-> | Python </p> Flask | Flask Series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-python-flask-tutorial) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-python-flask-tutorial) <br/>&#8226; [A template to sign in AAD or B2C users, and optionally call a downstream API (Microsoft Graph)](https://github.com/Azure-Samples/ms-identity-python-webapp) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-python-flask-tutorial) <br/> &#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-python-flask-tutorial) | [MSAL Python](/python/api/msal/overview-msal) | Authorization code |

-> | Python </p> Django | Django Series <br/> &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-python-django-tutorial/tree/main/1-Authentication/sign-in) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-python-django-tutorial/tree/main/1-Authentication/sign-in-b2c) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-python-django-tutorial/tree/main/2-Authorization-I/call-graph) <br/> &#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-python-django-tutorial/tree/main/3-Deployment/deploy-to-azure-app-service)| [MSAL Python](/python/api/msal/overview-msal) | Authorization code |

-> | Python | [Sign in users](https://github.com/Azure-Samples/ms-identity-python-desktop) | [MSAL Python](/python/api/msal/overview-msal) | Resource owner password credentials |

-> | Python | &#8226; [Call Microsoft Graph with secret](https://github.com/Azure-Samples/ms-identity-python-daemon/tree/master/1-Call-MsGraph-WithSecret) <br/> &#8226; [Call Microsoft Graph with certificate](https://github.com/Azure-Samples/ms-identity-python-daemon/tree/master/2-Call-MsGraph-WithCertificate) | [MSAL Python](/python/api/msal/overview-msal)| Client credentials grant|

-> | Python | [Python Azure function web API secured by Azure AD](https://github.com/Azure-Samples/ms-identity-python-webapi-azurefunctions) | [MSAL Python](/python/api/msal/overview-msal) | Authorization code |

-> | Python | [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-python-devicecodeflow) | [MSAL Python](/python/api/msal/overview-msal) | Device code |

-> | Azure Functions as web APIs | [Python Azure function web API secured by Azure AD](https://github.com/Azure-Samples/ms-identity-python-webapi-azurefunctions) | [MSAL Python](/python/api/msal/overview-msal) | Authorization code |

-> | Desktop | [Sign in users](https://github.com/Azure-Samples/ms-identity-python-desktop) | [MSAL Python](/python/api/msal/overview-msal) | Resource owner password credentials |

-> | Headless | [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-python-devicecodeflow) | [MSAL Python](/python/api/msal/overview-msal) | Device code |

-> | Daemon | &#8226; [Call Microsoft Graph with secret](https://github.com/Azure-Samples/ms-identity-python-daemon/tree/master/1-Call-MsGraph-WithSecret) <br/> &#8226; [Call Microsoft Graph with certificate](https://github.com/Azure-Samples/ms-identity-python-daemon/tree/master/2-Call-MsGraph-WithCertificate) | [MSAL Python](/python/api/msal/overview-msal)| Client credentials grant|

-> | Web application | &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-python-flask-tutorial) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-python-flask-tutorial) <br/>&#8226; [A template to sign in AAD or B2C users, and optionally call a downstream API (Microsoft Graph)](https://github.com/Azure-Samples/ms-identity-python-webapp) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-python-flask-tutorial) <br/> &#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-python-flask-tutorial) | [MSAL Python](/python/api/msal/overview-msal) | Authorization code |

-> | Web application | &#8226; [Sign in users](https://github.com/Azure-Samples/ms-identity-python-django-tutorial/tree/main/1-Authentication/sign-in) <br/> &#8226; [Sign in users (B2C)](https://github.com/Azure-Samples/ms-identity-python-django-tutorial/tree/main/1-Authentication/sign-in-b2c) <br/> &#8226; [Call Microsoft Graph](https://github.com/Azure-Samples/ms-identity-python-django-tutorial/tree/main/2-Authorization-I/call-graph) <br/> &#8226; [Deploy to Azure App Service](https://github.com/Azure-Samples/ms-identity-python-django-tutorial/tree/main/3-Deployment/deploy-to-azure-app-service)| [MSAL Python](/python/api/msal/overview-msal) | Authorization code |

-To register devices as hybrid Azure AD join to respective tenants, organizations need to ensure that the SCP configuration is done on the devices and not in AD. More details on how to accomplish this task can be found in the article [Hybrid Azure AD join targeted deployment](hybrid-azuread-join-control.md). It's important for organizations to understand that certain Azure AD capabilities won't work in a single forest, multiple Azure AD tenants configurations.

-| Microsoft Defender Vulnerability Management Add-on | TVM_Premium_Add_on | ad7a56e0-6903-4d13-94f3-5ad491e78960 | TVM_PREMIUM_1 (36810a13-b903-490a-aa45-afbeb7540832) | Microsoft Defender Vulnerability Management (36810a13-b903-490a-aa45-afbeb7540832) |

-| Microsoft Intune Suite | Microsoft_Intune_Suite | a929cd4d-8672-47c9-8664-159c1f322ba8 | Intune-MAMTunnel (a6e407da-7411-4397-8a2e-d9b52780849e)<br/>INTUNE_P2 (d9923fe3-a2de-4d29-a5be-e3e83bb786be)<br/>Intune-EPM (bb73f429-78ef-4ff2-83c8-722b04c3e7d1)<br/>REMOTE_HELP (a4c6cf29-1168-4076-ba5c-e8fe0e62b17e)<br/>Intune_AdvancedEA (2a4baa0e-5e99-4c38-b1f2-6864960f1bd1) | Microsoft Tunnel for Mobile Application Management (a6e407da-7411-4397-8a2e-d9b52780849e)<br/>Intune Plan 2 (d9923fe3-a2de-4d29-a5be-e3e83bb786be)<br/>Intune Endpoint Privilege Management (bb73f429-78ef-4ff2-83c8-722b04c3e7d1)<br/>Remote Help (a4c6cf29-1168-4076-ba5c-e8fe0e62b17e)<br/>Intune Advanced endpoint analytics (2a4baa0e-5e99-4c38-b1f2-6864960f1bd1) |

-## Review permissions

-You can access the Azure portal to get contextual PowerShell scripts to perform the actions.

-> * Create users in Albert.

-Contact Albert support to configure Albert to support provisioning with Azure AD.

-* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)

-* A user account in Axiad Cloud with Admin permissions.

-Contact Axiad Cloud support to configure Axiad Cloud to support provisioning with Azure AD.

-Configure and test Azure AD SSO with Citrix Cloud SAML SSO using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Citrix Cloud SAML SSO.This user must also exist in your Active Directory that is synced with Azure AD Connect to your Azure AD subscription.

-1. In addition to above, Citrix Cloud SAML SSO application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre-populated but you can review them as per your requirements.The values passed in the SAML response should map to the Active Directory attributes of the user.

- | cip_oid | ObjectGUID (Extension Attribute ) |

- 

- 

- 

- b. In the **Sign Authentication Request**, select **No**.

- d. Select **Binding Mechanism** from the drop down, you can select either **HTTP-POST** or **HTTP-Redirect** binding.

-* Data disk encryption support is limited to AKS clusters running Kubernetes version 1.17 and above.

-## Prerequisites

-* You must enable soft delete and purge protection for *Azure Key Vault* when using Key Vault to encrypt managed disks.

-* You need the Azure CLI version 2.11.1 or later.

-* Customer-managed keys are only supported in Kubernetes versions 1.17 and higher.

-* If you choose to rotate (change) your keys periodically, for more information see [Customer-managed keys and encryption of Azure managed disk](../virtual-machines/disk-encryption.md).

-Replace *myKeyVaultName* with the name of your key vault. You will also need a *key* stored in Azure Key Vault to complete the following steps. Either store your existing Key in the Key Vault you created on the previous steps, or [generate a new key][key-vault-generate] and replace *myKeyName* below with the name of your key.

-Create a **new resource group** and AKS cluster, then use your key to encrypt the OS disk.

-> [!IMPORTANT]

-> Ensure you create a new resource group for your AKS cluster

-# Retrieve the DiskEncryptionSet value and set a variable

-# Create a resource group for the AKS cluster

-# Create the AKS cluster

-az aks create -n myAKSCluster -g myResourceGroup --node-osdisk-diskencryptionset-id $diskEncryptionSetId --kubernetes-version KUBERNETES_VERSION --generate-ssh-keys

-When new node pools are added to the cluster created above, the customer-managed key provided during the create process is used to encrypt the OS disk.

-## Using Azure tags

-For more information on using Azure tags, see [Use Azure tags in Azure Kubernetes Service (AKS)][use-tags].

-[az-extension-add]: /cli/azure/extension#az_extension_add

-[az-extension-update]: /cli/azure/extension#az_extension_update

-[key-vault-generate]: ../key-vault/general/manage-with-cli2.md

-[supported-regions]: ../virtual-machines/disk-encryption.md#supported-regions

-[use-tags]: use-tags.md

-* If you chose to use the AKS default VM size [Standard_DS2_v2](../virtual-machines/dv2-dsv2-series.md#dsv2-series) SKU with the default OS disk size of 100 GB, the default VM size supports ephemeral OS, but only has 86 GiB of cache size. This configuration would default to managed disks if you don't explicitly specify it. If you do request an ephemeral OS, you receive a validation error.

-* If you request the same [Standard_DS2_v2](../virtual-machines/dv2-dsv2-series.md#dsv2-series) SKU with a 60 GiB OS disk, this configuration would default to ephemeral OS. The requested size of 60 GiB is smaller than the maximum cache size of 86 GiB.

-* If you select the [Standard_D8s_v3](../virtual-machines/dv3-dsv3-series.md#dsv3-series) SKU with 100 GB OS disk, this VM size supports ephemeral OS and has 200 GiB of cache space. If you don't specify the OS disk type, the node pool would receive ephemeral OS by default.

-* If you request the same [Standard_E2bds_v5](../virtual-machines/ebdsv5-ebsv5-series.md#ebdsv5-series) VM size with a 60 GiB OS disk, this configuration defaults to ephemeral OS disks. The requested size of 60 GiB is smaller than the maximum temporary storage of 75 GiB.

-* If you select [Standard_E4bds_v5](../virtual-machines/ebdsv5-ebsv5-series.md#ebdsv5-series) SKU with 100 GiB OS disk, this VM size supports ephemeral OS

-### Customer Managed key

-You can manage encryption for your ephemeral OS disk with your own keys on an AKS cluster. For more information, see [Azure ephemeral OS disks Customer Managed key][azure-disk-customer-managed-key].

-> Depending on the VM SKU you're using, the Azure Disk CSI driver might have a per-node volume limit. For some high perfomance VMs (for example, 16 cores), the limit is 64 volumes per node. To identify the limit per VM SKU, review the **Max data disks** column for each VM SKU offered. For a list of VM SKUs offered and their corresponding detailed capacity limits, see [General purpose virtual machine sizes][general-purpose-machine-sizes].

-Because Azure Disk are mounted as *ReadWriteOnce*, they're only available to a single node. For storage volumes that can be accessed by pods on multiple nodes simultaneously, use Azure Files.

-1. When you delete the last pod on a node requiring a Secret, the Secret is deleted from the node's tmpfs.

- * Secrets are stored within a given namespace and can only be accessed by pods within the same namespace.

- * ConfigMaps are stored within a given namespace and can only be accessed by pods within the same namespace.

-A PersistentVolume can be *statically* created by a cluster administrator, or *dynamically* created by the Kubernetes API server. If a pod is scheduled and requests currently unavailable storage, Kubernetes can create the underlying Azure Disk or File storage and attach it to the pod. Dynamic provisioning uses a *StorageClass* to identify what type of Azure storage needs to be created.

-| `managed-csi` | Uses Azure StandardSSD locally redundant storage (LRS) to create a Managed Disk. The reclaim policy ensures that the underlying Azure Disk is deleted when the persistent volume that used it is deleted. The storage class also configures the persistent volumes to be expandable, you just need to edit the persistent volume claim with the new size. |

-| `managed-csi-premium` | Uses Azure Premium locally redundant storage (LRS) to create a Managed Disk. The reclaim policy again ensures that the underlying Azure Disk is deleted when the persistent volume that used it is deleted. Similarly, this storage class allows for persistent volumes to be expanded. |

-| `azurefile-csi` | Uses Azure Standard storage to create an Azure file share. The reclaim policy ensures that the underlying Azure file share is deleted when the persistent volume that used it is deleted. |

-| `azurefile-csi-premium` | Uses Azure Premium storage to create an Azure file share. The reclaim policy ensures that the underlying Azure file share is deleted when the persistent volume that used it is deleted.|

-| `azureblob-nfs-premium` | Uses Azure Premium storage to create an Azure Blob storage container and connect using the NFS v3 protocol. The reclaim policy ensures that the underlying Azure Blob storage container is deleted when the persistent volume that used it is deleted. |

-| `azureblob-fuse-premium` | Uses Azure Premium storage to create an Azure Blob storage container and connect using BlobFuse. The reclaim policy ensures that the underlying Azure Blob storage container is deleted when the persistent volume that used it is deleted. |

-Unless you specify a StorageClass for a persistent volume, the default StorageClass will be used. Ensure volumes use the appropriate storage you need when requesting persistent volumes.

-> Starting with Kubernetes version 1.21, AKS only uses CSI drivers by default and CSI migration is enabled. While existing in-tree persistent volumes continue to function, starting with version 1.26, AKS will no longer support volumes created using in-tree driver and storage provisioned for files and disk.

-You can create a StorageClass for additional needs using `kubectl`. The following example uses Premium Managed Disks and specifies that the underlying Azure Disk should be *retained* when you delete the pod:

-[azure-files-volume]: azure-files-volume.md

-[csi-storage-drivers]: csi-storage-drivers.md

-[azure-disk-customer-managed-key]: ../virtual-machines/ephemeral-os-disks.md#customer-managed-key

-In Azure Kubernetes Service (AKS), nodes of the same configuration are grouped together into *node pools*. These node pools contain the underlying VMs that run your applications. The initial number of nodes and their size (SKU) is defined when you create an AKS cluster, which creates a [system node pool][use-system-pool]. To support applications that have different compute or storage demands, you can create additional *user node pools*. System node pools serve the primary purpose of hosting critical system pods such as CoreDNS and `konnectivity`. User node pools serve the primary purpose of hosting your application pods. However, application pods can be scheduled on system node pools if you wish to only have one pool in your AKS cluster. User node pools are where you place your application-specific pods. For example, use these additional user node pools to provide GPUs for compute-intensive applications, or access to high-performance SSD storage.

-This article shows you how to create and manage multiple node pools in an AKS cluster.

-You need the Azure CLI version 2.2.0 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

-The ARM64 processor provides low power compute for your Kubernetes workloads. To create an ARM64 node pool, you will need to choose a [Dpsv5][arm-sku-vm1], [Dplsv5][arm-sku-vm2] or [Epsv5][arm-sku-vm3] series Virtual Machine.

-* ARM64 node pools are not supported on Defender-enabled clusters

-* FIPS-enabled node pools are not supported with ARM64 SKUs

-The Azure Linux container host for AKS is an open-source Linux distribution available as an AKS container host. It provides high reliability, security, and consistency. It only includes the minimal set of packages needed for running container workloads, which improves boot times and overall performance.

-1. Add a Azure Linux node pool into your existing cluster using the `az aks nodepool add` command and specifying `--os-sku AzureLinux`.

-2. [Cordon the existing Ubuntu nodes][cordon-and-drain].

-* If you expand your VNET after creating the cluster you must update your cluster (perform any managed cluster operation but node pool operations don't count) before adding a subnet outside the original CIDR block. AKS will error-out on the agent pool add now though we originally allowed it. The `aks-preview` Azure CLI extension (version 0.5.66+) now supports running `az aks update -g <resourceGroup> -n <clusterName>` without any optional arguments. This command will perform an update operation without making any changes, which can recover a cluster stuck in a failed state.

-To create a node pool with a dedicated subnet, pass the subnet resource ID as an additional parameter when creating a node pool.

-The commands in this section explain how to upgrade a single specific node pool. The relationship between upgrading the Kubernetes version of the control plane and the node pool are explained in the [section below](#upgrade-a-cluster-control-plane-with-multiple-node-pools).

-> The node pool OS image version is tied to the Kubernetes version of the cluster. You will only get OS image upgrades, following a cluster upgrade.

-> Kubernetes uses the standard [Semantic Versioning](https://semver.org/) versioning scheme. The version number is expressed as *x.y.z*, where *x* is the major version, *y* is the minor version, and *z* is the patch version. For example, in version *1.12.6*, 1 is the major version, 12 is the minor version, and 6 is the patch version. The Kubernetes version of the control plane and the initial node pool are set during cluster creation. All additional node pools have their Kubernetes version set when they are added to the cluster. The Kubernetes versions may differ between node pools as well as between a node pool and the control plane.

-The valid Kubernetes upgrades for a cluster's control plane and node pools are validated by the following sets of rules.

-For more information on the capacity reservation groups, please refer to [Capacity Reservation Groups][capacity-reservation-groups].

-Associating a node pool with an existing capacity reservation group can be done using [`az aks nodepool add`][az-aks-nodepool-add] command and specifying a capacity reservation group with the --capacityReservationGroup flag". The capacity reservation group should already exist, otherwise the node pool will be added to the cluster with a warning and no capacity reservation group gets associated.

-Deleting a node pool command will implicitly dissociate a node pool from any associated capacity reservation group, before that node pool is deleted.

-Only pods that have this toleration applied can be scheduled on nodes in *taintnp*. Any other pod would be scheduled in the *nodepool1* node pool. If you create additional node pools, you can use additional taints and tolerations to limit what pods can be scheduled on those node resources.

-You can also delete the additional cluster you created for the public IP for node pools scenario.

-[kubernetes-drain]: https://kubernetes.io/docs/tasks/administer-cluster/safely-drain-node/

-[kubectl-get]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#get

-[kubectl-taint]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#taint

-[kubernetes-labels]: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/

-[kubernetes-label-syntax]: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set

-[az-aks-nodepool-update]: /cli/azure/aks/nodepool#az_aks_nodepool_update

-[az-aks-show]: /cli/azure/aks#az_aks_show

-[az-extension-add]: /cli/azure/extension#az_extension_add

-[az-extension-update]: /cli/azure/extension#az_extension_update

-[az-feature-list]: /cli/azure/feature#az_feature_list

-[az-aks-nodepool-add]: /cli/azure/aks#az_aks_nodepool_add

-[gpu-cluster]: gpu-cluster.md

-[supported-versions]: supported-kubernetes-versions.md

-[tag-limitation]: ../azure-resource-manager/management/tag-resources.md

-[node-resource-group]: faq.md#why-are-two-resource-groups-created-with-aks

-[vmss-commands]: ../virtual-machine-scale-sets/virtual-machine-scale-sets-networking.md#public-ipv4-per-virtual-machine

-[az-list-ips]: /cli/azure/vmss#az_vmss_list_instance_public_ips

-[public-ip-prefix-benefits]: ../virtual-network/ip-services/public-ip-address-prefix.md

-[az-public-ip-prefix-create]: /cli/azure/network/public-ip/prefix#az_network_public_ip_prefix_create

-[node-image-upgrade]: node-image-upgrade.md

-[use-tags]: use-tags.md

-Perform the following steps to deploy a Azure Linux AKS cluster using the Azure CLI.

-* Learn more about [Azure Dedicated hosts][azure-dedicated-hosts] for nodes with your AKS cluster to use hardware isolation and control over Azure platform maintenance events.

-description: Learn how to deploy apps to a non-production slot and autoswap into production. Increase the reliability and eliminate app downtime from deployments.

-Deploying your application to a non-production slot has the following benefits:

-Each App Service plan tier supports a different number of deployment slots. There's no additional charge for using deployment slots. To find out the number of slots your app's tier supports, see [App Service limits](../azure-resource-manager/management/azure-subscription-service-limits.md#app-service-limits).

-1. in the [Azure portal](https://portal.azure.com/), search for and select **App Services** and select your app.

-

- 

-

-2. In the left pane, select **Deployment slots** > **Add Slot**.

- 

-

- > [!NOTE]

- > If the app isn't already in the **Standard**, **Premium**, or **Isolated** tier, you receive a message that indicates the supported tiers for enabling staged publishing. At this point, you have the option to select **Upgrade** and go to the **Scale** tab of your app before continuing.

- >

-

- 

- > [!NOTE]

- > Currently, a Private Endpoint isn't cloned across slots.

- >

-

- 

-The slot's URL will be of the format `http://sitename-slotname.azurewebsites.net`. To keep the URL length within necessary DNS limits, the site name will be truncated at 40 characters, the slot name will be truncated at 19 characters, and an additional 4 random characters will be appended to ensure the resulting domain name is unique.

-To configure an app setting or connection string to stick to a specific slot (not swapped), go to the **Configuration** page for that slot. Add or edit a setting, and then select **deployment slot setting**. Selecting this check box tells App Service that the setting is not swappable.

-

-

- 

- 

- 

- To cancel a pending swap, select **Cancel Swap** instead.

-If you have any problems, see [Troubleshoot swaps](#troubleshoot-swaps).

-To automate a multi-phase swap, see [Automate with PowerShell](#automate-with-powershell).

- > Before you configure auto swap for the production slot, consider testing auto swap on a non-production target slot.

-

- 

-## Route traffic

-### Route production traffic automatically

- 

-After the setting is saved, the specified percentage of clients is randomly routed to the non-production slot.

-After a client is automatically routed to a specific slot, it's "pinned" to that slot for one hour or until the cookies are deleted. On the client browser, you can see which slot your session is pinned to by looking at the `x-ms-routing-name` cookie in your HTTP headers. A request that's routed to the "staging" slot has the cookie `x-ms-routing-name=staging`. A request that's routed to the production slot has the cookie `x-ms-routing-name=self`.

- > [!NOTE]

- > You can also use the [`az webapp traffic-routing set`](/cli/azure/webapp/traffic-routing#az-webapp-traffic-routing-set) command in the Azure CLI to set the routing percentages from CI/CD tools like GitHub Actions, DevOps pipelines, or other automation systems.

-### Route production traffic manually

-To let users opt in to your beta app, set the same query parameter to the name of the non-production slot. Here's an example:

-Search for and select your app. Select **Deployment slots** > *\<slot to delete>* > **Overview**. The app type is shown as **App Service (Slot)** to remind you that you're viewing a deployment slot. Before deleting a slot, make sure to stop the slot and set the traffic in the slot to zero. Select **Delete** on the command bar.

-

-<!-- ======== AZURE POWERSHELL CMDLETS =========== -->

-<a name="PowerShell"></a>

-## Automate with PowerShell

-Azure PowerShell is a module that provides cmdlets to manage Azure through Windows PowerShell, including support for managing deployment slots in Azure App Service.

-For information on installing and configuring Azure PowerShell, and on authenticating Azure PowerShell with your Azure subscription, see [How to install and configure Microsoft Azure PowerShell](/powershell/azure/).

-### Create a web app

-```powershell

-New-AzWebApp -ResourceGroupName [resource group name] -Name [app name] -Location [location] -AppServicePlan [app service plan name]

-### Create a slot

-```powershell

-New-AzWebAppSlot -ResourceGroupName [resource group name] -Name [app name] -Slot [deployment slot name] -AppServicePlan [app service plan name]

-```

-### Initiate a swap with a preview (multi-phase swap), and apply destination slot configuration to the source slot

-```powershell

-$ParametersObject = @{targetSlot = "[slot name ΓÇô e.g. "production"]"}

-Invoke-AzResourceAction -ResourceGroupName [resource group name] -ResourceType Microsoft.Web/sites/slots -ResourceName [app name]/[slot name] -Action applySlotConfig -Parameters $ParametersObject -ApiVersion 2015-07-01

-```

-### Cancel a pending swap (swap with review) and restore the source slot configuration

-```powershell

-Invoke-AzResourceAction -ResourceGroupName [resource group name] -ResourceType Microsoft.Web/sites/slots -ResourceName [app name]/[slot name] -Action resetSlotConfig -ApiVersion 2015-07-01

-```

-### Swap deployment slots

-```powershell

-$ParametersObject = @{targetSlot = "[slot name ΓÇô e.g. "production"]"}

-Invoke-AzResourceAction -ResourceGroupName [resource group name] -ResourceType Microsoft.Web/sites/slots -ResourceName [app name]/[slot name] -Action slotsswap -Parameters $ParametersObject -ApiVersion 2015-07-01

-### Monitor swap events in the activity log

-```powershell

-Get-AzLog -ResourceGroup [resource group name] -StartTime 2018-03-07 -Caller SlotSwapJobProcessor

-```

-### Delete a slot

-```powershell

-Remove-AzResource -ResourceGroupName [resource group name] -ResourceType Microsoft.Web/sites/slots ΓÇôName [app name]/[slot name] -ApiVersion 2015-07-01

-```

-To perform a slot swap from the production slot, the identity needs (at minimum) permissions to perform the `Microsoft.Web/sites/slotsswap/Action` operation. For more information, see the [Resource provider operations](../role-based-access-control/resource-provider-operations.md#microsoftweb)

-[Azure Resource Manager templates](../azure-resource-manager/templates/overview.md) are declarative JSON files used to automate the deployment and configuration of Azure resources. To swap slots by using Resource Manager templates, you will set two properties on the *Microsoft.Web/sites/slots* and *Microsoft.Web/sites* resources:

-The following Resource Manager template will update the `buildVersion` of the staging slot and set the `targetBuildVersion` on the production slot. This will swap the two slots. The template assumes you already have a webapp created with a slot named "staging".

-This Resource Manager template is idempotent, meaning that it can be executed repeatedly and produce the same state of the slots. After the first execution, `targetBuildVersion` will match the current `buildVersion`, so a swap will not be triggered.

-<!-- ======== Azure CLI =========== -->

-<a name="CLI"></a>

-## Automate with the CLI

-For [Azure CLI](https://github.com/Azure/azure-cli) commands for deployment slots, see [az webapp deployment slot](/cli/azure/webapp/deployment/slot).

-[Block access to non-production slots](app-service-ip-restrictions.md)

-Hotpatch works by first establishing a baseline with a Windows Update Latest Cumulative Update. Hotpatches are periodically released (for example, on the second Tuesday of the month) that builds on that baseline. Hotpatches will contain updates that don't require a reboot. Periodically (starting at every three months), the baseline is refreshed with a new Latest Cumulative Update.

- * The sample schedule above illustrates four planned baseline releases in a calendar year (five total in the diagram), and eight hotpatch releases.

-* **Unplanned baselines** are released when an important update (such as a zero-day fix) is released, and that particular update can't be released as a hotpatch. When unplanned baselines are released, a hotpatch release will be replaced with an unplanned baseline in that month. Unplanned baselines also include all the updates in a comparable _Latest Cumulative Update_ for that month, and also require a reboot.

- * The sample schedule above illustrates two unplanned baselines that would replace the hotpatch releases for those months (the actual number of unplanned baselines in a year isn't known in advance).

- * On the Management tab under section ΓÇÿGuest OS updatesΓÇÖ, the checkbox for 'Enable hotpatch' will be selected. Patch orchestration options are set to 'Azure-orchestrated'.

-* Patch orchestration is managed by Azure and patches are applied following [availability-first principles](../virtual-machines/automatic-vm-guest-patching.md#availability-first-updates).

-With hotpatch enabled on supported _Windows Server Azure Edition_ VMs, most monthly security updates are delivered as hotpatches that don't require reboots. Latest Cumulative Updates sent on planned or unplanned baseline months require VM reboots. Additional Critical or Security patches may also be available periodically, which may require VM reboots.

-Definition updates and other patches not classified as Critical or Security won't be installed through automatic VM guest patching.

-On this screen, you'll see the hotpatch status for your VM. You can also review if there any available patches for your VM that haven't been installed. As described in the ΓÇÿPatch installationΓÇÖ section above, all security and critical updates are automatically installed on your VM using [Automatic VM Guest Patching](../virtual-machines/automatic-vm-guest-patching.md) and no extra actions are required. Patches with other update classifications aren't automatically installed. Instead, they're viewable in the list of available patches under the ΓÇÿUpdate complianceΓÇÖ tab. You can also view the history of update deployments on your VM through the ΓÇÿUpdate historyΓÇÖ. Update history from the past 30 days is displayed, along with patch installation details.

-With automatic VM guest patching, your VM is periodically and automatically assessed for available updates. These periodic assessments ensure that available patches are detected. You can view the results of the assessment on the Updates screen above, including the time of the last assessment. You can also choose to trigger an on-demand patch assessment for your VM at any time using the ΓÇÿAssess nowΓÇÖ option and review the results after assessment completes.

-There are some important considerations to running a supported _Windows Server Azure Edition_ VM with hotpatch enabled. Reboots are still required to install updates that aren't included in the hotpatch program. Reboots are also required periodically after a new baseline has been installed. These reboots keep the VM in sync with non-security patches included in the latest cumulative update.

-* Patches that are currently not included in the hotpatch program include non-security updates released for Windows, and non-Windows updates (such as .NET patches). These types of patches need to be installed during a baseline month, and will require a reboot.

-* Hotpatch updates are typically released on the second Tuesday of each month. For more information, see below.

-* Hotpatching works by establishing a baseline with a Windows Update Latest Cumulative Update, then builds upon that baseline with hotpatch updates released monthly. Baselines will be released starting out every three months. See the image below for an example of an annual three-month schedule (including example unplanned baselines due to zero-day fixes).

-### Are reboots still needed for a VM enrolled in hotpatch?

-|DataON AZS-6224|1.23.8|1.12.0_2022-10-11|16.0.537.5223| 12.3 (Ubuntu 12.3-1) |

-Data Collection Rules (DCRs) define specify what data should be collected, how to transform that data, and where to send that data. You need to select (or create) a DCR and specify it within the ARM template used for deploying AMA.

-description: Leverage SSH remoting to access and manage Azure Arc-enabled servers.

-> [!IMPORTANT]

-> SSH for Arc-enabled servers is currently in PREVIEW.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-To leverage this functionality, please ensure the following:

-### Install local command line tool

-This functionality is currently packaged in an Azure CLI extension and an Azure PowerShell module.

-#### [Install Azure CLI extension](#tab/azure-cli)

-```az extension add --name ssh```

-> [!NOTE]

-> The Azure CLI extension version must be greater than 1.1.0.

-#### [Install Azure PowerShell module](#tab/azure-powershell)

-```Install-Module -Name AzPreview -Scope CurrentUser -Repository PSGallery -Force```

-### Enable functionality on your Arc-enabled server

-In order to use the SSH connect feature, you must enable connections on the hybrid agent.

-> The following actions must be completed in an elevated terminal session.

-View your current incoming connections:

-```azcmagent config list```

-If you have existing ports, you'll need to include them in the following command.

-To add access to SSH connections, run the following:

-```azcmagent config set incomingconnections.ports 22<,other open ports,...>```

-If you're using a non-default port for your SSH connection, replace port 22 with your desired port in the previous command.

-> [!NOTE]

-> The following steps will not need to be run for most users.

-### Register the HybridConnectivity resource provider

-> This is a one-time operation that needs to be performed on each subscription.

-Check if the HybridConnectivity resource provider (RP) has been registered:

-```az provider show -n Microsoft.HybridConnectivity```

-If the RP hasn't been registered, run the following:

-```az provider register -n Microsoft.HybridConnectivity```

-This operation can take 2-5 minutes to complete. Before moving on, check that the RP has been registered.

-### Create default connectivity endpoint

-> [!NOTE]

-> The following actions must be completed for each Arc-enabled server.

-Create the default endpoint in PowerShell:

- ```powershell

- az rest --method put --uri https://management.azure.com/subscriptions/<subscription>/resourceGroups/<resourcegroup>/providers/Microsoft.HybridCompute/machines/<arc enabled server name>/providers/Microsoft.HybridConnectivity/endpoints/default?api-version=2021-10-06-preview --body '{"properties": {"type": "default"}}'

- ```

-Create the default endpoint in Bash:

-```bash

-az rest --method put --uri https://management.azure.com/subscriptions/<subscription>/resourceGroups/<resourcegroup>/providers/Microsoft.HybridCompute/machines/<arc enabled server name>/providers/Microsoft.HybridConnectivity/endpoints/default?api-version=2021-10-06-preview --body '{"properties": {"type": "default"}}'

-```

-Validate endpoint creation:

- ```

- az rest --method get --uri https://management.azure.com/subscriptions/<subscription>/resourceGroups/<resourcegroup>/providers/Microsoft.HybridCompute/machines/<arc enabled server name>/providers/Microsoft.HybridConnectivity/endpoints/default?api-version=2021-10-06-preview

- ```

-> [!IMPORTANT]

-> SSH for Arc-enabled servers is currently in PREVIEW.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-### Incorrect Azure subscription

-This problem occurs when the active subscription for Azure CLI isn't the same as the server that is being connected to. Possible errors:

-Resolution:

-### SSH traffic not allowed on the server

- ```powershell

- # Set 22 port:

- azcmagent config list

- azcmagent config get incomingconnections.ports

- azcmagent config set incomingconnections.ports 22

- azcmagent config

-

- # Add multiple ports:

- azcmagent config set incomingconnections.ports 22,6516

- ```

-### Incorrect role assignments

-## Disable SSH to Arc-enabled servers

-To disable the functionality, complete the following actions:

-|fileLoggingMode|debugOnly|Defines what level of file logging is enabled. Options are `never`, `always`, `debugOnly`. |

-# Create a new alert rule

-This article shows you how to create an alert rule. To learn more about alerts, see the [alerts overview](alerts-overview.md).

-You then define these elements for the resulting alert actions by using:

-## Create a new alert rule in the Azure portal

-1. Open the **+ Create** menu and select **Alert rule**.

- :::image type="content" source="media/alerts-create-new-alert-rule/alerts-create-new-alert-rule.png" alt-text="Screenshot that shows steps to create a new alert rule.":::

-### Select a scope for the alert rule

-1. On the **Select a resource** pane, set the scope for your alert rule. You can filter by **subscription**, **resource type**, or **resource location**.

- > [!NOTE]

- > If you select a Log analytics workspace resource, keep in mind that if the workspace receives telemetry from resources in more than one subscription, alerts are sent about those resources from different subscriptions.

- :::image type="content" source="media/alerts-create-new-alert-rule/alerts-select-resource.png" alt-text="Screenshot that shows the select resource pane for creating a new alert rule.":::

-### Set the conditions for the alert rule

-1. On the **Condition** tab, when you select the **Signal name** field, the most commonly used signals are displayed in the drop-down list. Select one of these popular signals, or select **See all signals** if you want to choose a different signal for the condition.

- |Threshold sensitivity|If you selected a **dynamic** threshold, enter the sensitivity level. The sensitivity level affects the amount of deviation from the metric series pattern that's required to trigger an alert. <br> - **High**: Thresholds are tight and close to the metric series pattern. An alert rule is triggered on the smallest deviation, resulting in more alerts. <br> - **Medium**: Thresholds are less tight and more balanced. There will be fewer alerts than with high sensitivity (default). <br> - **Low**: Thresholds are loose, allowing greater deviation from the metric series pattern. Alert rules are only triggered on large deviations, resulting in fewer alerts.|

- > [!NOTE]

- > If you're creating a new log alert rule, note that the current alert rule wizard is different from the earlier experience. For more information, see [Changes to the log alert rule creation experience](#changes-to-the-log-alert-rule-creation-experience).

- To use one of the predefined alert rule queries, expand the **Schema and filter** pane on the left of the **Logs** pane. Then select the **Queries** tab, and select one of the queries.

- :::image type="content" source="media/alerts-create-new-alert-rule/alerts-logs-conditions-tab.png" alt-text="Screenshot that shows the Condition tab when creating a new log alert rule.":::

- |Measure|Log alerts can measure two different things, which can be used for different monitoring scenarios:<br> **Table rows**: The number of rows returned can be used to work with events such as Windows event logs, Syslog, and application exceptions. <br> **Calculation of a numeric column**: Calculations based on any numeric column can be used to include any number of resources. An example is CPU percentage. |

- :::image type="content" source="media/alerts-create-new-alert-rule/alerts-log-measurements.png" alt-text="Screenshot that shows the Measurement tab when creating a new log alert rule.":::

- 1. (Optional) In the **Split by dimensions** section, you can use dimensions to monitor the values of multiple instances of a resource with one rule. Splitting by dimensions allows you to create resource-centric alerts at scale for a subscription or resource group. When you split by dimensions, alerts are split into separate alerts by grouping combinations of numerical or string columns to monitor for the same condition on multiple Azure resources. For example, you can monitor CPU usage on multiple instances running your website or app. Each instance is monitored individually. Notifications are sent for each instance.

- Splitting on the **Azure Resource ID** column makes the specified resource the target of the alert.

- If you select more than one dimension value, each time series that results from the combination triggers its own alert and is charged separately. The alert payload includes the combination that triggered the alert.

- You can select up to six more splittings for any columns that contain text or numbers.

-

- > [!NOTE]

- > Dimensions can **only** be number or string columns. If for example you want to use a dynamic column as a dimension, you need to convert it to a string first.

- You can also decide *not* to split when you want a condition applied to multiple resources in the scope. An example would be if you want to fire an alert if at least five machines in the resource group scope have CPU usage over 80 percent.

- |Resource ID column|Splitting on the **Azure Resource ID** column makes the specified resource the target of the alert. If detected, the **ResourceID** column is selected automatically and changes the context of the fired alert to the record's resource. |

- :::image type="content" source="media/alerts-create-new-alert-rule/alerts-create-log-rule-dimensions.png" alt-text="Screenshot that shows the splitting by dimensions section of a new log alert rule.":::

- :::image type="content" source="media/alerts-create-new-alert-rule/alerts-create-log-rule-logic.png" alt-text="Screenshot that shows the Alert logic section of a new log alert rule.":::

- :::image type="content" source="media/alerts-create-new-alert-rule/alerts-rule-preview-advanced-options.png" alt-text="Screenshot that shows the Advanced options section of a new log alert rule.":::

-### Set the actions for the alert rule

- Use the [common alert schema](alerts-common-schema.md) format to specify the field in the payload, whether or not the action groups configured for the alert rule use the common schema.

- :::image type="content" source="media/alerts-create-new-alert-rule/alerts-rule-actions-tab.png" alt-text="Screenshot that shows the Actions tab when creating a new alert rule.":::

-### Set the details for the alert rule

- |Automatically resolve alerts (preview) |Select to make the alert stateful. When an alert is stateful, the alert is resolved when the condition is no longer met.<br> If you don't select this checkbox, metric alerts are stateless. Stateless alerts fire each time the condition is met, even if alert already fired.<br> The frequency of notifications for stateless metric alerts differs based on the alert rule's configured frequency:<br>**Alert frequency of less than 5 minutes**: While the condition continues to be met, a notification is sent somewhere between one and six minutes.<br>**Alert frequency of more than 5 minutes**: While the condition continues to be met, a notification is sent between the configured frequency and double the frequency. For example, for an alert rule with a frequency of 15 minutes, a notification is sent somewhere between 15 to 30 minutes.|

- :::image type="content" source="media/alerts-create-new-alert-rule/alerts-metric-rule-details-tab.png" alt-text="Screenshot that shows the Details tab when creating a new alert rule.":::

- :::image type="content" source="media/alerts-create-new-alert-rule/alerts-log-rule-details-tab.png" alt-text="Screenshot that shows the Details tab when creating a new log alert rule.":::

- :::image type="content" source="media/alerts-create-new-alert-rule/alerts-activity-log-rule-details-tab.png" alt-text="Screenshot that shows the Actions tab when creating a new activity log alert rule.":::

- #### [Service Health alert](#tab/service-health)

- :::image type="content" source="media/alerts-create-new-alert-rule/alerts-activity-log-rule-details-tab.png" alt-text="Screenshot that shows the Actions tab when creating a new activity log alert rule.":::

- > [!NOTE]

- > Azure CLI support is only available for the `scheduledQueryRules` API version `2021-08-01` and later. Previous API versions can use the Azure Resource Manager CLI with templates as described in the following sections. If you use the legacy [Log Analytics Alert API](./api-alerts.md), you must switch to use the CLI. [Learn more about switching](./alerts-log-api-switch.md).

-1. Follow the rest of the steps from [Create a new alert rule in the Azure portal](#create-a-new-alert-rule-in-the-azure-portal).

-## Changes to the log alert rule creation experience

-The current alert rule wizard is different from the earlier experience:

- - We recommend using [Dimensions](alerts-types.md#narrow-the-target-using-dimensions). Dimensions provide the column value that fired the alert, which gives you context for why the alert fired and how to fix the issue.

- - When you need to investigate in the logs, use the link in the alert to the search results in logs.

- - If you need the raw search results or for any other advanced customizations, use Azure Logic Apps.

- - Use custom properties in the [new API](/rest/api/monitor/scheduledqueryrule-2021-08-01/scheduled-query-rules/create-or-update#actions) to add static parameters and associated values to the webhook actions triggered by the alert.

- - For more advanced customizations, use Logic Apps.

- - Customers often use the custom email subject to indicate the resource on which the alert fired, instead of using the Log Analytics workspace. Use the [new API](alerts-unified-log.md#split-by-alert-dimensions) to trigger an alert of the desired resource by using the resource ID column.

- - For more advanced customizations, use Logic Apps.

-When configuring alert rules in the [Azure portal](https://portal.azure.com), follow the procedure to [Create a new alert rule in the Azure portal](alerts-create-new-alert-rule.md#create-a-new-alert-rule-in-the-azure-portal), with these settings

- - **Signa**: *Percentage CPU*

- 1. Follow the rest of the steps in [Create a new alert rule in the Azure portal](../alerts/alerts-create-new-alert-rule.md#create-a-new-alert-rule-in-the-azure-portal).

-|Draft-Monitor|[Log alert creation in the Azure portal.](../alerts/alerts-create-new-alert-rule.md?tabs=metric#create-a-new-alert-rule-in-the-azure-portal)|

-## Is Profiler running?

- If no records are displayed, Profiler isn't running. Make sure you've [enabled Profiler on your Azure service](./profiler.md).

-To provide the best possible security for your data, Microsoft is moving away from TLS 1.0 and TLS 1.1 because these protocols are vulnerable to determined attackers. If you're using an older version of the site extension, it requires an upgrade to continue working. This article outlines the steps needed to upgrade your instance of Snapshot Debugger to the latest version.

-* Via site extension

-* Via an SDK/NuGet added to your application

-This article discusses both upgrade paths.

-## Upgrade the site extension

-> Older versions of Application Insights used a private site extension called *Application Insights extension for Azure App Service*. The current Application Insights experience is enabled by setting App Settings to light up a preinstalled site extension.

-1. After you've moved to your resource, select the **Extensions** pane. Wait for the list of extensions to populate.

-## Upgrade Snapshot Debugger by using SDK/NuGet

-If the application is using a version of `Microsoft.ApplicationInsights.SnapshotCollector` earlier than version 1.3.1, you must upgrade it to a [newer version](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) to continue working.

-description: Debug snapshots are automatically collected when exceptions are thrown in production .NET apps.

-# Debug snapshots on exceptions in .NET apps

-When an exception occurs, you can automatically collect a debug snapshot from your live web application. The debug snapshot shows the state of source code and variables at the moment the exception was thrown.

-To use the Snapshot Debugger, you:

-## How snapshots work

-The Snapshot Debugger is implemented as an [Application Insights telemetry processor](../app/configuration-with-applicationinsights-config.md#telemetry-processors-aspnet). When your application runs, the Snapshot Debugger telemetry processor is added to your application's system-generated logs pipeline.

-Each time your application calls [TrackException](../app/asp-net-exceptions.md#exceptions), the Snapshot Debugger computes a problem ID from the type of exception being thrown and the throwing method.

-Each time your application calls `TrackException`, a counter is incremented for the appropriate problem ID. When the counter reaches the `ThresholdForSnapshotting` value, the problem ID is added to a collection plan.

-The Snapshot Debugger also monitors exceptions as they're thrown by subscribing to the [AppDomain.CurrentDomain.FirstChanceException](/dotnet/api/system.appdomain.firstchanceexception) event. When that event fires, the problem ID of the exception is computed and compared against the problem IDs in the collection plan.

-If there's a match, a snapshot of the running process is created. The snapshot is assigned a unique identifier and the exception is stamped with that identifier. After the `FirstChanceException` handler returns, the thrown exception is processed as normal. Eventually, the exception reaches the `TrackException` method again. It's reported to Application Insights, along with the snapshot identifier.

-Snapshot creation tips:

- * A process snapshot is a suspended clone of the running process.

- * Creating the snapshot takes about 10 milliseconds to 20 milliseconds.

- * The default value for `ThresholdForSnapshotting` is 1. This value is also the minimum. Your app has to trigger the same exception *twice* before a snapshot is created.

- * Set `IsEnabledInDeveloperMode` to `true` if you want to generate snapshots while you debug in Visual Studio.

- * The snapshot creation rate is limited by the `SnapshotsPerTenMinutesLimit` setting. By default, the limit is one snapshot every 10 minutes.

- * No more than 50 snapshots per day can be uploaded.

-## Required permissions

-Access to snapshots is protected by Azure role-based access control. To inspect a snapshot, you must first be added to the [Application Insights Snapshot Debugger](../../role-based-access-control/role-assignments-portal.md) role. Subscription owners can assign this role to individual users or groups for the target **Application Insights Snapshot**.

-The Snapshot Debugger requires symbol files on the production server to decode variables and to provide a debugging experience in Visual Studio.

-Version 15.2 (or above) of Visual Studio 2017 publishes symbols for release builds by default when it publishes to App Service. In prior versions, you must add the following line to your publish profile `.pubxml` file so that symbols are published in release mode:

-For Azure Compute and other types, make sure that the symbol files are in the same folder of the main application .dll (typically, `wwwroot/bin`). Or they must be available on the current path.

-In some cases, local variables can't be viewed in release builds because of optimizations that are applied by the JIT compiler.

-However, in App Service, the Snapshot Collector can deoptimize throwing methods that are part of its collection plan.

-This article contains the release notes for the `Microsoft.ApplicationInsights.SnapshotCollector` NuGet package for .NET applications, which is used by the Application Insights Snapshot Debugger.

-It used to be 2.2.0 or above.

-| Prometheus Metrics | The service is currently free to use, with billing set to begin on 8/1/2023. Pricing for Azure Monitor managed service for Prometheus consists of data ingestion priced at $0.16/10 million samples ingested and metric queries priced at $0.001/10 million samples processed. Data is retained for 18 months at no extra charge. |

-* [Requirements and considerations for Azure NetApp Files](backup-requirements-considerations.md)

-> [!CAUTION]

-* Using double encryption at rest might have performance impacts based on the workload type and frequency. The performance impact can range from a minimal 1-2% to possibly 15% or higher, depending on the workload profile.

-To expand access to a dashboard beyond the access granted at the subscription level, assign permissions to an individual dashboard, or to a resource group that contains several dashboards. For example, if a user should have limited permissions across the subscription, but needs to be able to edit one particular dashboard, you can assign a different role with more permissions (such as [Contributor](/azure/role-based-access-control/built-in-roles#contributor)) for that dashboard only.

- >Port Mirroring is intended to be used as a temporary investigative tool and not a permanent network data collection feature. This is because NSX-T Data Center does not have the resoures to port mirror all traffic continuously. The IPFIX feature should be used if a continuous meta-data network flow logging solution is required.

- }

- Each permission is a Resource Manager operation that can be granularly assigned to an identity or assigned as part of a role with wildcard permissions. For example, the Contributor role in Azure has */write permission at the assigned scope, which includes `Microsoft.Chaos/experiments/write permission`.

-* **Service-direct faults**: Most service-direct faults are executed through Resource Manager. Target resources don't require any allowlisted network endpoints.

-* **Service-direct AKS Chaos Mesh faults**: Service-direct faults for Azure Kubernetes Service (AKS) that use Chaos Mesh require access that the AKS cluster have a publicly exposed Kubernetes API server. To learn how to limit AKS network access to a set of IP ranges, see [Secure access to the API server using authorized IP address ranges in AKS](../aks/api-server-authorized-ip-ranges.md).

-* **Agent-based faults**: Agent-based faults require agent access to the Chaos Studio agent service. A VM or virtual machine scale set must have outbound access to the agent service endpoint for the agent to connect successfully. The agent service endpoint is `https://acs-prod-<region>.chaosagent.trafficmanager.net`. You must replace the `<region>` placeholder with the region where your VM is deployed. An example is `https://acs-prod-eastus.chaosagent.trafficmanager.net` for a VM in East US.

-You can use service tags to explicitly allow inbound traffic from Chaos Studio without the need to know the IP addresses of the platform. Currently, you can enable service tags via PowerShell. Support will soon be added to the Chaos Studio user interface.

-> [!WARNING]

-> AKS Chaos Mesh faults are only supported on Linux node pools.

- 1. Remove any YAML outside of the `spec`, including the spec property name. Remove the indentation of the spec details.

- duration: '600s'

- {"action":"pod-failure","mode":"all","duration":"600s","selector":{"namespaces":["default"]}}

- {\"action\":\"pod-failure\",\"mode\":\"all\",\"duration\":\"600s\",\"selector\":{\"namespaces\":[\"default\"]}}

- "value": "{\"action\":\"pod-failure\",\"mode\":\"all\",\"duration\":\"600s\",\"selector\":{\"namespaces\":[\"default\"]}}"

- "id": "/subscriptions/b65f2fec-d6b2-4edd-817e-9339d8c01dc4/resourceGroups/myRG/providers/Microsoft.ContainerService/managedClusters/myCluster/providers/Microsoft.Chaos/targets/Microsoft-AzureKubernetesServiceChaosMesh"

-> [!WARNING]

-> AKS Chaos Mesh faults are only supported on Linux node pools.

-Previously, Chaos Mesh faults didn't work with private clusters. You can now use Chaos Mesh faults with private clusters by configuring [virtual network injection in Chaos Studio](chaos-studio-private-networking.md).

- 1. Remove any YAML outside of the `spec` (including the spec property name) and remove the indentation of the spec details.

- duration: '600s'

- {"action":"pod-failure","mode":"all","duration":"600s","selector":{"namespaces":["default"]}}

- "wordLevelTimestampsEnabled": true,

- "displayFormWordLevelTimestampsEnabled": false,

- "wordLevelTimestampsEnabled": true,

- "displayFormWordLevelTimestampsEnabled": false,

- "timestamp": "2022-09-16T09:30:21Z",

- "durationInTicks": 41200000,

- "duration": "PT4.12S",

- "speaker": 1,

- "offset": "PT0.07S",

- "duration": "PT1.59S",

- "offsetInTicks": 700000.0,

- "durationInTicks": 15900000.0,

- "confidence": 0.898652852,

- "words": [

- "word": "hello",

- "offset": "PT0.09S",

- "duration": "PT0.48S",

- "offsetInTicks": 900000.0,

- "durationInTicks": 4800000.0,

- "confidence": 0.987572

- "word": "world",

- "offset": "PT0.59S",

- "duration": "PT0.16S",

- "offsetInTicks": 5900000.0,

- "durationInTicks": 1600000.0,

- "confidence": 0.906032

-|`displayPhraseElements`|A list of results with display text for each word of the phrase. The `displayFormWordLevelTimestampsEnabled` request property must be set to `true`, otherwise this property is not present.<br/><br/>**Note**: This property is only available with Speech to text REST API version 3.1.|

-Except for Calling, Communication Services packages target .NET Standard 2.0, which supports the platforms listed below.

-Support via .NET Framework 4.6.1

-Support via .NET Core 2.0:

-The Calling package supports UWP apps build with .NET Native or C++/WinRT on:

-Navigate to the Short Codes blade in the resource menu and click on "Get" button to launch the short code program brief application wizard. For detailed guidance on how to fill out the program brief application check the [program brief filling guidelines](../../concepts/sms/program-brief-guidelines.md).

-Once completed, review the short code request details, fees, SMS laws and industry standards and submit the completed application through the Azure Portal.

-|Automated validation testing by Microsoft Teams test suites|Minimum: 3. Recommended: 6 (to run tests simultaneously).|

-> You must configure at least three automated test lines. We recommend six automated test lines (to allow simultaneous tests).

-Using a combination of [Service Connector](../service-connector/overview.md) and [Dapr](https://docs.dapr.io/), you can author Dapr components via an improved component creation feature in the Azure Container Apps portal.

-With this new component creation feature, you no longer need to know or remember the Dapr open source metadata concepts. Instead, entering the component information in the easy component creation pane automatically maps your entries to the required component metadata.

-By managing component creation for you, this feature:

-This experience makes authentication easier. When using Managed Identity, Azure Container Apps, Dapr, and Service Connector ensure the selected identification is assigned to all containers apps in scope and target services.

-This guide demonstrates creating a Dapr component by:

-Dapr is an open source project that helps developers with the inherent challenges presented by distributed applications, such as state management and service invocation. Azure Container Apps provides a managed experience of the core Dapr APIs.

-In this tutorial, you'll:

-> - Configure a GitHub Actions workflow for deploying the end-to-end solution to Azure Container Apps.

-The [sample solution](https://github.com/Azure-Samples/container-apps-store-api-microservice) consists of three Dapr-enabled microservices and uses Dapr APIs for service-to-service communication and state management.

- - [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

- - If you don't have one, sign up for [free](https://github.com/join).

-Container Apps run in single-revision mode by default. In the Container Apps bicep module, we explicitly set the revision mode to multiple. This means that once the source code is changed and committed, the GitHub build/deploy workflow builds and pushes a new container image to GitHub Container Registry. Changing the container image is considered a [revision-scope](revisions.md#revision-scope-changes) change and results in a new container app revision.

-* **SKU** - The GPU SKU: **K80**, **P100**, or **V100**. Each SKU maps to the NVIDIA Tesla GPU in one the following Azure GPU-enabled VM families:

- | K80 | [NC](../virtual-machines/nc-series.md) |

- | P100 | [NCv2](../virtual-machines/ncv2-series.md) |

-> Default [subscription limits](container-instances-quotas.md) (quotas) for GPU resources differ by SKU. The default CPU limits for the P100 and V100 SKUs are initially set to 0. To request an increase in an available region, please submit an [Azure support request][azure-support].

-One way to add GPU resources is to deploy a container group by using a [YAML file](container-instances-multi-container-yaml.md). Copy the following YAML into a new file named *gpu-deploy-aci.yaml*, then save the file. This YAML creates a container group named *gpucontainergroup* specifying a container instance with a K80 GPU. The instance runs a sample CUDA vector addition application. The resource requests are sufficient to run the workload.

- sku: K80

-name: Tesla K80 major: 3 minor: 7 memoryClockRate(GHz): 0.8235

-2018-10-25 18:31:10.305981: I tensorflow/core/common_runtime/gpu/gpu_device.cc:1120] Creating TensorFlow device (/device:GPU:0) -> (device: 0, name: Tesla K80, pci bus id: ccb6:00:00.0, compute capability: 3.7)

-Azure Cosmos DB is a fully managed NoSQL and relational database for modern app development. Azure Cosmos DB offers single-digit millisecond response times, automatic and instant scalability, along with guarantee speed at any scale. Business continuity is assured with [SLA-backed](https://azure.microsoft.com/support/legal/sla/cosmos-db) availability and enterprise-grade security.

-The start date of a new Azure Prepayment (previously called monetary commitment) is defined by the date that the regional operations center processed it. Since Azure Prepayment orders via the Azure portal are processed in the UTC time zone, you may experience some delay if your Azure Prepayment purchase order was processed in a different region. The coverage start date on the purchase order shows the start of the Azure Prepayment. The coverage start date is when the Azure Prepayment appears in the Azure portal.

-**Expired** - The EA enrollment expires when it reaches the enterprise agreement end date and is opted out of the extended term. Sign a new enrollment contract as soon as possible. Although your service won't be disabled immediately, there's a risk of it getting disabled.

-Markup allows partner administrators to add a percentage markup to their indirect enterprise agreements. Percentage markup applies to all Microsoft first party service information in the Azure portal such as: meter rates, Azure Prepayment, and orders. After the markup is published by the partner, the customer sees Azure costs in the Azure portal. For example, usage summary, price lists, and downloaded usage reports.

-Microsoft won't access or utilize the provided markup and associated prices for any purpose unless explicitly authorized by the channel partner.

-The LSP provides a single percentage number in the Azure portal.  All commercial information on the portal will be uplifted by the percentage provided by the LSP. Example:

-If you're using different rates for different meters, we recommend developing a custom solution based on the API key. The API key can be provided by the customer to pull consumption data and provide reports.

-Let's look at an example. For an Azure Savings Plan commitment amount of 3.33/hour entered by the customer, if the markup is 13%, after the markdown to arrive at partner price and the subsequent markup in the cost and usage reports, there's minor variance in numbers:

-**You can add price markup on Azure portal with the following steps:**

-**In the Azure portal,**

-**You can add price markup on Azure Enterprise portal with the following steps:**

-**Step One: Add price markup**

-1. From the Enterprise Portal, select **Reports** on the left navigation.

-1. Under _Usage Summary_, select the blue **Markup** wording.

-**Step Two: Review and validate**

-Review the markup price in the _Usage Summary_ for the Prepayment term in the customer view. The Microsoft price will still be available in the partner view. The views can be toggled using the partner markup "people" toggle at the top right.

-  

-Both the service prices and the Prepayment balances will be marked up by the same percentages. If you have different percentages for monetary balance and meter rates, or different percentages for different services, then don't use this feature.

-**Step Three: Publish**

-  

-Pricing with markup will be available to enterprise administrators immediately after selecting publish. Edits can't be made to markup. You must disable markup and begin from the first step.

-To check if an enrollment has a markup published, select **Manage** on the left navigation, and select the **Enrollment** tab. Select the enrollment box to check, and view the markup status under _Enrollment Detail_. It will display the current status of the markup feature for that EA as Disabled, Preview, or Published.

-**To check markup status of an enrollment on Azure portal, follow the below steps:**

-Once partner markup is published, the indirect customer will have access to balance and charge .csv monthly files and usage detail .csv files. The usage detail files will include resource rate and extended cost.

-Partners can use the markup feature (on Azure EA portal or Azure portal) after a Change of Channel Partner is processed; no need to wait for the next anniversary term.

-| Service Bus | 50 Namespaces per account. 40 Service Bus connections | Customers purchasing Service Bus connections through connection packs will have quotas equal to the midpoint between the connection pack they purchased and the next highest connection pack amount. Customers choosing a 500 Pack will have a quota of 750. |

-Microsoft will provide services to you up to at least the level of the associated usage included in the monthly Prepayment that you purchased (the Service Prepayment). However, all other increases in usage levels of service resources are subject to the availability of these service resources. For example, adding to the number of compute instances running, or increasing the amount of storage in use.

-Quotas described above aren't Service Prepayment. You can determine the number of simultaneous small compute instances, or their equivalent, that Microsoft provides as part of a Service Prepayment. Divide the number of committed small compute instance hours purchased for a month by the number of hours in the shortest month of the year. For example, February ΓÇô 672 hours.

-The first time you add a subscription to an account, you'll need to provide your contact information. When you add more subscriptions later, your contact information will be populated for you.

-The first time you add a subscription to your account, you'll be asked to accept the MOSA agreement and a Rate Plan. These sections aren't Applicable to Enterprise Agreement Customers, but are currently necessary to create your subscription. Your Microsoft Azure Enterprise Agreement Enrollment Amendment supersedes the above items and your contractual relationship won't change. Select the box indicating you accept the terms.

-All new subscriptions will be added with the default *Microsoft Azure Enterprise* subscription name. It's important to update the subscription name to differentiate it from the other subscriptions within your Enterprise Enrollment and ensure that it's recognizable on reports at the enterprise level.

-Update the subscription name and service administrator and select the checkmark. The subscription name will appear on reports and it will also be the name of the project associated with the subscription on the development portal.

-When new Account Owners (AO) are added to the enrollment for the first time, they'll always show as `pending` under status. When you receive the activation welcome email, the AO can sign in to activate their account. This activation will update their account status from `pending` to `active`.

-To validate if you're deploying under the right enrollment, you can check your included units information via the price sheet. Sign in as an Enterprise Administrator and select **Reports** on the left navigation and select **Price Sheet** tab. Select the Download symbol in the top-right corner and find the corresponding Plan SKU part numbers with filter on column "Included Quantity" and select values greater than "0".

- - Java Runtime (JRE) version 11 from a JRE provider such as [Eclipse Temurin](https://adoptium.net/temurin/releases/?version=11). Ensure that the JAVA_HOME environment variable is set to the JDK folder (and not just the JRE folder) you may also need to add the bin folder to your system's PATH environment variable.

-You can **not** export data to an Azure Event Hubs or Log Analytics workspace in a different tenant, without using [Azure Lighthouse](../lighthouse/overview.md). When collecting data into a tenant, you can analyze the data from one central location.

-To export data to an Azure Event Hubs or Log Analytics workspace in a different tenant **with Azure Lighthouse**:

-1. In the tenant that has the Azure Event Hubs or Log Analytics workspace, [invite a user](../active-directory/external-identities/what-is-b2b.md#easily-invite-guest-users-from-the-azure-portal) from the tenant that hosts the continuous export configuration.

-1. For a Log Analytics workspace: After the user accepts the invitation to join the tenant, assign the user in the workspace tenant one of these roles: Owner, Contributor, Log Analytics Contributor, Sentinel Contributor, Monitoring Contributor

-1. Configure the continuous export configuration and select the event hub or Analytics workspace to send the data to.

-You can also configure export to another tenant through the REST API. For more information, see the automations [REST API](/rest/api/defenderforcloud/automations/create-or-update?tabs=HTTP).

-description: Learn how to enable all of Microsoft Defender for Cloud's paid plans on your subscription.

-# Protect all of your resources with Defender for Cloud

-In this deployment guide, you learn how to enable all of Microsoft Defender for Cloud's paid plans to your environments.

-## Enable all paid plans on your subscription

-To enable all of the Defender for Cloud's protections, you need to enable the other paid plans for each of the workloads that you want to protect.

-> [!NOTE]

-> - You can enable **Microsoft Defender for Storage accounts** at either the subscription level or resource level.

-> - You can enable **Microsoft Defender for SQL** at either the subscription level or resource level.

-> - You can enable **Microsoft Defender for open-source relational databases** at the resource level only.

-> - The Microsoft Defender plans available at the workspace level are: **Microsoft Defender for Servers**, **Microsoft Defender for SQL servers on machines**.

-When you enabled Defender plans on an entire Azure subscription, the protections are applied to all other resources in the subscription.

-**To enable additional paid plans on a subscription**:

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. Search for and select **Microsoft Defender for Cloud**.

-1. In the Defender for Cloud menu, select **Environment settings**.

- :::image type="content" source="media/get-started/environmental-settings.png" alt-text="Screenshot that shows where to navigate to, to select environmental settings from.":::

-

-1. Select the subscription or workspace that you want to protect.

-1. Select **Enable all** to enable all of the plans for Defender for Cloud.

- :::image type="content" source="media/get-started/enable-all-plans.png" alt-text="Screenshot that shows where the enable button is located on the plans page." lightbox="media/get-started/enable-all-plans.png":::

-

-1. Select **Save**.

-All of the plans are turned on and the monitoring components required by each plan are deployed to the protected resources.

-If you want to disable any of the plans, toggle the individual plan to **off**. The extensions used by the plan aren't uninstalled but, after a short time, the extensions stop collecting data.

-> [!TIP]

-> To access Defender for Cloud on all subscriptions within a management group, see [Enable Defender for Cloud on multiple Azure subscriptions](onboard-management-group.md).

-## Next steps

-Learn more about [Microsoft Defender for Cloud's overview page](overview-page.md).

-description: Learn how to enable Microsoft Defender for Cloud's enhanced security features.

-# Enable Microsoft Defender for Cloud

-In this quickstart guide, you learn how to enable Microsoft Defender for Cloud on your Azure subscription.

-Defender for Cloud provides unified security management and threat protection across your hybrid and multicloud workloads. While the free features offer limited security for your Azure resources only, you can also enable other paid plans that add extra protection for your resources that exist on your on-premises and other clouds. To learn more about these plans and their costs, see the Defender for Cloud [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).

-Defender for Cloud helps you find and fix security vulnerabilities. Defender for Cloud also applies access and application controls to block malicious activity, detect threats using analytics and intelligence, and respond quickly when under attack.

-## Prerequisites

-## Enable Defender for Cloud on your Azure subscription

-> [!TIP]

-> To enable Defender for Cloud on all subscriptions within a management group, see [Enable Defender for Cloud on multiple Azure subscriptions](onboard-management-group.md).

-1. Sign into the [Azure portal](https://azure.microsoft.com/features/azure-portal/).

-1. Search for and select **Microsoft Defender for Cloud**.

- :::image type="content" source="media/get-started/defender-for-cloud-search.png" alt-text="Screenshot of the Azure portal with Microsoft Defender for Cloud entered in the search bar and highlighted in the drop down menu." lightbox="media/get-started/defender-for-cloud-search.png":::

- The Defender for Cloud's overview page opens.

- :::image type="content" source="./media/get-started/overview.png" alt-text="Defender for Cloud's overview dashboard" lightbox="./media/get-started/overview.png":::

-Defender for Cloud is now enabled on your subscription and you have access to the basic features provided by Defender for Cloud. These features include:

-The Defender for Cloud overview page provides a unified view into the security posture of your hybrid cloud workloads, helping you discover and assess the security of your workloads and to identify and mitigate risks. Learn more in [Microsoft Defender for Cloud's overview page](overview-page.md).

-You can view and filter your list of subscriptions from the subscriptions menu to have Defender for Cloud adjust the overview page display to reflect the security posture to the selected subscriptions.

-Within minutes of launching Defender for Cloud for the first time, you might see:

-## Next steps

-In this quickstart, you enabled Defender for Cloud on your Azure subscription. The next step is to set up your hybrid and multicloud environments.

-> [!div class="nextstepaction"]

-> [Quickstart: Connect your non-Azure machines to Microsoft Defender for Cloud with Azure Arc](quickstart-onboard-machines.md)

->

-> [Quickstart: Connect your AWS accounts to Microsoft Defender for Cloud](quickstart-onboard-aws.md)

->

-> [Quickstart: Connect your GCP projects to Microsoft Defender for Cloud](quickstart-onboard-gcp.md)

->

-> [Quickstart: Connect your non-Azure machines to Microsoft Defender for Cloud with Defender for Endpoint](onboard-machines-with-defender-for-endpoint.md)

-Defender for Containers assists you with the three core aspects of container security:

-1. (Optional) To change the retention period for your audit logs, select **Settings**, enter the required timeframe, and select **Save**.

- :::image type="content" source="media/tutorial-enable-containers-aws/retention-period.png" alt-text="Screenshot of adjusting the retention period for EKS control pane logs." lightbox="media/tutorial-enable-containers-aws/retention-period.png":::

-1. Defender for Cloud generates a script in the language of your choice:

-Defender for Containers assists you with the three core aspects of container security:

-1. Defender for Cloud generates a script in the language of your choice:

-description: Learn how to enable the Defender for Containers plan on your on-premises device for Microsoft Defender for Cloud.

-# Protect your on-premises device with the Defender for Containers

-Defender for Containers assists you with the three core aspects of container security:

-## Deploy the Defender extension in Azure

-Defender for Containers assists you with the three core aspects of container security:

-You can learn more about Defender for Storage's pricing on [the pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).

-Defender for Storage continually analyzes the telemetry stream generated by the [Azure Blob Storage](https://azure.microsoft.com/services/storage/blobs/) and Azure Files services. When potentially malicious activities are detected, security alerts are generated. These alerts are displayed in Microsoft Defender for Cloud, together with the details of the suspicious activity along with the relevant investigation steps, remediation actions, and security recommendations.

-**To enable Defender for App Service on your subscription**:

-

-| [Recommendation set to be released for GA: Running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)](#recommendation-set-to-be-released-for-ga-running-container-images-should-have-vulnerability-findings-resolved-powered-by-microsoft-defender-vulnerability-management) | July 2023 |

-With this release, the recommendation `Container registry images should have vulnerability findings resolved (powered by MDVM)` is set for General Availability (GA):

-|Recommendation | Description | Assessment Key|

-|--|--|--|

-| Container registry images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)| Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to  improving your security posture, significantly reducing the attack surface for your containerized workloads. |dbd0cb49-b563-45e7-9724-889e799fa648 <br> is replaced by c0b7cfc6-3172-465a-b378-53c7ff2cc0d5

-Customers with both Defender for Containers plan and Defender CSPM plan should [disable the Qualys recommendation](tutorial-security-policy.md#disable-a-security-recommendation), to avoid multiple reports for the same images with potential impact on secure score. If you're currently using the sub-assesment API or Azure Resource Graph or continuous export, you should also update your requests to the new schema used by the MDVM recommendation prior to disabling the Qualys recommendation and using MDVM results instead.

-If you are also using our public preview offering for Windows containers vulnerability assessment powered by Qualys, and you would like to continue using it, you need to [disable Linux findings](defender-for-containers-vulnerability-assessment-azure.md#disable-specific-findings) using disable rules rather than disable the registry recommendation.

-### Recommendation set to be released for GA: Running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)ΓÇ»

-**Estimated date for change: July 2023**

-The recommendation `Running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)` is set to be released as GA (General Availability):

-|Recommendation | Description | Assessment Key|

-|--|--|--|

-| Running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)ΓÇ»| Container image vulnerability assessment scans your registry for commonly known vulnerabilities (CVEs) and provides a detailed vulnerability report for each image. This recommendation provides visibility to vulnerable images currently running in your Kubernetes clusters. Remediating vulnerabilities in container images that are currently running is key to improving your security posture, significantly reducing the attack surface for your containerized workloads. | c609cf0f-71ab-41e9-a3c6-9a1f7fe1b8d5

- Customers with both Defender for the Containers plan and Defender CSPM plan should [disable the Qualys running containers recommendation](tutorial-security-policy.md#disable-a-security-recommendation), to avoid multiple reports for the same images with potential impact on the secure score.

-If you're currently using the sub-assesment API or Azure Resource Graph or continuous export, you should also update your requests to the new schema used by the MDVM recommendation prior to disabling the Qualys recommendation and use MDVM results instead.

-If you are also using our public preview offering for Windows containers vulnerability assessment powered by Qualys, and you would like to continue using it, you need to [disable Linux findings](defender-for-containers-vulnerability-assessment-azure.md#disable-specific-findings) using disable rules rather than disable the runtime recommendation.

-Learn more about [Agentless Containers Posture in Defender CSPM](concept-agentless-containers.md).

-# Components common to Microsoft Dev Box and Azure Deployment Environments

-# Key concepts for Microsoft Dev Box Preview

-> Microsoft Dev Box Preview doesn't support community galleries.

-When you use an Azure Compute Gallery image to create a dev box definition, the Windows 365 service validates the image to ensure that it meets the requirements to be provisioned for a dev box. The Dev Box Preview service replicates the image to the regions specified in the attached network connections, so the images are present in the region that's required for dev box creation.

-1. [Follow the steps to create a user-assigned managed identity](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md?pivots=identity-mi-methods-azp#create-a-user-assigned-managed-identity).

-With Azure diagnostic logs for DevCenter, you can view audit logs for dataplane operations in your dev center. These logs can be routed to any of the following destinations:

-Diagnostics logs allow you to export basic usage information from your dev center to different kinds sources so that you can consume them in a customized way. The dataplane audit logs expose information around CRUD operations for dev boxes within your dev center. Including, for example, start and stop commands executed on dev boxes. Some sample ways you can choose to export this data:

-| DevCenterDiagnosticLogs | Table used to store dataplane request/response information on dev box or environments within the dev center. |

-description: Learn how to create, delete, attach, and remove Microsoft Dev Box Preview network connections.

-If your organization routes egress traffic through a firewall, you need to open certain ports to allow the Microsoft Dev Box Preview service to function. For more information, see [Network requirements](/windows-365/enterprise/requirements-network).

-The following sections show you how to create and configure a network connection in Microsoft Dev Box Preview.

-1. Select **+ Add**.

-To save on costs, you can enable an Auto-stop schedule on a dev box pool. Microsoft Dev Box Preview attempts to shut down all dev boxes in that pool at the time specified in the schedule. You can configure one stop time in one timezone for each pool.

-1. Select **Save**.

-1. Select **Save**. Dev boxes in this pool won't automatically shut down.

-description: Learn how to create, delete, and connect to Microsoft Dev Box Preview dev boxes by using the developer portal.

-You can preconfigure a dev box to manage all of your tools, services, source code, and prebuilt binaries that are specific to your project. Microsoft Dev Box Preview provides an environment that's ready to build on, so you can run your app in minutes.

-$SecurityType = @{Name='SecurityType';Value='TrustedLaunch'}

-New-AzGalleryImageDefinition -GalleryName $galleryName -ResourceGroupName $imageResourceGroup -Location $location -Name $imageDefName -OsState generalized -OsType Windows -Publisher 'myCompany' -Offer 'vscodebox' -Sku '1-0-0' -Feature $features -HyperVGeneration "V2"

-After the gallery images are available in the dev center, you can use the custom image with the Microsoft Dev Box Preview service. For more information, see [Quickstart: Configure Microsoft Dev Box Preview](./quickstart-configure-dev-box-service.md).

-Team members must have access to a specific Microsoft Dev Box Preview project before they can create dev boxes. By using the built-in DevCenter Dev Box User role, you can assign permissions to Active Directory users or groups at the project level.

-To update a version of the extension that's installed

-A dev box definition is a Microsoft Dev Box Preview resource that specifies a source image, compute size, and storage size.

-A dev box pool is a collection of dev boxes that you manage together. You must have a pool before users can create a dev box.

-If you don't have an available dev center with an existing dev box definition and network connection, follow the steps in [Quickstart: Configure Microsoft Dev Box Preview](quickstart-configure-dev-box-service.md) to create them.

-A project is the point of access to Microsoft Dev Box Preview for the development team members. A project contains dev box pools, which specify the dev box definitions and network connections used when dev boxes are created. Dev managers can configure the project with dev box pools that specify dev box definitions appropriate for their team's workloads. Dev box users create dev boxes from the dev box pools they have access to through their project memberships.

-#Customer intent: As a dev infrastructure manager, I want to be able to manage dev centers so that I can manage my Microsoft Dev Box Preview implementation.

-To create a dev center:

-1. Select **+ Add**.

-You can create multiple Microsoft Dev Box Preview projects in the dev center to align with each team's specific requirements. By using the built-in DevCenter Project Admin role, you can delegate project administration to a member of a team. Project admins can use the network connections and dev box definitions configured at the dev center level to create and manage dev box pools within their project.

-description: Learn how Microsoft Dev Box Preview gives self-service access to high-performance, preconfigured, and ready-to-code cloud-based workstations.

-# What is Microsoft Dev Box Preview?

-Microsoft Dev Box Preview gives you self-service access to high-performance, preconfigured, and ready-to-code cloud-based workstations called dev boxes. You can set up dev boxes with tools, source code, and prebuilt binaries that are specific to a project, so developers can immediately start work. If you're a developer, you can use dev boxes in your day-to-day workflows.

-Members of a development team are assigned the DevCenter Dev Box User role. They can then self-serve one or more dev boxes on demand from the dev box pools that have been enabled for a project. Dev box users can work on multiple projects or tasks by creating multiple dev boxes.

-Organizations can use Microsoft Dev Box Preview in a range of scenarios.

-This diagram shows the components of the Dev Box Preview service and the relationships between them.

-Start using Microsoft Dev Box Preview:

-description: In this quickstart, you learn how to configure the Microsoft Dev Box Preview service to provide dev boxes for users.

-# Quickstart: Configure Microsoft Dev Box Preview

-This quickstart describes how to set up Microsoft Dev Box Preview to enable development teams to self-serve their dev boxes. The setup process involves two distinct phases. In the first phase, dev infra admins configure the necessary Microsoft Dev Box resources through the Azure portal. After this phase is complete, users can proceed to the next phase, creating and managing their dev boxes through the developer portal. This quickstart shows you how to complete the first phase.

-Use the following steps to create a dev center so that you can manage your dev box resources:

-Network connections determine the region in which dev boxes are deployed. They also allow dev boxes to be connected to your existing virtual networks. The following steps show you how to create and configure a network connection in Microsoft Dev Box Preview.

-Microsoft Dev Box Preview makes it possible for you to delegate administration of projects to a member of the project team. Project administrators can assist with the day-to-day management of projects for their teams, like creating and managing dev box pools. To give users permissions to manage projects, assign the DevCenter Project Admin role to them.

-In this quickstart, you get started with Microsoft Dev Box Preview by creating a dev box through the developer portal. After you create the dev box, you can connect to it with a Remote Desktop session through a browser or through a Remote Desktop app.

- :::image type="content" source="./media/quickstart-create-dev-box/dev-portal-delete-dev-box-confirm.png" alt-text="Screenshot of the Delete button in the confirmation message about deleting a dev box.":::

-After you configure the Microsoft Dev Box Preview service and create dev boxes, you can connect to them by using a browser or by using a Remote Desktop client.

-To learn about managing Microsoft Dev Box Preview, see:

- "deliveryAttemptTimeStamp": "2020-09-18T00:22:20.2855749Z",

- "eventTime": "2020-09-18T00:22:20Z"

- "eventTime": "2022-09-06T22:34:52.1303612Z"

-This article will be updated to reflect the features that are currently in preview with instructions to enable them. When the features move to General Availability (GA), they'll be available to all customers without the need to enable a feature flag.

-This preview is automatically enabled on all firewalls and no action is required to enable this functionality.

-Azure HPC Cache enhances productivity best for workflows like these:

-* Read-heavy file access workflow

-* Data stored in NFS-accessible storage, Azure Blob, or both

-* Compute farms of up to 75,000 CPU cores

-Azure HPC Cache can be added to a wide variety of workflows across many industries. Any system where a large number of machines need to access a set of files at scale and with low latency will benefit from this service. The sections below give specific examples.

-Learn more about [High-performance computing for rendering.](https://azure.microsoft.com/solutions/high-performance-computing/rendering/)

-Learn more about [High-performance computing for health and life sciences.](https://azure.microsoft.com/solutions/high-performance-computing/health-and-life-sciences/)

-The silicon design industryΓÇÖs design verification workloads, known as ΓÇ£electronic design automation (EDA) toolsΓÇ¥ are compute-intensive tools that can be run on large-scale virtual machine compute grids.

-Learn more about [High-performance computing for silicon.](https://azure.microsoft.com/solutions/high-performance-computing/silicon/)

-Learn more about [High-performance computing for financial services.](https://azure.microsoft.com/solutions/high-performance-computing/financial-services/)

-The solution uses the IoT Central data export capability to export OPC-UA data. Data export continuously sends filtered telemetry received from the OPC-UA server to an Azure Data Explorer environment. The filter ensures that only data from the OPC-UA is exported. The data export uses a [transformation](howto-transform-data-internally.md) to map the raw telemetry into a tabular structure suitable for Azure Data Explorer to ingest. The following snippet shows the transformation query:

-# Cross-region load balancer (Preview)

-> [!IMPORTANT]

-> Cross-region load balancer is currently in preview.

-> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-* UDP traffic isn't supported on Cross-region Load Balancer.

- | Health probe | Select **Create new**. </br> In **Name**, enter **myHealthProbe**. </br> Select **TCP** in **Protocol**. </br> Leave the rest of the defaults, and select **OK**. |

-> [!IMPORTANT]

-> Cross-region Azure Load Balancer is currently in public preview.

-> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> [!IMPORTANT]

-> Cross-region Azure Load Balancer is currently in public preview.

-> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-> [!IMPORTANT]

-> Cross-region Azure Load Balancer is currently in public preview.

-> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

-> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

-from azure.ai.ml import MLClient

-subscription_id = "sub-id"

-resource_group = "rg-name"

-workspace = "ws-name"

-# get a handle to the workspace

- DefaultAzureCredential(), subscription_id, resource_group, workspace

-rec_trigger = RecurrenceTrigger(start_time="yyyy-mm-ddThh:mm:ss", time_zone=TimeZone.INDIA_STANDARD_TIME, frequency="week", interval=1, schedule=RecurrencePattern(week_days=["Friday"], hours=15, minutes=[30]))

-```

-Models typically use code from the transformers SDK but some models run code from the model repo. Such models need to set the parameter `trust_remote_code` to `True`. Such models are not supported from keeping security in mind. Attempting to deploy such models will fail with the following error: `ValueError: Loading <model> requires you to execute the configuration file in that repo on your local machine. Make sure you have read the code there to avoid malicious use, then set the option trust_remote_code=True to remove this error.`

-> Read replicas are created with the same server configuration as the source. The replica server configuration can be changed after it has been created. The replica server is always created in the same resource group, same location and same subscription as the source server. If you want to create a replica server to a different resource group or different subscription, you can [move the replica server](../../azure-resource-manager/management/move-resource-group-and-subscription.md) after creation. It is recommended that the replica server's configuration should be kept at equal or greater values than the source to ensure the replica is able to keep up with the source.

-If you prefer to install and use the CLI locally, this tutorial requires Azure CLI version 2.0 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI](/cli/azure/install-azure-cli).

-| Single servers with Private Link enabled | Private Link is on the road map for this year. You can also choose to migrate now and perform wNet injection via a point-in-time restore operation to move to private access network connectivity method. |

-| Single servers with Cross-Region Read Replicas enabled | Cross-Region Read Replicas for flexible server (for paired region) is in private preview, and you can start migrating your single server. Cross-Region Read Replicas for flexible server (for any cross-region) is on the road map for later this year, post which you can migrate your single server. |

-**A.** Flexible Server support for private link is on our road map as our highest priority. Launch of the feature is planned in Q2 2023 and you have ample time to initiate your Single Server to Flexible Server migrations with private link configured. You can also choose to migrate now and perform VNet injection via a point-in-time restore operation to move to private access network connectivity method.

-**A.** Flexible Server support for cross-region read replicas is on our roadmap as our highest priority. Cross-Region Read Replicas for flexible server (for paired region) is in private preview, and you can start migrating your single server. Cross-Region Read Replicas for flexible server (for any cross-region) is on the road map for later this year, post, which you can migrate your single server.

- > Azure will create a default network security group for **myVm** virtual machine (because you selected **Basic** NIC network security group). You will use this default network security group to test network communication to and from the virtual machine in the next section.

- | Virtual machine | Select **myVm** virtual machine. |

- | Network interface | Select the network interface of **myVm**. When you use the Azure portal to create a virtual machine, the portal names the network interface using the virtual machine's name and a random number (for example myvm36). |

-1. Change **Remote IP address** to **10.0.0.10** and repeat the test by selecting **Verify IP flow** button again. The result of the second test indicates that access is allowed to **10.0.0.10** because of the default security rule **AllowVnetOutBound**.

- :::image type="content" source="./media/diagnose-vm-network-traffic-filtering-problem/ip-flow-verify-second-test-results.png" alt-text="Screenshot shows the result of IP flow verify to IP address 10.0.0.10." lightbox="./media/diagnose-vm-network-traffic-filtering-problem/ip-flow-verify-second-test-results.png":::

-To determine why the rules in the previous section allow or deny communication, review the effective security rules for the network interface in **myVm** virtual machine.

- > **myVm** virtual machine has one network interface which will be selected once you select **myVm**. If your virtual machine has more than one network interface, choose the one that you want to see its effective security rules.

-Even with the proper network traffic filters in place, communication to a virtual machine can still fail, due to routing configuration. To learn how to diagnose virtual machine routing problems, see [Diagnose a virtual machine network routing problem](diagnose-vm-network-routing-problem.md). To diagnose outbound routing, latency, and traffic filtering problems with one tool, see [Troubleshoot connections with Azure Network Watcher](network-watcher-connectivity-portal.md).

-In this article, you learn how to manage NSG flow logs programmatically using an Azure Resource Manager template and Azure PowerShell.

-In this article, you learn how to create, change, disable, or delete an NSG flow log using the Azure CLI.

-In this article, you learn how to create, change, disable, or delete an NSG flow log using Azure PowerShell.

-This article helps use the REST API to enable, disable, and query flow logs using.

-You learn how to:

-In this article, you learn how to create, change, disable, or delete an NSG flow log using the Azure portal.

-The networking services in Azure provide a variety of networking capabilities that can be used together or separately. Select any of the following key capabilities to learn more about them:

-Azure Bastion is a service that you can deploy to let you connect to a virtual machine using your browser and the Azure portal, or via the native SSH or RDP client already installed on your local computer. The Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS. When you connect via Azure Bastion, your virtual machines don't need a public IP address, agent, or special client software. For more information, see [What is Azure Bastion?](../../bastion/bastion-overview.md)

-### <a name="avnm"></a>Azure Virtual Network Manager

-Azure Virtual Network Manager is a management service that enables you to group, configure, deploy, and manage virtual networks globally across subscriptions. With Virtual Network Manager, you can define network groups to identify and logically segment your virtual networks. Then you can determine the connectivity and security configurations you want and apply them across all the selected virtual networks in network groups at once. For more information, see [What is Azure Virtual Network Manager?](../../virtual-network-manager/overview.md).

-[Azure Web Application Firewall](../../web-application-firewall/overview.md) (WAF) provides protection to your web applications from common web exploits and vulnerabilities such as SQL injection, and cross site scripting. Azure WAF provides out of box protection from OWASP top 10 vulnerabilities via managed rules. Additionally customers can also configure custom rules, which are customer managed rules to provide additional protection based on source IP range, and request attributes such as headers, cookies, form data fields or query string parameters.

-Customers can choose to deploy [Azure WAF with Application Gateway](../../web-application-firewall/ag/ag-overview.md) which provides regional protection to entities in public and private address space. Customers can also choose to deploy [Azure WAF with Front Door](../../web-application-firewall/afds/afds-overview.md) which provides protection at the network edge to public endpoints.

-description: This article describes management functions for Cloud NGFW by Palo Alto Networks on the Azure portal.

-description: Learn about using the Cloud NGFW by Palo Alto Networks from the Marketplace.

-In this article, you learn how to use the integration of the Palo Alto Networks NGFW (Next Generation Firewall) service with Azure.

-With the integration of Cloud NGFW for Azure into the Azure ecosystem, we are delivering an integrated platform and empowering a growing ecosystem of developers and customers to help protect their organizations on Azure.

-The Palo Alto Networks offering in the Azure Marketplace allows you to manage the Cloud NGFW by Palo Alto Networks in the Azure portal as an integrated service. You can set up the Cloud NGFW by Palo Alto Networks resources through a resource provider namedΓÇ»`PaloAltoNetworks.Cloudngfw`.

-You can create and manage Palo Alto Networks resources through the Azure portal. Palo Alto Networks owns and runs the software as a service (SaaS) application including the accounts created.

-description: This article provides information about getting support and troubleshooting a Cloud NGFW by Palo Alto Networks.

-# Troubleshooting Cloud NGFW by Palo Alto Networks

-| Germany West Central | :heavy_check_mark: (v3/v4 only) | :x: $ | :x: $ | :x: |

-| South Africa North | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: |

-* Support for [minor versions](./concepts-supported-versions.md) 15.2 (preview), 14.7, 13.10, 12.14, 11.19. ^$

-* Support for [minor versions](./concepts-supported-versions.md) 14.6, 13.9, 12.13, 11.18. ^$

- > [!CAUTION]

- > If you configure **Mobile Country Code (MCC)** or **Mobile Network Code (MNC)** values incorrectly, you must redeploy the mobile network to change them.

-The following modifications will trigger a packet core reinstall, during which your service will be unavailable:

-Additionally, the following changes don't trigger a packet core reinstall, but will require you to manually perform a reinstall to allow the new configuration to take effect:

-If you're making any of these changes to a healthy packet core instance, we recommend running this process during a maintenance window to minimize the impact on your service. You should allow up to two hours for the process to complete.

-If your packet core instance is in **Uninstalled**, **Uninstalling** or **Failed** state, or if you're connecting an ASE device for the first time, you won't need a packet core reinstall after making your changes. In this case, you can skip the next step and move to [Select the packet core instance to modify](#select-the-packet-core-instance-to-modify).

-The following list contains the data that will be lost over a packet core reinstall. If you're making a change that requires a reinstall, back up any information you'd like to preserve; after the reinstall, you can use this information to reconfigure your packet core instance.

-# Connect to Azure Cosmos DB for NoSQL in Microsoft Purview

-This article outlines the process to register and scan Azure Cosmos DB for NoSQL instance in Microsoft Purview, including instructions to authenticate and interact with the Azure Cosmos DB database source

-This section will enable you to register the Azure Cosmos DB for NoSQL instance and set up an appropriate authentication mechanism to ensure successful scanning of the data source.

-1. Select the **Azure Cosmos DB for NoSQL** data source and select **Continue**

-This tutorial shows you how to deploy an Azure Route Server into a virtual network and establish a BGP peering connection with a Quagga network virtual appliance (NVA). You'll deploy a virtual network with four subnets. One subnet will be dedicated to the Route Server and another subnet dedicated to the Quagga NVA. The Quagga NVA will be configured to exchange routes with the Route Server. Lastly, you'll test to make sure routes are properly exchanged on the Route Server and Quagga NVA.

-> * Create a virtual network with five subnets

-* An Azure subscription

-You'll need a virtual network to deploy both the Route Server and the Quagga NVA. Azure Route Server must be deployed in a dedicated subnet called *RouteServerSubnet*.

-To configure the Quagga network virtual appliance, you'll need to deploy a Linux virtual machine, and then configure it with this [script](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.network/route-server-quagga/scripts/quaggadeploy.sh).

- | Image | Select an **Ubuntu**, **SUSE** or **RHEL** image. |

- | Username | Enter *azureuser*. Don't use *quagga* as the user name or else the setup script will fail in a later step. |

-

-1. Select **Review + create** and then **Create** after validation passes. The deployment of the virtual machine will take about 10 minutes.

-1. Under **Private IP address Settings**, change the **Assignment** from **Dynamic** to **Static**, and then change the **IP address** from **10.1.4.4** to **10.1.4.10**. This IP address is used in this [script](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.network/route-server-quagga/scripts/quaggadeploy.sh), which will be run in a later step. If you want to use a different IP address, ensure to update the IP in the script.

-1. At your prompt, open an SSH connection to the Quagga VM. Replace the IP address with the one you took note of in the previous step.

-```console

-ssh azureuser@52.240.57.121

-```

-3. When prompted, enter the password you previously created for the Quagga VM.

-1. Once logged in, enter `sudo su` to switch to super user to avoid errors running the script. Copy this [script](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.network/route-server-quagga/scripts/quaggadeploy.sh) and paste it into the SSH session. The script will configure the virtual machine with Quagga along with other network settings. Update the script to suit your network environment before running it on the virtual machine. It will take a few minutes for the script to complete the setup.

- The output should look like the following:

-1. To check the routes learned by the Quagga NVA, enter `vtysh` and then enter `show ip bgp` on the NVA. Output should look like the following:

-2. Select the **myRouteServerRG** resource group.

-3. Select **Delete resource group**.

-4. Enter *myRouteServerRG* and select **Delete**.

-> | Variable | Description | Type | Notes |

-> | -- | - | - | - |

-> | `environment` | Identifier for the control plane (max 5 chars) | Mandatory | For example, `PROD` for a production environment and `NP` for a non-production environment. |

-> | `location` | The Azure region in which to deploy. | Required | Use lower case |

-> | 'name_override_file' | Name override file | Optional | see [Custom naming](naming-module.md) |

-> | `dns_label` | DNS name of the private DNS zone | Optional |

-The following sample code is an example configuration file. It defines three data disks (LUNs 0, 1, and 2), a log disk (LUN 9, using the Ultra SKU) and a backup disk (LUN 13, using the standard SSDN SKU). The application tier servers (Application, Central Services amd Web Dispatchers) will be deployed with jus a single 'sap' data disk.

- "vm_size" : "Standard_D4s_v3",

-Some developers might prefer the more familiar, simple, open-source solution of Lucene. Lucene language analyzers are faster, but the Microsoft analyzers have advanced capabilities, such as lemmatization, word decompounding (in languages like German, Danish, Dutch, Swedish, Norwegian, Estonian, Finish, Hungarian, Slovak) and entity recognition (URLs, emails, dates, numbers). If possible, you should run comparisons of both the Microsoft and Lucene analyzers to decide which one is a better fit. You can use [Analyze API](/rest/api/searchservice/test-analyzer) to see the tokens generated from a given text using a specific analyzer.

- "scoringParameters": [currentLocation--122.123,44.77233]

-| Data sources | Search indexes can accept text from any source, provided it's submitted as a JSON document. <br/><br/> [**Indexers**](search-indexer-overview.md) are a feature that automates data import from supported data sources to extract searchable content in primary data stores. Indexers handle JSON serialization for you and most support some form of change and deletion detection. You can connect to a [variety of data sources](search-data-sources-gallery.md), including [Azure SQL Database](search-howto-connecting-azure-sql-database-to-azure-search-using-indexers.md), [Azure Cosmos DB](search-howto-index-cosmosdb.md), or [Azure Blob storage](search-howto-indexing-azure-blob-storage.md). |

-+ A search engine for full text search over a search index containing user-owned content

-+ Rich query syntax for text search, fuzzy search, autocomplete, geo-search and more

-+ [**Indexing**](search-what-is-an-index.md) is an intake process that loads content into your search service and makes it searchable. Internally, inbound text is processed into tokens and stored in inverted indexes for fast scans. You can upload JSON documents, or use an indexer to serialize your data into JSON.

-This article is a high-level introduction to vector search in Azure Cognitive Search. It also explains integration with other Azure services and covers the core concepts you need to know for vector search development.

-Azure Cognitive Search can efficiently store and retrieve vector embeddings using Approximate Nearest Neighbor methods (ANN). Vector search can be used to power similarity search, multi-modal search, recommendations engines, or applications implementing the [Retrieval Augmented Generation (RAG) architecture](https://arxiv.org/abs/2005.11401).

-+ **Multi-lingual search**: Use a multi-lingual embeddings model to represent your document in multiple languages in a single vector space to find documents regardless of the language they are in.

-+ **Filtered vector search**: Use [filters](search-filters.md) with vector queries to select a specific category of indexed documents, or to implement document-level security, geospatial search, and more.

-+ [LangChain](https://python.langchain.com/docs/get_started/introduction.html) is a framework for developing applications powered by language models. Use the [Azure Cognitive Search vector store integraton](https://python.langchain.com/docs/modules/data_connection/vectorstores/integrations/azuresearch) to simplify the creation of applications using LLMs with Azure Cognitive Search as your vector datastore.

-+ [Semantic kernel](https://github.com/microsoft/semantic-kernel/blob/main/README.md) is a lightweight SDK enabling integration of AI Large Language Models (LLMs) with conventional programming languages.

-*Embeddings* are a specific type of vector representation created by machine learning models that capture the semantic meaning of text, or abstract representations of other content such as images. Natural language machine learning models are trained on large amounts of data to identify patterns and relationships between words. During training, they learn to represent any input as a vector of real numbers in an intermediary step called the *encoder*. After training is complete, these language models can be modified so the intermediary vector representation becomes the model's output. The resulting embeddings are high-dimensional vectors, where words with similar meanings are closer together in the vector space, as explained in [this Azure OpenAI Service article](/azure/cognitive-services/openai/concepts/understand-embeddings). The effectiveness of vector search in retrieving relevant information depends on the effectiveness of the embedding model in distilling the meaning of documents and queries into the resulting vector. The best models are well-trained on the types of data they're representing. This can be achieved by training directly on the problem space or fine-tuning a general-purpose model, such as GPT. Azure Cognitive Search today doesn't provide a way to vectorize documents and queries, leaving it up to you to pick the best embedding model for your data. The new vector search APIs allow you to store and retrieve vectors efficiently.

-*Embedding space* is the corpus for vector search. Machine learning models create the embedding space by mapping individual words, phrases, or documents (for natural language processing), images, or other forms of data into an abstract representation comprised of a vector of real numbers representing a coordinate in a high-dimensional space. In this embedding space, similar items are located close together, and dissimilar items are located farther apart.

-For example, documents that talk about different species of dogs would be clustered close together in the embedding space. Documents about cats would be close together, but farther from the dogs cluster while still being in the neighborhood for animals. Dissimilar concepts such as cloud computing would be much farther away. In practice, these embedding spaces are very abstract and don't have well-defined, human-interpretable meanings, but the core idea stays the same.

-+ `euclidean`: Also known as _l2-norm_, this measures the length of the vector difference between two vectors.

-Approximate Nearest Neighbor search (ANN) is a class of algorithms for finding matches in vector space. This class of algorithms employs different data structures or data partitioning methods to significantly reduce the search space to accelerate query processing. The specific approach depends on the algorithm. While sacrificing some precision, these algorithms offer scalable and faster retrieval of approximate nearest neighbors, which makes them ideal for balancing accuracy and efficiency in modern information retrieval applications. You may adjust the parameters of your algorithm to fine-tune the recall, latency, memory, and disk footprint requirements of your search application.

-| [**Vector search public preview**](vector-search-overview.md) | Feature | Adds vector fields to a search index for similarity search over vector representations of text, image, and multilingual content. |

-1. To configure the upload API data connector, select the **Data connectors** menu.

-1. Find and select the **Threat Intelligence Upload Indicators API** data connector > **Open connector page** button.

-1. Select the **Connect** button.

- - Application (client) ID

- - Client secret

- - Microsoft Sentinel workspace ID

-1. Enter these values in the configuration of your integrated TIP or custom solution where required.

-10. Configure Target - select the strem created before.

- destblobName = '<destination block blob name>'

- <storage-account-name>.blob.core.windows.net:/<storage-account-name>/<container-name> /nfsdata aznfs defaults,sec=sys,vers=3,nolock,proto=tcp,nofail 0 0

- **Does Azure File Sync sync the LastWriteTime for directories?**

- No, Azure File Sync doesn't sync the LastWriteTime for directories.

-description: Describes StorSimple data copy resources, data migration, device decommission operations, end of support, tiering, virtual device, and storage management, and introduces key terms used in StorSimple.

- The system reboots multiple times. You'll be notified when the reset has successfully completed. Depending on the system model, it can take 45-60 minutes for an 8100 device and 60-90 minutes for an 8600 to finish this process.

-description: Learn about processing your real-time data streams in Azure Event Hubs by using the Azure Stream Analytics no-code editor.

-# No-code stream processing through Azure Stream Analytics

-You can process your real-time data streams in Azure Event Hubs by using Azure Stream Analytics. The no-code editor allows you to develop a Stream Analytics job without writing a single line of code. In minutes, you can develop and run a job that tackles many scenarios, including:

-The experience provides a canvas that allows you to connect to input sources to quickly see your streaming data. Then you can transform it before writing to your destination of choice in Azure.

-You can:

-To use the no-code editor to create a Stream Analytics job, open an Event Hubs instance. Select **Process Data**, and then select any template.

-The following screenshot shows a finished Stream Analytics job. It highlights all the sections available to you while you author.

-## Event Hubs as the streaming input

-You can always edit the field names, or remove or change the data type, or change the event time (**Mark as event time**: TIMESTAMP BY clause if a datetime type field), by selecting the three-dot symbol next to each field. You can also expand, select, and edit any nested fields from the incoming messages, as shown in the following image.

-

-You can also add new field with the **Build-in Functions** to aggregate the data from upstream. Currently, the build-in functions we support are some functions in **String Functions**, **Date and Time Functions**, **Mathematical Functions**. To learn more about the definitions of these functions, see [Built-in Functions (Azure Stream Analytics)](/stream-analytics-query/built-in-functions-azure-stream-analytics).

-### Event Hubs

-When you're connecting to an event hub and selecting its tile in the diagram view (the **Data Preview** tab), you'll get a live preview of data coming in if all the following are true:

-You can save the job anytime while creating it. After you configure the event hub, transformations, and streaming outputs for the job, you can start the job.

-> Although the no-code editor is in preview, the Azure Stream Analytics service is generally available.

-## Stream Analytics jobs list

-To see a list of all Stream Analytics jobs that you created by using the no-code drag-and-drop experience, select **Process data** > **Stream Analytics jobs**.

-Stream Analytics can route job output to many storage systems such as Azure Blob storage, Azure SQL Database, Azure Data Lake Store, and Azure Cosmos DB. You can also run batch analytics on stream outputs with Azure Synapse Analytics or HDInsight, or you can send the output to another service, like Event Hubs for consumption or Power BI for real-time visualization.

-For the entire list of Stream Analytics outputs, see [Understand outputs from Azure Stream Analytics](stream-analytics-define-outputs.md).

-It is highly recommended to enable resource logs for all jobs as this will greatly help with debugging and monitoring.

-3. Click an operation to see its summary view. Information here is often limited. To learn more details about the operation, click **JSON**.

-Turning on resource logs and sending them to Azure Monitor logs is highly recommended. They are **off** by default. To turn them on, complete these steps:

-1. Create a Log Analytics workspace if you don't already have one. It is recommended to have your Log Analytics workspace in the same region as your Stream Analytics job.

-2. Provide a **Name** in **Diagnostic settings name** and check the boxes for **Execution** and **Authoring** under **log**, and **AllMetrics** under **metric**. Then select **Send to Log Analytics** and choose your workspace. Click **Save**.

-4. Stream Analytics provides pre-defined queries that allows you to easily search for the logs that you are interested in. You can select any pre-defined queries on the left pane and then select **Run**. You will see the results of the query in the bottom pane.

-Azure Stream Analytics captures two categories of resource logs:

-* **Authoring**: Captures log events that are related to job authoring operations, such as job creation, adding and deleting inputs and outputs, adding and updating the query, and starting or stopping the job.

-* **Execution**: Captures events that occur during job execution.

- * Connectivity errors

- * Data processing errors, including:

- * Events that donΓÇÖt conform to the query definition (mismatched field types and values, missing fields, and so on)

- * Expression evaluation errors

- * Other events and errors

-All logs are stored in JSON format. Each entry has the following common string fields:

-Name | Description

-time | Timestamp (in UTC) of the log.

-resourceId | ID of the resource that the operation took place on, in upper case. It includes the subscription ID, the resource group, and the job name. For example, **/SUBSCRIPTIONS/6503D296-DAC1-4449-9B03-609A1F4A1C87/RESOURCEGROUPS/MY-RESOURCE-GROUP/PROVIDERS/MICROSOFT.STREAMANALYTICS/STREAMINGJOBS/MYSTREAMINGJOB**.

-category | Log category, either **Execution** or **Authoring**.

-operationName | Name of the operation that is logged. For example, **Send Events: SQL Output write failure to mysqloutput**.

-status | Status of the operation. For example, **Failed** or **Succeeded**.

-level | Log level. For example, **Error**, **Warning**, or **Informational**.

-properties | Log entry-specific detail, serialized as a JSON string. For more information, see the following sections in this article.

-### Execution log properties schema

-Execution logs have information about events that happened during Stream Analytics job execution. The schema of properties varies depending on whether the event is a data error or a generic event.

-### Data errors

-Any error that occurs while the job is processing data is in this category of logs. These logs most often are created during data read, serialization, and write operations. These logs do not include connectivity errors. Connectivity errors are treated as generic events. You can learn more about the cause of various different [input and output data errors](./data-errors.md).

-Name | Description

-Source | Name of the job input or output where the error occurred.

-Message | Message associated with the error.

-Type | Type of error. For example, **DataConversionError**, **CsvParserError**, or **ServiceBusPropertyColumnMissingError**.

-Data | Contains data that is useful to accurately locate the source of the error. Subject to truncation, depending on size.

-Depending on the **operationName** value, data errors have the following schema:

-* **Serialize events** occur during event read operations. They occur when the data at the input does not satisfy the query schema for one of these reasons:

- * *Type mismatch during event (de)serialize*: Identifies the field that's causing the error.

- * *Cannot read an event, invalid serialization*: Lists information about the location in the input data where the error occurred. Includes blob name for blob input, offset, and a sample of the data.

-* **Send events** occur during write operations. They identify the streaming event that caused the error.

-### Generic events

-Generic events cover everything else.

-Name | Description

-Error | (optional) Error information. Usually, this is exception information if it's available.

-Message| Log message.

-Type | Type of message. Maps to internal categorization of errors. For example, **JobValidationError** or **BlobOutputAdapterInitializationFailure**.

-Correlation ID | GUID that uniquely identifies the job execution. All execution log entries from the time the job starts until the job stops have the same **Correlation ID** value.

-Stream Analytics has [many metrics](./stream-analytics-job-metrics.md) available to monitor a job's health. To troubleshoot performance problems with your job, you can split and filter metrics by using the following dimensions.

-| Dimension | Definition |

-| - | - |

-| **Logical Name** | The input or output name for a Stream Analytics job. |

-| **Partition ID** | The ID of the input data partition from an input source. For example, if the input source is an event hub, the partition ID is the event hub's partition ID. For embarrassingly parallel jobs, **Partition ID** in the output is the same as it is in the input. |

-| **Node Name** | The identifier of a streaming node that's provisioned when your job runs. A streaming node represents the amount of compute and memory resources allocated to your job. |

-**Logical Name** is the input or output name for a Stream Analytics job. For example, assume that a Stream Analytics job has four inputs and five outputs. You'll see the four individual logical inputs and five individual logical outputs when you split input-related and output-related metrics by this dimension.

-<!--:::image type="content" source="./media/stream-analytics-job-metrics-dimensions/05-input-events-splitting-by-logic-name.png" alt-text="Screenshot that shows splitting the Input Events metric by Logical Name."::: -->

-The **Logical Name** dimension is available for filtering and splitting the following metrics:

-A streaming node represents a set of compute resources that's used to process your input data. Every six streaming units (SUs) translate to one node, which the service automatically manages on your behalf. For more information about the relationship between streaming units and streaming nodes, see [Understand and adjust streaming units](./stream-analytics-streaming-unit-consumption.md).

-**Node Name** is a dimension at the streaming node level. It can help you to drill down certain metrics to the specific streaming node level. For example, you can split the **CPU % Utilization** metric by streaming node level to check the CPU utilization of an individual streaming node.

-The **Node Name** dimension is available for filtering and splitting the following metrics:

-When streaming data is ingested into the Azure Stream Analytics service for processing, the input data is distributed to streaming nodes according to the partitions in the input source. The **Partition ID** dimension is the ID of the input data partition from the input source.

-For example, if the input source is an event hub, the partition ID is the event hub's partition ID. **Partition ID** in the input is the same as it is in the output.

-The **Partition ID** dimension is available for filtering and splitting the following metrics:

-Azure Stream Analytics provides the following metrics for you to monitor your job's health.

-| Metric | Definition |

-| - | - |

-| **Backlogged Input Events** | Number of input events that are backlogged. A nonzero value for this metric implies that your job can't keep up with the number of incoming events. If this value is slowly increasing or is consistently nonzero, you should scale out your job. To learn more, see [Understand and adjust streaming units](stream-analytics-streaming-unit-consumption.md). |

-| **Data Conversion Errors** | Number of output events that couldn't be converted to the expected output schema. To drop events that encounter this scenario, you can change the error policy to **Drop**. |

-| **CPU % Utilization** (preview) | Percentage of CPU that your job utilizes. Even if this value is very high (90 percent or more), you shouldn't increase the number of SUs based on this metric alone. If the number of backlogged input events or watermark delays increases, you can then use this metric to determine if the CPU is the bottleneck. <br><br>This metric might have intermittent spikes. We recommend that you do scale tests to determine the upper bound of your job after which inputs are backlogged or watermark delays increase because of a CPU bottleneck. |

-| **Early Input Events** | Events whose application time stamp is earlier than their arrival time by more than 5 minutes. |

-| **Failed Function Requests** | Number of failed Azure Machine Learning function calls (if present). |

-| **Function Events** | Number of events sent to the Azure Machine Learning function (if present). |

-| **Function Requests** | Number of calls to the Azure Machine Learning function (if present). |

-| **Input Deserialization Errors** | Number of input events that couldn't be deserialized. |

-| **Input Event Bytes** | Amount of data that the Stream Analytics job receives, in bytes. You can use this metric to validate that events are being sent to the input source. |

-| **Input Events** | Number of records deserialized from the input events. This count doesn't include incoming events that result in deserialization errors. Stream Analytics can ingest the same events multiple times in scenarios like internal recoveries and self-joins. Don't expect **Input Events** and **Output Events** metrics to match if your job has a simple pass-through query. |

-| **Input Sources Received** | Number of messages that the job receives. For Azure Event Hubs, a message is a single `EventData` item. For Azure Blob Storage, a message is a single blob. <br><br>Note that input sources are counted before deserialization. If there are deserialization errors, input sources can be greater than input events. Otherwise, input sources can be less than or equal to input events because each message can contain multiple events. |

-| **Late Input Events** | Events that arrived later than the configured tolerance window for late arrivals. [Learn more about Azure Stream Analytics event order considerations](./stream-analytics-time-handling.md). |

-| **Out-of-Order Events** | Number of events received out of order that were either dropped or given an adjusted time stamp, based on the event ordering policy. This metric can be affected by the configuration of the **Out-of-Order Tolerance Window** setting. |

-| **Output Events** | Amount of data that the Stream Analytics job sends to the output target, in number of events. |

-| **Runtime Errors** | Total number of errors related to query processing. It excludes errors found while ingesting events or outputting results. |

-| **SU (Memory) % Utilization** | Percentage of memory that your job utilizes. If this metric is consistently over 80 percent, the watermark delay is rising, and the number of backlogged events is rising, consider increasing streaming units (SUs). High utilization indicates that the job is using close to the maximum allocated resources. |

-| **Watermark Delay** | Maximum watermark delay across all partitions of all outputs in the job. |

-|Metric|Condition|Time aggregation|Threshold|Corrective actions|

-|-|-|-|-|-|

-|**SU (Memory) % Utilization**|Greater than|Average|80|Multiple factors increase the utilization of SUs. You can scale with query parallelization or increase the number of SUs. For more information, see [Leverage query parallelization in Azure Stream Analytics](stream-analytics-parallelization.md).|

-|**CPU % Utilization**|Greater than|Average|90|This likely means that some operations (such as user-defined functions, user-defined aggregates, or complex input deserialization) are requiring a lot of CPU cycles. You can usually overcome this problem by increasing the number of SUs for the job.|

-|**Runtime Errors**|Greater than|Total|0|Examine the activity or resource logs and make appropriate changes to the inputs, query, or outputs.|

-|**Watermark Delay**|Greater than|Average|When the average value of this metric over the last 15 minutes is greater than the late arrival tolerance (in seconds). If you haven't modified the late arrival tolerance, the default is set to 5 seconds.|Try increasing the number of SUs or parallelizing your query. For more information on SUs, see [Understand and adjust streaming units](stream-analytics-streaming-unit-consumption.md#how-many-sus-are-required-for-a-job). For more information on parallelizing your query, see [Leverage query parallelization in Azure Stream Analytics](stream-analytics-parallelization.md).|

-|**Input Deserialization Errors**|Greater than|Total|0|Examine the activity or resource logs and make appropriate changes to the input. For more information on resource logs, see [Troubleshoot Azure Stream Analytics by using resource logs](stream-analytics-job-diagnostic-logs.md).|

-You can create SQL pools, Data Explorer pools, Apache Spark pools, and Integration runtimes if you're an Azure Owner or Contributor on the workspace. When using ARM templates for automated deployment, you need to be an Azure Contributor on the resource group.

-Create a dedicated SQL pool or a serverless SQL pool|Azure Owner or Contributor on the workspace|none

-Create a Data Explorer pool |Azure Owner or Contributor on the workspace|none

-Create an Apache Spark pool|Azure Owner or Contributor on the workspace|

-## Intune user-scope configuration for Windows 10 Enterprise multi-session VMs now generally available

-Azure communicates a schedule for planned maintenance by sending an email to the subscription owner and co-owners group. You can add additional recipients and channels to this communication by creating Azure activity log alerts. For more information, see [Create activity log alerts on service notifications](../service-health/alerts-activity-log-service-notifications-portal.md).

-Make sure you set the **Event type** as **Planned maintenance**, and **Services** as **Virtual Machine Scale Sets** and/or **Virtual Machines**.

-**A:** A planned maintenance wave starts by setting a schedule to one or more Azure regions. Soon after, an email notification is sent to the subscription admins, co-admins, owners, and contributors (One email per subscription with all recipients added). Additional channels and recipients for this notification could be configured using Activity Log Alerts. In case you deploy a virtual machine to a region where planned maintenance is already scheduled, you will not receive the notification but rather need to check the maintenance state of the VM.