select **Create**.

+ 1. Set these properties for your batch encoder action:

+1. Save your logic app workflow.

+1. If you're using Visual Studio, make sure that you [deploy your batch receiver logic app to Azure](quickstart-create-logic-apps-with-visual-studio.md#deploy-logic-app-to-azure). Otherwise, you can't select the batch receiver when you create the batch sender.

+### Test your workflow

+To make sure your batch receiver works as expected, you can add an HTTP action for testing purposes, and send a batched message to the

+[Request Bin service](https://requestbin.com/).

+1. [Follow these general steps to add the **HTTP** action named **HTTP**](create-workflow-with-trigger-or-action.md?tab=consumption#add-action).

+1. Set the properties for the HTTP action:

+ | Property | Description |

+ | **Method** | From this list, select **POST**. |

+ | **Uri** | Generate a URI for your request bin, and then enter that URI in this box. |

+ | **Body** | Click inside this box, and after the dynamic content list opens, select the **Body** token, which appears in the section, **Batch encode by agreement name**. <p>If you don't see the **Body** token, next to **Batch encode by agreement name**, select **See more**. |

+1. Save your workflow.

+ Your batch receiver logic app looks like the following example:

+Now create one or more logic apps that send messages to the batch receiver logic app. In each batch sender, you specify the batch receiver logic app and batch name, message content, and any other settings. You can optionally provide a unique partition key to divide

+the batch into subsets to collect messages with that key.

+* Make sure that you already [created your batch receiver](#receiver). That way, when you create your batch sender, you can select the existing batch receiver as the destination batch. While batch receivers don't need to know anything about batch senders, batch senders must know where to send messages.

+* Make sure that your batch receiver and batch sender logic app workflows use the same Azure subscription *and* Azure region. If they don't, you can't select the batch receiver when you create the batch sender because they're not visible to each other.

+1. Create another logic app with the following name: **SendX12MessagesToBatch**

+1. [Follow these general steps to add the **Request** trigger named **When a HTTP request is received**](create-workflow-with-trigger-or-action.md?tab=consumption#add-trigger).

+1. To add an action for sending messages to a batch, [follow these general steps to add a **Send messages to batch** action named **Choose a Logic Apps workflow with batch trigger**](create-workflow-with-trigger-or-action.md?tab=consumption#add-action).

+ 1. Select the **BatchX12Messages** logic app that you previously created.

+ 1. Select the **BatchX12Messages** action named **Batch_messages - <*your-batch-receiver*>**.

+1. Set the batch sender's properties.

+1. Save your workflow.

+## Test your workflows

+To test your batching solution, post X12 messages to your batch sender logic app from a local tool or app that can send HTTP requests, such as [Insomnia](https://insomnia.rest/) or [Bruno](https://www.usebruno.com/). Soon, you start getting X12 messages in your request bin, either every 10 minutes or in batches of 10, all with the same partition key.

+1. Make sure that the URL works by calling or sending a request to the URL. You can use any local tool or app that you want for creating and sending HTTP requests, such as [Insomnia](https://insomnia.rest/) or [Bruno](https://www.usebruno.com/).

+1. If you use your own domain name server (DNS) with your virtual network, add the **WEBSITE_DNS_SERVER** app setting, if none exists, and set the value to the IP address for your DNS. If you have a secondary DNS, add another app setting named **WEBSITE_DNS_ALT_SERVER**, and set the value to the IP for your secondary DNS.

+* You can enable availability zone redundancy *only at creation time*. No programmatic tool support, such as Azure PowerShell or Azure CLI, currently exists to enable availability zone redundancy after creation.

+For language models deployed to MaaS, Azure Machine Learning implements a default configuration of [Azure AI Content Safety](../ai-services/content-safety/overview.md) text moderation filters that detect harmful content such as hate, self-harm, sexual, and violent content. To learn more about content filtering (preview), see [harm categories in Azure AI Content Safety](../ai-services/content-safety/concepts/harm-categories.md).

+Content filtering (preview) occurs synchronously as the service processes prompts to generate content, and you might be billed separately as per [AACS pricing](https://azure.microsoft.com/pricing/details/cognitive-services/content-safety/) for such use. You can disable content filtering (preview) for individual serverless endpoints either at the time when you first deploy a language model or in the deployment details page by selecting the content filtering toggle. If you use a model in MaaS via an API other than the [Azure AI Model Inference API](../ai-studio/reference/reference-model-inference-api.md), content filtering isn't enabled unless you implement it separately by using [Azure AI Content Safety](../ai-services/content-safety/quickstart-text.md). If you use a model in MaaS without content filtering, you run a higher risk of exposing users to harmful content.

+ :::image type="content" source="media/how-to-create-compute-instance/pobo-sso-update.png" alt-text="Screenshot shows SSO can be updated on compute instance details page by the assigned to user.":::

+

+If ACR admin user is disallowed by subscription policy, you should first create ACR without admin user, and then associate it with the workspace.

+> [!TIP]

+> To get the value for the `--container-registry` parameter, use the [az acr show](/cli/azure/acr#az-acr-show) command to show information for your ACR. The `id` field contains the resource ID for your ACR.

+Also, if you already have an existing ACR with admin user disabled, you can attach it to the workspace by updating it. The following example demonstrates updating an Azure Machine Learning workspace to use an existing ACR:

+```azurecli-interactive

+az ml workspace update --update-dependent-resources \

+--name <workspace name> \

+--resource-group <workspace resource group> \

+--container-registry /subscriptions/<subscription id>/resourceGroups/<acr resource group>/providers/Microsoft.ContainerRegistry/registries/<acr name>

+```

+> [!IMPORTANT]

+> This information is only valid when using an _Azure Virtual Network_. If you are using a _managed virtual network_, compute resources can't be deployed in your Azure Virtual Network. For information on using a managed virtual network, see [managed compute with a managed network](how-to-managed-network-compute.md).

+> This information is only valid when using an _Azure Virtual Network_. If you are using a _managed virtual network_, compute resources can't be deployed in your Azure Virtual Network. For information on using a managed virtual network, see [managed compute with a managed network](how-to-managed-network-compute.md).

+description: Learn best practices for distributed training with supported frameworks, such as PyTorch, DeepSpeed, TensorFlow, and InfiniBand.

+For a few private packages for a single workspace, use the static [`Environment.add_private_pip_wheel()`](/python/api/azureml-core/azureml.core.environment.environment#add-private-pip-wheel-workspace--file-path--exist-ok-false-) method. This approach allows you to quickly add a private package to the workspace, and is well suited for development and testing purposes.

+To set up such private storage, see [Secure an Azure Machine Learning workspace and associated resources](../how-to-secure-workspace-vnet.md#secure-azure-storage-accounts). You must also [place the Azure Container Registry (ACR) behind the virtual network](../how-to-secure-workspace-vnet.md#enable-azure-container-registry-acr).

+> [!NOTE]

+> The smallest CIDR range you can specify for the subnet to host Azure Database for MySQL flexible server is /29, which provides eight IP addresses. However, the first and last address in any network or subnet can't be assigned to any individual host. Azure reserves five IP addresses for internal use by Azure networking, including the two IP addresses that can't be assigned to a host. This leaves three available IP addresses for a /29 CIDR range. For Azure Database for MySQL flexible server, it's required to allocate one IP address per node from the delegated subnet when private access is enabled. HA-enabled servers require two IP addresses, and a Non-HA server requires one IP address. It is recommended to reserve at least two IP addresses per Azure Database for MySQL flexible server instance, as high availability options can be enabled later.

+1. Azure Databases for MySQL flexible server instances are injected into a delegated subnet - 10.0.1.0/24 of virtual network **VNet-1**.

+1. Applications deployed on different subnets within the same virtual network can access the Azure Database for MySQL flexible server instances directly.

+1. Applications deployed on a different virtual network **VNet-2** don't have direct access to Azure Database for MySQL flexible server instances. Before they can access an instance, you must perform a [private DNS zone virtual network peering](#private-dns-zone-and-virtual-network-peering).

+## Move from private access (virtual network integrated) network to public access or private link

+Azure Database for MySQL flexible server can be transitioned from private access (virtual network Integrated) to public access, with the option to use Private Link. This functionality enables servers to switch from virtual network integrated to Private Link/Public infrastructure seamlessly, without the need to alter the server name or migrate data, simplifying the process for customers.

+> [!NOTE]

+> That once the transition is made, it cannot be reversed. The transition involves a downtime of approximately 5-10 minutes for Non-HA servers and about 20 minutes for HA-enabled servers.

+The process is conducted in offline mode and consists of two steps:

+1. Detaching the server from the virtual network infrastructure.

+1. Establishing a Private Link or enabling public access.

+- For guidance on transitioning from Private access network to Public access or Private Link, visit [Move from private access (virtual network integrated) to public access or Private Link with the Azure portal](how-to-network-from-private-to-public.md). This resource offers step-by-step instructions to facilitate the process.

+## Related content

+- [Azure portal](how-to-manage-virtual-network-portal.md)

+- [Azure CLI](how-to-manage-virtual-network-cli.md)

+- [Use TLS](how-to-connect-tls-ssl.md)

+ Title: How to network from a private access to public access or Private Link in Azure Database for MySQL

+description: Learn about moving an Azure Database for MySQL from private access (virtual network integrated) to public access or a Private Link with the Azure portal.

+# Move from private access (virtual network integrated) to public access or Private Link with the Azure portal

+This article describes moving an Azure Database for MySQL flexible server from Private access (virtual network integrated) to Public access or a Private Link with the Azure portal.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/).

+- An Azure Database for MySQL server started with private access (integrated virtual network).

+- An Azure Virtual Network with a subnet and a service endpoint to the Azure Database for MySQL server.

+- An Azure Database for MySQL server with a private endpoint.

+## How to move from private access

+The steps below describe moving from private access (virtual network integrated) to public access or Private Link with the Azure portal.

+1. In the Azure portal, select your existing Azure Database for MySQL flexible server instance.

+1. On the Private access (virtual network Integrated) Azure Database for MySQL flexible server instance page, select **Networking** from the front panel to open the high availability page.

+1. Select **Move to Private Link**.

+ > [!NOTE]

+ > A warning appears explaining that this operation is irreversible and has downtime.

+ :::image type="content" source="media/how-to-network-from-private-to-public/network-page.png" alt-text="Screenshot of the Azure network page to begin the process." lightbox="media/how-to-network-from-private-to-public/network-page.png":::

+1. Once you select **Yes**, a wizard appears with two steps.

+## Work in the wizard

+1. Detach the server from the virtual network infrastructure and transition it to the Private Link or Public access infrastructure.

+ :::image type="content" source="media/how-to-network-from-private-to-public/allow-public-access.png" alt-text="Screenshot of the Azure allow public access page." lightbox="media/how-to-network-from-private-to-public/allow-public-access.png":::

+ If you need public access only, you need to check `Allow public access to this resource through the internet using a public IP address`, or If you need private access only, then move to step 2 and don't check `Allow public access to this resource through the internet using a public IP address`. If you need public and private access, check the box for `Allow public access to this resource through the internet using a public IP address` and move to Step 2 to create a private link.

+1. Once you select **Next**, detaching the server is initiated.

+ :::image type="content" source="media/how-to-network-from-private-to-public/move-to-private-link.png" alt-text="Screenshot of the Azure move to private link page." lightbox="media/how-to-network-from-private-to-public/move-to-private-link.png":::

+1. Once detached, you can create a private link.

+ :::image type="content" source="media/how-to-network-from-private-to-public/add-private-endpoint.png" alt-text="Screenshot of teh Azure add a private endpoint page." lightbox="media/how-to-network-from-private-to-public/add-private-endpoint.png":::

+1. When the server detaches from the virtual network, the server is put into an updating state. You can monitor the status of the server in the portal.

+ You can select to configure the network setting or move to the networking pane and configure public access, private endpoint, or both.

+ > [!NOTE]

+ > After detaching the server from the virtual network infrastructure, if you didn't opt for "Allow public access to this resource through the internet using a public IP address" and omitted Step 2 or exited the portal before completing the necessary steps, your server becomes inaccessible. You encounter a specific message indicating the server's update status.

+## Related content

+- [Private Link - Azure Database for MySQL - Flexible Server | Microsoft Learn](/azure/mysql/flexible-server/concepts-networking-private-link)

+- [Public Network Access overview - Azure Database for MySQL - Flexible Server | Microsoft Learn](/azure/mysql/flexible-server/concepts-networking-public)

+## July 2024

+- **Move from private access (virtual network integrated) network to public access or private link**

+ Azure Database for MySQL flexible server can be transitioned from private access (virtual network Integrated) to public access, with the option to use Private Link. This functionality enables servers to switch from virtual network integrated to Private Link/Public infrastructure seamlessly, without the need to alter the server name or migrate data, simplifying the process for customers. [Learn more](concepts-networking-vnet.md#move-from-private-access-virtual-network-integrated-network-to-public-access-or-private-link)

+

+- The Azure storage account should be publicly accessible using SAS token. Azure storage account with virtual network configuration are not supported.

+## Prerequisite checks when migration from Single to Flexible Server

+- If your source Azure Database for MySQL Single Server has engine version v8.x, ensure to upgrade your source server's .NET client driver version to 8.0.32 to avoid any encoding incompatibilities post migration to Flexible Server.

+- If your source Azure Database for MySQL Single Server has engine version v8.x, ensure to upgrade your source server's TLS version from v1.0 or v1.1 to TLS v1.2 before the migration as the older TLS versions have been deprecated for Flexible Server.

+- If your source Azure Database for MySQL Single Server utilizes nondefault ports such as 3308,3309 and 3310, change your connectivity port to 3306 as the above mentioned nondefault ports aren't supported on Flexible Server.

+|On-premises connectivity to Oracle database cluster via vWAN attached SD-WAN|Yes|

+- The feature is available in specific regions. The full list is available on [Supported regions](#supported-regions) section.

+Azure Database for PostgreSQL flexible server supports PostgreSQL versions 16, 15, 14, 13, 12, and 11. The Postgres community releases a new major version that contains new features about once a year. Additionally, each major version receives periodic bug fixes in the form of minor releases. Minor version upgrades include changes that are backward compatible with existing applications. Azure Database for PostgreSQL flexible server periodically updates the minor versions during a customer's maintenance window.

+- Learn about [backup and recovery](./concepts-backup-restore.md).

+A read replica can be created in the same region as the primary server or in a different geographical region. Geo-replication can be helpful for scenarios like disaster recovery planning or bringing data closer to your users.

+While creating replicas in any supported region is possible, there are notable benefits for choosing replicas in paired regions, especially when architecting for disaster recovery purposes:

+- **Performance**: While paired regions typically offer low network latency, enhancing data accessibility and user experience, they might not always be the regions with the absolute lowest latency. If the primary objective is to serve data closer to users rather than prioritize disaster recovery, it's crucial to evaluate all available regions for latency. In some cases, a non-paired region might exhibit the lowest latency. For a comprehensive understanding, you can reference [Azure's round-trip latency figures](../../networking/azure-network-latency.md#round-trip-latency-figures) to make an informed choice.

+You can create an Azure Database for PostgreSQL flexible server instance using Azure managed disks, which are block-level storage volumes managed by Azure and used with Azure Virtual Machines. Managed disks are like a physical disk in an on-premises server but, virtualized. With managed disks, all you have to do is specify the disk size, the disk type, and provision the disk. Once you provision the disk, Azure handles the rest. Azure Database for PostgreSQL Flexible Server supports premium solid-state drives (SSD) and Premium SSD v2 and the pricing is calculated based on the compute, memory, and storage tier you provision.

+Azure Premium SSDs deliver high-performance and low-latency disk support for virtual machines (VMs) with input/output (IO)-intensive workloads. Premium SSDs are suitable for mission-critical production applications, but you can use them only with compatible VM series. Premium SSDs support the 512E sector size.

+Premium SSD v2 offers higher performance than Premium SSDs while also generally being less costly. You can individually tweak the performance (capacity, throughput, and IOPS(input/output operations per second)) of Premium SSD v2 disks at any time, allowing workloads to be cost-efficient while meeting shifting performance needs. For example, a transaction-intensive database might need a large amount of IOPS at a small size, or a gaming application might need a large amount of IOPS but only during peak hours. Hence, for most general-purpose workloads, Premium SSD v2 can provide the best price performance. You can now deploy Azure Database for PostgreSQL flexible server instances with Premium SSD v2 disk in all supported regions.

+Unlike Premium SSDs, Premium SSD v2 doesn't have dedicated sizes. You can set a Premium SSD v2 to any supported size you prefer, and make granular adjustments (1-GiB increments) as per your workload requirements. Premium SSD v2 doesn't support host caching but still provides lower latency than Premium SSD. Premium SSD v2 capacities range from 1 GiB to 64 TiBs.

+All Premium SSD v2 disks have a baseline of 3000 IOPS that is free of charge. After 6 GiB, the maximum IOPS a disk can have increases at a rate of 500 per GiB, up to 80,000 IOPS. So, an 8-GiB disk can have up to 4,000 IOPS, and a 10 GiB can have up to 5,000 IOPS. To be able to set 80,000 IOPS on a disk, that disk must have at least 160 GiBs. Increasing your IOPS beyond 3,000 increases the price of your disk.

+- During the preview, features like High Availability, Read Replicas, Geo Redundant Backups, Customer Managed Keys, or Storage Autogrow features aren't supported for PV2.

+- During the preview, online migration from PV1 to PV2 isn't supported. Customers can perform PITR (Point-In-Time-Restore) to migrate from PV1 to PV2.

+- During the preview, you can enable Premium SSD V2 only for newly created servers. Enabling Premium SSD V2 on existing servers is currently not supported.

+The following table provides an overview of premium SSD V2 disk capacities and performance maximums to help you decide which to use.

+Storage autogrow can help ensure that your server always has enough storage capacity and doesn't become read-only. When you turn on storage autogrow, disk size increases without affecting the workload. Storage Autogrow is only supported for Premium SSD storage tier. Premium SSD v2 doesn't support storage autogrow.

+For servers with more than 1 TiB of provisioned storage, the storage autogrow mechanism activates when the available space falls to less than 10% of the total capacity or 64 GiB of free space, whichever of the two values are smaller. Conversely, for servers with storage under 1 TiB, this threshold is adjusted to 20% of the available free space or 64 GiB, depending on which of these values is smaller.

+The process of scaling storage is performed online without causing any downtime, except when the disk is provisioned at 4,096 GiB. This exception is a limitation of Azure Managed disks. If a disk is already 4,096 GiB, the storage scaling activity isn't triggered, even if storage autogrow is turned on. In such cases, you need to scale your storage manually. Manual scaling is an offline operation that you should plan according to your business requirements.

+- Host Caching (ReadOnly and Read/Write) is supported on disk sizes less than 4 TiB. Any disk that is provisioned up to 4,095 GiB can take advantage of Host Caching. Host caching isn't supported for disk sizes more than or equal to 4,096 GiB. For example, a P50 premium disk provisioned at 4,095 GiB can take advantage of Host caching and a P50 disk provisioned at 4,096 GiB can't take advantage of Host Caching. Customers moving from lower disk size to 4,096 GiB or higher won't get disk caching ability.

+> Storage autogrow depends on online disk scaling, so it never causes downtime.

+Azure Database for PostgreSQL flexible server supports provisioning of extra IOPS. This feature enables you to provision more IOPS above the complimentary IOPS limit. Using this feature, you can increase or decrease the number of IOPS provisioned based on your workload requirements at any time.

+* General availability support for [Storage-Autogrow with read replicas](concepts-read-replicas.md)

+### pg_pltemplate deprecation

+Another important consideration is the deprecation of the **pg_pltemplate** system table within the pg_catalog schema by the PostgreSQL community **starting from version 13.** Therefore, if you're migrating to Flexible Server versions 13 and above, and if you have granted permissions to users on the pg_pltemplate table, it is necessary to undo these permissions before initiating the migration process.

+- If you have specifically granted or revoked privileges to any users or roles for the affected pg_catalog tables and views, you will encounter an error during the migration process. This error will be identified by the following pattern:

+```sql

+pg_restore error: could not execute query <GRANT/REVOKE> <PRIVILEGES> on <affected TABLE/VIEWS> to <user>.

+ ```

+To resolve this error, it's necessary to undo the privileges granted to users and roles on the affected pg_catalog tables and views. You can accomplish this by taking the following steps.

+ **Step 1: Identify Privileges**

+Execute the following query on your single server by logging in as the admin user:

+```sql

+SELECT

+ array_to_string(array_agg(acl.privilege_type), ', ') AS privileges,

+ t.relname AS relation_name,

+ r.rolname AS grantee

+FROM

+ pg_catalog.pg_class AS t

+ CROSS JOIN LATERAL aclexplode(t.relacl) AS acl

+ JOIN pg_roles r ON r.oid = acl.grantee

+WHERE

+ acl.grantee <> 'azure_superuser'::regrole

+ AND t.relname IN (

+ 'pg_authid', 'pg_largeobject', 'pg_subscription', 'pg_user_mapping', 'pg_statistic',

+ 'pg_config', 'pg_file_settings', 'pg_hba_file_rules', 'pg_replication_origin_status', 'pg_shadow', 'pg_pltemplate'

+ )

+GROUP BY

+ r.rolname, t.relname;

+```

+**Step 2: Review the Output**

+The output of the above query will show the list of privileges granted to roles on the impacted tables and views.

+For example:

+| Privileges | Relation name | Grantee |

+| : | : | : |

+| SELECT | pg_authid | adminuser1

+| SELECT, UPDATE | pg_shadow | adminuser2

+**Step 3: Undo the privileges**

+To undo the privileges, run REVOKE statements for each privilege on the relation from the grantee. In the above example, you would run:

+```sql

+REVOKE SELECT ON pg_authid FROM adminuser1;

+REVOKE SELECT ON pg_shadow FROM adminuser2;

+REVOKE UPDATE ON pg_shadow FROM adminuser2;

+```

+After completing these steps, you can proceed to initiate a new migration from the single server to the flexible server using the migration service. You should not encounter permission-related issues during this process.

+1. Alternatively, open **AI Enrichments > Enriched Data Structure** to scroll down the list of nodes. The list includes potential and actual nodes, with a column for output, and another column that indicates the upstream object used to produce the output.

+ Title: "Quickstart: Search for images by using Search Explorer in the Azure portal"

+description: Search for images on an Azure AI Search index by using the Azure portal. Run a wizard to vectorize images, and then use Search Explorer to provide an image as your query input.

+# Quickstart: Search for images by using Search Explorer in the Azure portal

+> Image vectors are supported in stable API versions, but the wizard and vectorizers are in preview under [Supplemental Terms of Use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). By default, the wizard targets the [2024-05-01-Preview REST API](/rest/api/searchservice/skillsets/create-or-update?view=rest-searchservice-2024-05-01-preview&preserve-view=true).

+This quickstart shows you how to get started with image search by using the **Import and vectorize data** wizard in the Azure portal. It also shows how to use Search Explorer to run image-based queries.

+Sample data consists of image files in the [azure-search-sample-data](https://github.com/Azure-Samples/azure-search-sample-data/tree/main/unsplash-images) repo, but you can use different images and still follow the walkthrough.

+ Currently, eligible regions are: SwedenCentral, EastUS, NorthEurope, WestEurope, WestUS, SoutheastAsia, KoreaCentral, FranceCentral, AustraliaEast, WestUS2, SwitzerlandNorth, JapanEast. [Check the documentation](/azure/ai-services/computer-vision/how-to/image-retrieval) for an updated list.

+ The service tier determines how many blobs you can index. We used the Free tier to create this walkthrough and limited the content to 10 JPG files.

+ Don't use Azure Data Lake Storage Gen2 (a storage account with a hierarchical namespace). This version of the wizard doesn't support Data Lake Storage Gen2.

+All of the preceding resources must have public access enabled so that the portal nodes can access them. Otherwise, the wizard fails. After the wizard runs, you can enable firewalls and private endpoints on the integration components for security. For more information, see [Secure connections in the import wizards](search-import-data-portal.md#secure-connections).

+If private endpoints are already present and you can't disable them, the alternative option is to run the respective end-to-end flow from a script or program on a virtual machine. The virtual machine must be on the same virtual network as the private endpoint. [Here's a Python code sample](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-python/code/integrated-vectorization) for integrated vectorization. The same [GitHub repo](https://github.com/Azure/azure-search-vector-samples/tree/main) has samples in other programming languages.

+A free search service supports role-based access control on connections to Azure AI Search, but it doesn't support managed identities on outbound connections to Azure Storage or Azure AI Vision. This level of support means you must use key-based authentication on connections between a free search service and other Azure services. For connections that are more secure:

+1. Download the [unsplash-signs image folder](https://github.com/Azure-Samples/azure-search-sample-data/tree/main/unsplash-images/jpg-signs) to a local folder, or find some images of your own. On a free search service, keep the image files under 20 to stay within the free quota for enrichment processing.

+1. On the left pane, under **Data Storage**, select **Containers**.

+If your search service and Azure AI service are in the same [supported region](/azure/ai-services/computer-vision/how-to/image-retrieval) and tenant, and if your Azure Storage blob container is using the default configuration, you're ready to start the wizard.

+ :::image type="content" source="media/search-get-started-portal-import-vectors/command-bar.png" alt-text="Screenshot of the command to open the wizard for importing and vectorizing data.":::

+1. On the **Set up your data connection** page, select **Azure Blob Storage**.

+1. For Azure Storage, select the account and container that provide the data. Use the default values for the remaining boxes.

+ :::image type="content" source="media/search-get-started-portal-images/connect-to-your-data.png" alt-text="Screenshot of the wizard page for setting up a data connection.":::

+If raw content includes text, or if the skillset produces text, the wizard calls a text-embedding model to generate vectors for that content. In this exercise, text will be produced from the OCR skill that you add in the next step.

+Azure AI Vision provides text embeddings, so use that resource for text vectorization.

+1. On the **Vectorize your text** page, select **AI Vision vectorization**. If it's not available, make sure Azure AI Search and your Azure AI multiservice account are together in a region that [supports AI Vision multimodal APIs](/azure/ai-services/computer-vision/how-to/image-retrieval).

+ :::image type="content" source="media/search-get-started-portal-images/vectorize-your-text.png" alt-text="Screenshot of the wizard page for vectorizing text.":::

+Use Azure AI Vision to generate a vector representation of the image files.

+In this step, you can also apply AI to extract text from images. The wizard uses OCR from Azure AI services to recognize text in image files.

+The inclusion of plain text in the `chunk` field is useful if you want to use relevance features that operate on strings, such as [semantic ranking](semantic-search-overview.md) and [scoring profiles](index-add-scoring-profiles.md).

+1. In the enrichment section, select **Extract text from images** and **Use same AI service selected for image vectorization**.

+ :::image type="content" source="media/search-get-started-portal-images/vectorize-enrich-images.png" alt-text="Screenshot of the wizard page for vectorizing images and enriching data.":::

+## Schedule indexing

+1. On the **Advanced settings** page, under **Schedule indexing**, specify a [run schedule](search-howto-schedule-indexers.md) for the indexer. We recommend **Once** for this exercise. For data sources where the underlying data is volatile, you can schedule indexing to pick up the changes.

+ :::image type="content" source="media/search-get-started-portal-images/run-once.png" alt-text="Screenshot of the wizard page for scheduling indexing.":::

+## Finish the wizard

+1. On the **Review your configuration** page, specify a prefix for the objects that the wizard will create. A common prefix helps you stay organized.

+ :::image type="content" source="media/search-get-started-portal-images/review-create.png" alt-text="Screenshot of the wizard page for reviewing and completing the configuration.":::

+1. Select **Create**.

+When the wizard completes the configuration, it creates the following objects:

+ + The [OCR](cognitive-search-skill-ocr.md) skill recognizes text in image files.

+ + The [Text Merge](cognitive-search-skill-textmerger.md) skill unifies the various outputs of OCR processing.

+ + The [Text Split](cognitive-search-skill-textsplit.md) skill adds data chunking. This skill is built into the wizard workflow.

+ + The [Azure AI Vision multimodal embeddings](cognitive-search-skill-vision-vectorize.md) skill is used to vectorize text generated from OCR.

+ + The [Azure AI Vision multimodal embeddings](cognitive-search-skill-vision-vectorize.md) skill is called again to vectorize images.

+1. In the Azure portal, go to **Search Management** > **Indexes**, and then select the index that you created. **Search explorer** is the first tab.

+1. On the **View** menu, select **Image view**.

+ :::image type="content" source="media/search-get-started-portal-images/select-image-view.png" alt-text="Screenshot of the command for selecting image view.":::

+1. Select **Search** to run the query.

+ The top match should be the image that you searched for. Because a [vector search](vector-search-overview.md) matches on similar vectors, the search engine returns any document that's sufficiently similar to the query input, up to the `k` number of results. You can switch to JSON view for more advanced queries that include relevance tuning.

+ :::image type="content" source="media/search-get-started-portal-images/image-search.png" alt-text="Screenshot of search results.":::

+This demo uses billable Azure resources. If you no longer need the resources, delete them from your subscription to avoid charges.

+## Next step

+This quickstart introduced you to the **Import and vectorize data** wizard that creates all of the necessary objects for image search. If you want to explore each step in detail, try an [integrated vectorization sample](https://github.com/Azure/azure-search-vector-samples/blob/main/demo-python/code/integrated-vectorization/azure-search-integrated-vectorization-sample.ipynb).

+ Title: "Quickstart: Vectorize text and images by using the Azure portal"

+description: Use a wizard to automate data chunking and vectorization in a search index.

+# Quickstart: Vectorize text and images by using the Azure portal

+> The **Import and vectorize data** wizard is in public preview under [Supplemental Terms of Use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). By default, it targets the [2024-05-01-Preview REST API](/rest/api/searchservice/skillsets/create-or-update?view=rest-searchservice-2024-05-01-preview&preserve-view=true).

+This quickstart helps you get started with [integrated vectorization (preview)](vector-search-integrated-vectorization.md) by using the **Import and vectorize data** wizard in the Azure portal. This wizard calls a user-specified embedding model to vectorize content during indexing and for queries.

+For fewer limitations or more data source options, try a code-base approach. For more information, see the [integrated vectorization sample](https://github.com/Azure/azure-search-vector-samples/blob/main/demo-python/code/integrated-vectorization/azure-search-integrated-vectorization-sample.ipynb).

+ Azure Storage must be a standard performance (general-purpose v2) account. Access tiers can be hot, cool, and cold.

+

+ Don't use Azure Data Lake Storage Gen2 (a storage account with a hierarchical namespace). This version of the wizard doesn't support Data Lake Storage Gen2.

+ For [multimodal with Azure AI Vision](/azure/ai-services/computer-vision/how-to/image-retrieval), create an Azure AI service in SwedenCentral, EastUS, NorthEurope, WestEurope, WestUS, SoutheastAsia, KoreaCentral, FranceCentral, AustraliaEast, WestUS2, SwitzerlandNorth, or JapanEast. [Check the documentation](/azure/ai-services/computer-vision/how-to/image-retrieval?tabs=csharp) for an updated list.

+ You can also use an [Azure AI Studio model catalog](/azure/ai-studio/what-is-ai-studio) (and hub and project) with model deployments.

+All of the preceding resources must have public access enabled so that the portal nodes can access them. Otherwise, the wizard fails. After the wizard runs, you can enable firewalls and private endpoints on the integration components for security. For more information, see [Secure connections in the import wizards](search-import-data-portal.md#secure-connections).

+If private endpoints are already present and you can't disable them, the alternative option is to run the respective end-to-end flow from a script or program on a virtual machine. The virtual machine must be on the same virtual network as the private endpoint. [Here's a Python code sample](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-python/code/integrated-vectorization) for integrated vectorization. The same [GitHub repo](https://github.com/Azure/azure-search-vector-samples/tree/main) has samples in other programming languages.

+A free search service supports RBAC on connections to Azure AI Search, but it doesn't support managed identities on outbound connections to Azure Storage or Azure AI Vision. This level of support means you must use key-based authentication on connections between a free search service and other Azure services. For connections that are more secure:

+> [!NOTE]

+> If you can't progress through the wizard because options aren't available (for example, you can't select a data source or an embedding model), revisit the role assignments. Error messages indicate that models or deployments don't exist, when in fact the real problem is that the search service doesn't have permission to access them.

+We recommend role assignments for search service connections to other resources.

+1. On Azure AI Search, [enable RBAC](search-security-enable-roles.md).

+1. Configure your search service to [use a system-assigned or user-assigned managed identity](search-howto-managed-identities-data-sources.md#create-a-system-managed-identity).

+In the following sections, you can assign the search service's managed identity to roles in other services. The sections provide steps for role assignments where applicable.

+The wizard supports semantic ranking, but only on the Basic tier and higher, and only if semantic ranking is already [enabled on your search service](semantic-how-to-enable-disable.md). If you're using a billable tier, check whether semantic ranking is enabled.

+### [Azure Storage](#tab/sample-data-storage)

+1. On the left pane, under **Data Storage**, select **Containers**.

+1. On **Access control**, assign the [Storage Blob Data Reader](search-howto-managed-identities-data-sources.md#assign-a-role) role on the container to the search service identity. Or, get a connection string to the storage account from the **Access keys** page.

+### [OneLake](#tab/sample-data-onelake)

+1. Sign in to [Power BI](https://powerbi.com/) and [create a workspace](/fabric/data-engineering/tutorial-lakehouse-get-started).

+1. In Power BI, select **Workspaces** on the left menu and open the workspace that you created.

+ 1. On the upper-right menu, select **Manage access**.

+ 1. Enter the name of your search service. For example, if the URL is `https://my-demo-service.search.windows.net`, the search service name is `my-demo-service`.

+ 1. From the **Power BI** switcher on the lower left, select **Data Engineering**.

+ 1. On the **Data Engineering** pane, select **Lakehouse** to create a lakehouse.

+ 1. Provide a name, and then select **Create** to create and open the new lakehouse.

+ 1. Select **Upload files**, and then upload the [health-plan PDF documents](https://github.com/Azure-Samples/azure-search-sample-data/tree/main/health-plan) used for this quickstart.

+1. Before you leave the lakehouse, copy the URL, or get the workspace and lakehouse IDs, so that you can specify the lakehouse in the wizard. The URL is in this format: `https://msit.powerbi.com/groups/00000000-0000-0000-0000-000000000000/lakehouses/11111111-1111-1111-1111-111111111111?experience=data-engineering`.

+You can use embedding models deployed in Azure OpenAI, in Azure AI Vision for multimodal embeddings, or in the model catalog in Azure AI Studio.

+### [Azure OpenAI](#tab/model-aoai)

+**Import and vectorize data** supports `text-embedding-ada-002`, `text-embedding-3-large`, and `text-embedding-3-small`. Internally, the wizard uses the [AzureOpenAIEmbedding skill](cognitive-search-skill-azure-openai-embedding.md) to connect to Azure OpenAI.

+Use these instructions to assign permissions or get an API key for search service connection to Azure OpenAI. You should set up permissions or have connection information available before you run the wizard.

+ 1. On the left menu, select **Access control**.

+ 1. Select **Add**, and then select **Add role assignment**.

+ 1. Under **Job function roles**, select [Cognitive Services OpenAI User](/azure/ai-services/openai/how-to/role-based-access-control#azure-openai-roles), and then select **Next**.

+ 1. Under **Members**, select **Managed identity**, and then select **Members**.

+ 1. Filter by subscription and resource type (search services), and then select the managed identity of your search service.

+1. On the **Overview** page, select **Click here to view endpoints** or **Click here to manage keys** if you need to copy an endpoint or API key. You can paste these values into the wizard if you're using an Azure OpenAI resource with key-based authentication.

+1. Under **Resource Management** and **Model deployments**, select **Manage Deployments** to open Azure AI Studio.

+1. Copy the deployment name of `text-embedding-ada-002` or another supported embedding model. If you don't have an embedding model, deploy one now.

+### [Azure AI Vision](#tab/model-ai-vision)

+**Import and vectorize data** supports Azure AI Vision image retrieval through multimodal embeddings (version 4.0). Internally, the wizard uses the [multimodal embeddings skill](cognitive-search-skill-vision-vectorize.md) to connect to Azure AI Vision.

+1. [Create an Azure AI Vision service in a supported region](/azure/ai-services/computer-vision/how-to/image-retrieval?tabs=csharp#prerequisites).

+1. Make sure your Azure AI Search service is in the same region.

+1. After the service is deployed, go to the resource and select **Access control** to assign the **Cognitive Services OpenAI User** role to your search service's managed identity. Optionally, you can use key-based authentication for the connection.

+After you finish these steps, you should be able to select the Azure AI Vision vectorizer in the **Import and vectorize data** wizard.

+> [!NOTE]

+> If you can't select an Azure AI Vision vectorizer, make sure you have an Azure AI Vision resource in a supported region. Also make sure that your search service's managed identity has **Cognitive Services OpenAI User** permissions.

+### [Azure AI Studio model catalog](#tab/model-catalog)

+**Import and vectorize data** supports Azure, Cohere, and Facebook embedding models in the Azure AI Studio model catalog, but it doesn't currently support the OpenAI CLIP model. Internally, the wizard uses the [AML skill](cognitive-search-aml-skill.md) to connect to the catalog.

+Use these instructions to assign permissions or get an API key for search service connection to Azure OpenAI. You should set up permissions or have connection information available before you run the wizard.

+1. For the model catalog, you should have an [Azure OpenAI resource](/azure/ai-services/openai/how-to/create-resource), a [hub in Azure AI Studio](/azure/ai-studio/how-to/create-projects), and a [project](/azure/ai-studio/how-to/create-projects). Hubs and projects that have the same name can share connection information and permissions.

+1. Deploy a supported embedding model to the model catalog in your project.

+1. For RBAC, create two role assignments: one for Azure AI Search, and another for the AI Studio project. Assign the [Cognitive Services OpenAI User](/azure/ai-services/openai/how-to/role-based-access-control) role for embeddings and vectorization.

+ :::image type="content" source="media/search-get-started-portal-import-vectors/command-bar.png" alt-text="Screenshot of the command to open the wizard for importing and vectorizing data.":::

+1. In the **Import and vectorize data** wizard, on the **Set up your data connection** page, select **Azure Blob Storage** or **OneLake**.

+1. For OneLake, specify the lakehouse URL, or provide the workspace and lakehouse IDs.

+ For Azure Storage, select the account and container that provide the data.

+In this step, specify the embedding model for vectorizing chunked data.

+1. On the **Vectorize your text** page, specify whether deployed models are on Azure OpenAI, the Azure AI Studio model catalog, or an existing Azure AI Vision multimodal resource in the same region as Azure AI Search.

+1. Make selections according to the resource:

+ 1. For Azure OpenAI, select the service, model deployment, and authentication type.

+ 1. For AI Studio catalog, select the project, model deployment, and authentication type.

+ 1. For AI Vision vectorization, select the account.

+ For more information, see [Set up embedding models](#set-up-embedding-models) earlier in this article.

+1. Select the checkbox that acknowledges the billing impact of using these resources.

+1. On the **Vectorize your images** page, specify the kind of connection the wizard should make. For image vectorization, the wizard can connect to embedding models in Azure AI Studio or Azure AI Vision.

+1. For the Azure AI Studio model catalog, specify the project and deployment. For more information, see [Set up embedding models](#set-up-embedding-models) earlier in this article.

+1. Select the checkbox that acknowledges the billing impact of using these resources.

+## Choose advanced settings

+1. On the **Advanced settings** page, you can optionally add [semantic ranking](semantic-search-overview.md) to rerank results at the end of query execution. Reranking promotes the most semantically relevant matches to the top.

+1. Optionally, specify a [run schedule](search-howto-schedule-indexers.md) for the indexer.

+## Finish the wizard

+1. On the **Review your configuration** page, specify a prefix for the objects that the wizard will create. A common prefix helps you stay organized.

+1. Select **Create**.

+When the wizard completes the configuration, it creates the following objects:

+Search Explorer accepts text strings as input and then vectorizes the text for vector query execution.

+1. In the Azure portal, go to **Search Management** > **Indexes**, and then select the index that you created.

+ :::image type="content" source="media/search-get-started-portal-import-vectors/query-options.png" alt-text="Screenshot of the button for query options.":::

+1. On the **View** menu, select **JSON view** so that you can enter text for your vector query in the `text` vector query parameter.

+ :::image type="content" source="media/search-get-started-portal-import-vectors/select-json-view.png" alt-text="Screenshot of the menu command for opening the JSON view.":::

+ The wizard offers a default query that issues a vector query on the `vector` field and returns the five nearest neighbors. If you opted to hide vector values, your default query includes a `select` statement that excludes the `vector` field from search results.

+1. For the `text` value, replace the asterisk (`*`) with a question related to health plans, such as `Which plan has the lowest deductible?`.

+ Five matches should appear. Each document is a chunk of the original PDF. The `title` field shows which PDF the chunk comes from.

+1. To see all of the chunks from a specific document, add a filter for the `title` field for a specific PDF:

+Azure AI Search is a billable resource. If you no longer need it, delete it from your subscription to avoid charges.

+## Next step

+This quickstart introduced you to the **Import and vectorize data** wizard that creates all of the necessary objects for integrated vectorization. If you want to explore each step in detail, try an [integrated vectorization sample](https://github.com/Azure/azure-search-vector-samples/blob/main/demo-python/code/integrated-vectorization/azure-search-integrated-vectorization-sample.ipynb).

+Information retrieval is foundational to any app that surfaces text and vectors. Common scenarios include catalog or document search, data exploration, and increasingly feeding query results to prompts based on your proprietary grounding data for conversational and copilot search. When you create a search service, you work with the following capabilities:

+| **Incidents: Adding alerts to incidents / <br>Removing alerts from incidents** | Since adding alerts to, or removing alerts from incidents isn't supported after onboarding your workspace to the unified security operations platform, these actions are also not supported from within playbooks. For more information, see [Capability differences between portals](../microsoft-sentinel-defender-portal.md#capability-differences-between-portals). |

+

+> [!NOTE]

+> If the firewall is running, a rule will need to be created to allow remote systems to reach the daemonΓÇÖs syslog listener: `systemctl status firewalld.service`

+> 1. Add for tcp 514 (your zone/port/protocol may differ depending on your scenario)

+> `firewall-cmd --zone=public --add-port=514/tcp --permanent`

+> 2. Add for udp 514 (your zone/port/protocol may differ depending on your scenario)

+> `firewall-cmd --zone=public --add-port=514/udp --permanent`

+> 3. Restart the firewall service to ensure new rules take effect

+> `systemctl restart firewalld.service`

+- [Manage plugins in Microsoft Copilot for Security](/copilot/security/manage-plugins#turn-plugins-on-or-off)

+- [Microsoft Defender XDR integration with Microsoft Sentinel](microsoft-365-defender-sentinel-integration.md)

+ > [!NOTE]

+> [!NOTE]

+> To use Microsoft Entra ID (Azure Active Directory) authentication the following are required:

+> - The user/service principal is assigned the 'Azure Service Bus Data Owner' role. No other built in or customer roles are supported.

+> - The 'Azure Service Bus Data Owner' role has to be assigned at the namespace scope. Assignment at queue or topic scope is not supported.

+> Computer name prefix only works for Service Fabric API version `2024-04-01 or later`.

+Site Recovery has an RTO SLA of [one hours](https://azure.microsoft.com/support/legal/sla/site-recovery/v1_2/). Most of the time, Site Recovery fails over virtual machines within minutes. To calculate the RTO, review the failover job, which shows the time it took to bring up a virtual machine.

+> - For **Brazil South**, you can replicate and fail over to these regions: Brazil Southeast, South Central US, West Central US, East US, East US 2, West US, West US 2, and North Central US.

+> - Brazil South can only be used as a source region from which VMs can replicate using Site Recovery. It can't act as a target region. Note that if you fail over from Brazil South as a source region to a target, failback to Brazil South from the target region is supported. Brazil Southeast can only be used as a target region.

+>

+> - If the region in which you want to create a vault doesn't show, make sure your subscription has access to create resources in that region.

+>

+> - If you can't see a region within a geographic cluster when you enable replication, make sure your subscription has permissions to create VMs in that region.

+>

+> - New Zealand is not a supported region for Azure Site Recovery as a source or target region.

+ Title: Trusted launch VMs with Azure Site Recovery

+# Azure Site Recovery support for Azure trusted launch virtual machines

+ - You can't protect Azure Trusted VMs using recovery services vault which were created before the public preview and have private endpoints configured.

+ Title: How to schedule bandwidth limitations of a Storage Mover agent

+description: Learn how to set a bandwidth schedule that limits the use of the WAN link for a Storage Mover agent

+# Manage network bandwidth of a Storage Mover agent

+In this article, you learn how to set bandwidth management schedules for your Storage Mover agents.

+When migrating your files and folders to Azure, you need to carefully consider the upload bandwidth you want to make available to each of your Storage Mover agents. Other workloads may also depend on having sufficient bandwidth available. To make your Storage Mover agents a good neighbor to other workloads in your network, you can schedule limits for each agent.

+## Prerequisites

+Before you can set a bandwidth schedule, you first need to [deploy a Storage Mover resource](storage-mover-create.md) in one of your resource groups, and then [register an agent](agent-register.md). Bandwidth limit schedules are set and stored per registered agent.

+## Understanding the basic concept of bandwidth management

+A schedule is an attribute of a registered **agent**. In the portal, you can set and change this schedule on the registered agents page, found in your Storage Mover resource.

+A bandwidth management schedule describes time windows throughout a week, during which you can set a limit on how much upload bandwidth a Storage Mover agent is allowed to use.

+This schedule looks a lot like a calendar in outlook, but there are a few important differences:

+- The schedule is repeating itself. It has the seven weekdays and at the end of the week, the schedule repeats.

+- An entry in the schedule is a designated limit the agent shall not exceed. Clear time stretches on a day designate no limitation, allowing the agent to use as much bandwidth as needed.

+- You can't schedule a limit for a specific date, but for repeating weekdays. As an example, you can say: *"Limit the agent's bandwidth to no more than x during my cloud backup window on Sundays."*

+- The schedule doesn't store a timezone. When you set a limit that starts for instance at 9am, then that means agent-local time. You can see what timezone is configured for the agent. Pay close attention, the agent's timezone may be different from the timezone of your site where the agent is deployed.

+> [!TIP]

+> You can set the timezone of a Storage Mover agent to where it is deployed.<br>1. [Connect to the agent console and login](agent-register.md#step-1-connect-to-the-agent-vm)<br>2. Select menu option: ``1) System configuration`` <br>3. Select menu option: ``3) Change timezone`` and follow the prompts to make your selection.

+## Enabling or changing a bandwidth management schedule

+Using the Azure portal, you can enable a bandwidth schedule on a registered agent resource.

+ 1. With the portal showing your Storage Mover resource, select "*Registered agents*" in the menu on the left.

+ 1. You now have two options to set or view a schedule. You can find the column "*Bandwidth management*" and click on the link for your selected agent. Or, you can select the checkbox in front of your agent. That enables and a command button above the list of agents, labeled "*Manage bandwidth limit*".

+ :::image type="content" source="media/bandwidth-management/bandwidth-registered-agents-command-small.png" alt-text="A screenshot of the Azure portal, registered agents blade, showing first select an agent and then select the Bandwidth Management command." lightbox="media/bandwidth-management/bandwidth-registered-agents-command.png":::

+ 1. The bandwidth management window opens and displays the schedule currently in effect for the agent. When an empty schedule is shown, there are no bandwidth limitations defined for this agent.

+## Setting a bandwidth limit

+Open the bandwidth scheduling window. ([see previous section](#enabling-or-changing-a-bandwidth-management-schedule))

+Here you can create a custom schedule for this selected agent, or you can [reuse a schedule](#reusing-a-schedule-from-another-agent) that was previously created for another agent.

+* To create a custom schedule, select the "Add limit" command. A dialog opens, allowing you to define a time slice during which you want to set the maximum bandwidth on your WAN link, that the agent is allowed to use.

+ :::image type="content" source="media/bandwidth-management/bandwidth-add-limit.png" alt-text="A screenshot of an Azure portal dialog showing the inputs to set a limit for a custom time period.":::<br>

+ The dialog requires you to set a start and an end-time during which you want to apply an uplink limit for the agent. You can then pick on which days of the week you like to apply your new limit. Select all weekdays during which you like to apply the same limit. You then need to specify the limit in Mbps (Megabits per second). Overlapping times aren't allowed. Any limit you set, applies at the displayed time in the agent's timezone. You can find the agent's timezone displayed at the top of the bandwidth management window. You may need to offset your schedule or adjust the agent's timezone.

+* To "[reuse a schedule from another agent](#reusing-a-schedule-from-another-agent)", follow the link to an upcoming section.

+* To apply your changes to this agent, select the "*Save*" button at the bottom of the "*Bandwidth management*" window.

+> [!NOTE]

+> Only the *migration data stream* an agent establishes to your target storage in Azure is controlled by this schedule. In addition to this data stream, there is control plane traffic from the agent to Azure. Control messages, progress telemetry, and copy logs generally require only a small amount of bandwidth. To ensure proper functionality of the agent throughout your migration, the control plane of the agent is not governed by the schedule you set. In an extreme case the agent may exceed the limits you defined by a small amount.

+> [!TIP]

+> You can set the timezone of a Storage Mover agent to where it is deployed.<br>1. [Connect to the agent console and login](agent-register.md#step-1-connect-to-the-agent-vm)<br>2. Select menu option: ``1) System configuration`` <br>3. Select menu option: ``3) Change timezone`` and follow the prompts to make your selection.

+## Changing or deleting a bandwidth limit

+Open the bandwidth management schedule for your selected agent. ([see previous section](#enabling-or-changing-a-bandwidth-management-schedule))

+If you like to edit or delete a specific limit, select the limit and the "*Edit limit*" dialog opens. You can adjust the time slot or delete the limit. There are no bulk-editing options, so you must edit every limit on every weekday individually.

+If your goal is to disable bandwidth management altogether for the agent, select the "Clear all limits" command.

+Don't forget to apply your changes to this agent. Select the "*Save*" button at the bottom of the "*Bandwidth management*" window.

+## Reusing a schedule from another agent

+You can reuse the bandwidth limit schedule from another agent.

+1. Open the bandwidth management schedule for your selected agent. [See the previous paragraph.](#enabling-or-changing-a-bandwidth-management-schedule)

+1. Select the command "*Import limits from other agents*" and select the agent you like to copy the schedule from. If there are no agents in the list, then there are no other agents with enabled bandwidth limits.

+ > [!WARNING]

+ > Using this option will overwrite the currently configured schedule for this agent. You cannot restore any unsaved changes you may have made prior to importing a schedule.

+1. Optionally, you can now modify this copied schedule.

+1. To apply your changes to this agent, select the "*Save*" button at the bottom of the "*Bandwidth management*" window.

+> [!IMPORTANT]

+> Schedules are stored free of a timezone. That enables them to be reused on other agents. A scheduled limit will be in effect during this time in whatever the agent's timezone is. You need to ensure that you offset your bandwidth management schedule if the agent's timezone is different to the one used in the location you've deployed the agent in. For example, if the agent's timezone is UTC but your agent is actually deployed in the Pacific timezone (PST), you need to offset your schedule by -7 hours. Alternatively, you can adjust the agent's timezone to the correct one for the location. Doing this removes the need to offset your schedule and also enables your schedule to automatically adjust to Daylight Savings, should your timezone observe that.

+> [!TIP]

+> You can set the timezone of a Storage Mover agent to where it is deployed.<br>1. [Connect to the agent console and login](agent-register.md#step-1-connect-to-the-agent-vm)<br>2. Select menu option: ``1) System configuration`` <br>3. Select menu option: ``3) Change timezone`` and follow the prompts to make your selection.

+## Use PowerShell to configure a bandwidth limit schedule

+Managing this feature is possible when using the latest version of the Azure PowerShell module.

+### Prepare your Azure PowerShell environment

+You need the `Az.StorageMover` module:

+```powershell

+## Ensure you are running the latest version of PowerShell 7

+$PSVersionTable.PSVersion

+## Your local execution policy must be set to at least remote signed or less restrictive

+Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

+## If you don't have the general Az PowerShell module, install it first

+Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force

+## Lastly, the Az.StorageMover module is not installed by default and must be manually requested.

+Install-Module -Name Az.StorageMover -Scope CurrentUser -Repository PSGallery -Force

+```

+### Manage a bandwidth limit schedule

+```powershell

+## Set variables

+$subscriptionID = "Your subscription ID"

+$resourceGroupName = "Your resource group name"

+$storageMoverName = "Your storage mover resource name"

+$registeredAgentName = "Name of the agent, registered to your storage mover resource"

+## Log into Azure with your Azure credentials

+Connect-AzAccount -SubscriptionId $subscriptionID # -DeviceLogin #Leverage DeviceLogin if you need to authenticate your PowerShell session from another machine. # -TenantID #In some environments you may you need to specify the EntraID tenant to authenticate against.

+#

+# GET the schedule configured on an agent:

+$schedule = @(Get-AzStorageMoverAgent -ResourceGroupName $resourceGroupName -StorageMoverName $storageMoverName -AgentName $registeredAgentName).UploadLimitScheduleWeeklyRecurrence

+# $schedule then contains a JSON structure with elements for each configured time windows and the upload limit in Mbps that applies during this window.

+# Output the entire schedule

+$schedule

+# Schedule elements can be addressed like an array.

+$schedule[0]

+```

+#### Add a new bandwidth limitation

+```powershell

+$newLimit = New-AzStorageMoverUploadLimitWeeklyRecurrenceObject `

+ -Day "Monday", "Tuesday" ` # Mandatory. An array, limited to the English names of all 7 days, Monday through Sunday in any order.

+ -LimitInMbps 900 ` # Mandatory. Limit in "Mega bits per second"

+ -StartTimeHour 5 ` # Mandatory. 24-hour clock: 5 = 5am

+ -EndTimeHour 17 ` # Mandatory. 24-hour clock: 17 = 5pm

+ -EndTimeMinute 30 # Optional. Time blocks are precise to 30 Minutes. -EndTimeMinute 0 is equivalent to omitting the parameter. The only other acceptable value is the half hour mark: 30.

+$schedule += $newLimit # Appends the new limit to the exiting schedule. The JSON structure does not need to be ordered by days or time.

+# Updates the bandwidth limit schedule for the selected agent by adding the defined "time block" to the schedule.

+# Ensure that the new limit does not overlap with an already configured limit in the schedule, otherwise the operation will fail.

+Update-AzStorageMoverAgent `

+ -ResourceGroupName $resourceGroupName `

+ -StorageMoverName $storageMoverName `

+ -AgentName $registeredAgentName `

+ -UploadLimitScheduleWeeklyRecurrence $schedule

+ # This command sets and overwrites a bandwidth limit schedule for the selected agent. Be sure to preserve an existing schedule if you want to only add a new limit. If you are building an entirely new schedule, you can form all your limit objects and then supply a comma-separated list of your new limits here.

+ # Ensure the new limit's time span is not overlapping any existing limits. Otherwise, the operation will fail.

+```

+#### Disable bandwidth limitation for an agent

+```powershell

+Update-AzStorageMoverAgent `

+ -ResourceGroupName $resourceGroupName `

+ -StorageMoverName $storageMoverName `

+ -AgentName $registeredAgentName `

+ -UploadLimitScheduleWeeklyRecurrence @() # Supply an empty array to remove all previously configured limits. This operation cannot be undone. You have to build and supply a new schedule if you want to enable bandwidth limitations for this agent again.

+```

+#### Change an existing bandwidth limitation

+You can combine the previously described management actions to selectively update an existing bandwidth limitation to a new limit or updated time span.

+```powershell

+# Step 1: define the new limit object you want to use to replace an existing limit:

+$limit = New-AzStorageMoverUploadLimitWeeklyRecurrenceObject `

+ -Day "Monday", "Tuesday" ` # Mandatory. An array, limited to the English names of all 7 days, Monday through Sunday in any order.

+ -LimitInMbps 900 ` # Mandatory. limit in "Mega bits per second"

+ -StartTimeHour 5 ` # Mandatory. 24-hour clock: 5 = 5am

+ -EndTimeHour 17 ` # Mandatory. 24-hour clock: 17 = 5pm

+ -EndTimeMinute 30 # Optional. Time blocks are precise to 30 Minutes. -EndTimeMinute 0 is equivalent to omitting the parameter. The only other acceptable value is the half hour mark: 30.

+# Step 2: Find the bandwidth limitation window you want to change:

+$schedule = @(Get-AzStorageMoverAgent -ResourceGroupName $resourceGroupName -StorageMoverName $storageMoverName -AgentName $registeredAgentName).UploadLimitScheduleWeeklyRecurrence

+$schedule[<n>] = $limit # Replace the limit (start count at zero) with your newly defined limit.

+#Step 3: Update the bandwidth limit schedule for the selected agent:

+Update-AzStorageMoverAgent `

+ -ResourceGroupName $resourceGroupName `

+ -StorageMoverName $storageMoverName `

+ -AgentName $registeredAgentName `

+ -UploadLimitScheduleWeeklyRecurrence $schedule # Apply your entire, updated schedule. Performing this step on an agent with other limits already configured will override them with this new schedule. Ensure there are no overlapping time spans, otherwise the operation will fail.

+```

+## Understanding the JSON schema of a bandwidth limit schedule

+The bandwidth limit schedule is stored as a JSON construct in the property `UploadLimitScheduleWeeklyRecurrence` of a registered agent.

+The [previous PowerShell section](#use-powershell-to-configure-a-bandwidth-limit-schedule) shows an example of how you can form and update this agent property by using Azure PowerShell.

+You can, however, manually form that JSON and directly supply it as an argument for the property. The following section can help you understand the bandwidth schedule elements of this JSON construct.

+> [!IMPORTANT]

+> The schedule consists of one or more time spans during which a bandwidth limit applies that the agent is not to exceed. These time spans must not be overlapping. At any given time, only one limit may apply. A JSON specifying a schedule with overlapping times is considered malformed and cannot be applied to the agent.

+The following two representations of a bandwidth limit schedule are equivalent:

+```json

+{

+ {

+ "startTime":

+ {

+ "hour": 7,

+ "minute": 0

+ },

+ "endTime":

+ {

+ "hour": 9,

+ "minute": 0

+ }

+ "days": ["Monday"],

+ "limitInMbps": 500

+ },

+ {

+ "startTime":

+ {

+ "hour": 9,

+ "minute": 0

+ },

+ "endTime":

+ {

+ "hour": 12,

+ "minute": 0

+ }

+ "days": ["Monday", "Tuesday", "Wednesday"],

+ "limitInMbps": 200

+ }

+}

+```

+> [!NOTE]

+> Time spans not covered by an entry in the schedule allow the agent to utilize available bandwidth. During these times, it is likely that an agent doesn't utilize all available bandwidth. You can find more details about that in the performance article, section: "[Why migration performance varies](performance-targets.md#why-migration-performance-varies)".

+## Next steps

+Advance to one of the next articles to learn how to deploy a Storage Mover agent or create a migration project.

+> [!div class="nextstepaction"]

+> [Create a migration project](project-manage.md)

+> [!div class="nextstepaction"]

+> [Create a migration job](job-definition-create.md)

+| Milestone | Version number | Release date | Status |

+|--|-|--|--|

+| Bandwidth Management and general improvements | 3.1.613 | July 10, 2024 | Current |

+| Performance and security improvements | 3.1.593 | June 16, 2024 | No longer supported. Decommission and download latest agent from [Microsoft Download Center](https://aka.ms/StorageMover/agent).|

+| Agent registration and private networking improvements | 3.0.500| April 2, 2024 | No longer supported. Decommission and download latest agent from [Microsoft Download Center](https://aka.ms/StorageMover/agent).|

+| Important security release | 3.0.412 | November 30, 2023 | No longer supported. Decommission and download latest agent from [Microsoft Download Center](https://aka.ms/StorageMover/agent).|

+| Major refresh release | 2.0.358 | November 6, 2023 | No longer supported. Decommission and download latest agent from [Microsoft Download Center](https://aka.ms/StorageMover/agent).|

+| Refresh release | 2.0.287 | August 5, 2023 | No longer supported. Decommission and download latest agent from [Microsoft Download Center](https://aka.ms/StorageMover/agent).|

+| Refresh release | 1.1.256 | June 14, 2023 | No longer supported. Decommission and download latest agent from [Microsoft Download Center](https://aka.ms/StorageMover/agent).|

+| General availability release | 1.0.229 | April 17, 2023 | No longer supported. Decommission and download latest agent from [Microsoft Download Center](https://aka.ms/StorageMover/agent).|

+| Public preview release | 0.1.116 | September 15, 2022 | No longer supported. Decommission and download latest agent from [Microsoft Download Center](https://aka.ms/StorageMover/agent).|

+- The [Supported agent versions](#supported-agent-versions) table lists expiration dates. Expired agent versions, might still be able to update themselves to a supported version but there are no guarantees.

+## 2024 July 10

+Major refresh release notes for:

+- Service version: July 2, 2024

+- Agent version: 3.1.613

+### What's new

+- Supports WAN link bandwidth management schedules. ([see documentation](bandwidth-management.md))

+- Performance optimizations.

+- Security improvements and bug fixes.

+## 2024 June 16

+Refresh release notes for:

+- Service version: June 10, 2024

+- Agent version: 3.1.593

+### What's new

+- You can now collect support bundles from the agent VM even if a part of it isn't running.

+- The agent can now handle data migration from SMB shares that don't support *INodes*.

+- Improved agent registration reliability.

+- Security improvements and bug fixes.

+## 2024 April 2

+Refresh release notes for:

+- Service version: April 2, 2024

+- Agent version: 3.0.500

+## What's new

+- Improved agent registration: You can now add tags to the ARC machine that the agent creates.

+- Improved network connectivity testing: The Storage Mover agent now utilizes the Azure ARC CLI tool (azcmagent) and a curl GET command to verify the ARC and Storage Mover endpoints with the 'Test Network Connectivity' option in the agent console.

+- A new option, 'Test Network Connectivity Verbosely' can help diagnose local network problems more easily.

+- Improved user experience to error conditions during agent registration and unregistration processes.

+- Storage Mover depends on Azure ARC and a Managed Identity. Extra safeguards were added that ensure seamless registration: The ARC *Hybrid Compute* resource is now created in the same region as the storage mover resource, as well as the Azure Arc Private Link Scope (if applicable).

+- Improved instructions during agent registration when using private networking.

+- Security improvements and bug fixes.

+### What's new

+- Migrating your SMB shares to Azure file shares became generally available.

+- Migrations from NFS shares to Azure storage accounts with the hierarchical namespace service feature (HNS) enabled, are now supported and automatically apply the ADLS Gen2 REST APIs for migration. This API allows the migration of files and folders in a Data Lake compliant way. Full fidelity is preserved in just the same way as with the previously existing blob container migration path.

+- [Error codes and messages](status-code.md) were improved.

+- Added support for file and folder security descriptors larger than 8 KiB. (ACLs)

+- [Two new endpoints](endpoint-manage.md) were introduced.

+- [Error messages](status-code.md) were improved.

+- Folder ACLs aren't updated on incremental transfers.

+- Last modified dates on folders aren't preserved.

+- Fixed an issue when moving a Storage Mover resource to a different resource group. It was possible for some properties to be left behind.

+- Improved error messages.

+1. A list of jobs that previously ran on the agent is shown. Copy the ID in the format `Job definition id: Job run id` that represents the job you want to retrieve the copy logs for. You can confirm the selection of the correct job by looking at the details of your selected job by pasting it into menu option `3) Job details`

+| V18.2 Release - [KB5023059](https://support.microsoft.com/topic/613d00dc-998b-4885-86b9-73750195baf5)| 18.2.0.0 | July 9, 2024 | Supported |

+## Version 18.2.0.0

+The following release notes are for Azure File Sync version 18.2.0.0 (released July 9, 2024). This release contains improvements for the Azure File Sync agent. These notes are in addition to the release notes listed for version 18.0.0.0 and 18.1.0.0.

+### Improvements and issues that are fixed

+- Rollup update for Azure File Sync agent [v18](#version-18000) and [v18.1](#version-18100-security-update) releases.

+- This release also includes sync reliability improvements.

+SMB Multichannel enables an SMB 3.x client to establish multiple network connections to an SMB file share. Azure Files supports SMB Multichannel on premium file shares (file shares in the FileStorage storage account kind). There is no additional cost for enabling SMB Multichannel in Azure Files. In most Azure regions, SMB Multichannel is disabled by default.

+Beginning in July 2024, SMB Multichannel will be enabled by default for all newly created Azure storage accounts in the following regions:

+- Central India (Jio)

+- West India (Jio)

+- West India

+- Korea South

+- Norway West

+- Only available for premium Azure file shares. Not available for standard Azure file shares.

+If SMB Multichannel isn't enabled on your Azure storage account, see [SMB Multichannel status](files-smb-protocol.md#smb-multichannel).

+In most scenarios, particularly multi-threaded workloads, clients should see improved performance with SMB Multichannel. However, for some specific scenarios such as single-threaded workloads or for testing purposes, you might want to disable SMB Multichannel. See [Performance comparison](#performance-comparison) and [SMB Multichannel status](files-smb-protocol.md#smb-multichannel) for more details.

+- [Check SMB Multichannel status](files-smb-protocol.md#smb-multichannel)

+# Azure Synapse Runtime for Apache Spark 3.2 (deprecated)

+Azure Synapse Analytics supports multiple runtimes for Apache Spark. This document covers the runtime components and versions for the Azure Synapse Runtime for Apache Spark 3.2.

+> [!WARNING]

+> Deprecation and disablement notification for Azure Synapse Runtime for Apache Spark 3.2

+> * End of Support announced for Azure Synapse Runtime for Apache Spark 3.2 July 8, 2023.

+> * Effective July 8, 2024, Azure Synapse will discontinue official support for Spark 3.2 Runtimes.

+For guidance on migrating from older runtime versions to Azure Synapse Runtime for Apache Spark 3.3 or 3.4, refer to [Runtime for Apache Spark Overview](./apache-spark-version-support.md).

+> When you delete a Traffic Manager profile, the associated domain name is reserved for a period of time. Other Traffic Manager profiles in the same tenant can immediately reuse the name. However, a different Azure tenant is not able to use the same profile name until the reservation expires. This feature enables you to maintain authority over the namespaces that you deploy, eliminating concerns that the name might be taken by another tenant. For more information, see [Traffic Manager FAQs](traffic-manager-faqs.md#when-i-delete-a-traffic-manager-profile-what-is-the-amount-of-time-before-the-name-of-the-profile-is-available-for-reuse).

+- Step 2: Users then proceed to [create an event subscription](../event-grid/subscribe-through-portal.md#create-event-subscriptions) within the system topic in Step 1. During this step, they specify the [endpoint](../event-grid/event-handlers.md) (such as Event Hubs or Azure Monitor Alerts) to which the events are routed. Users can also configure event filters to narrow down the scope of delivered events.

+- NEW: Customers can now subscribe to Health Resources events and send them to Azure Monitor alerts as new destination. For step-by-step guide, see [Subscribe to Health Resources events and send them to Azure monitor alerts](../event-grid/handle-health-resources-events-using-azure-monitor-alerts.md).