+For Assistants you need a combination of a supported model, and a supported region. Certain tools and capabilities require the latest models. The following models are available in the Assistants API, SDK, Azure AI Studio and Azure OpenAI Studio. The following table is for pay-as-you-go. For information on Provisioned Throughput Unit (PTU) availability, see [provisioned throughput](./provisioned-throughput.md). The listed models and regions can be used with both Assistants v1 and v2.

+| `Storage Blob Data Contributor` | Azure OpenAI | Storage Account | Reads from the input container, and writes the preprocessed result to the output container. |

+| `Cognitive Services OpenAI Contributor` | Azure AI Search | Azure OpenAI | Custom skill. |

+| `Storage Blob Data Reader` | Azure AI Search | Storage Account | Reads document blobs and chunk blobs. |

+| `Cognitive Services OpenAI User` | Web app | Azure OpenAI | Inference. |

+To get a Microsoft Entra access token in Python, use the [Azure Identity Client Library](/python/api/overview/azure/identity-readme).

+var recognizer = new SpeechRecognizer(speechConfig, "en-US", audioConfig);

+auto recognizer = SpeechRecognizer::FromConfig(speechConfig, "en-US", audioConfig);

+SpeechRecognizer recognizer = new SpeechRecognizer(speechConfig, "en-US", audioConfig);

+SPXSpeechRecognizer* recognizer = [[SPXSpeechRecognizer alloc] initWithSpeechConfiguration:speechConfig language:@"en-US" audioConfiguration:audioConfig];

+let recognizer = try! SPXSpeechRecognizer(speechConfiguration: speechConfig, language: "en-US", audioConfiguration: audioConfig)

+|storageAccount | Specify an Azure storage account name.| storageAccountName | - No | When a specific storage account name is not provided, the driver will look for a suitable storage account that matches the account settings within the same resource group. If it fails to find a matching storage account, it will create a new one. However, if a storage account name is specified, the storage account must already exist. |

+|storageAccount | Specify an Azure storage account name.| storageAccountName | - No | When a specific storage account name is not provided, the driver will look for a suitable storage account that matches the account settings within the same resource group. If it fails to find a matching storage account, it will create a new one. However, if a storage account name is specified, the storage account must already exist. |

+## Default OS disk sizing

+When you create a new cluster or add a new node pool to an existing cluster, the number for vCPUs by default determines the OS disk size. The number of vCPUs is based on the VM SKU. The following table lists the default OS disk size for each VM SKU:

+|VM SKU Cores (vCPUs)| Default OS Disk Tier | Provisioned IOPS | Provisioned Throughput (Mbps) |

+|--|--|--|--|

+| 1 - 7 | P10/128G | 500 | 100 |

+| 8 - 15 | P15/256G | 1100 | 125 |

+| 16 - 63 | P20/512G | 2300 | 150 |

+| 64+ | P30/1024G | 5000 | 200 |

+> [!IMPORTANT]

+> Default OS disk sizing is only used on new clusters or node pools when Ephemeral OS disks aren't supported and a default OS disk size isn't specified. The default OS disk size might impact the performance or cost of your cluster. You can't change the OS disk size after cluster or node pool creation. This default disk sizing affects clusters or node pools created on July 2022 or later.

+ Title: Azure Kubernetes Services (AKS) core concepts

+description: Learn about the core concepts of Azure Kubernetes Service (AKS).

+# Core concepts for Azure Kubernetes Service (AKS)

+This article describes core concepts of Azure Kubernetes Service (AKS), a managed Kubernetes service that you can use to deploy and operate containerized applications at scale on Azure.

+## What is Kubernetes?

+Kubernetes is an open-source container orchestration platform for automating the deployment, scaling, and management of containerized applications. For more information, see the official [Kubernetes documentation][kubernetes-docs].

+## What is AKS?

+AKS is a managed Kubernetes service that simplifies deploying, managing, and scaling containerized applications using Kubernetes. For more information, see [What is Azure Kubernetes Service (AKS)?][aks-overview]

+## Cluster components

+An AKS cluster is divided into two main components:

+* **Control plane**: The control plane provides the core Kubernetes services and orchestration of application workloads.

+* **Nodes**: Nodes are the underlying virtual machines (VMs) that run your applications.

+

+### Control plane

+The Azure managed control plane is comprised of several components that help manage the cluster:

+| Component | Description |

+| | -- |

+| *kube-apiserver* | The API server ([kube-apiserver][kube-apiserver]) exposes the Kubernetes API to enable requests to the cluster from inside and outside of the cluster. |

+| *etcd* | [etcd][etcd] is a highly available key-value store that helps maintain the state of your Kubernetes cluster and configuration. |

+| *kube-scheduler* | The scheduler ([kube-scheduler][kube-scheduler]) helps make scheduling decisions, watching for new pods with no assigned node and selecting a node for them to run on. |

+| *kube-controller-manager* | The controller manager ([kube-controller-manager][kube-controller-manager]) runs controller processes, such as noticing and responding when nodes go down. |

+| *cloud-controller-manager* | The cloud controller manager ([cloud-controller-manager][cloud-controller-manager]) embeds cloud-specific control logic to run controllers specific to the cloud provider. |

+### Nodes

+Each AKS cluster has at least one node, which is an Azure virtual machine (VM) that runs Kubernetes node components. The following components run on each node:

+| Component | Description |

+| | -- |

+| *kubelet* | The [kubelet][kubelet] ensures that containers are running in a pod. |

+| *kube-proxy* | The [kube-proxy][kube-proxy] is a network proxy that maintains network rules on nodes. |

+| *container runtime* | The [container runtime][container-runtime] manages the execution and lifecycle of containers. |

+

+## Node configuration

+### VM size and image

+The **Azure VM size** for your nodes defines CPUs, memory, size, and the storage type available, such as high-performance SSD or regular HDD. The VM size you choose depends on the workload requirements and the number of pods you plan to run on each node. For more information, see [Supported VM sizes in Azure Kubernetes Service (AKS)][aks-vm-sizes].

+In AKS, the **VM image** for your cluster's nodes is based on Ubuntu Linux, [Azure Linux](use-azure-linux.md), or Windows Server 2022. When you create an AKS cluster or scale out the number of nodes, the Azure platform automatically creates and configures the requested number of VMs. Agent nodes are billed as standard VMs, so any VM size discounts, including [Azure reservations][reservation-discounts], are automatically applied.

+### OS disks

+Default OS disk sizing is only used on new clusters or node pools when Ephemeral OS disks aren't supported and a default OS disk size isn't specified. For more information, see [Default OS disk sizing][default-os-disk] and [Ephemeral OS disks][ephemeral-os-disks].

+### Resource reservations

+AKS uses node resources to help the nodes function as part of the cluster. This usage can cause a discrepancy between the node's total resources and the allocatable resources in AKS. To maintain node performance and functionality, AKS reserves two types of resources, **CPU** and **memory**, on each node. For more information, see [Resource reservations in AKS][resource-reservations].

+### OS

+AKS supports Ubuntu 22.04 and Azure Linux 2.0 as the node OS for Linux node pools. For Windows node pools, AKS supports Windows Server 2022 as the default OS. Windows Server 2019 is being retired after Kubernetes version 1.32 reaches end of life and isn't supported in future releases. If you need to upgrade your Windows OS version, see [Upgrade from Windows Server 2019 to Windows Server 2022][upgrade-2019-2022]. For more information on using Windows Server on AKS, see [Windows container considerations in Azure Kubernetes Service (AKS)][windows-considerations].

+### Container runtime

+A container runtime is software that executes containers and manages container images on a node. The runtime helps abstract away sys-calls or OS-specific functionality to run containers on Linux or Windows. For Linux node pools, [`containerd`][containerd] is used on Kubernetes version 1.19 and higher. For Windows Server 2019 and 2022 node pools, [`containerd`][containerd] is generally available and is the only runtime option on Kubernetes version 1.23 and higher.

+## Pods

+A *pod* is a group of one or more containers that share the same network and storage resources and a specification for how to run the containers. Pods typically have a 1:1 mapping with a container, but you can run multiple containers in a pod.

+## Node pools

+In AKS, nodes of the same configuration are grouped together into *node pools*. These node pools contain the underlying virtual machine scale sets and virtual machines (VMs) that run your applications. When you create an AKS cluster, you define the initial number of nodes and their size (SKU), which creates a [*system node pool*][use-system-pool]. System node pools serve the primary purpose of hosting critical system pods, such as CoreDNS and `konnectivity`. To support applications that have different compute or storage demands, you can create *user node pools*. User node pools serve the primary purpose of hosting your application pods.

+For more information, see [Create node pools in AKS][create-node-pools] and [Manage node pools in AKS][manage-node-pools].

+## Node resource group

+When you create an AKS cluster in an Azure resource group, the AKS resource provider automatically creates a second resource group called the *node resource group*. This resource group contains all the infrastructure resources associated with the cluster, including virtual machines (VMs), virtual machine scale sets, and storage.

+For more information, see the following resources:

+* [Why are two resource groups created with AKS?][node-resource-group]

+* [Can I provide my own name for the AKS node resource group?][custom-nrg]

+* [Can I modify tags and other properties of the resources in the AKS node resource group?][modify-nrg-resources]

+## Namespaces

+Kubernetes resources, such as pods and deployments, are logically grouped into *namespaces* to divide an AKS cluster and create, view, or manage access to resources.

+The following namespaces are created by default in an AKS cluster:

+| Namespace | Description |

+| | -- |

+| *default* | The [default][kubernetes-namespaces] namespace allows you to start using cluster resources without creating a new namespace. |

+| *kube-node-lease* | The [kube-node-lease][kubernetes-namespaces] namespace enables nodes to communicate their availability to the control plane. |

+| *kube-public* | The [kube-public][kubernetes-namespaces] namespace isn't typically used, but can be used for resources to be visible across the whole cluster by any user. |

+| *kube-system* | The [kube-system][kubernetes-namespaces] namespace is used by Kubernetes to manage cluster resources, such as `coredns`, `konnectivity-agent`, and `metrics-server`. |

+

+## Cluster modes

+In AKS, you can create a cluster with the **Automatic (preview)** or **Standard** mode. AKS Automatic provides a more fully managed experience, managing cluster configuration, including nodes, scaling, security, and other preconfigured settings. AKS Standard provides more control over the cluster configuration, including the ability to manage node pools, scaling, and other settings.

+For more information, see [AKS Automatic and Standard feature comparison][automatic-standard].

+## Pricing tiers

+AKS offers three pricing tiers for cluster management: **Free**, **Standard**, and **Premium**. The pricing tier you choose determines the features available for managing your cluster.

+For more information, see [Pricing tiers for AKS cluster management][pricing-tiers].

+## Supported Kubernetes versions

+For more information, see [Supported Kubernetes versions in AKS][supported-kubernetes-versions].

+## Next steps

+For information on more core concepts for AKS, see the following resources:

+* [AKS access and identity][access-identity]

+* [AKS security][security]

+* [AKS networking][networking]

+* [AKS storage][storage]

+* [AKS scaling][scaling]

+* [AKS monitoring][monitoring]

+* [AKS backup and recovery][backup-recovery]

+<!LINKS>

+[kube-apiserver]: https://kubernetes.io/docs/concepts/overview/components/#kube-apiserver

+[etcd]: https://kubernetes.io/docs/concepts/overview/components/#etcd

+[kube-scheduler]: https://kubernetes.io/docs/concepts/overview/components/#kube-scheduler

+[kube-controller-manager]: https://kubernetes.io/docs/concepts/overview/components/#kube-controller-manager

+[cloud-controller-manager]: https://kubernetes.io/docs/concepts/overview/components/#cloud-controller-manager

+[kubelet]: https://kubernetes.io/docs/concepts/overview/components/#kubelet

+[kube-proxy]: https://kubernetes.io/docs/concepts/overview/components/#kube-proxy

+[container-runtime]: https://kubernetes.io/docs/concepts/overview/components/#container-runtime

+[create-node-pools]: ./create-node-pools.md

+[manage-node-pools]: ./manage-node-pools.md

+[node-resource-group]: ./faq.md#why-are-two-resource-groups-created-with-aks

+[custom-nrg]: ./faq.md#can-i-provide-my-own-name-for-the-aks-node-resource-group

+[modify-nrg-resources]: ./faq.md#can-i-modify-tags-and-other-properties-of-the-aks-resources-in-the-node-resource-group

+[kubernetes-namespaces]: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#initial-namespaces

+[use-system-pool]: ./use-system-pools.md

+[automatic-standard]: ./intro-aks-automatic.md#aks-automatic-and-standard-feature-comparison

+[pricing-tiers]: ./free-standard-pricing-tiers.md

+[access-identity]: ./concepts-identity.md

+[security]: ./concepts-security.md

+[networking]: ./concepts-network.md

+[storage]: ./concepts-storage.md

+[scaling]: ./concepts-scale.md

+[monitoring]: ./monitor-aks.md

+[backup-recovery]: ../backup/azure-kubernetes-service-backup-overview.md

+[kubernetes-docs]: https://kubernetes.io/docs/home/

+[resource-reservations]: ./node-resource-reservations.md

+[reservation-discounts]: ../cost-management-billing/reservations/save-compute-costs-reservations.md

+[supported-kubernetes-versions]: ./supported-kubernetes-versions.md

+[default-os-disk]: ./concepts-storage.md#default-os-disk-sizing

+[ephemeral-os-disks]: ./concepts-storage.md#ephemeral-os-disk

+[aks-overview]: ./what-is-aks.md

+[containerd]: https://containerd.io/

+[aks-vm-sizes]: ./quotas-skus-regions.md#supported-vm-sizes

+[windows-considerations]: ./windows-vs-linux-containers.md

+[upgrade-2019-2022]: ./upgrade-windows-os.md

+After [creating the Dapr extension](./dapr.md), you can configure the [Dapr](https://dapr.io/) extension to work best for you and your project using various configuration options, like:

+- Setting automatic custom resource definition (CRD) updates

+By default, the placement service uses a storage class of type `standard_LRS`. It's recommended to create a **zone redundant storage class** while installing Dapr in HA mode across multiple availability zones. For example, to create a `zrs` type storage class, add the `storageaccounttype` parameter:

+The Dapr extension gets installed in the `dapr-system` namespace by default. To override it, use `--release-namespace`. To redefine the namespace, include the cluster `--scope`.

+[Learn how to configure the Dapr release namespace when migrating from Dapr open source to the Dapr extension](./dapr-migration.md).

+To update your Dapr configuration settings, recreate the extension with the desired state. For example, let's say you previously created and installed the extension using the following configuration:

+The Dapr extension requires the following outbound URLs on `https://:443` to function on AKS and Arc for Kubernetes:

+1. The [outbound URLs required for AKS or Arc for Kubernetes](../azure-arc/kubernetes/network-requirements.md).

+Once you successfully provisioned Dapr in your AKS cluster, try deploying a [sample application][sample-application].

+* Secure service-to-service communication in a cluster with TLS (Transport Layer Security) encryption, strong identity-based authentication and authorization.

+* A pluggable policy layer and configuration API supporting access controls, rate limits, and quotas.

+Istio-based service mesh add-on for AKS currently has the following limitations:

+* The add-on doesn't work on AKS clusters with self-managed installations of Istio.

+* The add-on doesn't yet support egress gateways for outbound traffic control.

+* The add-on doesn't yet support the sidecar-less Ambient mode. Microsoft is currently contributing to Ambient workstream under Istio open source. Product integration for Ambient mode is on the roadmap and is being continuously evaluated as the Ambient workstream evolves.

+* The add-on doesn't yet support multi-cluster deployments.

+* Customization of mesh through the following custom resources is blocked for now - `ProxyConfig, WorkloadEntry, WorkloadGroup, Telemetry, IstioOperator, WasmPlugin, EnvoyFilter`.

+* For `EnvoyFilter`, the add-on only supports customization of Lua filters (`type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua`). Note that this EnvoyFilter is allowed but any issue arising from the Lua script itself is not supported (to learn more about our support policy and distinction between "allowed" and "supported" configurations, see [the following section][istio-meshconfig-support]). Other `EnvoyFilter` types are currently blocked. other `EnvoyFilter` types are currently blocked.

+* Gateway API for Istio ingress gateway or managing mesh traffic (GAMMA) are currently not yet supported with Istio addon. It's planned to allow customizations such as ingress static IP address configuration as part of the Gateway API implementation for the add-on in future.

+* [Troubleshoot Istio-based service mesh add-on][istio-troubleshooting]

+[istio-meshconfig]: ./istio-meshconfig.md

+[istio-ingress]: ./istio-deploy-ingress.md

+[istio-troubleshooting]: /troubleshoot/azure/azure-kubernetes/extensions/istio-add-on-general-troubleshooting

+[istio-meshconfig-support]: ./istio-meshconfig.md#allowed-supported-and-blocked-values

+This guide assumes you followed the [documentation][istio-deploy-addon] to enable the Istio add-on on an AKS cluster, deploy a sample application, and set environment variables.

+> Customizations to IP address on internal and external gateways aren't supported yet. IP address customizations on the ingress specifications are reverted back by the Istio add-on.It's planned to allow these customizations in the Gateway API implementation for the Istio add-on in future.

+After enabling the ingress gateway, applications need to be exposed through the gateway and routing rules need to be configured accordingly. Use the following manifest to map the sample deployment's ingress to the Istio ingress gateway:

+If you want to clean up the Istio external or internal ingress gateways, but leave the mesh enabled on the cluster, run the following command:

+```azure-cli-interactive

+az aks mesh disable-ingress-gateway --ingress-gateway-type <external/internal> --resource-group ${RESOURCE_GROUP}

+```

+> [!NOTE]

+> In case of any issues encountered with deploying the Istio ingress gateway or configuring ingress traffic routing, refer to [article on troubleshooting Istio add-on ingress gateways][istio-ingress-tsg]

+[istio-ingress-tsg]: /troubleshoot/azure/azure-kubernetes/extensions/istio-add-on-ingress-gateway

+> 1.30 is the next LTS version after 1.27. Customers will be able to upgrade from 1.27 LTS to 1.30 LTS starting August, 2024. 1.27 LTS goes End of Life by July 2025.

+ Title: "Set up Network Observability for Azure Kubernetes Service (AKS) - Azure managed Prometheus and Grafana"

+# Set up Network Observability for Azure Kubernetes Service (AKS) - Azure managed Prometheus and Grafana

+## Create cluster

+> [!NOTE]

+>For Kubernetes version >= 1.29, Network Observability is included in clusters with Azure Managed Prometheus. Metric scraping is defined via the [AMA metrics profile](/azure/azure-monitor/containers/prometheus-metrics-scrape-configuration).

+>

+>For lower Kubernetes versions, extra steps are required to enable Network Observability.

+### [**Kubernetes version >= 1.29**](#tab/newer-k8s-versions)

+#### Create a resource group

+A resource group is a logical container into which Azure resources are deployed and managed. Create a resource group with [az group create](/cli/azure/group#az-group-create) command. The following example creates a resource group named **myResourceGroup** in the **eastus** location:

+```azurecli-interactive

+az group create \

+ --name myResourceGroup \

+ --location eastus

+```

+#### Create AKS cluster

+Create an AKS cluster with [az aks create](/cli/azure/aks#az-aks-create).

+The following examples each create an AKS cluster named **myAKSCluster** in the **myResourceGroup** resource group.

+##### Example 1: **Non-Cilium**

+Use [az aks create](/cli/azure/aks#az-aks-create) in the following example to create a non-Cilium AKS cluster.

+```azurecli-interactive

+az aks create \

+ --name myAKSCluster \

+ --resource-group myResourceGroup \

+ --location eastus \

+ --generate-ssh-keys \

+ --network-plugin azure \

+ --network-plugin-mode overlay \

+ --pod-cidr 192.168.0.0/16 \

+ --kubernetes-version 1.29

+```

+#### Example 2: **Cilium**

+Use [az aks create](/cli/azure/aks#az-aks-create) in the following example to create a Cilium AKS cluster.

+```azurecli-interactive

+az aks create \

+ --name myAKSCluster \

+ --resource-group myResourceGroup \

+ --generate-ssh-keys \

+ --location eastus \

+ --max-pods 250 \

+ --network-plugin azure \

+ --network-plugin-mode overlay \

+ --network-dataplane cilium \

+ --node-count 2 \

+ --pod-cidr 192.168.0.0/16

+```

+### [**Kubernetes version < 1.29**](#tab/older-k8s-versions)

+#### Install the `aks-preview` Azure CLI extension

+#### Register the `NetworkObservabilityPreview` feature flag

+#### Create a resource group

+#### Create or Update AKS cluster

+The following examples each create or update an AKS cluster named **myAKSCluster** in the **myResourceGroup** resource group.

+##### Example 1: **Non-Cilium**

+###### Create cluster

+Use [az aks create](/cli/azure/aks#az-aks-create) in the following example to create a non-Cilium AKS cluster with Network Observability.

+ --enable-advanced-network-observability

+###### Update Existing cluster

+Use [az aks update](/cli/azure/aks#az-aks-update) to enable Network Observability for an existing non-Cilium cluster.

+ --enable-advanced-network-observability

+##### Example 2: **Cilium**

+Use [az aks create](/cli/azure/aks#az-aks-create) in the following example to create a Cilium AKS cluster.

+## Get cluster credentials

+1. Navigate to your Grafana instance in a web browser.

+1. We have created a sample dashboard. It can be found under **Dashboards > Azure Managed Prometheus > Kubernetes / Networking / Clusters**.

+1. Check if the metrics in the **Kubernetes / Networking / Clusters** Grafana dashboard are visible. If metrics aren't shown, change time range to last 15 minutes in top right dropdown box.

+In this how-to article, you learned how to set up AKS Network Observability for your AKS cluster.

+- If you're interested in more granular Network Observability and other advanced features, see [What is Advanced Container Networking Services for Azure Kubernetes Service (AKS)?](advanced-container-networking-services-overview.md).

+ Title: What is Azure Kubernetes Service (AKS) Network Observability?

+# What is Azure Kubernetes Service (AKS) Network Observability?

+When the Network Observability add-on is enabled, it allows for the collection and conversion of useful metrics into Prometheus format, which can then be visualized in Grafana.

+Azure has offerings for managed [Prometheus](/azure/azure-monitor/essentials/prometheus-metrics-overview) and [Grafana](/azure/azure-monitor/visualize/grafana-plugin).

+* **Azure managed Prometheus and Grafana:** A managed service provided by Azure, taking care of the infrastructure and maintenance of Prometheus and Grafana, allowing you to focus on configuring and visualizing your metrics.

+- To create an AKS cluster with Network Observability and Azure managed Prometheus and Grafana, see [Setup Network Observability for Azure Kubernetes Service (AKS) - Azure managed Prometheus and Grafana](advanced-network-observability-cli.md).

+ Title: Node resource reservations in Azure Kubernetes Service (AKS)

+description: Learn about node resource reservations in Azure Kubernetes Service (AKS).

+# Node resource reservations in Azure Kubernetes Service (AKS)

+In this article, you learn about node resource reservations in Azure Kubernetes Service (AKS).

+## Resource reservations

+AKS uses node resources to help the nodes function as part of the cluster. This usage can cause a discrepancy between the node's total resources and the allocatable resources in AKS.

+AKS reserves two types of resources, **CPU** and **memory**, on each node to maintain node performance and functionality. As a node grows larger in resources, the resource reservations also grow due to a higher need for management of user-deployed pods. Keep in mind that you can't change resource reservations on a node.

+### CPU reservations

+Reserved CPU is dependent on node type and cluster configuration, which might result in less allocatable CPU due to running extra features. The following table shows CPU reservations in millicores:

+| CPU cores on host | 1 core | 2 cores | 4 cores | 8 cores | 16 cores | 32 cores | 64 cores |

+| -- | | - | - | - | -- | -- | -- |

+| Kube-reserved CPU (millicores) | 60 | 100 | 140 | 180 | 260 | 420 | 740 |

+### Memory reservations

+In AKS, reserved memory consists of the sum of two values:

+**AKS 1.29 and later**

+* **`kubelet` daemon** has the *memory.available < 100 Mi* eviction rule by default. This rule ensures that a node has at least 100 Mi allocatable at all times. When a host is below that available memory threshold, the `kubelet` triggers the termination of one of the running pods and frees up memory on the host machine.

+* **A rate of memory reservations** set according to the lesser value of: *20 MB * Max Pods supported on the Node + 50 MB* or *25% of the total system memory resources*.

+ **Examples**:

+ * If the virtual machine (VM) provides 8 GB of memory and the node supports up to 30 pods, AKS reserves *20 MB * 30 Max Pods + 50 MB = 650 MB* for kube-reserved. `Allocatable space = 8 GB - 0.65 GB (kube-reserved) - 0.1 GB (eviction threshold) = 7.25 GB or 90.625% allocatable.`

+ * If the VM provides 4 GB of memory and the node supports up to 70 pods, AKS reserves *25% * 4 GB = 1000 MB* for kube-reserved, as this is less than *20 MB * 70 Max Pods + 50 MB = 1450 MB*.

+ For more information, see [Configure maximum pods per node in an AKS cluster][maximum-pods].

+**AKS versions prior to 1.29**

+* **`kubelet` daemon** has the *memory.available < 750 Mi* eviction rule by default. This rule ensures that a node has at least 750 Mi allocatable at all times. When a host is below that available memory threshold, the `kubelet` triggers the termination of one of the running pods and free up memory on the host machine.

+* **A regressive rate of memory reservations** for the kubelet daemon to properly function (*kube-reserved*).

+ * 25% of the first 4 GB of memory

+ * 20% of the next 4 GB of memory (up to 8 GB)

+ * 10% of the next 8 GB of memory (up to 16 GB)

+ * 6% of the next 112 GB of memory (up to 128 GB)

+ * 2% of any memory more than 128 GB

+> [!NOTE]

+> AKS reserves an extra 2 GB for system processes in Windows nodes that isn't part of the calculated memory.

+Memory and CPU allocation rules are designed to:

+* Keep agent nodes healthy, including some hosting system pods critical to cluster health.

+* Cause the node to report less allocatable memory and CPU than it would report if it weren't part of a Kubernetes cluster.

+For example, if a node offers 7 GB, it reports 34% of memory not allocatable including the 750 Mi hard eviction threshold.

+`0.75 + (0.25*4) + (0.20*3) = 0.75 GB + 1 GB + 0.6 GB = 2.35 GB / 7 GB = 33.57% reserved`

+In addition to reservations for Kubernetes itself, the underlying node OS also reserves an amount of CPU and memory resources to maintain OS functions.

+For associated best practices, see [Best practices for basic scheduler features in AKS][operator-best-practices-scheduler].

+## Next steps

+<!LINKS>

+[operator-best-practices-scheduler]: operator-best-practices-scheduler.md

+[maximum-pods]: concepts-network-ip-address-planning.md#maximum-pods-per-node

+| **Logging and monitoring** | ΓÇó Integrate with [Container Insights](../azure-monitor/containers/kubernetes-monitoring-enable.md), a feature in Azure Monitor, to monitor the health and performance of your clusters and containerized applications. <br/> ΓÇó Set up [Network Observability](./network-observability-overview.md) to collect and visualize network traffic data from your clusters. |

+|Planned maintenance|[Manual upgrade preference is available](how-to-upgrade-preference.md) |[The platform handles maintenance](../../app-service/routine-maintenance.md) |

+Azure App Service provides several monitoring options for monitoring resources for availability, performance, and operation. Options include Diagnostic Settings, Application Insights, log stream, metrics, quotas and alerts, and activity logs.

+If you're using ASP.NET Core, ASP.NET, Java, Node.js, or Python, we recommend [enabling observability with Application Insights](/azure/azure-monitor/app/opentelemetry-enable). To learn more about observability experiences offered by Application Insights, see [Application Insights overview](/azure/azure-monitor/app/app-insights-overview).

+### Monitoring scenarios

+The following table lists monitoring methods to use for different scenarios.

+|Scenario|Monitoring method |

+|-|--|

+|I want to monitor platform metrics and logs | [Azure Monitor platform metrics](#platform-metrics)|

+|I want to monitor application performance and usage | (Azure Monitor) [Application Insights](#application-insights)|

+|I want to monitor built-in logs for testing and development|[Log stream](troubleshoot-diagnostic-logs.md#stream-logs)|

+|I want to monitor resource limits and configure alerts|[Quotas and alerts](web-sites-monitor.md)|

+|I want to monitor web app resource events|[Activity logs](#activity-log)|

+|I want to monitor metrics visually|[Metrics](web-sites-monitor.md#metrics-granularity-and-retention-policy)|

+<a name="platform-metrics"></a>

+For help understanding metrics in App Service, see [Understand metrics](web-sites-monitor.md#understand-metrics). Metrics can be viewed by aggregates on data (ie. average, max, min, etc.), instances, time range, and other filters. Metrics can monitor performance, memory, CPU, and other attributes.

+<a name="activity-log"></a>

+### Azure activity logs for App Service

+Azure activity logs for App Service include details such as:

+- What operations were taken on the resources (ex: App Service Plans)

+- Who started the operation

+- When the operation occurred

+- Status of the operation

+- Property values to help you research the operation

+Azure activity logs can be queried using the Azure portal, PowerShell, REST API, or CLI.

+### Ship activity logs to Event Grid

+While activity logs are user-based, there's a new [Azure Event Grid](../event-grid/index.yml) integration with App Service (preview) that logs both user actions and automated events. With Event Grid, you can configure a handler to react to the said events. For example, use Event Grid to instantly trigger a serverless function to run image analysis each time a new photo is added to a blob storage container.

+Alternatively, you can use Event Grid with Logic Apps to process data anywhere, without writing code. Event Grid connects data sources and event handlers.

+To view the properties and schema for App Service events, see [Azure App Service as an Event Grid source](../event-grid/event-schema-app-service.md).

+## Log stream (via App Service Logs)

+Azure provides built-in diagnostics to assist during testing and development to debug an App Service app. [Log stream](troubleshoot-diagnostic-logs.md#stream-logs) can be used to get quick access to output and errors written by your application, and logs from the web server. These are standard output/error logs in addition to web server logs.

+### Quotas and alerts

+Apps that are hosted in App Service are subject to certain limits on the resources they can use. [The limits](web-sites-monitor.md#understand-quotas) are defined by the App Service plan that's associated with the app. Metrics for an app or an App Service plan can be hooked up to alerts.

+For a list of supported log types and their descriptions, see [Supported resource logs for Microsoft.Web](monitor-app-service-reference.md#supported-resource-logs-for-microsoftweb).

+Diagnostic settings can be used to collect metrics for certain Azure services into Azure Monitor Logs for analysis with other monitoring data using log queries. For this tutorial, you enable the web server and standard output/error logs. See [supported log types](monitor-app-service-reference.md#resource-logs) for a complete list of log types and descriptions.

+ Title: Quotas and alerts

+# Azure App Service quotas and alerts

+For a list of available metrics for apps or for App Service plans, see [Supported metrics for Microsoft.Web](monitor-app-service-reference.md#supported-metrics-for-microsoftweb).

+Metrics for an app or an App Service plan can be hooked up to alerts. For more information, see [Alerts](monitor-app-service.md#alerts).

+| protocol | HTTP or HTTPS¹ |

+¹ HTTPS will be used when a backendTLSPolicy references a target backend service (for Gateway API implementation) or IngressExtension with a backendSetting protocol of HTTPS (for Ingress API implementation) is specified.

+To start using feature flags with Azure App Configuration, continue to the following quickstarts specific to your applicationΓÇÖs language or platform.

+> [!div class="nextstepaction"]

+> [ASP.NET Core](./quickstart-feature-flag-aspnet-core.md)

+> [.NET/.NET Framework](./quickstart-feature-flag-dotnet.md)

+> [!div class="nextstepaction"]

+> [.NET background service](./quickstart-feature-flag-dotnet-background-service.md)

+> [!div class="nextstepaction"]

+> [Java Spring](./quickstart-feature-flag-spring-boot.md)

+> [!div class="nextstepaction"]

+> [Python](./quickstart-feature-flag-python.md)

+> [!div class="nextstepaction"]

+> [Azure Kubernetes Service](./quickstart-feature-flag-azure-kubernetes-service.md)

+> [!div class="nextstepaction"]

+> [Azure Functions](./quickstart-feature-flag-azure-functions-csharp.md)

+To learn more about managing feature flags in Azure App Configuration, continue to the following tutorial.

+> [!div class="nextstepaction"]

+> [Manage feature flags in Azure App Configuration](./manage-feature-flags.md)

+Feature filters allow you to enable a feature flag conditionally. Azure App Configuration offers built-in feature filters that enable you to activate a feature flag only during a specific period or to a particular targeted audience of your app. For more information, continue to the following tutorial.

+> [!div class="nextstepaction"]

+> [Enable conditional features with feature filters](./howto-feature-filters.md)

+> [!div class="nextstepaction"]

+> [Enable features on a schedule](./howto-timewindow-filter.md)

+> [!div class="nextstepaction"]

+> [Roll out features to targeted audiences](./howto-targetingfilter.md)

+ Title: .NET feature flag management

+description: In this tutorial, you learn how to use feature flags in .NET apps. The feature management library provides various out-of-the-box solutions for application development, ranging from simple feature toggles to complex feature experimentation.

+ms.devlang: csharp

+#Customer intent: I want to control feature availability in my app by using the Feature Management library.

+>

+> ``` C#

+> services.AddFeatureManagement(configuration.GetSection("MyFeatureFlags"));

+> ```

+## Next steps

+To learn how to use feature flags in your applications, continue to the following quickstarts.

+> [!div class="nextstepaction"]

+> [ASP.NET Core](./quickstart-feature-flag-aspnet-core.md)

+> [!div class="nextstepaction"]

+> [.NET/.NET Framework console app](./quickstart-feature-flag-dotnet.md)

+> [!div class="nextstepaction"]

+> [.NET background service](./quickstart-feature-flag-dotnet-background-service.md)

+To learn how to use feature filters, continue to the following tutorials.

+> [!div class="nextstepaction"]

+> [Enable conditional features with feature filters](./howto-feature-filters.md)

+> [!div class="nextstepaction"]

+> [Enable features on a schedule](./howto-timewindow-filter.md)

+> [!div class="nextstepaction"]

+> [Roll out features to targeted audiences](./howto-targetingfilter.md)

+To learn how to run experiments with variant feature flags, continue to the following tutorial.

+> [!div class="nextstepaction"]

+> [Run experiments with variant feature flags](./howto-feature-filters.md)

+For the full feature rundown of the .NET feature management library, continue to the following document.

+> [!div class="nextstepaction"]

+> [.NET Feature Management](./feature-management-dotnet-reference.md)

+For the full feature rundown of the .NET feature management library, continue to the following document.

+> [!div class="nextstepaction"]

+> [.NET Feature Management](./feature-management-dotnet-reference.md)

+For the full feature rundown of the .NET feature management library, continue to the following document.

+> [!div class="nextstepaction"]

+> [.NET Feature Management](./feature-management-dotnet-reference.md)

+ Title: Use Azure App Configuration to manage feature flags

+To start using feature flags with Azure App Configuration, continue to the following quickstarts specific to your applicationΓÇÖs language or platform.

+> [!div class="nextstepaction"]

+> [ASP.NET Core](./quickstart-feature-flag-aspnet-core.md)

+> [!div class="nextstepaction"]

+> [.NET/.NET Framework](./quickstart-feature-flag-dotnet.md)

+> [!div class="nextstepaction"]

+> [.NET background service](./quickstart-feature-flag-dotnet-background-service.md)

+> [!div class="nextstepaction"]

+> [Java Spring](./quickstart-feature-flag-spring-boot.md)

+> [!div class="nextstepaction"]

+> [Python](./quickstart-feature-flag-python.md)

+> [!div class="nextstepaction"]

+> [Azure Kubernetes Service](./quickstart-feature-flag-azure-kubernetes-service.md)

+> [Azure Functions](./quickstart-feature-flag-azure-functions-csharp.md)

+ Title: Quickstart for adding feature flags to ASP.NET Core apps

+description: This tutorial will guide you through the process of integrating feature flags from Azure App Configuration into your ASP.NET Core apps.

+In this quickstart, you added feature management capability to an ASP.NET Core app on top of dynamic configuration. The [Microsoft.FeatureManagement.AspNetCore](https://www.nuget.org/packages/Microsoft.FeatureManagement.AspNetCore) library offers rich integration for ASP.NET Core apps, including feature management in MVC controller actions, razor pages, views, routes, and middleware. For the full feature rundown of the .NET feature management library, continue to the following document.

+> [.NET Feature Management](./feature-management-dotnet-reference.md)

+> [Enable conditional features with feature filters](./howto-feature-filters.md)

+> [Enable features on a schedule](./howto-timewindow-filter.md)

+> [!div class="nextstepaction"]

+> [Roll out features to targeted audiences](./howto-targetingfilter.md)

+> [Use feature flags in .NET/.NET Framework console apps](./quickstart-feature-flag-dotnet.md)

+> [!div class="nextstepaction"]

+> [Use feature flags in .NET background services](./quickstart-feature-flag-dotnet-background-service.md)

+In this quickstart, you created a feature flag and used it with an Azure Functions.

+To enable feature management capability for other types of apps, continue to the following tutorials.

+> [!div class="nextstepaction"]

+> [Use feature flags in ASP.NET Core apps](./quickstart-feature-flag-aspnet-core.md)

+> [!div class="nextstepaction"]

+> [Use feature flags in .NET/.NET framework console apps](./quickstart-feature-flag-dotnet.md)

+> [!div class="nextstepaction"]

+> [Use feature flags in .NET background services](./quickstart-feature-flag-dotnet-background-service.md)

+To learn more about managing feature flags in Azure App Configuration, continue to the following tutorial.

+> [!div class="nextstepaction"]

+> [Manage feature flags in Azure App Configuration](./manage-feature-flags.md)

+For the full feature rundown of the .NET feature management library, continue to the following document.

+> [!div class="nextstepaction"]

+> [.NET Feature Management](./feature-management-dotnet-reference.md)

+In this quickstart, you created a feature flag and used it with a background service.

+> [Use feature flags in ASP.NET Core apps](./quickstart-feature-flag-aspnet-core.md)

+> [Use feature flags in .NET/.NET framework console apps](./quickstart-feature-flag-dotnet.md)

+For the full feature rundown of the .NET feature management library, continue to the following document.

+> [!div class="nextstepaction"]

+> [.NET Feature Management](./feature-management-dotnet-reference.md)

+To enable feature management capability for other types of apps, continue to the following tutorials.

+> [!div class="nextstepaction"]

+> [Use feature flags in ASP.NET Core apps](./quickstart-feature-flag-aspnet-core.md)

+> [!div class="nextstepaction"]

+> [Use feature flags in .NET background services](./quickstart-feature-flag-dotnet-background-service.md)

+For the full feature rundown of the .NET feature management library, continue to the following document.

+> [!div class="nextstepaction"]

+> [.NET Feature Management](./feature-management-dotnet-reference.md)

+ms.devlang: csharp

+To learn more about the experimentation concepts, refer to the following document.

+> [!div class="nextstepaction"]

+For the full feature rundown of the .NET feature management library, continue to the following document.

+> [!div class="nextstepaction"]

+> [.NET Feature Management](./feature-management-dotnet-reference.md)

+> [!IMPORTANT]

+> This document has been superseded by the [.NET Feature Management](./feature-management-dotnet-reference.md) reference document, which provides the most current and detailed rundown of the features available in the .NET feature management libraries.

+>

+> To get started with feature flags in your apps, follow the quickstarts for [.NET console apps](./quickstart-feature-flag-dotnet.md) or [ASP.NET Core apps](./quickstart-feature-flag-aspnet-core.md).

+The .NET feature management libraries provide idiomatic support for implementing feature flags in a .NET or ASP.NET Core application. These libraries allow you to declaratively add feature flags to your code so that you don't have to manually write code to enable or disable features with `if` statements.

+The feature management libraries also manage feature flag lifecycles behind the scenes. For example, the libraries refresh and cache flag states, or guarantee a flag state to be immutable during a request call. In addition, the ASP.NET Core library offers out-of-the-box integrations, including MVC controller actions, views, routes, and middleware.

+{

+ "FeatureManagement": {

+* [Microsoft.FeatureManagement Feature Reference](./feature-management-dotnet-reference.md)

+* [Microsoft.FeatureManagement API Reference](/dotnet/api/microsoft.featuremanagement)

+ > When you create your storage account, create it under the same resource group as your Kubernetes cluster. It is recommended that you also create it under the same region/location as your Kubernetes cluster.

+## Version 1.2.0-preview

+- Extension identity and OneLake support: ESA now allows use of a system-assigned extension identity for access to blob storage or OneLake lake houses.

+- Security fixes: security maintenance (package/module version updates).

+If you experience an issue or need support during the preview, see the following video and steps to request support for Edge Storage Accelerator in the Azure portal:

+> [!VIDEO f477de99-2036-41a3-979a-586a39b1854f]

+1. Navigate to the desired Arc-connected Kubernetes cluster with the Edge Storage Accelerator extension that you are experiencing issues with.

+1. To expand the menu, select **Settings** on the left blade.

+1. Select **Extensions**.

+1. Select the name for **Type**: `microsoft.edgestorageaccelerator`. In this example, the name is `hydraext`.

+1. Select **Help** on the left blade to expand the menu.

+1. Select **Support + Troubleshooting**.

+1. In the search text box, describe the issue you are facing in a few words.

+1. Select "Go" to the right of the search text box.

+1. For **Which service you are having an issue with**, make sure that **Edge Storage Accelerator - Preview** is selected. If not, you might need to search for **Edge Storage Accelerator - Preview** in the drop-down.

+1. Select **Next** after you select **Edge Storage Accelerator - Preview**.

+1. **Subscription** should already be populated with the subscription that you used to set up your Kubernetes cluster. If not, select the subscription to which your Arc-connected Kubernetes cluster is linked.

+1. For **Resource**, select **General question** from the drop-down menu.

+1. Select **Next**.

+1. For **Problem type**, from the drop-down menu, select the problem type that best describes your issue.

+1. For **Problem subtype**, from the drop-down menu, select the subtype that best describes your issue. The subtype options vary based on your selected **Problem type**.

+1. Select **Next**.

+1. Based on the issue, there might be documentation available to help you triage your issue. If these articles are not relevant or don't solve the issue, select **Create a support request** at the top.

+1. After you select **Create a support request at the top**, the fields in the **Problem description** section should already be populated with the details that you provided earlier. If you want to change anything, you can do so in this window.

+1. Select **Next** once you verify that the information in the **Problem description** section is accurate.

+1. In the **Recommended solution** section, recommended solutions appear based on the information you entered. If the recommended solutions are not helpful, select **Next** to continue filing a support request.

+1. In the **Additional details** section, populate the **Problem details** with your information.

+1. Once all required fields are complete, select **Next**.

+1. Review your information from the previous sections, then select **Create**.

+See the [release notes for Edge Storage Accelerator](release-notes.md) for information about new features and known issues.

+[What is Edge Storage Accelerator?](overview.md)

+ Title: Use private connectivity for Azure Arc-enabled Kubernetes clusters with private link (preview)

+# Use private connectivity for Arc-enabled Kubernetes clusters with private link (preview)

+ Title: Support matrix for Azure Arc-enabled System Center Virtual Machine Manager

+description: Learn about the support matrix for Arc-enabled System Center Virtual Machine Manager.

+keywords: "VMM, Arc, Azure"

+# Customer intent: As a VI admin, I want to understand the support matrix for System Center Virtual Machine Manager.

+# Support matrix for Azure Arc-enabled System Center Virtual Machine Manager

+This article documents the prerequisites and support requirements for using [Azure Arc-enabled System Center Virtual Machine Manager (SCVMM)](overview.md) to manage your SCVMM managed on-premises VMs through Azure Arc.

+To use Arc-enabled SCVMM, you must deploy an Azure Arc Resource Bridge in your SCVMM managed environment. The Resource Bridge provides an ongoing connection between your SCVMM management server and Azure. Once you've connected your SCVMM management server to Azure, components on the Resource Bridge discover your SCVMM management server inventory. You can [enable them in Azure](enable-scvmm-inventory-resources.md) and start performing virtual hardware and guest OS operations on them using Azure Arc.

+## System Center Virtual Machine Manager requirements

+The following requirements must be met in order to use Arc-enabled SCVMM.

+### Supported SCVMM versions

+Azure Arc-enabled SCVMM works with VMM 2019 and 2022 versions and supports SCVMM management servers with a maximum of 15,000 VMs.

+> [!NOTE]

+> If VMM server is running on Windows Server 2016 machine, ensure that [Open SSH package](https://github.com/PowerShell/Win32-OpenSSH/releases) is installed.

+> If you deploy an older version of appliance (version lesser than 0.2.25), Arc operation fails with the error *Appliance cluster is not deployed with AAD authentication*. To fix this issue, download the latest version of the onboarding script and deploy the Resource Bridge again.

+> Azure Arc Resource Bridge deployment using private link is currently not supported.

+| **Requirement** | **Details** |

+| | |

+| **Azure** | An Azure subscription <br/><br/> A resource group in the above subscription where you have the *Owner/Contributor* role. |

+| **SCVMM** | You need an SCVMM management server running version 2019 or later.<br/><br/> A private cloud or a host group with a minimum free capacity of 32 GB of RAM, 4 vCPUs with 100 GB of free disk space. <br/><br/> A VM network with internet access, directly or through proxy. Appliance VM will be deployed using this VM network.<br/><br/> Only Static IP allocation is supported and VMM Static IP Pool is required. Follow [these steps](/system-center/vmm/network-pool?view=sc-vmm-2022&preserve-view=true) to create a VMM Static IP Pool and ensure that the Static IP Pool has at least four IP addresses. If your SCVMM server is behind a firewall, all IPs in this IP Pool and the Control Plane IP should be allowed to communicate through WinRM ports. The default WinRM ports are 5985 and 5986. <br/><br/> Dynamic IP allocation using DHCP isn't supported. <br/><br/> A library share with write permission for the SCVMM admin account through which Resource Bridge deployment is going to be performed. |

+| **SCVMM accounts** | An SCVMM admin account that can perform all administrative actions on all objects that VMM manages. <br/><br/> The user should be part of local administrator account in the SCVMM server. If the SCVMM server is installed in a High Availability configuration, the user should be a part of the local administrator accounts in all the SCVMM cluster nodes. <br/><br/>This will be used for the ongoing operation of Azure Arc-enabled SCVMM and the deployment of the Arc Resource Bridge VM. |

+| **Workstation** | The workstation will be used to run the helper script. Ensure you have [64-bit Azure CLI installed](/cli/azure/install-azure-cli) on the workstation.<br/><br/> When you execute the script from a Linux machine, the deployment takes a bit longer and you might experience performance issues. |

+### Resource Bridge networking requirements

+The following firewall URL exceptions are required for the Azure Arc Resource Bridge VM:

+>[!Note]

+> To configure SSL proxy and to view the exclusion list for no proxy, seeΓÇ»[Additional network requirements](../resource-bridge/network-requirements.md#azure-arc-resource-bridge-network-requirements).

+In addition, SCVMM requires the following exception:

+| **Service** | **Port** | **URL** | **Direction** | **Notes**|

+| | | | | |

+| SCVMM Management Server | 443 | URL of the SCVMM management server. | Appliance VM IP and control plane endpoint need outbound connection. | Used by the SCVMM server to communicate with the Appliance VM and the control plane. |

+| WinRM | WinRM Port numbers (Default: 5985 and 5986). | URL of the WinRM service. | IPs in the IP Pool used by the Appliance VM and control plane need connection with the VMM server. | Used by the SCVMM server to communicate with the Appliance VM. |

+Generally, connectivity requirements include these principles:

+- All connections are TCP unless otherwise specified.

+- All HTTP connections use HTTPS and SSL/TLS with officially signed and verifiable certificates.

+- All connections are outbound unless otherwise specified.

+To use a proxy, verify that the agents and the machine performing the onboarding process meet the network requirements in this article. For a complete list of network requirements for Azure Arc features and Azure Arc-enabled services, see [Azure Arc network requirements (Consolidated)](../network-requirements-consolidated.md).

+### Azure role/permission requirements

+The minimum Azure roles required for operations related to Arc-enabled SCVMM are as follows:

+| **Operation** | **Minimum role required** | **Scope** |

+| | | |

+| Onboarding your SCVMM Management Server to Arc | Azure Arc SCVMM Private Clouds Onboarding | On the subscription or resource group into which you want to onboard |

+| Administering Arc-enabled SCVMM | Azure Arc SCVMM Administrator | On the subscription or resource group where SCVMM management server resource is created |

+| VM Provisioning | Azure Arc SCVMM Private Cloud User | On the subscription or resource group that contains the SCVMM cloud, datastore, and virtual network resources, or on the resources themselves |

+| VM Provisioning | Azure Arc SCVMM VM Contributor | On the subscription or resource group where you want to provision VMs |

+| VM Operations | Azure Arc SCVMM VM Contributor | On the subscription or resource group that contains the VM, or on the VM itself |

+Any roles with higher permissions on the same scope, such as Owner or Contributor, will also allow you to perform the operations listed above.

+### Azure connected machine agent (Guest Management) requirements

+Ensure the following before you install Arc agents at scale for SCVMM VMs:

+- The Resource Bridge must be in a running state.

+- The SCVMM management server must be in a connected state.

+- The user account must have permissions listed in Azure Arc-enabled SCVMM Administrator role.

+- All the target machines are:

+ - Powered on and the resource bridge has network connectivity to the host running the VM.

+ - Running a [supported operating system](/azure/azure-arc/servers/prerequisites#supported-operating-systems).

+ - Able to connect through the firewall to communicate over the Internet and [these URLs](/azure/azure-arc/servers/network-requirements?tabs=azure-cloud#urls) aren't blocked.

+### Supported SCVMM versions

+Azure Arc-enabled SCVMM supports direct installation of Arc agents in VMs managed by:

+- SCVMM 2022 UR1 or later versions of SCVMM server or console

+- SCVMM 2019 UR5 or later versions of SCVMM server or console

+For VMs managed by other SCVMM versions, [install Arc agents through the script](install-arc-agents-using-script.md).

+>[!Important]

+>We recommend maintaining the SCVMM management server and the SCVMM console in the same Long-Term Servicing Channel (LTSC) and Update Rollup (UR) version.

+### Supported operating systems

+Azure Arc-enabled SCVMM supports direct installation of Arc agents in VMs running Windows Server 2022, 2019, 2016, 2012R2, Windows 10, and Windows 11 operating systems. For other Windows and Linux operating systems, [install Arc agents through the script](install-arc-agents-using-script.md).

+### Software requirements

+Windows operating systems:

+* Microsoft recommends running the latest version, [Windows Management Framework 5.1](https://www.microsoft.com/download/details.aspx?id=54616).

+Linux operating systems:

+* systemd

+* wget (to download the installation script)

+* openssl

+* gnupg (Debian-based systems, only)

+### Networking requirements

+The following firewall URL exceptions are required for the Azure Arc agents:

+| **URL** | **Description** |

+| | |

+| `aka.ms` | Used to resolve the download script during installation |

+| `packages.microsoft.com` | Used to download the Linux installation package |

+| `download.microsoft.com` | Used to download the Windows installation package |

+| `login.windows.net` | Microsoft Entra ID |

+| `login.microsoftonline.com` | Microsoft Entra ID |

+| `pas.windows.net` | Microsoft Entra ID |

+| `management.azure.com` | Azure Resource Manager - to create or delete the Arc server resource |

+| `*.his.arc.azure.com` | Metadata and hybrid identity services |

+| `*.guestconfiguration.azure.com` | Extension management and guest configuration services |

+| `guestnotificationservice.azure.com`, `*.guestnotificationservice.azure.com` | Notification service for extension and connectivity scenarios |

+| `azgn*.servicebus.windows.net` | Notification service for extension and connectivity scenarios |

+| `*.servicebus.windows.net` | For Windows Admin Center and SSH scenarios |

+| `*.blob.core.windows.net` | Download source for Azure Arc-enabled servers extensions |

+| `dc.services.visualstudio.com` | Agent telemetry |

+## Next steps

+[Connect your System Center Virtual Machine Manager management server to Azure Arc](quickstart-connect-system-center-virtual-machine-manager-to-arc.md).

+description: In this quickstart, you learn how to create a Python script that uses Azure Cache for Redis.

+#customer intent: As a cloud developer, I want to quickly see a cache so that understand how to use Python with Azure Cache for Redis.

+In this Quickstart, you incorporate Azure Cache for Redis into a Python script to have access to a secure, dedicated cache that is accessible from any application within Azure.

+ - For macOS or Linux, download from [python.org](https://www.python.org/downloads/).

+ - For Windows 11, use the [Windows Store](https://apps.microsoft.com/search/publisher?name=Python+Software+Foundation&hl=en-us&gl=US).

+## Install redis-py library

+[Redis-py](https://pypi.org/project/redis/) is a Python interface to Azure Cache for Redis. Use the Python packages tool, `pip`, to install the `redis-py` package from a command prompt.

+## Create a Python script to access your cache

+Create a Python script to that uses either Microsoft Entra ID or access keys to connect to an Azure Cache for Redis. We recommend you use Microsoft Entra ID.

+## [Microsoft Entra ID Authentication (recommended)](#tab/entraid)

+### Install the Microsoft Authentication Library

+1. Install the [Microsoft Authentication Library (MSAL)](/entra/identity-platform/msal-overview). This library allows you to acquire security tokens from Microsoft identity to authenticate users.

+1. You can use the [Python Azure identity client library](/python/api/overview/azure/identity-readme) available that uses MSAL to provide token authentication support. Install this library using `pip`:

+ ```python

+ pip install azure-identity

+ ```

+### Create a Python script using Microsoft Entra ID

+1. Create a new text file, add the following script, and save the file as `PythonApplication1.py`.

+1. Replace `<Your Host Name>` with the value from your Azure Cache for Redis instance. Your host name is of the form `<DNS name>.redis.cache.windows.net`.

+1. Replace `<Your Username>` with the values from your Microsoft Entra ID user.

+ ```python

+ import redis

+ from azure.identity import DefaultAzureCredential

+

+ scope = "https://redis.azure.com/.default"

+ host = "<Your Host Name>"

+ port = 6380

+ user_name = "<Your Username>"

+

+

+ def hello_world():

+ cred = DefaultAzureCredential()

+ token = cred.get_token(scope)

+ r = redis.Redis(host=host,

+ port=port,

+ ssl=True, # ssl connection is required.

+ username=user_name,

+ password=token.token,

+ decode_responses=True)

+ result = r.ping()

+ print("Ping returned : " + str(result))

+

+ result = r.set("Message", "Hello!, The cache is working with Python!")

+ print("SET Message returned : " + str(result))

+

+ result = r.get("Message")

+ print("GET Message returned : " + result)

+

+ result = r.client_list()

+ print("CLIENT LIST returned : ")

+ for c in result:

+ print(f"id : {c['id']}, addr : {c['addr']}")

+

+ if __name__ == '__main__':

+ hello_world()

+ ```

+1. Before you run your Python code from a Terminal, make sure you authorize the terminal for using Microsoft Entra ID.

+

+ `azd auth login`

+1. Run `PythonApplication1.py` with Python. You should see results like the following example:

+ :::image type="content" source="media/cache-python-get-started/cache-python-completed.png" alt-text="Screenshot of a terminal showing a Python script to test cache access.":::

+### Create a Python script using reauthentication

+Microsoft Entra ID access tokens have limited lifespans, [averaging 75 minutes](/entra/identity-platform/configurable-token-lifetimes#token-lifetime-policies-for-access-saml-and-id-tokens). In order to maintain a connection to your cache, you need to refresh the token. This example demonstrates how to do this using Python.

+1. Create a new text file, add the following script. Then, save the file as `PythonApplication2.py`.

+1. Replace `<Your Host Name>` with the value from your Azure Cache for Redis instance. Your host name is of the form `<DNS name>.redis.cache.windows.net`.

+1. Replace `<Your Username>` with the values from your Microsoft Entra ID user.

+ ```python

+ import time

+ import logging

+ import redis

+ from azure.identity import DefaultAzureCredential

+

+ scope = "https://redis.azure.com/.default"

+ host = "<Your Host Name>"

+ port = 6380

+ user_name = "<Your Username>"

+

+ def re_authentication():

+ _LOGGER = logging.getLogger(__name__)

+ cred = DefaultAzureCredential()

+ token = cred.get_token(scope)

+ r = redis.Redis(host=host,

+ port=port,

+ ssl=True, # ssl connection is required.

+ username=user_name,

+ password=token.token,

+ decode_responses=True)

+ max_retry = 3

+ for index in range(max_retry):

+ try:

+ if _need_refreshing(token):

+ _LOGGER.info("Refreshing token...")

+ tmp_token = cred.get_token(scope)

+ if tmp_token:

+ token = tmp_token

+ r.execute_command("AUTH", user_name, token.token)

+ result = r.ping()

+ print("Ping returned : " + str(result))

+

+ result = r.set("Message", "Hello!, The cache is working with Python!")

+ print("SET Message returned : " + str(result))

+

+ result = r.get("Message")

+ print("GET Message returned : " + result)

+

+ result = r.client_list()

+ print("CLIENT LIST returned : ")

+ for c in result:

+ print(f"id : {c['id']}, addr : {c['addr']}")

+ break

+ except redis.ConnectionError:

+ _LOGGER.info("Connection lost. Reconnecting.")

+ token = cred.get_token(scope)

+ r = redis.Redis(host=host,

+ port=port,

+ ssl=True, # ssl connection is required.

+ username=user_name,

+ password=token.token,

+ decode_responses=True)

+ except Exception:

+ _LOGGER.info("Unknown failures.")

+ break

+

+

+ def _need_refreshing(token, refresh_offset=300):

+ return not token or token.expires_on - time.time() < refresh_offset

+

+ if __name__ == '__main__':

+ re_authentication()

+ ```

+1. Run `PythonApplication2.py` with Python. You should see results like the following example:

+ :::image type="content" source="media/cache-python-get-started/cache-python-completed.png" alt-text="Screenshot of a terminal showing a Python script to test cache access.":::

+ Unlike the first example, If your token expires, this example automatically refreshes it.

+## [Access Key Authentication](#tab/accesskey)

+### Read and write to the cache from the command line

+Run [Python from the command line](https://docs.python.org/3/faq/windows.html#id2) to test your cache. First, initiate the Python interpreter in your command line by typing `py`, and then use the following code. Replace `<Your Host Name>` and `<Your Access Key>` with the values from your Azure Cache for Redis instance. Your host name is of the form `<DNS name>.redis.cache.windows.net`.

+>>> r = redis.Redis(host='<Your Host Name>',

+### Create a Python script using access keys

+r = redis.Redis(host=myHostname, port=6380,

+print("GET Message returned : " + result)

+<!-- Clean up resources -->

+## Related content

+- [Create a ASP.NET web app that uses an Azure Cache for Redis.](./cache-web-app-howto.md)

+> Targeting .NET 8 with the in-process model is not yet enabled for Linux or for apps in sovereign clouds. Updates will be communicated on [this tracking thread on GitHub](https://github.com/Azure/azure-functions-host/issues/9951).

+> If your scenario relied on the dynamic nature of the `Document` type to identify different schemas and types of events, you can use a base abstract type with the common properties across your types or dynamic types like `JObject` (when using `Microsoft.Azure.WebJobs.Extensions.CosmosDB`) and `JsonNode` (when using `Microsoft.Azure.Functions.Worker.Extensions.CosmosDB`) that allow to access properties like `Document` did.

+A dataset is a collection of indoor map features. The indoor map features represent facilities that are defined in a converted drawing package. After you create a dataset with the [Dataset service], you can create any number of [tilesets].

+Creator services such as Conversion, Dataset, and Tileset return an identifier for each resource that's created from the APIs. The [Alias API] allows you to assign an alias to reference a resource identifier.

+The Indoor Maps module also supports dynamic map styling for more information, see [Enhance your indoor maps with real-time map feature styling].

+ You can use the Azure Maps Creator List, Update, and Delete API to list, update, and delete your datasets and tilesets.

+[Enhance your indoor maps with real-time map feature styling]: https://techcommunity.microsoft.com/t5/azure-maps-blog/enhance-your-indoor-maps-with-real-time-map-feature-styling/ba-p/4048929

+After the response returns, copy the feature `id` for one of the `unit` features. In the following example, the feature `id` is "UNIT26".

+ >When you delete the Creator resource of your Azure Maps account, you also delete the conversions, datasets and tilesets that were created using Creator services. Once a Creator resource is deleted, it cannot be undone.

+To load the indoor map style of the tiles, you must instantiate the *Indoor Manager*. Instantiate the *Indoor Manager* by providing the *Map object*. Your code should look like the following JavaScript code snippet:

+7. Next, create the *Indoor Manager* module with *Indoor Level Picker* control instantiated as part of *Indoor Manager* options.

+[How to use the Azure Maps map control npm package]: how-to-use-npm-package.md

+[Indoor Maps]: https://www.npmjs.com/package/azure-maps-indoor

+A managed identity (either system or user) associated with the resources below. We highly recommend using [user-assigned managed identity](../../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md) for better scalability and performance.

+| Maximum size of a single capacity pool | 2,048 TiB | Yes |

+| Maximum number of files `maxfiles` per volume | See [`maxfiles`](#maxfiles) | Yes |

+For a 320-MB directory, the number of blocks is 655,360, with each block size being 512 bytes. (That is, 320x1024x1024/512.) This number translates to approximately 4 million files maximum for a 320-MB directory. However, the actual number of maximum files might be lower, depending on factors such as the number of files with non-ASCII characters in the directory. As such, you should use the `stat` command as follows to determine whether your directory is approaching its limit.

+Azure NetApp Files volumes have a value called `maxfiles` that refers to the maximum number of files and folders (also known as inodes) a volume can contain. When the `maxfiles` limit is reached, clients receive "out of space" messages when attempting to create new files or folders. If you experience this issue, contact Microsoft technical support.

+The `maxfiles` limit for an Azure NetApp Files volume is based on the size (quota) of the volume, where the service dynamically adjusts the `maxfiles` limit for a volume based on its provisioned size and uses the following guidelines.

+- For regular volumes less than or equal to 683 GiB, the default `maxfiles` limit is 21,251,126.

+- For regular volumes greater than 683 GiB, the default `maxfiles` limit is approximately one file (or inode) per 32 KiB of allocated volume capacity up to a maximum of 2,147,483,632.

+- For [large volumes](large-volumes-requirements-considerations.md), the default `maxfiles` limit is approximately one file (or inode) per 32 KiB of allocated volume capacity up to a default maximum of 15,938,355,048.

+The following table shows examples of the relationship `maxfiles` values based on volume sizes for regular volumes.

+| Volume size | Estimated maxfiles limit |

+| - | - |

+| 0 ΓÇô 683 GiB | 21,251,126 |

+| 1 TiB (1,073,741,824 KiB) | 31,876,709 |

+| 10 TiB (10,737,418,240 KiB) | 318,767,099 |

+| 50 TiB (53,687,091,200 KiB) | 1,593,835,519 |

+| 100 TiB (107,374,182,400 KiB) | 2,147,483,632 |

+The following table shows examples of the relationship `maxfiles` values based on volume sizes for large volumes.

+| Volume size | Estimated maxfiles limit |

+| - | - |

+| 50 TiB (53,687,091,200 KiB) | 1,593,835,512 |

+| 100 TiB (107,374,182,400 KiB) | 3,187,671,024 |

+| 200 TiB (214,748,364,800 KiB) | 6,375,342,024 |

+| 500 TiB (536,870,912,000 KiB) | 15,938,355,048 |

+To see the `maxfiles` allocation for a specific volume size, check the **Maximum number of files** field in the volumeΓÇÖs overview pane.

+You can't set `maxfiles` limits for data protection volumes via a quota request. Azure NetApp Files automatically increases the `maxfiles` limit of a data protection volume to accommodate the number of files replicated to the volume. When a failover happens on a data protection volume, the `maxfiles` limit remains the last value before the failover. In this situation, you can submit a `maxfiles` [quota request](#request-limit-increase) for the volume.

+You can edit the network features option of existing volumes from *Basic* to *Standard* network features. The change you make applies to all volumes in the same *network sibling set* (or *siblings*). Siblings are determined by their network IP address relationship. They share the same NIC for mounting the volume to the client or connecting to the remote share of the volume. At the creation of a volume, its siblings are determined by a placement algorithm that aims for reusing the IP address where possible.

+ Title: Manage alerts and notifications in the Azure mobile app

+# Manage alerts and notifications in the Azure mobile app

+Use Azure mobile app notifications to get up-to-date alerts and information on your resources and services.

+ Title: BCP033

+description: Error - Expected a value of type "{expectedType}" but the provided value is of type "{actualType}".

+# Bicep warning and error code - BCP033

+This error occurs when you assign a value of a mismatched data type.

+## Error description

+`Expected a value of type "{expectedType}" but the provided value is of type "{actualType}".`

+## Solution

+Use the expected data type.

+## Examples

+The following example raises the error because the expected data type is a string. The actual provided value is an integer:

+```bicep

+var myValue = 5

+output myString string = myValue

+```

+You can fix the error by providing a string value:

+```bicep

+var myValue = '5'

+output myString string = myValue

+```

+## Next steps

+For more information about Bicep warning and error codes, see [Bicep warnings and errors](./bicep-error-codes.md).

+ Title: BCP035

+description: Error - The specified <data-type> declaration is missing the following required properties.

+# Bicep warning and error code - BCP035

+This warning occurs when your resource definition is missing a required property.

+## Warning description

+`The specified <date-type> declaration is missing the following required properties: <name-of-the-property.`

+## Solution

+Add the missing property to the resource definition.

+## Examples

+The following example raises the warning for **virtualNetworkGateway1** and **virtualNetworkGateway2**:

+```bicep

+var networkConnectionName = 'testConnection'

+var location = 'eastus'

+var vnetGwAId = 'gatewayA'

+var vnetGwBId = 'gatewayB'

+resource networkConnection 'Microsoft.Network/connections@2023-11-01' = {

+ name: networkConnectionName

+ location: location

+ properties: {

+ virtualNetworkGateway1: {

+ id: vnetGwAId

+ }

+ virtualNetworkGateway2: {

+ id: vnetGwBId

+ }

+ connectionType: 'Vnet2Vnet'

+ }

+}

+```

+The warning is:

+```warning

+The specified "object" declaration is missing the following required properties: "properties". If this is an inaccuracy in the documentation, please report it to the Bicep Team.

+```

+You can verify the missing properties from the [template reference](/azure/templates). If you see the warning from Visual Studio Code, hover the cursor over the resource symbolic name and select **View document** to open the template reference.

+You can fix the error by adding the missing properties:

+```bicep

+var networkConnectionName = 'testConnection'

+var location = 'eastus'

+var vnetGwAId = 'gatewayA'

+var vnetGwBId = 'gatewayB'

+resource networkConnection 'Microsoft.Network/connections@2023-11-01' = {

+ name: networkConnectionName

+ location: location

+ properties: {

+ virtualNetworkGateway1: {

+ id: vnetGwAId

+ properties:{}

+ }

+ virtualNetworkGateway2: {

+ id: vnetGwBId

+ properties:{}

+ }

+ connectionType: 'Vnet2Vnet'

+ }

+}

+```

+## Next steps

+For more information about Bicep warning and error codes, see [Bicep warnings and errors](./bicep-error-codes.md).

+ Title: BCP072

+description: Error - This symbol cannot be referenced here. Only other parameters can be referenced in parameter default values.

+# Bicep warning and error code - BCP072

+This error occurs when you reference a variable in parameter default values.

+## Error description

+`This symbol cannot be referenced here. Only other parameters can be referenced in parameter default values.`

+## Solution

+Reference another parameter instead.

+## Examples

+The following example raises the error because the parameter default value references a variable:

+```bicep

+param foo string = bar

+var bar = 'HelloWorld!'

+```

+You can fix the error by referencing another parameter:

+```bicep

+param foo string = bar

+param bar string = 'HelloWorld!'

+output outValue string = foo

+```

+## Next steps

+For more information about Bicep warning and error codes, see [Bicep warnings and errors](./bicep-error-codes.md).

+ Title: Bicep warnings and error codes

+description: Lists the warnings and error codes.

+# Bicep warning and error codes

+If you need more information about a particular warning or error code, select the **Feedback** button in the upper right corner of the page and specify the code.

+| Error Code | Error Description |

+||-|

+| BCP001 | The following token is not recognized: "{token}". |

+| BCP002 | The multi-line comment at this location is not terminated. Terminate it with the */ character sequence. |

+| BCP003 | The string at this location is not terminated. Terminate the string with a single quote character. |

+| BCP004 | The string at this location is not terminated due to an unexpected new line character. |

+| BCP005 | The string at this location is not terminated. Complete the escape sequence and terminate the string with a single unescaped quote character. |

+| BCP006 | The specified escape sequence is not recognized. Only the following escape sequences are allowed: {ToQuotedString(escapeSequences)}. |

+| BCP007 | This declaration type is not recognized. Specify a metadata, parameter, variable, resource, or output declaration. |

+| BCP008 | Expected the "=" token, or a newline at this location. |

+| BCP009 | Expected a literal value, an array, an object, a parenthesized expression, or a function call at this location. |

+| BCP010 | Expected a valid 64-bit signed integer. |

+| BCP011 | The type of the specified value is incorrect. Specify a string, boolean, or integer literal. |

+| BCP012 | Expected the "{keyword}" keyword at this location. |

+| BCP013 | Expected a parameter identifier at this location. |

+| BCP015 | Expected a variable identifier at this location. |

+| BCP016 | Expected an output identifier at this location. |

+| BCP017 | Expected a resource identifier at this location. |

+| BCP018 | Expected the "{character}" character at this location. |

+| BCP019 | Expected a new line character at this location. |

+| BCP020 | Expected a function or property name at this location. |

+| BCP021 | Expected a numeric literal at this location. |

+| BCP022 | Expected a property name at this location. |

+| BCP023 | Expected a variable or function name at this location. |

+| BCP024 | The identifier exceeds the limit of {LanguageConstants.MaxIdentifierLength}. Reduce the length of the identifier. |

+| BCP025 | The property "{property}" is declared multiple times in this object. Remove or rename the duplicate properties. |

+| BCP026 | The output expects a value of type "{expectedType}" but the provided value is of type "{actualType}". |

+| BCP028 | Identifier "{identifier}" is declared multiple times. Remove or rename the duplicates. |

+| BCP029 | The resource type is not valid. Specify a valid resource type of format "&lt;types>@&lt;apiVersion>". |

+| BCP030 | The output type is not valid. Please specify one of the following types: {ToQuotedString(validTypes)}. |

+| BCP031 | The parameter type is not valid. Please specify one of the following types: {ToQuotedString(validTypes)}. |

+| BCP032 | The value must be a compile-time constant. |

+| [BCP033](./bicep-error-bcp033.md) | Expected a value of type "{expectedType}" but the provided value is of type "{actualType}". |

+| BCP034 | The enclosing array expected an item of type "{expectedType}", but the provided item was of type "{actualType}". |

+| [BCP035](./bicep-error-bcp035.md) | The specified "{blockName}" declaration is missing the following required properties{sourceDeclarationClause}: {ToQuotedString(properties)}.{(showTypeInaccuracy ? TypeInaccuracyClause : string.Empty)} |

+| BCP036 | The property "{property}" expected a value of type "{expectedType}" but the provided value{sourceDeclarationClause} is of type "{actualType}".{(showTypeInaccuracy ? TypeInaccuracyClause : string.Empty)} |

+| BCP037 | The property "{property}"{sourceDeclarationClause} is not allowed on objects of type "{type}".{permissiblePropertiesClause}{(showTypeInaccuracy ? TypeInaccuracyClause : string.Empty)} |

+| BCP040 | String interpolation is not supported for keys on objects of type "{type}"{sourceDeclarationClause}.{permissiblePropertiesClause} |

+| BCP041 | Values of type "{valueType}" cannot be assigned to a variable. |

+| BCP043 | This is not a valid expression. |

+| BCP044 | Cannot apply operator "{operatorName}" to operand of type "{type}". |

+| BCP045 | Cannot apply operator "{operatorName}" to operands of type "{type1}" and "{type2}".{(additionalInfo is null ? string.Empty : " " + additionalInfo)} |

+| BCP046 | Expected a value of type "{type}". |

+| BCP047 | String interpolation is unsupported for specifying the resource type. |

+| BCP048 | Cannot resolve function overload. For details, see the documentation. |

+| BCP049 | The array index must be of type "{LanguageConstants.String}" or "{LanguageConstants.Int}" but the provided index was of type "{wrongType}". |

+| BCP050 | The specified path is empty. |

+| BCP051 | The specified path begins with "/". Files must be referenced using relative paths. |

+| BCP052 | The type "{type}" does not contain property "{badProperty}". |

+| BCP053 | The type "{type}" does not contain property "{badProperty}". Available properties include {ToQuotedString(availableProperties)}. |

+| BCP054 | The type "{type}" does not contain any properties. |

+| BCP055 | Cannot access properties of type "{wrongType}". An "{LanguageConstants.Object}" type is required. |

+| BCP056 | The reference to name "{name}" is ambiguous because it exists in namespaces {ToQuotedString(namespaces)}. The reference must be fully qualified. |

+| BCP057 | The name "{name}" does not exist in the current context. |

+| BCP059 | The name "{name}" is not a function. |

+| BCP060 | The "variables" function is not supported. Directly reference variables by their symbolic names. |

+| BCP061 | The "parameters" function is not supported. Directly reference parameters by their symbolic names. |

+| BCP062 | The referenced declaration with name "{name}" is not valid. |

+| BCP063 | The name "{name}" is not a parameter, variable, resource or module. |

+| BCP064 | Found unexpected tokens in interpolated expression. |

+| BCP065 | Function "{functionName}" is not valid at this location. It can only be used as a parameter default value. |

+| BCP066 | Function "{functionName}" is not valid at this location. It can only be used in resource declarations. |

+| BCP067 | Cannot call functions on type "{wrongType}". An "{LanguageConstants.Object}" type is required. |

+| BCP068 | Expected a resource type string. Specify a valid resource type of format "&lt;types>@&lt;apiVersion>". |

+| BCP069 | The function "{function}" is not supported. Use the "{@operator}" operator instead. |

+| BCP070 | Argument of type "{argumentType}" is not assignable to parameter of type "{parameterType}". |

+| BCP071 | Expected {expected}, but got {argumentCount}. |

+| [BCP072](./bicep-error-bcp072.md) | This symbol cannot be referenced here. Only other parameters can be referenced in parameter default values. |

+| BCP073 | The property "{property}" is read-only. Expressions cannot be assigned to read-only properties.{(showTypeInaccuracy ? TypeInaccuracyClause : string.Empty)} |

+| BCP074 | Indexing over arrays requires an index of type "{LanguageConstants.Int}" but the provided index was of type "{wrongType}". |

+| BCP075 | Indexing over objects requires an index of type "{LanguageConstants.String}" but the provided index was of type "{wrongType}". |

+| BCP076 | Cannot index over expression of type "{wrongType}". Arrays or objects are required. |

+| BCP077 | The property "{badProperty}" on type "{type}" is write-only. Write-only properties cannot be accessed. |

+| BCP078 | The property "{propertyName}" requires a value of type "{expectedType}", but none was supplied. |

+| BCP079 | This expression is referencing its own declaration, which is not allowed. |

+| BCP080 | The expression is involved in a cycle ("{string.Join("\" -> \"", cycle)}"). |

+| BCP081 | Resource type "{resourceTypeReference.FormatName()}" does not have types available. Bicep is unable to validate resource properties prior to deployment, but this will not block the resource from being deployed. |

+| BCP082 | The name "{name}" does not exist in the current context. Did you mean "{suggestedName}"? |

+| BCP083 | The type "{type}" does not contain property "{badProperty}". Did you mean "{suggestedProperty}"? |

+| BCP084 | The symbolic name "{name}" is reserved. Please use a different symbolic name. Reserved namespaces are {ToQuotedString(namespaces.OrderBy(ns => ns))}. |

+| BCP085 | The specified file path contains one ore more invalid path characters. The following are not permitted: {ToQuotedString(forbiddenChars.OrderBy(x => x).Select(x => x.ToString()))}. |

+| BCP086 | The specified file path ends with an invalid character. The following are not permitted: {ToQuotedString(forbiddenPathTerminatorChars.OrderBy(x => x).Select(x => x.ToString()))}. |

+| BCP087 | Array and object literals are not allowed here. |

+| BCP088 | The property "{property}" expected a value of type "{expectedType}" but the provided value is of type "{actualStringLiteral}". Did you mean "{suggestedStringLiteral}"? |

+| BCP089 | The property "{property}" is not allowed on objects of type "{type}". Did you mean "{suggestedProperty}"? |

+| BCP090 | This module declaration is missing a file path reference. |

+| BCP091 | An error occurred reading file. {failureMessage} |

+| BCP092 | String interpolation is not supported in file paths. |

+| BCP093 | File path "{filePath}" could not be resolved relative to "{parentPath}". |

+| BCP094 | This module references itself, which is not allowed. |

+| BCP095 | The file is involved in a cycle ("{string.Join("\" -> \"", cycle)}"). |

+| BCP096 | Expected a module identifier at this location. |

+| BCP097 | Expected a module path string. This should be a relative path to another bicep file, e.g. 'myModule.bicep' or '../parent/myModule.bicep' |

+| BCP098 | The specified file path contains a "\" character. Use "/" instead as the directory separator character. |

+| BCP099 | The "{LanguageConstants.ParameterAllowedPropertyName}" array must contain one or more items. |

+| BCP100 | The function "if" is not supported. Use the "?:\" (ternary conditional) operator instead, e.g. condition ? ValueIfTrue : ValueIfFalse |

+| BCP101 | The "createArray" function is not supported. Construct an array literal using []. |

+| BCP102 | The "createObject" function is not supported. Construct an object literal using {}. |

+| BCP103 | The following token is not recognized: "{token}". Strings are defined using single quotes in bicep. |

+| BCP104 | The referenced module has errors. |

+| BCP105 | Unable to load file from URI "{fileUri}". |

+| BCP106 | Expected a new line character at this location. Commas are not used as separator delimiters. |

+| BCP107 | The function "{name}" does not exist in namespace "{namespaceType.Name}". |

+| BCP108 | The function "{name}" does not exist in namespace "{namespaceType.Name}". Did you mean "{suggestedName}"? |

+| BCP109 | The type "{type}" does not contain function "{name}". |

+| BCP110 | The type "{type}" does not contain function "{name}". Did you mean "{suggestedName}"? |

+| BCP111 | The specified file path contains invalid control code characters. |

+| BCP112 | The "{LanguageConstants.TargetScopeKeyword}" cannot be declared multiple times in one file. |

+| BCP113 | Unsupported scope for module deployment in a "{LanguageConstants.TargetScopeTypeTenant}" target scope. Omit this property to inherit the current scope, or specify a valid scope. Permissible scopes include tenant: tenant(), named management group: managementGroup(&lt;name>), named subscription: subscription(&lt;subId>), or named resource group in a named subscription: resourceGroup(&lt;subId>, &lt;name>). |

+| BCP114 | Unsupported scope for module deployment in a "{LanguageConstants.TargetScopeTypeManagementGroup}" target scope. Omit this property to inherit the current scope, or specify a valid scope. Permissible scopes include current management group: managementGroup(), named management group: managementGroup(&lt;name>), named subscription: subscription(&lt;subId>), tenant: tenant(), or named resource group in a named subscription: resourceGroup(&lt;subId>, &lt;name>). |

+| BCP115 | Unsupported scope for module deployment in a "{LanguageConstants.TargetScopeTypeSubscription}" target scope. Omit this property to inherit the current scope, or specify a valid scope. Permissible scopes include current subscription: subscription(), named subscription: subscription(&lt;subId>), named resource group in same subscription: resourceGroup(&lt;name>), named resource group in different subscription: resourceGroup(&lt;subId>, &lt;name>), or tenant: tenant(). |

+| BCP116 | Unsupported scope for module deployment in a "{LanguageConstants.TargetScopeTypeResourceGroup}" target scope. Omit this property to inherit the current scope, or specify a valid scope. Permissible scopes include current resource group: resourceGroup(), named resource group in same subscription: resourceGroup(&lt;name>), named resource group in a different subscription: resourceGroup(&lt;subId>, &lt;name>), current subscription: subscription(), named subscription: subscription(&lt;subId>) or tenant: tenant(). |

+| BCP117 | An empty indexer is not allowed. Specify a valid expression. |

+| BCP118 | Expected the "{" character, the "[" character, or the "if" keyword at this location. |

+| BCP119 | Unsupported scope for extension resource deployment. Expected a resource reference. |

+| BCP120 | This expression is being used in an assignment to the "{propertyName}" property of the "{objectTypeName}" type, which requires a value that can be calculated at the start of the deployment. |

+| BCP121 | Resources: {ToQuotedString(resourceNames)} are defined with this same name in a file. Rename them or split into different modules. |

+| BCP122 | Modules: {ToQuotedString(moduleNames)} are defined with this same name and this same scope in a file. Rename them or split into different modules. |

+| BCP123 | Expected a namespace or decorator name at this location. |

+| BCP124 | The decorator "{decoratorName}" can only be attached to targets of type "{attachableType}", but the target has type "{targetType}". |

+| BCP125 | Function "{functionName}" cannot be used as a parameter decorator. |

+| BCP126 | Function "{functionName}" cannot be used as a variable decorator. |

+| BCP127 | Function "{functionName}" cannot be used as a resource decorator. |

+| BCP128 | Function "{functionName}" cannot be used as a module decorator. |

+| BCP129 | Function "{functionName}" cannot be used as an output decorator. |

+| BCP130 | Decorators are not allowed here. |

+| BCP132 | Expected a declaration after the decorator. |

+| BCP133 | The unicode escape sequence is not valid. Valid unicode escape sequences range from \\u{0} to \\u{10FFFF}. |

+| BCP134 | Scope {ToQuotedString(LanguageConstants.GetResourceScopeDescriptions(suppliedScope))} is not valid for this module. Permitted scopes: {ToQuotedString(LanguageConstants.GetResourceScopeDescriptions(supportedScopes))}. |

+| BCP135 | Scope {ToQuotedString(LanguageConstants.GetResourceScopeDescriptions(suppliedScope))} is not valid for this resource type. Permitted scopes: {ToQuotedString(LanguageConstants.GetResourceScopeDescriptions(supportedScopes))}. |

+| BCP136 | Expected a loop item variable identifier at this location. |

+| BCP137 | Loop expected an expression of type "{LanguageConstants.Array}" but the provided value is of type "{actualType}". |

+| BCP138 | For-expressions are not supported in this context. For-expressions may be used as values of resource, module, variable, and output declarations, or values of resource and module properties. |

+| BCP139 | A resource's scope must match the scope of the Bicep file for it to be deployable. You must use modules to deploy resources to a different scope. |

+| BCP140 | The multi-line string at this location is not terminated. Terminate it with "'''. |

+| BCP141 | The expression cannot be used as a decorator as it is not callable. |

+| BCP142 | Property value for-expressions cannot be nested. |

+| BCP143 | For-expressions cannot be used with properties whose names are also expressions. |

+| BCP144 | Directly referencing a resource or module collection is not currently supported here. Apply an array indexer to the expression. |

+| BCP145 | Output "{identifier}" is declared multiple times. Remove or rename the duplicates. |

+| BCP147 | Expected a parameter declaration after the decorator. |

+| BCP148 | Expected a variable declaration after the decorator. |

+| BCP149 | Expected a resource declaration after the decorator. |

+| BCP150 | Expected a module declaration after the decorator. |

+| BCP151 | Expected an output declaration after the decorator. |

+| BCP152 | Function "{functionName}" cannot be used as a decorator. |

+| BCP153 | Expected a resource or module declaration after the decorator. |

+| BCP154 | Expected a batch size of at least {limit} but the specified value was "{value}". |

+| BCP155 | The decorator "{decoratorName}" can only be attached to resource or module collections. |

+| BCP156 | The resource type segment "{typeSegment}" is invalid. Nested resources must specify a single type segment, and optionally can specify an API version using the format "&lt;type>@&lt;apiVersion>". |

+| BCP157 | The resource type cannot be determined due to an error in the containing resource. |

+| BCP158 | Cannot access nested resources of type "{wrongType}". A resource type is required. |

+| BCP159 | The resource "{resourceName}" does not contain a nested resource named "{identifierName}". Known nested resources are: {ToQuotedString(nestedResourceNames)}. |

+| BCP160 | A nested resource cannot appear inside of a resource with a for-expression. |

+| BCP162 | Expected a loop item variable identifier or "(" at this location. |

+| BCP164 | A child resource's scope is computed based on the scope of its ancestor resource. This means that using the "scope" property on a child resource is unsupported. |

+| BCP165 | A resource's computed scope must match that of the Bicep file for it to be deployable. This resource's scope is computed from the "scope" property value assigned to ancestor resource "{ancestorIdentifier}". You must use modules to deploy resources to a different scope. |

+| BCP166 | Duplicate "{decoratorName}" decorator. |

+| BCP167 | Expected the "{" character or the "if" keyword at this location. |

+| BCP168 | Length must not be a negative value. |

+| BCP169 | Expected resource name to contain {expectedSlashCount} "/" character(s). The number of name segments must match the number of segments in the resource type. |

+| BCP170 | Expected resource name to not contain any "/" characters. Child resources with a parent resource reference (via the parent property or via nesting) must not contain a fully-qualified name. |

+| BCP171 | Resource type "{resourceType}" is not a valid child resource of parent "{parentResourceType}". |

+| BCP172 | The resource type cannot be validated due to an error in parent resource "{resourceName}". |

+| BCP173 | The property "{property}" cannot be used in an existing resource declaration. |

+| BCP174 | Type validation is not available for resource types declared containing a "/providers/" segment. Please instead use the "scope" property. |

+| BCP176 | Values of the "any" type are not allowed here. |

+| BCP177 | This expression is being used in the if-condition expression, which requires a value that can be calculated at the start of the deployment.{variableDependencyChainClause}{accessiblePropertiesClause} |

+| BCP178 | This expression is being used in the for-expression, which requires a value that can be calculated at the start of the deployment.{variableDependencyChainClause}{accessiblePropertiesClause} |

+| BCP179 | Unique resource or deployment name is required when looping. The loop item variable "{itemVariableName}" or the index variable "{indexVariableName}" must be referenced in at least one of the value expressions of the following properties in the loop body: {ToQuotedString(expectedVariantProperties)} |

+| BCP180 | Function "{functionName}" is not valid at this location. It can only be used when directly assigning to a module parameter with a secure decorator. |

+| BCP181 | This expression is being used in an argument of the function "{functionName}", which requires a value that can be calculated at the start of the deployment.{variableDependencyChainClause}{accessiblePropertiesClause} |

+| BCP182 | This expression is being used in the for-body of the variable "{variableName}", which requires values that can be calculated at the start of the deployment.{variableDependencyChainClause}{violatingPropertyNameClause}{accessiblePropertiesClause} |

+| BCP183 | The value of the module "params" property must be an object literal. |

+| BCP184 | File '{filePath}' exceeded maximum size of {maxSize} {unit}. |

+| BCP185 | Encoding mismatch. File was loaded with '{detectedEncoding}' encoding. |

+| BCP186 | Unable to parse literal JSON value. Please ensure that it is well-formed. |

+| BCP187 | The property "{property}" does not exist in the resource or type definition, although it might still be valid.{TypeInaccuracyClause} |

+| BCP188 | The referenced ARM template has errors. Please see [https://aka.ms/arm-template](https://aka.ms/arm-template) for information on how to diagnose and fix the template. |

+| BCP189 | (allowedSchemes.Contains(ArtifactReferenceSchemes.Local, StringComparer.Ordinal), allowedSchemes.Any(scheme => !string.Equals(scheme, ArtifactReferenceSchemes.Local, StringComparison.Ordinal))) switch { (false, false) => "Module references are not supported in this context.", (false, true) => $"The specified module reference scheme \"{badScheme}\" is not recognized. Specify a module reference using one of the following schemes: {FormatSchemes()}", (true, false) => $"The specified module reference scheme \"{badScheme}\" is not recognized. Specify a path to a local module file.", (true, true) => $"The specified module reference scheme \"{badScheme}\" is not recognized. Specify a path to a local module file or a module reference using one of the following schemes: {FormatSchemes()}"} |

+| BCP190 | The artifact with reference "{artifactRef}" has not been restored. |

+| BCP191 | Unable to restore the artifact with reference "{artifactRef}". |

+| BCP192 | Unable to restore the artifact with reference "{artifactRef}": {message} |

+| BCP193 | {BuildInvalidOciArtifactReferenceClause(aliasName, badRef)} Specify a reference in the format of "{ArtifactReferenceSchemes.Oci}:&lt;artifact-uri>:&lt;tag>", or "{ArtifactReferenceSchemes.Oci}/&lt;module-alias>:&lt;module-name-or-path>:&lt;tag>". |

+| BCP194 | {BuildInvalidTemplateSpecReferenceClause(aliasName, badRef)} Specify a reference in the format of "{ArtifactReferenceSchemes.TemplateSpecs}:&lt;subscription-ID>/&lt;resource-group-name>/&lt;template-spec-name>:&lt;version>", or "{ArtifactReferenceSchemes.TemplateSpecs}/&lt;module-alias>:&lt;template-spec-name>:&lt;version>". |

+| BCP195 | {BuildInvalidOciArtifactReferenceClause(aliasName, badRef)} The artifact path segment "{badSegment}" is not valid. Each artifact name path segment must be a lowercase alphanumeric string optionally separated by a ".", "_", or \"-\"." |

+| BCP196 | The module tag or digest is missing. |

+| BCP197 | The tag "{badTag}" exceeds the maximum length of {maxLength} characters. |

+| BCP198 | The tag "{badTag}" is not valid. Valid characters are alphanumeric, ".", "_", or "-" but the tag cannot begin with ".", "_", or "-". |

+| BCP199 | Module path "{badRepository}" exceeds the maximum length of {maxLength} characters. |

+| BCP200 | The registry "{badRegistry}" exceeds the maximum length of {maxLength} characters. |

+| BCP201 | Expected a provider specification string of with a valid format at this location. Valid formats are "br:&lt;providerRegistryHost>/&lt;providerRepositoryPath>@&lt;providerVersion>" or "br/&lt;providerAlias>:&lt;providerName>@&lt;providerVersion>". |

+| BCP202 | Expected a provider alias name at this location. |

+| BCP203 | Using provider statements requires enabling EXPERIMENTAL feature "Extensibility". |

+| BCP204 | Provider namespace "{identifier}" is not recognized. |

+| BCP205 | Provider namespace "{identifier}" does not support configuration. |

+| BCP206 | Provider namespace "{identifier}" requires configuration, but none was provided. |

+| BCP207 | Namespace "{identifier}" is declared multiple times. Remove the duplicates. |

+| BCP208 | The specified namespace "{badNamespace}" is not recognized. Specify a resource reference using one of the following namespaces: {ToQuotedString(allowedNamespaces)}. |

+| BCP209 | Failed to find resource type "{resourceType}" in namespace "{@namespace}". |

+| BCP210 | Resource type belonging to namespace "{childNamespace}" cannot have a parent resource type belonging to different namespace "{parentNamespace}". |

+| BCP211 | The module alias name "{aliasName}" is invalid. Valid characters are alphanumeric, "_", or "-". |

+| BCP212 | The Template Spec module alias name "{aliasName}" does not exist in the {BuildBicepConfigurationClause(configFileUri)}. |

+| BCP213 | The OCI artifact module alias name "{aliasName}" does not exist in the {BuildBicepConfigurationClause(configFileUri)}. |

+| BCP214 | The Template Spec module alias "{aliasName}" in the {BuildBicepConfigurationClause(configFileUri)} is in valid. The "subscription" property cannot be null or undefined. |

+| BCP215 | The Template Spec module alias "{aliasName}" in the {BuildBicepConfigurationClause(configFileUri)} is in valid. The "resourceGroup" property cannot be null or undefined. |

+| BCP216 | The OCI artifact module alias "{aliasName}" in the {BuildBicepConfigurationClause(configFileUri)} is invalid. The "registry" property cannot be null or undefined. |

+| BCP217 | {BuildInvalidTemplateSpecReferenceClause(aliasName, referenceValue)} The subscription ID "{subscriptionId}" is not a GUID. |

+| BCP218 | {BuildInvalidTemplateSpecReferenceClause(aliasName, referenceValue)} The resource group name "{resourceGroupName}" exceeds the maximum length of {maximumLength} characters. |

+| BCP219 | {BuildInvalidTemplateSpecReferenceClause(aliasName, referenceValue)} The resource group name "{resourceGroupName}" is invalid. Valid characters are alphanumeric, unicode characters, ".", "_", "-", "(", or ")", but the resource group name cannot end with ".". |

+| BCP220 | {BuildInvalidTemplateSpecReferenceClause(aliasName, referenceValue)} The Template Spec name "{templateSpecName}" exceeds the maximum length of {maximumLength} characters. |

+| BCP221 | {BuildInvalidTemplateSpecReferenceClause(aliasName, referenceValue)} The Template Spec name "{templateSpecName}" is invalid. Valid characters are alphanumeric, ".", "_", "-", "(", or ")", but the Template Spec name cannot end with ".". |

+| BCP222 | {BuildInvalidTemplateSpecReferenceClause(aliasName, referenceValue)} The Template Spec version "{templateSpecVersion}" exceeds the maximum length of {maximumLength} characters. |

+| BCP223 | {BuildInvalidTemplateSpecReferenceClause(aliasName, referenceValue)} The Template Spec version "{templateSpecVersion}" is invalid. Valid characters are alphanumeric, ".", "_", "-", "(", or ")", but the Template Spec name cannot end with ".". |

+| BCP224 | {BuildInvalidOciArtifactReferenceClause(aliasName, badRef)} The digest "{badDigest}" is not valid. The valid format is a string "sha256:" followed by exactly 64 lowercase hexadecimal digits. |

+| BCP225 | The discriminator property "{propertyName}" value cannot be determined at compilation time. Type checking for this object is disabled. |

+| BCP226 | Expected at least one diagnostic code at this location. Valid format is "#disable-next-line diagnosticCode1 diagnosticCode2 ...". |

+| BCP227 | The type "{resourceType}" cannot be used as a parameter or output type. Extensibility types are currently not supported as parameters or outputs. |

+| BCP229 | The parameter "{parameterName}" cannot be used as a resource scope or parent. Resources passed as parameters cannot be used as a scope or parent of a resource. |

+| BCP300 | Expected a type literal at this location. Please specify a concrete value or a reference to a literal type. |

+| BCP301 | The type name "{reservedName}" is reserved and may not be attached to a user-defined type. |

+| BCP302 | The name "{name}" is not a valid type. Please specify one of the following types: {ToQuotedString(validTypes)}. |

+| BCP303 | String interpolation is unsupported for specifying the provider. |

+| BCP304 | Invalid provider specifier string. Specify a valid provider of format "&lt;providerName>@&lt;providerVersion>". |

+| BCP305 | Expected the "with" keyword, "as" keyword, or a new line character at this location. |

+| BCP306 | The name "{name}" refers to a namespace, not to a type. |

+| BCP307 | The expression cannot be evaluated, because the identifier properties of the referenced existing resource including {ToQuotedString(runtimePropertyNames.OrderBy(x => x))} cannot be calculated at the start of the deployment. In this situation, {accessiblePropertyNamesClause}{accessibleFunctionNamesClause}. |

+| BCP308 | The decorator "{decoratorName}" may not be used on statements whose declared type is a reference to a user-defined type. |

+| BCP309 | Values of type "{flattenInputType.Name}" cannot be flattened because "{incompatibleType.Name}" is not an array type. |

+| BCP311 | The provided index value of "{indexSought}" is not valid for type "{typeName}". Indexes for this type must be between 0 and {tupleLength - 1}. |

+| BCP315 | An object type may have at most one additional properties declaration. |

+| BCP316 | The "{LanguageConstants.ParameterSealedPropertyName}" decorator may not be used on object types with an explicit additional properties type declaration. |

+| BCP317 | Expected an identifier, a string, or an asterisk at this location. |

+| BCP318 | The value of type "{possiblyNullType}" may be null at the start of the deployment, which would cause this access expression (and the overall deployment with it) to fail. If you do not know whether the value will be null and the template would handle a null value for the overall expression, use a `.?` (safe dereference) operator to short-circuit the access expression if the base expression's value is null: {accessExpression.AsSafeAccess().ToString()}. If you know the value will not be null, use a non-null assertion operator to inform the compiler that the value will not be null: {SyntaxFactory.AsNonNullable(expression).ToString()}. |

+| BCP319 | The type at "{errorSource}" could not be resolved by the ARM JSON template engine. Original error message: "{message}" |

+| BCP320 | The properties of module output resources cannot be accessed directly. To use the properties of this resource, pass it as a resource-typed parameter to another module and access the parameter's properties therein. |

+| BCP321 | Expected a value of type "{expectedType}" but the provided value is of type "{actualType}". If you know the value will not be null, use a non-null assertion operator to inform the compiler that the value will not be null: {SyntaxFactory.AsNonNullable(expression).ToString()}. |

+| BCP322 | The `.?` (safe dereference) operator may not be used on instance function invocations. |

+| BCP323 | The `[?]` (safe dereference) operator may not be used on resource or module collections. |

+| BCP325 | Expected a type identifier at this location. |

+| BCP326 | Nullable-typed parameters may not be assigned default values. They have an implicit default of 'null' that cannot be overridden. |

+| BCP327 | The provided value (which will always be greater than or equal to {sourceMin}) is too large to assign to a target for which the maximum allowable value is {targetMax}. |

+| BCP328 | The provided value (which will always be less than or equal to {sourceMax}) is too small to assign to a target for which the minimum allowable value is {targetMin}. |

+| BCP329 | The provided value can be as small as {sourceMin} and may be too small to assign to a target with a configured minimum of {targetMin}. |

+| BCP330 | The provided value can be as large as {sourceMax} and may be too large to assign to a target with a configured maximum of {targetMax}. |

+| BCP331 | A type's "{minDecoratorName}" must be less than or equal to its "{maxDecoratorName}", but a minimum of {minValue} and a maximum of {maxValue} were specified. |

+| BCP332 | The provided value (whose length will always be greater than or equal to {sourceMinLength}) is too long to assign to a target for which the maximum allowable length is {targetMaxLength}. |

+| BCP333 | The provided value (whose length will always be less than or equal to {sourceMaxLength}) is too short to assign to a target for which the minimum allowable length is {targetMinLength}. |

+| BCP334 | The provided value can have a length as small as {sourceMinLength} and may be too short to assign to a target with a configured minimum length of {targetMinLength}. |

+| BCP335 | The provided value can have a length as large as {sourceMaxLength} and may be too long to assign to a target with a configured maximum length of {targetMaxLength}. |

+| BCP337 | This declaration type is not valid for a Bicep Parameters file. Specify a "{LanguageConstants.UsingKeyword}", "{LanguageConstants.ParameterKeyword}" or "{LanguageConstants.VariableKeyword}" declaration. |

+| BCP338 | Failed to evaluate parameter "{parameterName}": {message} |

+| BCP339 | The provided array index value of "{indexSought}" is not valid. Array index should be greater than or equal to 0. |

+| BCP340 | Unable to parse literal YAML value. Please ensure that it is well-formed. |

+| BCP341 | This expression is being used inside a function declaration, which requires a value that can be calculated at the start of the deployment. {variableDependencyChainClause}{accessiblePropertiesClause} |

+| BCP342 | User-defined types are not supported in user-defined function parameters or outputs. |

+| BCP344 | Expected an assert identifier at this location. |

+| BCP345 | A test declaration can only reference a Bicep File |

+| BCP0346 | Expected a test identifier at this location. |

+| BCP0347 | Expected a test path string at this location. |

+| BCP348 | Using a test declaration statement requires enabling EXPERIMENTAL feature "{nameof(ExperimentalFeaturesEnabled.TestFramework)}". |

+| BCP349 | Using an assert declaration requires enabling EXPERIMENTAL feature "{nameof(ExperimentalFeaturesEnabled.Assertions)}". |

+| BCP350 | Value of type "{valueType}" cannot be assigned to an assert. Asserts can take values of type 'bool' only. |

+| BCP351 | Function "{functionName}" is not valid at this location. It can only be used when directly assigning to a parameter. |

+| BCP352 | Failed to evaluate variable "{name}": {message} |

+| BCP353 | The {itemTypePluralName} {ToQuotedString(itemNames)} differ only in casing. The ARM deployments engine is not case sensitive and will not be able to distinguish between them. |

+| BCP354 | Expected left brace ('{') or asterisk ('*') character at this location. |

+| BCP355 | Expected the name of an exported symbol at this location. |

+| BCP356 | Expected a valid namespace identifier at this location. |

+| BCP358 | This declaration is missing a template file path reference. |

+| BCP360 | The '{symbolName}' symbol was not found in (or was not exported by) the imported template. |

+| BCP361 | The "@export()" decorator must target a top-level statement. |

+| BCP362 | This symbol is imported multiple times under the names {string.Join(", ", importedAs.Select(identifier => $"'{identifier}'"))}. |

+| BCP363 | The "{LanguageConstants.TypeDiscriminatorDecoratorName}" decorator can only be applied to object-only union types with unique member types. |

+| BCP364 | The property "{discriminatorPropertyName}" must be a required string literal on all union member types. |

+| BCP365 | The value "{discriminatorPropertyValue}" for discriminator property "{discriminatorPropertyName}" is duplicated across multiple union member types. The value must be unique across all union member types. |

+| BCP366 | The discriminator property name must be "{acceptablePropertyName}" on all union member types. |

+| BCP367 | The "{featureName}" feature is temporarily disabled. |

+| BCP368 | The value of the "{targetName}" parameter cannot be known until the template deployment has started because it uses a reference to a secret value in Azure Key Vault. Expressions that refer to the "{targetName}" parameter may be used in {LanguageConstants.LanguageFileExtension} files but not in {LanguageConstants.ParamsFileExtension} files. |

+| BCP369 | The value of the "{targetName}" parameter cannot be known until the template deployment has started because it uses the default value defined in the template. Expressions that refer to the "{targetName}" parameter may be used in {LanguageConstants.LanguageFileExtension} files but not in {LanguageConstants.ParamsFileExtension} files. |

+| BCP372 | The "@export()" decorator may not be applied to variables that refer to parameters, modules, or resource, either directly or indirectly. The target of this decorator contains direct or transitive references to the following unexportable symbols: {ToQuotedString(nonExportableSymbols)}. |

+| BCP373 | Unable to import the symbol named "{name}": {message} |

+| BCP374 | The imported model cannot be loaded with a wildcard because it contains the following duplicated exports: {ToQuotedString(ambiguousExportNames)}. |

+| BCP375 | An import list item that identifies its target with a quoted string must include an 'as &lt;alias>' clause. |

+| BCP376 | The "{name}" symbol cannot be imported because imports of kind {exportMetadataKind} are not supported in files of kind {sourceFileKind}. |

+| BCP377 | The provider alias name "{aliasName}" is invalid. Valid characters are alphanumeric, "_", or "-". |

+| BCP378 | The OCI artifact provider alias "{aliasName}" in the {BuildBicepConfigurationClause(configFileUri)} is invalid. The "registry" property cannot be null or undefined. |

+| BCP379 | The OCI artifact provider alias name "{aliasName}" does not exist in the {BuildBicepConfigurationClause(configFileUri)}. |

+| BCP380 | Artifacts of type: "{artifactType}" are not supported. |

+| BCP381 | Declaring provider namespaces with the "import" keyword has been deprecated. Please use the "provider" keyword instead. |

+| BCP383 | The "{typeName}" type is not parameterizable. |

+| BCP384 | The "{typeName}" type requires {requiredArgumentCount} argument(s). |

+| BCP385 | Using resource-derived types requires enabling EXPERIMENTAL feature "{nameof(ExperimentalFeaturesEnabled.ResourceDerivedTypes)}". |

+| BCP386 | The decorator "{decoratorName}" may not be used on statements whose declared type is a reference to a resource-derived type. |

+| BCP387 | Indexing into a type requires an integer greater than or equal to 0. |

+| BCP388 | Cannot access elements of type "{wrongType}" by index. A tuple type is required. |

+| BCP389 | The type "{wrongType}" does not declare an additional properties type. |

+| BCP390 | The array item type access operator ('[*]') can only be used with typed arrays. |

+| BCP391 | Type member access is only supported on a reference to a named type. |

+| BCP392 | "The supplied resource type identifier "{resourceTypeIdentifier}" was not recognized as a valid resource type name." |

+| BCP393 | "The type pointer segment "{unrecognizedSegment}" was not recognized. Supported pointer segments are: "properties", "items", "prefixItems", and "additionalProperties"." |

+| BCP394 | Resource-derived type expressions must derefence a property within the resource body. Using the entire resource body type is not permitted. |

+| BCP395 | Declaring provider namespaces using the '&lt;providerName>@&lt;version>' expression has been deprecated. Please use an identifier instead. |

+| BCP396 | The referenced provider types artifact has been published with malformed content. |

+| BCP397 | "Provider {name} is incorrectly configured in the {BuildBicepConfigurationClause(configFileUri)}. It is referenced in the "{RootConfiguration.ImplicitProvidersConfigurationKey}" section, but is missing corresponding configuration in the "{RootConfiguration.ProvidersConfigurationKey}" section." |

+| BCP398 | "Provider {name} is incorrectly configured in the {BuildBicepConfigurationClause(configFileUri)}. It is configured as built-in in the "{RootConfiguration.ProvidersConfigurationKey}" section, but no built-in provider exists." |

+| BCP399 | Fetching az types from the registry requires enabling EXPERIMENTAL feature "{nameof(ExperimentalFeaturesEnabled.DynamicTypeLoading)}". |

+| BCP400 | Fetching types from the registry requires enabling EXPERIMENTAL feature "{nameof(ExperimentalFeaturesEnabled.ProviderRegistry)}". |

+## Next steps

+To learn about Bicep, see [Bicep overview](./overview.md).

+description: Defines who's responsible for what for NC2 on Azure.

+* Customer = gray

+Microsoft manages the Azure BareMetal specialized compute hardware and its data and control plane platform for underlay network. Microsoft supports if the customers plan to bring their existing Azure Subscription, VNet, vWAN, etc.

+Nutanix covers the life-cycle management of Nutanix software (MCM, Prism Central/Element, etc.) and their licenses.

+| Windows¹, Linux² | [Network Disconnect](#network-disconnect) | Network disruption |

+| Windows¹, Linux² | [Network Latency](#network-latency) | Network performance degradation |

+| Windows¹, Linux² | [Network Packet Loss](#network-packet-loss) | Network reliability issues |

+| Windows | [DNS Failure](#dns-failure) | DNS resolution issues |

+| Windows | [Network Disconnect (Via Firewall)](#network-disconnect-via-firewall) | Network disruption |

+¹ TCP/UDP packets only. ² Outbound network traffic only.

+| Supported OS types | Windows, Linux (outbound traffic only) |

+| Description | Blocks network traffic for specified port range and network block. At least one destinationFilter or inboundDestinationFilter array must be provided. |

+| Fault type | Continuous. |

+* When running on Linux, this fault can only affect **outbound** traffic, not inbound traffic. The fault can affect **both inbound and outbound** traffic on Windows environments (via the `inboundDestinationFilters` and `destinationFilters` parameters).

+| Fault type | Continuous. |

+* This fault currently only affects new connections. Existing active connections are unaffected. You can restart the service or process to force connections to break.

+| Fault type | Continuous. |

+* This fault currently only affects new connections. Existing active connections are unaffected. You can restart the service or process to force connections to break.

+| Supported OS types | Windows, Linux (outbound traffic only) |

+| Fault type | Continuous. |

+* When running on Linux, this fault can only affect **outbound** traffic, not inbound traffic. The fault can affect **both inbound and outbound** traffic on Windows environments (via the `inboundDestinationFilters` and `destinationFilters` parameters).

+* This fault currently only affects new connections. Existing active connections are unaffected. You can restart the service or process to force connections to break.

+| Fault type | Continuous. |

+| Supported OS types | Windows, Linux |

+| Fault type | Continuous. |

+| Supported OS types | Windows, Linux |

+| Fault type | Continuous. |

+| Fault type | Continuous. |

+| Fault type | Continuous. |

+| Fault type | Continuous. |

+| Supported OS types | Windows, Linux |

+| Fault type | Continuous. |

+| Supported OS types | Windows, Linux |

+| Fault type | Continuous. |

+| Supported OS types | Windows |

+| Fault type | Continuous. |

+| Fault type | Continuous. |

+| Fault type | Continuous. |

+| Fault type | Continuous. |

+| Capability name | SecurityRule-1.0, SecurityRule-1.1 |

+| Urn | urn:csci:microsoft:networkSecurityGroup:securityRule/1.0, urn:csci:microsoft:networkSecurityGroup:securityRule/1.1 |

+| Fault type | Continuous. |

+| Fault type | Continuous. |

+| Fault type | Continuous. |

+| Fault type | Continuous. |

+Your cloud services are impacted by this retirement if the `osFamily` column in the script output contains a `2`, `3`, `4`, or is empty. If empty, the default `osFamily` attribute will point to `osFamily` `5`.

+The announcement of the retirement of Azure Guest OS Families 2, 3, and 4, effective March 2025, pertains specifically to the operating systems within these families. This retirement doesn't extend the overall support timeline for Azure Cloud Services (classic) beyond the scheduled deprecation in August 2024. [Cloud Services Extended Support](../cloud-services-extended-support/overview.md) continues support with Guest OS Families 5 and newer.

+az extension add --name containerapp --upgrade --yes

+az extension add --name connectedk8s --upgrade --yes

+az extension add --name containerapp --upgrade --yes

+az extension add --name containerapp --upgrade --yes

+> If the outbound connection to the internet is blocked in the delegated subnet, you must add a [service endpoint](../virtual-network/virtual-network-service-endpoints-overview.md) to Azure Strorage on your delegated subnet.

+* [Create a notebook](nosql/tutorial-create-notebook-vscode.md) and analyze your data.

+At the moment the [Mongo shell](https://devblogs.microsoft.com/cosmosdb/preview-native-mongo-shell/) and [Cassandra shell](https://devblogs.microsoft.com/cosmosdb/announcing-native-cassandra-shell-preview/) integrations in the Azure Cosmos DB Data Explorer aren't supported with VNET access. This integration is currently in active development.

+> Setting the _numLists_ parameter correctly is important for achieving good accuracy and performance. We recommend that `numLists` is set to `documentCount/1000` for up to 1 million documents and to `sqrt(documentCount)` for more than 1 million documents.

+## Role-based access requirements

+When using Microsoft Entra ID as authentication mechanism, make sure the identity has the proper [permissions](../how-to-setup-rbac.md#permission-model):

+* On the monitored container:

+ * `Microsoft.DocumentDB/databaseAccounts/readMetadata`

+ * `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed`

+* On the lease container:

+ * `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read`

+ * `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create`

+ * `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/replace`

+ * `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/delete`

+ * `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/executeQuery`

+* `Pipelined`: The time spent writing the request into the TCP socket. Request can only be written on a TCP socket one at a time, a large value indicates a bottleneck on the TCP socket which is commonly associated with locked threads by the application code or large requests size.

+* `Transit time`: The time spent on the network after the request was written on the TCP socket. Compare this number to the `BELatencyInMs`. If `BELatencyInMs` is small, then the time was spent on the network, and not on the Azure Cosmos DB service. If the request failed with a timeout, it indicates how long the client waited without response, and the source is network latency.

+* `Received`: The time between the response was received and processed by the SDK. A large value is normally caused by a thread starvation or locked threads.

+* [Create a notebook](nosql/tutorial-create-notebook-vscode.md) and analyze your data.

+- [Defender for Cloud - Pre-Purchase](/azure/defender-for-cloud/prepurchase-plan?toc=/azure/cost-management-billing/reservations/toc.json)

+- [Synapse Analytics - Pre-Purchase](synapse-analytics-pre-purchase-plan.md)

+# Authentication info: SQL or Entra ID

+ "query": "SELECT * FROM MYTABLE",

+ "query": "SELECT * FROM MyTable",

+| storageIntegration | Specify the name of your storage integration that you created in the Snowflake. For the prerequisite steps of using the storage integration, see [Configuring a Snowflake storage integration](https://docs.snowflake.com/en/user-guide/data-load-azure-config#option-1-configuring-a-snowflake-storage-integration). | No |

+- When you specify `storageIntegration` in the source:

+ The sink data store is the Azure Blob Storage that you referred in the external stage in Snowflake. You need to complete the following steps before copying data:

+ 1. Create an [**Azure Blob Storage**](connector-azure-blob-storage.md) linked service for the sink Azure Blob Storage with any supported authentication types.

+

+ 2. Grant at least **Storage Blob Data Contributor** role to the Snowflake service principal in the sink Azure Blob Storage **Access Control (IAM)**.

+- When you don't specify `storageIntegration` in the source:

+

+ The **sink linked service** is [**Azure Blob storage**](connector-azure-blob-storage.md) with **shared access signature** authentication. If you want to directly copy data to Azure Data Lake Storage Gen2 in the following supported format, you can create an Azure Blob Storage linked service with SAS authentication against your Azure Data Lake Storage Gen2 account, to avoid using [staged copy from Snowflake](#staged-copy-from-snowflake).

+ "query": "SELECT * FROM MYTABLE",

+ },

+ "storageIntegration": "< Snowflake storage integration name >"

+- When you specify `storageIntegration` in the source, the interim staging Azure Blob Storage should be the one that you referred in the external stage in Snowflake. Ensure that you create an [Azure Blob Storage](connector-azure-blob-storage.md) linked service for it with any supported authentication, and grant at least **Storage Blob Data Contributor** role to the Snowflake service principal in the staging Azure Blob Storage **Access Control (IAM)**.

+- When you don't specify `storageIntegration` in the source, the staging Azure Blob Storage linked service must use shared access signature authentication, as required by the Snowflake COPY command. Make sure you grant proper access permission to Snowflake in the staging Azure Blob Storage. To learn more about this, see this [article](https://docs.snowflake.com/en/user-guide/data-load-azure-config.html#option-2-generating-a-sas-token).

+ "query": "SELECT * FROM MyTable",

+ "type": "SnowflakeExportCopyCommand",

+ "storageIntegration": "< Snowflake storage integration name >"

+| storageIntegration | Specify the name of your storage integration that you created in the Snowflake. For the prerequisite steps of using the storage integration, see [Configuring a Snowflake storage integration](https://docs.snowflake.com/en/user-guide/data-load-azure-config#option-1-configuring-a-snowflake-storage-integration). | No |

+- When you specify `storageIntegration` in the sink:

+ The source data store is the Azure Blob Storage that you referred in the external stage in Snowflake. You need to complete the following steps before copying data:

+ 1. Create an [**Azure Blob Storage**](connector-azure-blob-storage.md) linked service for the source Azure Blob Storage with any supported authentication types.

+ 2. Grant at least **Storage Blob Data Reader** role to the Snowflake service principal in the source Azure Blob Storage **Access Control (IAM)**.

+- When you don't specify `storageIntegration` in the sink:

+ The **source linked service** is [**Azure Blob storage**](connector-azure-blob-storage.md) with **shared access signature** authentication. If you want to directly copy data from Azure Data Lake Storage Gen2 in the following supported format, you can create an Azure Blob Storage linked service with SAS authentication against your Azure Data Lake Storage Gen2 account, to avoid using [staged copy to Snowflake](#staged-copy-to-snowflake).

+ },

+ "storageIntegration": "< Snowflake storage integration name >"

+- When you specify `storageIntegration` in the sink, the interim staging Azure Blob Storage should be the one that you referred in the external stage in Snowflake. Ensure that you create an [Azure Blob Storage](connector-azure-blob-storage.md) linked service for it with any supported authentication, and grant at least **Storage Blob Data Reader** role to the Snowflake service principal in the staging Azure Blob Storage **Access Control (IAM)**.

+- When you don't specify `storageIntegration` in the sink, the staging Azure Blob Storage linked service need to use shared access signature authentication as required by the Snowflake COPY command.

+ "type": "SnowflakeImportCopyCommand",

+ "storageIntegration": "< Snowflake storage integration name >"

+| path |Specify the path that you want to contain the staged data. If you don't provide a path, the service creates a container to store temporary data. |N/A |No (Yes when `storageIntegration` in Snowflake connector is specified) |

+Integrated Security: Azure Data Factory offers integrated security features such as Entra ID integration and role-based access control to control access to dataflows. This feature increases security in data processing and protects your data.

+<tr><td><b>Security</b></td><td>Connect to an Azure DevOps account in another Entra ID tenant</td><td>You can connect your Data Factory instance to an Azure DevOps account in a different Azure AD tenant for source control purposes.<br><a href="cross-tenant-connections-to-azure-devops.md">Learn more</a></td></tr>

+After creating the exemption, it can take up to 24 hours to take effect. After it takes effect:

+ Title: New and upcoming changes in recommendations and alerts

+<!-- Please don't adjust this next line without getting approval from the Defender for Cloud documentation team. It is necessary for proper RSS functionality. -->

+- This page is updated frequently with the latest recommendations and alerts in Defender for Cloud.

+> [!TIP]

+> Get notified when this page is updated by copying and pasting the following URL into your feed reader:

+>

+> `https://aka.ms/mdc/rss-recommendations-alerts`

+ - [Compute recommendations](recommendations-reference-compute.md)

+ - [Container recommendations](recommendations-reference-container.md)

+ - [Data recommendations](recommendations-reference-data.md)

+ - [DevOps recommendations](recommendations-reference-devops.md)

+ - [Identity and access recommendations](recommendations-reference-identity-access.md)

+ - [IoT recommendations](recommendations-reference-iot.md)

+ - [Networking recommendations](recommendations-reference-networking.md)

+ - [Deprecated recommendations](recommendations-reference-deprecated.md)

+ - [Security alerts](alerts-reference.md).

+| **Date** | **Type** | **State** | **Name** |

+| -- | | | |

+| June 28 | Recommendation | GA | [Azure DevOps repositories should require minimum two-reviewer approval for code pushes](recommendations-reference-devops.md#preview-azure-devops-repositories-should-require-minimum-two-reviewer-approval-for-code-pushes) |

+| June 28 | Recommendation | GA | [Azure DevOps repositories should not allow requestors to approve their own Pull Requests](recommendations-reference-devops.md#preview-azure-devops-repositories-should-not-allow-requestors-to-approve-their-own-pull-requests) |

+| June 28 | Recommendation | GA | [GitHub organizations should not make action secrets accessible to all repositories](recommendations-reference-devops.md#github-organizations-should-not-make-action-secrets-accessible-to-all repositories) |

+| June 27 | Alert | Deprecation | `Security incident detected suspicious source IP activity`<br><br/> Severity: Medium/High |

+| June 27 | Alert | Deprecation | `Security incident detected on multiple resources`<br><br/> Severity: Medium/High |

+| June 27 | Alert | Deprecation | `Security incident detected compromised machine`<br><br/> Severity: Medium/High |

+| June 27 | Alert | Deprecation | `Security incident detected suspicious virtual machines activity`<br><br/> Severity: Medium/High |

+| May 30 | Recommendation | GA | [Linux virtual machines should enable Azure Disk Encryption (ADE) or EncryptionAtHost](recommendations-reference-compute.md#edr-solution-should-be-installed-on-virtual-machines). Assessment key a40cc620-e72c-fdf4-c554-c6ca2cd705c0 |

+| May 30 | Recommendation | GA | [Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost](recommendations-reference-compute.md#edr-solution-should-be-installed-on-virtual-machines). Assessment key 0cb5f317-a94b-6b80-7212-13a9cc8826af |

+| May 28 | Recommendation | GA | [Machine should be configured securely (powered by MDVM)](recommendations-reference-compute.md#machines-should-be-configured-securely) |

+| May 1 | Recommendation | Upcoming deprecation | [System updates should be installed on your machines](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/SystemUpdatesRecommendationDetailsWithRulesBlade/assessmentKey/4ab6e3c5-74dd-8b35-9ab9-f61b30875b27s).<br/><br/> Estimated deprecation: July 2024. |

+| May 1 | Recommendation | Upcoming deprecation | [System updates on virtual machine scale sets should be installed](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/bd20bd91-aaf1-7f14-b6e4-866de2f43146).<br/><br/> Estimated deprecation: July 2024. |

+| May 1 | Recommendation | Upcoming deprecation | [Log Analytics agent should be installed on Windows-based Azure Arc-enabled machines](recommendations-reference-compute.md#log-analytics-agent-should-be-installed-on-windows-based-azure-arc-enabled-machines)<br/><br/>Estimated deprecation: July 2024 |

+| May 1 | Recommendation | Upcoming deprecation | [Log Analytics agent should be installed on virtual machine scale sets](recommendations-reference-compute.md#log-analytics-agent-should-be-installed-on-virtual-machine-scale-sets)<br/><br/>Estimated deprecation: July 2024 |

+| May 1 | Recommendation | Upcoming deprecation | Auto provisioning of the Log Analytics agent should be enabled on subscriptions<br/><br/>Estimated deprecation: July 2024 |

+| May 1 | Recommendation | Upcoming deprecation | [Log Analytics agent should be installed on virtual machines](recommendations-reference-compute.md#log-analytics-agent-should-be-installed-on-virtual-machines)<br/><br/>Estimated deprecation: July 2024 |

+| May 1 | Recommendation | Upcoming deprecation | [Adaptive application controls for defining safe applications should be enabled on your machines](recommendations-reference-compute.md#adaptive-application-controls-for-defining-safe-applications-should-be-enabled-on-your-machines)<br/><br/>Estimated deprecation: July 2024 |

+| April 18 | Alert | Deprecation | `Fileless attack toolkit detected (VM_FilelessAttackToolkit.Windows)`<br/>`Fileless attack technique detected (VM_FilelessAttackTechnique.Windows)`<br/>`Fileless attack behavior detected (VM_FilelessAttackBehavior.Windows)`<br/>`Fileless Attack Toolkit Detected (VM_FilelessAttackToolkit.Linux)`<br/>`Fileless Attack Technique Detected (VM_FilelessAttackTechnique.Linux)`<br/>`Fileless Attack Behavior Detected (VM_FilelessAttackBehavior.Linux)`<br/><br/>Fileless attack alerts for Windows and Linux VMs will be discontinued. Instead, alerts will be generated by Defender for Endpoint. If you already have the Defender for Endpoint integration enabled in Defender for Servers, there's no action required on your part. In May 2024 you might experience a decrease in your alerts volume, but still remain protected. If you don't currently have integration enabled, enable it to maintain and improve alert coverage. All Defender for Server customers can access the full value of Defender for Endpoint's integration at no additional cost. [Learn more](enable-defender-for-endpoint.md). |

+| April 3 | Recommendation | Upcoming deprecation | [Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources](recommendations-reference-compute.md#virtual-machines-should-encrypt-temp-disks-caches-and-data-flows-between-compute-and-storage-resources)<br/><br/>Estimated deprecation date: May 2024. |

+| April 3 | Recommendation | Preview | [Container images in Azure registry should have vulnerability findings resolved (Preview)](recommendations-reference-container.md#preview-container-images-in-azure-registry-should-have-vulnerability-findings-resolved) |

+| April 3 | Recommendation | Preview | [Containers running in Azure should have vulnerability findings resolved (Preview)](recommendations-reference-container.md#preview-containers-running-in-azure-should-have-vulnerability-findings-resolved) |

+| April 3 | Recommendation | Preview | [Container images in AWS registry should have vulnerability findings resolved (Preview)](recommendations-reference-container.md#preview-container-images-in-aws-registry-should-have-vulnerability-findings-resolved) |

+| April 3 | Recommendation | Preview | [Containers running in AWS should have vulnerability findings resolved (Preview)](recommendations-reference-aws.md#preview-containers-running-in-aws-should-have-vulnerability-findings-resolved) |

+| April 3 | Recommendation | Preview | [Container images in GCP registry should have vulnerability findings resolved (Preview)](recommendations-reference-container.md#preview-container-images-in-gcp-registry-should-have-vulnerability-findings-resolved) |

+| April 3 | Recommendation | Preview | [Containers running in GCP should have vulnerability findings resolved (Preview)](recommendations-reference-container.md#preview-containers-running-in-gcp-should-have-vulnerability-findings-resolved) |

+| April 2 | Recommendation | Upcoming deprecation | [Virtual machines should be migrated to new Azure Resource Manager resources](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/12018f4f-3d10-999b-e4c4-86ec25be08a1)The.<br/><br/> There's no effect since these resources no longer exist. Estimated date: July 30, 2024 |

+| April 2 | Recommendation | Update | [Azure AI Services should restrict network access](recommendations-reference-ai.md#azure-ai-services-resources-should-restrict-network-access). |

+| April 2 | Recommendation | Update | [Azure AI Services should have key access disabled (disable local authentication)](recommendations-reference-ai.md#azure-ai-services-resources-should-have-key-access-disabled-disable-local-authentication). |

+| April 2 | Recommendation | Update | [Diagnostic logs in Azure AI services resources should be enabled](recommendations-reference-ai.md#diagnostic-logs-in-azure-ai-services-resources-should-be-enabled). |

+| April 2 | Recommendation | Deprecation | Public network access should be disabled for Cognitive Services accounts. |

+| April 2 | Recommendation | GA | [Azure registry container images should have vulnerabilities resolved](recommendations-reference-container.md#azure-registry-container-images-should-have-vulnerabilities-resolved-powered-by-microsoft-defender-vulnerability-management) |

+| April 2 | Recommendation | Deprecation | [Public network access should be disabled for Cognitive Services accounts](https://ms.portal.azure.com/?feature.msaljs=true#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/684a5b6d-a270-61ce-306e-5cea400dc3a7) |

+| April 2 | Recommendation | GA | [Azure running container images should have vulnerabilities resolved](recommendations-reference-container.md#azure-running-container-images-should-have-vulnerabilities-resolved-powered-by-microsoft-defender-vulnerability-management) |

+| April 2 | Recommendation | GA | [AWS registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)](recommendations-reference-container.md#preview-container-images-in-aws-registry-should-have-vulnerability-findings-resolved) |

+| April 2 | Recommendation | GA | [AWS running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)](recommendations-reference-container.md#preview-containers-running-in-aws-should-have-vulnerability-findings-resolved) |

+| April 2 | Recommendation | GA | [GCP registry container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)](recommendations-reference-container.md#preview-container-images-in-gcp-registry-should-have-vulnerability-findings-resolved) |

+| April 2 | Recommendation | GA | [GCP running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)](recommendations-reference-container.md#preview-containers-running-in-gcp-should-have-vulnerability-findings-resolved) |

+| March 28 | Recommendation | Upcoming | Linux virtual machines should enable Azure Disk Encryption or EncryptionAtHost (assessment key a40cc620-e72c-fdf4-c554-c6ca2cd705c0) |

+| March 28 | Recommendation | Upcoming | Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost (assessment key 0cb5f317-a94b-6b80-7212-13a9cc8826af)<br/><br/>Unified disk encryption recommendations will be available for GA in the Azure public cloud in April 2024, replacing the recommendation "Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources." |

+| March 18 | Recommendation | GA | [EDR solution should be installed on virtual machines](recommendations-reference-compute.md#edr-solution-should-be-installed-on-virtual-machines) |

+| March 18 | Recommendation | GA | [EDR configuration issues should be resolved on virtual machines](recommendations-reference-compute.md#edr-configuration-issues-should-be-resolved-on-virtual-machines) |

+| March 18 | Recommendation | GA | [EDR configuration issues should be resolved on EC2s](recommendations-reference-compute.md#edr-configuration-issues-should-be-resolved-on-ec2s) |

+| March 18 | Recommendation | GA | [EDR solution should be installed on EC2s] |

+| March 18 | Recommendation | GA | [EDR configuration issues should be resolved on GCP virtual machines](recommendations-reference-compute.md#edr-configuration-issues-should-be-resolved-on-gcp-virtual-machines) |

+| March 18 | Recommendation | GA | [EDR solution should be installed on GCP virtual machines](recommendations-reference-compute.md#edr-solution-should-be-installed-on-gcp-virtual-machines) |

+| End March | Recommendation | Deprecation | [Endpoint protection should be installed on machines](recommendations-reference-deprecated.md#endpoint-protection-should-be-installed-on-machines) . |

+| End March | Recommendation | Deprecation | [Endpoint protection health issues on machines should be resolved](recommendations-reference-deprecated.md#endpoint-protection-health-issues-on-machines-should-be-resolved) |

+| March 5 | Recommendation | Deprecation | Over-provisioned identities in accounts should be investigated to reduce the Permission Creep Index (PCI) |

+| March 5 | Recommendation | Deprecation | Over-provisioned identities in subscriptions should be investigated to reduce the Permission Creep Index (PCI) |

+| February 20 | Recommendation | Upcoming | [Azure AI Services resources should restrict network access](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/f738efb8-005f-680d-3d43-b3db762d6243) |

+| February 20 | Recommendation | Upcoming | [Azure AI Services resources should have key access disabled (disable local authentication)](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/13b10b36-aa99-4db6-b00c-dcf87c4761e6) |

+| February 12 | Recommendation | Deprecation | [`Public network access should be disabled for Cognitive Services accounts`](https://ms.portal.azure.com/?feature.msaljs=true#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/684a5b6d-a270-61ce-306e-5cea400dc3a7). Estimated deprecation: March 14 2024 |

+| February 8 | Recommendation | Preview | [(Preview) Azure Stack HCI servers should meet secured-core requirements](recommendations-reference-compute.md#preview-azure-stack-hci-servers-should-meet-secured-core-requirements) |

+| February 8 | Recommendation | Preview | [(Preview) Azure Stack HCI servers should have consistently enforced application control policies](recommendations-reference-compute.md#preview-azure-stack-hci-servers-should-have-consistently-enforced-application-control-policies) |

+| February 8 | Recommendation | Preview | [(Preview) Azure Stack HCI systems should have encrypted volumes](recommendations-reference-compute.md#preview-azure-stack-hci-systems-should-have-encrypted-volumes) |

+| February 8 | Recommendation | Preview | [(Preview) Host and VM networking should be protected on Azure Stack HCI systems](recommendations-reference-compute.md#preview-host-and-vm-networking-should-be-protected-on-azure-stack-hci-systems) |

+| February 1 | Recommendation | Upcoming | EDR solution should be installed on virtual machines<br/>EDR configuration issues should be resolved on virtual machines<br/>EDR solution should be installed on EC2s<br/>EDR configuration issues should be resolved on EC2s<br/>EDR configuration issues should be resolved on GCP virtual machines<br/>EDR solution should be installed on GCP virtual machines. |

+| January 25 | Alert (Container) | Deprecation | `Anomalous pod deployment (Preview) (K8S_AnomalousPodDeployment)` |

+| January 25 | Alert (Container) | Deprecation | `Excessive role permissions assigned in Kubernetes cluster (Preview) (K8S_ServiceAcountPermissionAnomaly)` |

+| January 25 | Alert (Container) | Deprecation | `Anomalous access to Kubernetes secret (Preview) (K8S_AnomalousSecretAccess)` |

+| January 25 | Alert (Windows machines) | Update to informational | `Adaptive application control policy violation was audited (VM_AdaptiveApplicationControlWindowsViolationAudited)` |

+| January 25 | Alert (Windows machines) | Update to informational | `Adaptive application control policy violation was audited (VM_AdaptiveApplicationControlLinuxViolationAudited)` |

+| January 25 | Alert (Container) | Update to informational | `Attempt to create a new Linux namespace from a container detected (K8S.NODE_NamespaceCreation)` |

+| January 25 | Alert (Container) | Update to informational | `Attempt to stop apt-daily-upgrade.timer service detected (K8S.NODE_TimerServiceDisabled)` |

+| January 25 | Alert (Container) | Update to informational | `Command within a container running with high privileges (K8S.NODE_PrivilegedExecutionInContainer)` |

+| January 25 | Alert (Container) | Update to informational | `Container running in privileged mode (K8S.NODE_PrivilegedContainerArtifacts)` |

+| January 25 | Alert (Container) | Update to informational | `Container with a sensitive volume mount detected (K8S_SensitiveMount)` |

+| January 25 | Alert (Container) | Update to informational | `Creation of admission webhook configuration detected (K8S_AdmissionController)` |

+| January 25 | Alert (Container) | Update to informational | `Detected suspicious file download (K8S.NODE_SuspectDownloadArtifacts)` |

+| January 25 | Alert (Container) | Update to informational | `Docker build operation detected on a Kubernetes node (K8S.NODE_ImageBuildOnNode)` |

+| January 25 | Alert (Container) | Update to informational | `New container in the kube-system namespace detected (K8S_KubeSystemContainer)` |

+| January 25 | Alert (Container) | Update to informational | `New high privileges role detected (K8S_HighPrivilegesRole)` |

+| January 25 | Alert (Container) | Update to informational | `Privileged container detected (K8S_PrivilegedContainer)` |

+| January 25 | Alert (Container) | Update to informational | `Process seen accessing the SSH authorized keys file in an unusual way (K8S.NODE_SshKeyAccess)` |

+| January 25 | Alert (Container) | Update to informational | `Role binding to the cluster-admin role detected (K8S_ClusterAdminBinding)` |

+| January 25 | Alert (Container) | Update to informational | `SSH server is running inside a container (K8S.NODE_ContainerSSH)` |

+| January 25 | Alert (DNS) | Update to informational | `Communication with suspicious algorithmically generated domain (AzureDNS_DomainGenerationAlgorithm)` |

+| January 25 | Alert (DNS) | Update to informational | `Communication with suspicious algorithmically generated domain (DNS_DomainGenerationAlgorithm)` |

+| January 25 | Alert (DNS) | Update to informational | `Communication with suspicious random domain name (Preview) (DNS_RandomizedDomain)` |

+| January 25 | Alert (DNS) | Update to informational | `Communication with suspicious random domain name (AzureDNS_RandomizedDomain)` |

+| January 25 | Alert (DNS) | Update to informational | `Communication with possible phishing domain (AzureDNS_PhishingDomain)` |

+| January 25 | Alert (DNS) | Update to informational | `Communication with possible phishing domain (Preview) (DNS_PhishingDomain)` |

+| January 25 | Alert (Azure App Service) | Update to informational | `NMap scanning detected (AppServices_Nmap)` |

+| January 25 | Alert (Azure App Service) | Update to informational | `Suspicious User Agent detected (AppServices_UserAgentInjection)` |

+| January 25 | Alert (Azure network layer) | Update to informational | `Possible incoming SMTP brute force attempts detected (Generic_Incoming_BF_OneToOne)` |

+| January 25 | Alert (Azure network layer) | Update to informational | `Traffic detected from IP addresses recommended for blocking (Network_TrafficFromUnrecommendedIP)` |

+| January 25 | Alert (Azure Resource Manager) | Update to informational | `Privileged custom role created for your subscription in a suspicious way (Preview)(ARM_PrivilegedRoleDefinitionCreation)` |

+| January 4 | Recommendation | Preview | [Cognitive Services accounts should have local authentication methods disabled](recommendations-reference-data.md#cognitive-services-accounts-should-have-local-authentication-methods-disabled)<br/> Microsoft Cloud Security Benchmark |

+| January 4 | Recommendation preview | [Cognitive Services should use private link](recommendations-reference-data.md#cognitive-services-should-use-private-link)<br/> Microsoft Cloud Security Benchmark | |

+| January 4 | Recommendation | Preview | [Virtual machines and virtual machine scale sets should have encryption at host enabled](recommendations-reference-compute.md#virtual-machines-and-virtual-machine-scale-sets-should-have-encryption-at-host-enabled)<br/> Microsoft Cloud Security Benchmark |

+| January 4 | Recommendation | Preview | [Azure Cosmos DB should disable public network access](recommendations-reference-data.md#azure-cosmos-db-should-disable-public-network-access)<br/> Microsoft Cloud Security Benchmark |

+| January 4 | Recommendation | Preview | [Cosmos DB accounts should use private link](recommendations-reference-data.md#cosmos-db-accounts-should-use-private-link)<br/> Microsoft Cloud Security Benchmark |

+| January 4 | Recommendation | Preview | VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users<br/> Microsoft Cloud Security Benchmark |

+| January 4 | Recommendation | Preview | [Azure SQL Database should be running TLS version 1.2 or newer](recommendations-reference-data.md#azure-sql-database-should-be-running-tls-version-12-or-newer)<br/> Microsoft Cloud Security Benchmark |

+| January 4 | Recommendation | Preview | [Azure SQL Managed Instances should disable public network access](recommendations-reference-data.md#azure-sql-managed-instances-should-disable-public-network-access)<br/> Microsoft Cloud Security Benchmark |

+| January 4 | Recommendation | Preview | [Storage accounts should prevent shared key access](recommendations-reference-data.md#storage-accounts-should-prevent-shared-key-access)<br/> Microsoft Cloud Security Benchmark |

+| December 14 | Recommendation | Preview | [Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)](recommendations-reference-container.md#azure-registry-container-images-should-have-vulnerabilities-resolved-powered-by-microsoft-defender-vulnerability-management)<br/><br/>Vulnerability assessment for Linux container images with Microsoft Defender Vulnerability Management. |

+| December 14 | Recommendation | GA | [Azure running container images should have vulnerability findings resolved (powered by Microsoft Defender Vulnerability Management)](recommendations-reference-container.md#azure-running-container-images-should-have-vulnerabilities-resolved-powered-by-microsoft-defender-vulnerability-management)<br/><br/> Vulnerability assessment for Linux container images with Microsoft Defender Vulnerability Management. |

+| December 14 | Recommendation | Rename | **New**: [Azure registry container images should have vulnerabilities resolved (powered by Qualys)](recommendations-reference-container.md#azure-registry-container-images-should-have-vulnerabilities-resolved-powered-by-qualys). Vulnerability assessment for container images using Qualys.<br/>**Old**: Container registry images should have vulnerability findings resolved (powered by Qualys) |

+| December 14 | Recommendation | Rename | **New**: [Azure running container images should have vulnerabilities resolved - (powered by Qualys)](recommendations-reference-container.md#azure-running-container-images-should-have-vulnerabilities-resolvedpowered-by-qualys)<br/><br/> Vulnerability assessment for container images using Qualys.<br/>**Old**: Running container images should have vulnerability findings resolved (powered by Qualys) |

+| December 4 | Alert | Preview | `Malicious blob was downloaded from a storage account (Preview)`<br/><br/> MITRE tactics: Lateral movement |

+## Related content

+<!-- Please don't adjust this next line without getting approval from the Defender for Cloud documentation team. It is necessary for proper RSS functionality. -->

+- This page is updated frequently with the latest updates in Defender for Cloud.

+- Find the latest information about security recommendations and alerts in [What's new in recommendations and alerts](release-notes-recommendations-alerts.md).

+## July 2024

+| July 10 | GA | [Compliance standards are now GA](#compliance-standards-are-now-ga) |

+| July 9 | Upcoming update | [Inventory experience improvement](#inventory-experience-improvement) |

+### Compliance standards are now GA

+July 10, 2024

+In March, we added preview versions of many new compliance standards for customers to validate their AWS and GCP resources against.

+Those standards included CIS Google Kubernetes Engine (GKE) Benchmark, ISO/IEC 27001 and ISO/IEC 27002, CRI Profile, CSA Cloud Controls Matrix (CCM), Brazilian General Personal Data Protection Law (LGPD), California Consumer Privacy Act (CCPA), and more.

+Those preview standards are now generally available (GA).

+Check out the [full list of supported compliance standards](concept-regulatory-compliance-standards.md#available-compliance-standards)

+### Inventory experience improvement

+**Estimated date for change**: July 11, 2024

+**Estimated date for change**: August 12, 2024

+With DevOps security capabilities in Microsoft Defender Cloud Security Posture Management (CSPM), you can map your cloud-native applications from code to cloud to easily kick off developer remediation workflows and reduce the time to remediation of vulnerabilities in your container images. Currently, you must manually configure the container image mapping tool to run in the Microsoft Security DevOps action in GitHub. With this change, container mapping will run by default as part of the Microsoft Security DevOps action. [Learn more about the Microsoft Security DevOps action](https://github.com/microsoft/security-devops-action/blob/main/README.md#advanced).

+|Date | Category | Update |

+### GA: Checkov IaC Scanning in Defender for Cloud

+We are announcing the general availability of the Checkov integration for Infrastructure-as-Code (IaC) scanning through [MSDO](azure-devops-extension.yml). As part of this release, Checkov will replace TerraScan as a default IaC analyzer that runs as part of the MSDO CLI. TerraScan may still be configured manually through MSDO's [environment variables](https://github.com/microsoft/security-devops-azdevops/wiki) but will not run by default.

+Security findings from Checkov present as recommendations for both Azure DevOps and GitHub repositories under the assessments "Azure DevOps repositories should have infrastructure as code findings resolved" and "GitHub repositories should have infrastructure as code findings resolved".

+**Estimated date for change**: August, 2024

+**Estimated date for change**: July 10, 2024

+Originally, SQL Vulnerability Assessment (VA) with Express Configuration was only automatically enabled on servers where Microsoft Defender for SQL was activated after the introduction of Express Configuration in December 2022.

+**Estimated date for change**: July 2024

+Will be applied to the following recommendations:

+| May 21 | Update |[Advanced hunting in Microsoft Defender XDR includes Defender for Cloud alerts and incidents](#update-advanced-hunting-in-microsoft-defender-xdr-includes-defender-for-cloud-alerts-and-incidents) |

+| May 7 | GA | [Permissions management in Defender for Cloud](#ga-permissions-management-in-defender-for-cloud) |

+| May 6 | Limited preview | [Threat protection for AI workloads in Azure](#limited-preview-threat-protection-for-ai-workloads-in-azure). |

+### Preview: Checkov integration for IaC scanning in Defender for Cloud

+### Preview: AI multicloud security posture management

+### GA: Security policy management

+### Preview: Defender for open-source databases available in AWS

+### Deprecation: Removal of FIM (with AMA)

+**Estimated date for change**: August 2024

+**Estimated date for change**: May 2024

+Runtime threat detection and agentless discovery for AWS and GCP in Defender for Containers are now generally available. In addition, there's a new authentication capability in AWS which simplifies provisioning.

+### Update: Risk prioritization

+- Updates for Azure Database for MySQL flexible servers are rolling out over the next few weeks. If you see the error `The server <servername> is not compatible with Advanced Threat Protection`, you can either wait for the update, or open a support ticket to update the server sooner to a supported version.

+| March 13 | Update |[Inclusion of DevOps recommendations in the Microsoft cloud security benchmark](#update-inclusion-of-devops-recommendations-in-the-microsoft-cloud-security-benchmark) |

+### GA: Windows container images scanning

+### Preview: Custom recommendations based on KQL for Azure

+### GA: ServiceNow integration is now generally available

+**Estimated date for change**: April, 2024

+**Estimated date for change**: September 30, 2025

+**Estimated date for change**: September 2025

+**Estimated date for change**: March 6, 2024

+* For Azure Maps: Follow the instructions in [Use Creator to create indoor maps](../azure-maps/tutorial-creator-indoor-maps.md) and create an Azure Maps indoor map with a *feature stateset*.

+ * Feature statesets are collections of dynamic properties (states) assigned to dataset features such as rooms or equipment. In the Azure Maps instructions above, the feature stateset stores room status that you'll be displaying on a map.

+You'll need to set two environment variables in your function app. One is your [Azure Maps primary subscription key](../azure-maps/quick-demo-map-app.md#get-the-subscription-key-for-your-account), and one is your Azure Maps stateset ID.

+ Title: Details of Azure Policy definition structure basics

+description: Describes how Azure Policy definition basics are used to establish conventions for Azure resources in your organization.

+- `Static`: Indicates a [Regulatory Compliance](./regulatory-compliance.md) policy definition with Microsoft **Ownership**. The compliance results for these policy definitions are the results of non-Microsoft audits of Microsoft infrastructure. In the Azure portal, this value is sometimes displayed as **Microsoft managed**. For more information, see [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md).

+- `Microsoft.Kubernetes.Data` for managing Kubernetes clusters and components such as pods, containers, and ingresses. Supported for Azure Kubernetes Service clusters and [Azure Arc-enabled Kubernetes clusters](../../../aks/what-is-aks.md). Definitions using this Resource Provider mode use the effects _audit_, _deny_, and _disabled_.

+> Unless explicitly stated, Resource Provider modes only support built-in policy definitions, and exemptions are not supported at the component-level.

+Built-in policy definitions can host multiple versions with the same `definitionID`. If no version number is specified, all experiences will show the latest version of the definition. To see a specific version of a built-in, it must be specified in API, SDK or UI. To reference a specific version of a definition within an assignment, see [definition version within assignment](../concepts/assignment-structure.md#policy-definition-id-and-version-preview)

+The Azure Policy service uses `version`, `preview`, and `deprecated` properties to convey level of change to a built-in policy definition or initiative and state. The format of `version` is: `{Major}.{Minor}.{Patch}`. Specific states, such as _deprecated_ or _preview_, are appended to the `version` property or in another property as a **boolean**.

+For more information about Azure Policy versions built-ins, see [Built-in versioning](https://github.com/Azure/azure-policy/blob/master/built-in-policies/README.md). To learn more about what it means for a policy to be _deprecated_ or in _preview_, see [Preview and deprecated policies](https://github.com/Azure/azure-policy/blob/master/built-in-policies/README.md#preview-and-deprecated-policies).

+- Review [Understanding policy effects](effect-basics.md).

+> [!NOTE]

+> Azure storage team has discontinued all active developments on WASB and recommend all customers to use the ABFS driver to interact with Blob and ADLS gen2. For more information, see [The Azure Blob Filesystem driver (ABFS): A dedicated Azure Storage driver for Hadoop](/azure/storage/blobs/data-lake-storage-abfs-driver)

+> Using an additional storage account in a different location other than the HDInsight cluster is not supported.

+This page lists all the versions of HDInsight that are retired and/or out of support. If youΓÇÖre currently on one of the versions mentioned on this page, we recommend that you immediately migrate to the latest version. If you choose not to migrate and continue using any of the following versions, be aware of the following terms and risks associated with your continued usage of retired and unsupported software:ΓÇ» ΓÇï

+- As a retired and out of support version of an Azure service, HDInsight hasn't been shipping and won’t ship any updates or security patches to these versions. Some of the OSS components in these versions haven’t been updated for several years.   ​

+- By continuing to use these versions, there are security risks that may lead to vulnerabilities, system instability, and potential data loss for you and your customers.ΓÇ» ΓÇï

+- HDInsight wonΓÇÖt be able to provide support or help if a security compromise occurs, as we don't have pipelines and patching mechanisms for these versions.ΓÇ» ΓÇï

+- If there are any operational issues, HDInsight wonΓÇÖt be able to provide support for root cause analysis, investigation of failures, or performance degradation/issues.ΓÇ» ΓÇï

+- There's no guarantee that all the existing functionality of your clusters continues to work as-is, because underlying dependencies determine the availability of the existing features in these versions. If there's a breaking change due to these dependencies, there's no way to recover the impacted clusters.ΓÇ» ΓÇï

+- The new service capabilities developed by HDInsight wonΓÇÖt be applicable to these versions.ΓÇ» ΓÇï

+- In the extreme event of a serious security threat to the service caused by the outdated version you're using, HDInsight might choose to stop or delete your clusters immediately to secure the service. In such cases, there's no way to recover the impacted HDInsight clusters, but your data in Azure storage and BYO Azure SQL DBs aren't deleted and can be utilized to migrate to the latest HDInsight version.ΓÇ» ΓÇï

+## Call to action

+To maintain the security posture,ΓÇ» migrate to [HDInsight 5.1](./hdinsight-5x-component-versioning.md#open-source-components-available-with-hdinsight-5x), which is Generally Available since November 1, 2023. This release contains all theΓÇ»[latest versions of supported software](./hdinsight-5x-component-versioning.md) along with significant improvements on the security patches on open-source components.ΓÇ» ΓÇï

+ Title: MSI Support to Access Azure services

+description: Learn how to provide MSI Support to Access Azure services.

+# MSI Support to access Azure services

+Presently in Azure HDInsight non-ESP cluster, User Job accessing Azure resources like SqlDB, Cosmos DB, EH, KV, Kusto either using username and password or using MSI certificate key. This isn't in line with Microsoft security guidelines.

+This article explains the HDInsight interface and code details to fetch OAuth tokens in a non-ESP cluster.

+## Prerequisites

+* This feature is available in the latest HDInsight-5.1, 5.0, and 4.0 versions. Make sure you recreated or installed this cluster versions.

+* HDInsight Cluster must be with ADL-Gen2 storage as primary storage, which enables MSI based access for this storage. This same MSI used for all job resources access. Ensure the required IAM permissions given to this MSI to access Azure resources.

+* IMDS endpoint can't work for HDI worker nodes and the access tokens can be fetched using this HDInsight utility only.

+There are two Java client implementations provided to fetch the access token.

+* Option 1: HDInsight utility and API usage to fetch access token.

+* Option 2: HDInsight utility, TokenCredential Implementation to fetch Access Token.

+> [!NOTE]

+> By default, the Scope is ΓÇ£.defaultΓÇ¥. We will provide a mechanism in the utility API to pass the user supplied scope argument, in future.

+## How to download the utility jar from Maven Central

+Follow these steps to download client JARs from Maven Central.

+Downloading the JAR in a Maven Build from Maven Central directly.

+1. Add maven central as one of your repositories to resolve maven dependencies, ignore if already added.

+ Add the following code snippet to the `repositories` section of your pom.xml file:

+ ```

+ <repository>

+ <id>central</id>

+ <url>https://repo.maven.apache.org/maven2/</url>

+ <releases>

+ <enabled>true</enabled>

+ </releases>

+ <snapshots>

+ <enabled>true</enabled>

+ </snapshots>

+ </repository>

+ ```

+

+1. Following is the sample code snippet of HDInsight OAuth client utility library dependency, add the `dependency` section to your pom.xml

+```

+<dependency>

+ <groupId>com.microsoft.azure.hdinsight</groupId>

+ <artifactId>hdi-oauth-token-utils</artifactId>

+ <version>1.0.0</version>

+</dependency>

+```

+> [!IMPORTANT]

+>

+> Make sure the following items are in the class path.

+> - Hadoop's `core-site.xml`

+> - All the client jars from this cluster location `/usr/hdp/<hdi-version>/hadoop/client/*`

+> - `azure-core-1.49.0.jar, okhttp3-4.9.3` and its transitive dependent jars.

+### Structure of access token

+Access token structure as follows.

+```

+package com.azure.core.credential;

+import java.time.OffsetDateTime;

+

+/** Represents an immutable access token with a token string and an expiration time

+* in date format. By default, 24hrs is the expiration time out.

+*/

+public class AccessToken {

+

+ public String getToken();

+ public OffsetDateTime getExpiresAt();

+}

+```

+## Option 1 - HDInsight utility and API usage to fetch access token

+Implemented a convenient java utility class to fetch MSI access token by providing target resource URI, which can be EH, KV, Kusto, SqlDB, Cosmos DB etc.

+### How to use the API

+To fetch the token, you can invoke the API in your job application code.

+```

+import com.microsoft.azure.hdinsight.oauthtoken.utils.HdiIdentityTokenServiceUtils;

+import com.azure.core.credential.AccessToken;

+// uri can be EH, Kusto etc.

+// By default, the Scope is ΓÇ£.defaultΓÇ¥.

+// We will provide a mechanism to take user supplied scope, in future.

+String msiResourceUri = https://vault.azure.net/;

+HdiIdentityTokenServiceUtils tokenUtils = new HdiIdentityTokenServiceUtils();

+AccessToken token = tokenUtils.getAccessToken(msiResourceUri);

+```

+## Option 2 - HDInsight Utility, TokenCredential implementation to fetch access token

+Provided `HdiIdentityTokenCredential` feature java class, which is the standard implementation of `com.azure.core.credential.TokenCredential` interface.

+> [!NOTE]

+> The HdiIdentityTokenCredential class can be used with various Azure SDK client libraries to authenticate requests and access Azure services without manual access token management.

+### Examples

+Following are the HDInsight oauth utility examples, which can be used in job applications to fetch access tokens for the given target resource uri:

+**If the client is a Key Vault**

+For Azure Key Vault, the SecretClient instance uses a TokenCredential to authenticate and fetch the access token:

+```

+import com.azure.core.credential.TokenCredential;

+import com.azure.security.keyvault.secrets.SecretClient;

+import com.azure.security.keyvault.secrets.SecretClientBuilder;

+import com.microsoft.azure.hdinsight.oauthtoken.credential.HdiIdentityTokenCredential;

+// Replace <resource-uri> with your Key Vault URI.

+TokenCredential hdiTokenCredential = new HdiIdentityTokenCredential("<resource-uri>");

+

+// Create a SecretClient to call the service.

+SecretClient secretClient = new SecretClientBuilder()

+ .vaultUrl("<your-key-vault-url>") // Replace with your Key Vault URL.

+ .credential(hdiTokenCredential) // Add HDI identity token credential.

+ .buildClient();

+// Retrieve a secret from the Key Vault.

+// Replace with your secret name.

+KeyVaultSecret secret = secretClient.getSecret("<your-secret-name>");

+```

+**If the client is a Event Hub**

+Example of Azure Event Hubs, which doesn't directly fetch an access token. It uses a TokenCredential to authenticate, and this credential handles fetching the access token.

+```

+import com.azure.messaging.eventhubs.EventHubClientBuilder;

+import com.azure.messaging.eventhubs.EventHubProducerClient;

+import com.azure.core.credential.TokenCredential;

+import com.microsoft.azure.hdinsight.oauthtoken.credential.HdiIdentityTokenCredential;

+HdiIdentityTokenCredential hdiTokenCredential = new HdiIdentityTokenCredential("https://eventhubs.azure.net");

+// Create a producer client

+EventHubProducerClient producer = new EventHubClientBuilder()

+ .credential("<fully-qualified-namespace>", "<event-hub-name>", hdiTokenCredential)

+ .buildProducerClient();

+

+// Use the producer client ....

+```

+**If the client is a MySql Database**

+Example of Azure Sql Database, which doesn't directly fetch an access token.

+Connect using access token callback: The following example demonstrates implementing and setting the accessToken callback

+```

+ package com.microsoft.azure.hdinsight.oauthtoken;

+

+ import com.azure.core.credential.AccessToken;

+ import com.microsoft.azure.hdinsight.oauthtoken.utils.HdiIdentityTokenServiceUtils;

+ import com.microsoft.sqlserver.jdbc.SQLServerAccessTokenCallback;

+ import com.microsoft.sqlserver.jdbc.SqlAuthenticationToken;

+

+ public class HdiSQLAccessTokenCallback implements SQLServerAccessTokenCallback {

+

+ @Override

+ public SqlAuthenticationToken getAccessToken(String spn, String stsurl) {

+ try {

+ HdiIdentityTokenServiceUtils provider = new HdiIdentityTokenServiceUtils();

+ AccessToken token = provider.getAccessToken("https://database.windows.net/";);

+ return new SqlAuthenticationToken(token.getToken(), token.getExpiresAt().getTime());

+ } catch (Exception e) {

+ // handle exception...

+ return null;

+ }

+ }

+ }

+

+

+

+ package com.microsoft.azure.hdinsight.oauthtoken;

+

+ import java.sql.DriverManager;

+

+ public class HdiTokenClassBasedConnectionWithDriver {

+

+ public static void main(String[] args) throws Exception {

+

+ // Below is the sample code to use hdi sql callback.

+ // Replaces <dbserver> with your server name and replaces <dbname> with your db name.

+ String connectionUrl = "jdbc:sqlserver://<dbserver>.database.windows.net;"

+ + "database=<dbname>;"

+ + "accessTokenCallbackClass=com.microsoft.azure.hdinsight.oauthtoken.HdiSQLAccessTokenCallback;"

+ + "encrypt=true;"

+ + "trustServerCertificate=false;"

+ + "loginTimeout=30;";

+

+ DriverManager.getConnection(connectionUrl);

+

+ }

+

+ }

+

+ package com.microsoft.azure.hdinsight.oauthtoken;

+

+ import com.microsoft.azure.hdinsight.oauthtoken.HdiSQLAccessTokenCallback;

+ import com.microsoft.sqlserver.jdbc.SQLServerDataSource;

+ import java.sql.Connection;

+

+ public class HdiTokenClassBasedConnectionWithDS {

+

+ public static void main(String[] args) throws Exception {

+

+ HdiSQLAccessTokenCallback callback = new HdiSQLAccessTokenCallback();

+

+ SQLServerDataSource ds = new SQLServerDataSource();

+ ds.setServerName("<db-server>"); // Replaces <db-server> with your server name.

+ ds.setDatabaseName("<dbname>"); // Replace <dbname> with your database name.

+ ds.setAccessTokenCallback(callback);

+

+ ds.getConnection();

+ }

+ }

+```

+

+**If the client is a Kusto**

+Example of Azure Sql Database, which doesn't directly fetch an access token.

+Connect using tokenproviderCallback:

+The following example demonstrates accessToken callback provider,

+```

+public void createConnection () {

+ final String clusterUrl = "https://xyz.eastus.kusto.windows.net";

+ ConnectionStringBuilder conStrBuilder = ConnectionStringBuilder.createWithAadTokenProviderAuthentication(clusterUrl, new Callable<String>() {

+ public String call() throws Exception {

+ // Call HDI util class with scope. This returns the AT and from that get token string and return.

+ // AccessToken contains expiry time and user can cache the token once acquired and call for a new one

+ // if it is about to expire (Say, <= 30mins for expiry).

+ HdiIdentityTokenServiceUtils hdiUtil = new HdiIdentityTokenServiceUtils();

+ AccessToken token = hdiUtil.getAccessToken(clusterUrl);

+ return token.getToken();

+ }

+ });

+ }

+```

+**Connect using pre-fetched Access Token:**

+Fetches accesstoken explicitly and pass it as an option.

+```

+String targetResourceUri = "https://<my-kusto-cluster>";

+HdiIdentityTokenServiceUtils tokenUtils = new HdiIdentityTokenServiceUtils();

+AccessToken token = tokenUtils.getAccessToken(targetResourceUri);

+df.write

+ .format("com.microsoft.kusto.spark.datasource")

+ .option(KustoSinkOptions.KUSTO_CLUSTER, "MyCluster")

+ .option(KustoSinkOptions.KUSTO_DATABASE, "MyDatabase")

+ .option(KustoSinkOptions.KUSTO_TABLE, "MyTable")

+ .option(KustoSinkOptions.KUSTO_ACCESS_TOKEN, token.getToken())

+ .option(KustoOptions., "MyTable")

+ .mode(SaveMode.Append)

+ .save()

+```

+> [!NOTE]

+> HdiIdentityTokenCredential class can be used in combination with various Azure SDK client libraries to authenticate requests and access Azure services without the need to manage access tokens manually.

+### Troubleshooting

+Integrated **HdiIdentityTokenCredential** utility into the Spark job but hitting the following exception while accessing the token during runtime (Job execution).

+```

+User class threw exception: java.lang.NoSuchFieldError: Companion

+at okhttp3.internal.Util.<clinit>(Util.kt:70)

+at okhttp3.internal.concurrent.TaskRunner.<clinit>(TaskRunner.kt:309)

+at okhttp3.ConnectionPool.<init>(ConnectionPool.kt:41)

+at okhttp3.ConnectionPool.<init>(ConnectionPool.kt:47)

+at okhttp3.OkHttpClient$Builder.<init>(OkHttpClient.kt:471)

+at com.microsoft.azure.hdinsight.oauthtoken.utils.HdiIdentityTokenServiceUtils.getAccessToken(HdiIdentityTokenServiceUtils.java:142)

+at com.microsoft.azure.hdinsight.oauthtoken.credential.HdiIdentityTokenCredential.getTokenSync(HdiIdentityTokenCredential.java:83)

+```

+**Answer:**

+Following is the maven dependency tree of `hdi-oauth-util` library. User need to make sure that these jars are available at the runtime (in job container).

+```

+[INFO] +- com.azure:azure-core:jar:1.49.0:compile

+[INFO] | +- com.azure:azure-json:jar:1.1.0:compile

+[INFO] | +- com.azure:azure-xml:jar:1.0.0:compile

+[INFO] | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.5:compile

+[INFO] | +- com.fasterxml.jackson.core:jackson-core:jar:2.13.5:compile

+[INFO] | +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.5:compile

+[INFO] | \- io.projectreactor:reactor-core:jar:3.4.36:compile

+[INFO] | \- org.reactivestreams:reactive-streams:jar:1.0.4:compile

+[INFO] \- com.squareup.okhttp3:okhttp:jar:4.9.3:compile

+[INFO] +- com.squareup.okio:okio:jar:2.8.0:compile

+[INFO] | \- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.4.0:compile

+[INFO] \- org.jetbrains.kotlin:kotlin-stdlib:jar:1.4.10:compile

+```

+When you build the spark uber jar, user need to make sure these jars are shaded and included into the uber jar. Can refer the following plugins.

+```xml

+ <plugin>

+ <groupId>org.apache.maven.plugins</groupId>

+ <artifactId>maven-shade-plugin</artifactId>

+ <version>${maven.plugin.shade.version}</version>

+ <configuration>

+ <createDependencyReducedPom>false</createDependencyReducedPom>

+ <relocations>

+ <relocation>

+ <pattern>okio</pattern>

+ <shadedPattern>com.shaded.okio</shadedPattern>

+ </relocation>

+ <relocation>

+ <pattern>okhttp</pattern>

+ <shadedPattern>com.shaded.okhttp</shadedPattern>

+ </relocation>

+ <relocation>

+ <pattern>okhttp3</pattern>

+ <shadedPattern>com.shaded.okhttp3</shadedPattern>

+ </relocation>

+ <relocation>

+ <pattern>kotlin</pattern>

+ <shadedPattern>com.shaded.kotlin</shadedPattern>

+ </relocation>

+ <relocation>

+ <pattern>com.fasterxml.jackson</pattern>

+ <shadedPattern>com.shaded.com.fasterxml.jackson</shadedPattern>

+ </relocation>

+ <relocation>

+ <pattern>com.azure</pattern>

+ <shadedPattern>com.shaded.com.azure</shadedPattern>

+ </relocation>

+```

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+ :::image type="content" source="./media/create-connect-device/disable-device.png" alt-text="Screenshot that shows disabling a device in the Azure portal.":::

+ :::image type="content" source="./media/create-connect-device/delete-device.png" alt-text="Screenshot that shows deleting a device in the Azure portal.":::

+ Title: Create an Azure IoT hub

+description: How to create, manage, and delete Azure IoT hubs through the Azure portal, CLI, and PowerShell. Includes information about retrieving the service connection string.

+# Create and manage Azure IoT hubs

+This article describes how to create and manage an IoT hub.

+## Prerequisites

+Prepare the following prerequisites, depending on which tool you use.

+### [Azure portal](#tab/portal)

+* Access to the [Azure portal](https://portal.azure.com).

+### [Azure CLI](#tab/cli)

+* The Azure CLI installed on your development machine. If you don't have the Azure CLI, follow the steps to [Install the Azure CLI](/cli/azure/install-azure-cli).

+* A resource group in your Azure subscription. If you want to create a new resource group, use the [az group create](/cli/azure/group#az-group-create) command:

+ ```azurecli-interactive

+ az group create --name <RESOURCE_GROUP_NAME> --location <REGION>

+ ```

+### [Azure PowerShell](#tab/powershell)

+* Azure PowerShell installed on your development machine. If you don't have Azure PowerShell, follow the steps to [Install Azure PowerShell](/powershell/azure/install-azure-powershell).

+* A resource group in your Azure subscription. If you want to create a new resource group, use the [New-AzResourceGroup](/powershell/module/az.Resources/New-azResourceGroup) command:

+ ```azurepowershell-interactive

+ New-AzResourceGroup -Name <RESOURCE_GROUP_NAME> -Location "<REGION>"

+ ```

+## Create an IoT hub

+### [Azure portal](#tab/portal)

+### [Azure CLI](#tab/cli)

+Use the [az iot hub create](/cli/azure/iot/hub#az-iot-hub-create) command to create an IoT hub in your resource group, using a globally unique name for your IoT hub. For example:

+```azurecli-interactive

+az iot hub create --name <NEW_NAME_FOR_YOUR_IOT_HUB> --resource-group <RESOURCE_GROUP_NAME> --sku S1

+```

+The previous command creates an IoT hub in the S1 pricing tier. For more information, see [Azure IoT Hub pricing](https://azure.microsoft.com/pricing/details/iot-hub/).

+### [Azure PowerShell](#tab/powershell)

+Use the [New-AzIotHub](/powershell/module/az.IotHub/New-azIotHub) command to create an IoT hub in your resource group. The name of the IoT hub must be globally unique. For example:

+```azurepowershell-interactive

+New-AzIotHub `

+ -ResourceGroupName <RESOURCE_GROUP_NAME> `

+ -Name <NEW_NAME_FOR_YOUR_IOT_HUB> `

+ -SkuName S1 -Units 1 `

+ -Location "<REGION>"

+```

+The previous command creates an IoT hub in the S1 pricing tier. For more information, see [Azure IoT Hub pricing](https://azure.microsoft.com/pricing/details/iot-hub/).

+## Connect to an IoT hub

+Provide access permissions to applications and services that use IoT Hub functionality.

+### Connect with a connection string

+Connection strings are tokens that grant devices and services permissions to connect to IoT Hub based on shared access policies. Connection strings are an easy way to get started with IoT Hub, and are used in many samples and tutorials, but aren't recommended for production scenarios.

+For most sample scenarios, the **service** policy is sufficient. The service policy grants **Service Connect** permissions to access service endpoints. For more information about the other built-in shared access policies, see [IoT Hub permissions](./iot-hub-dev-guide-sas.md#access-control-and-permissions).

+To get the IoT Hub connection string for the **service** policy, follow these steps:

+#### [Azure portal](#tab/portal)

+1. In the [Azure portal](https://portal.azure.com), select **Resource groups**. Select the resource group where your hub is located, and then select your hub from the list of resources.

+1. On the left-side pane of your IoT hub, select **Shared access policies**.

+1. From the list of policies, select the **service** policy.

+1. Copy the **Primary connection string** and save the value.

+#### [Azure CLI](#tab/cli)

+Use the [az iot hub connection-string show](/cli/azure/iot/hub/connection-string#az-iot-hub-connection-string-show) command to get a connection string for your IoT hub that grants the service policy permissions:

+```azurecli-interactive

+az iot hub connection-string show --hub-name <YOUR_IOT_HUB_NAME> --policy-name service

+```

+The service connection string should look similar to the following example:

+```text

+"HostName=<IOT_HUB_NAME>.azure-devices.net;SharedAccessKeyName=service;SharedAccessKey=<SHARED_ACCESS_KEY>"

+```

+#### [Azure PowerShell](#tab/powershell)

+Use the [Get-AzIotHubConnectionString](/powershell/module/az.iothub/get-aziothubconnectionstring) command to get a connection string for your IoT hub that grants the service policy permissions.

+```azurepowershell-interactive

+Get-AzIotHubConnectionString -ResourceGroupName "<YOUR_RESOURCE_GROUP>" -Name "<YOUR_IOT_HUB_NAME>" -KeyName "service"

+```

+The service connection string should look similar to the following example:

+```text

+"HostName=<IOT_HUB_NAME>.azure-devices.net;SharedAccessKeyName=service;SharedAccessKey=<SHARED_ACCESS_KEY>"

+```

+### Connect with role assignments

+Authenticating access by using Microsoft Entra ID and controlling permissions by using Azure role-based access control (RBAC) provides improved security and ease of use over security tokens. To minimize potential security issues inherent in security tokens, we recommend that you enforce Microsoft Entra authentication whenever possible. For more information, see [Control access to IoT Hub by using Microsoft Entra ID](./authenticate-authorize-azure-ad.md).

+## Delete an IoT hub

+When you delete an IoT hub, you lose the associated device identity registry. If you want to move or upgrade an IoT hub, or delete an IoT hub but keep the devices, consider [migrating an IoT hub using the Azure CLI](./migrate-hub-state-cli.md).

+### [Azure portal](#tab/portal)

+To delete an IoT hub, open your IoT hub in the Azure portal, then choose **Delete**.

+### [Azure CLI](#tab/cli)

+To delete an IoT hub, run the [az iot hub delete](/cli/azure/iot/hub#az-iot-hub-delete) command:

+```azurecli-interactive

+az iot hub delete --name <IOT_HUB_NAME> --resource-group <RESOURCE_GROUP_NAME>

+```

+### [Azure PowerShell](#tab/powershell)

+To delete the IoT hub, use the [Remove-AzIotHub](/powershell/module/az.iothub/remove-aziothub) command.

+```azurepowershell-interactive

+Remove-AzIotHub `

+ -ResourceGroupName MyIoTRG1 `

+ -Name MyTestIoTHub

+```

+## Other tools for managing IoT hubs

+In addition to the Azure portal and CLI, the following tools are available to help you work with IoT hubs in whichever way supports your scenario:

+* **IoT Hub resource provider REST API**

+ Use the [IoT Hub Resource](/rest/api/iothub/iot-hub-resource) set of operations.

+* **Azure resource manager templates, Bicep, or Terraform**

+ Use the [Microsoft.Devices/IoTHubs](/azure/templates/microsoft.devices/iothubs) resource type. For examples, see [IoT Hub sample templates](/samples/browse/?terms=iot%20hub&languages=bicep%2Cjson).

+* **Visual Studio Code**

+ Use the [Azure IoT Hub extension for Visual Studio Code](./reference-iot-hub-extension.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+Have an IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An Azure IoT hub. If you don't have an IoT hub, you can use the [New-AzIoTHub cmdlet](/powershell/module/az.iothub/new-aziothub) to create one or follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An Azure IoT hub. If you don't have an IoT hub, you can use the [New-AzIoTHub cmdlet](/powershell/module/az.iothub/new-aziothub) to create one or follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+- An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+1. On the **Basics** tab, complete the fields [as you normally would](create-hub.md) except for **Region**. Select one of these regions:

+To enable TLS 1.2 enforcement, follow the steps in [Create an IoT hub in Azure portal](create-hub.md), except

+Get more details about [How to choose the right IoT Hub tier](iot-hub-scaling.md).

+If you want to upgrade an existing IoT hub, you can do so from the Azure portal or Azure CLI.

+### [Azure portal](#tab/portal)

+In the Azure portal, navigate to your IoT hub to view and update its settings.

+### [Azure CLI](#tab/cli)

+Use the [az iot hub show](/cli/azure/iot/hub#az-iot-hub-show) command to view the current details of an IoT hub.

+```bash

+az iot hub show --name <HUB_NAME>

+```

+Use the [az iot hub update](/cli/azure/iot/hub#az-iot-hub-update) command to make changes to an existing IoT hub.

+For example, the following command updates the IoT hub tier to `S2`, or standard tier, size 2.

+```bash

+az iot hub update --name <HUB_NAME> --sku S2

+```

+For example, the following command sets the number of units for an IoT hub. The type of units in an IoT hub are determined by the size value of the tier (1, 2, or 3) but you can scale up or down by changing the number of units.

+```bash

+az iot hub update -n MyIotHub --unit 2

+```

+The maximum limit of device-to-cloud partitions for basic tier and standard tier IoT hubs is 32. Most IoT hubs only need four partitions. You choose the number of partitions when you create the IoT hub. The number of partitions relates the device-to-cloud messages to the number of simultaneous readers of these messages. The number of partitions remains unchanged when you migrate from the basic tier to the standard tier.

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* A device registered in your IoT hub. If you don't have devices in your IoT hub, follow the steps in [Register a device](create-connect-device.md#register-a-device).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+* An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).

+You can register your device with your IoT hub for testing the client certificate that you've created for that device. For more information about registering a device, see [Create and manage device identities](create-connect-device.md).

+While in most cases only one service provider will be managing specific resources for a customer, itΓÇÖs possible for the customer to create multiple delegations for the same subscription or resource group, allowing multiple service providers to have access. This scenario also enables ISV scenarios that [project resources from the service providerΓÇÖs tenant to multiple customers](isv-scenarios.md#saas-based-multitenant-offerings).

+Azure Lighthouse only provides logical links between a managing tenant and managed tenants, rather than physically moving data or resources. Furthermore, the access always goes in only one direction, from the managing tenant to the managed tenants. Users and groups in the managing tenant should use multifactor authentication when performing management operations on managed tenant resources.

+Enterprises with internal or external governance and compliance guardrails can use [Azure Activity logs](../../azure-monitor/essentials/activity-log.md) to meet their transparency requirements. When enterprise tenants have established managing and managed tenant relationships, users in each tenant can view logged activity to see actions taken by users in the managing tenant.

+ Title: Azure Lighthouse in ISV scenarios

+description: ISVs can use the capabilities of Azure Lighthouse for more flexibility with customer offerings.

+A typical scenario for [Azure Lighthouse](../overview.md) involves a service provider that manages resources in its customers' Microsoft Entra tenants. Independent Software Vendors (ISVs) using SaaS-based offerings with their customers may also benefit from the capabilities of Azure Lighthouse. Using Azure Lighthouse can be especially helpful for ISVs who offer managed services that require access to a customer's subscription scope.

+## SaaS-based multitenant offerings

+In this scenario, users in the customer's tenant are essentially granted access as a "managing tenant," even though the customer isn't managing the ISV's resources. Because the customer is directly accessing the ISV's tenant, it's important to grant only the minimum permissions necessary, so that they can't make changes to the solution or access other ISV resources.

+Both [Azure managed applications](../../azure-resource-manager/managed-applications/overview.md) and [Azure Lighthouse](../overview.md) work by enabling a service provider to access resources that reside in the customer's tenant. It can be helpful to understand the differences in the way that they work, the scenarios that they help to enable, and how they can be used together.

+Managed applications can be [published to Azure Marketplace](../../marketplace/azure-app-offer-setup.md), either as a private offer for a specific customer's use, or as public offers that multiple customers can purchase. They can also be delivered to users within your organization by [publishing managed applications to your service catalog](../../azure-resource-manager/managed-applications/publish-service-catalog-app.md). You can deploy both service catalog and Marketplace instances using ARM templates, which can include a commercial marketplace partner's unique identifier to track [customer usage attribution](../../marketplace/azure-partner-customer-usage-attribution.md).

+- In most cases, you'll want to assign permissions to a Microsoft Entra user group or service principal, rather than to a series of individual user accounts. Doing so lets you add or remove access for individual users through your tenant's Microsoft Entra ID, without having to [update the delegation](../how-to/update-delegation.md) every time your individual access requirements change.

+- Follow the principle of least privilege. To reduce the chance of inadvertent errors, users should have only the permissions needed to perform their specific job. For more information, see [Recommended security practices](../concepts/recommended-security-practices.md).

+- Include an authorization with the [Managed Services Registration Assignment Delete Role](../../role-based-access-control/built-in-roles.md#managed-services-registration-assignment-delete-role) so that you can [remove access to the delegation](../how-to/remove-delegation.md) if needed. If this role isn't assigned, access to delegated resources can only be removed by a user in the customer's tenant.

+When you define an authorization, each user account must be assigned one of the [Azure built-in roles](../../role-based-access-control/built-in-roles.md). Custom roles and [classic subscription administrator roles](../../role-based-access-control/classic-administrators.md) aren't supported.

+- The [Owner](../../role-based-access-control/built-in-roles.md#owner) role isn't supported.

+- Any roles with [`DataActions`](../../role-based-access-control/role-definitions.md#dataactions) permission aren't supported.

+- Roles that include any of the following [actions](../../role-based-access-control/role-definitions.md#actions) aren't supported:

+> When assigning roles, be sure to review the [actions](../../role-based-access-control/role-definitions.md#actions) specified for each role. Even though roles with [`DataActions`](../../role-based-access-control/role-definitions.md#dataactions) permission aren't supported, there are cases where actions included in a supported role may allow access to data. This generally occurs when data is exposed through access keys, not accessed via the user's identity. For example, the [Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md) role includes the `Microsoft.Storage/storageAccounts/listKeys/action` action, which returns storage account access keys that could be used to retrieve certain customer data.

+In some cases, a role that was previously supported with Azure Lighthouse may become unavailable. For example, if the [`DataActions`](../../role-based-access-control/role-definitions.md#dataactions) permission is added to a role that previously didn't have that permission, that role can no longer be used when onboarding new delegations. Users who had already been assigned that role will still be able to work on previously delegated resources, but they won't be able to perform any tasks that use the [`DataActions`](../../role-based-access-control/role-definitions.md#dataactions) permission.

+As soon as a new applicable built-in role is added to Azure, it can be assigned when [onboarding a customer using Azure Resource Manager templates](../how-to/onboard-customer.md). There may be a delay before the newly added role becomes available in Partner Center when [publishing a managed service offer](../how-to/publish-managed-services-offers.md). Similarly, if a role becomes unavailable, you may still see it in Partner Center for a while, but you won't be able to publish new offers using such roles.

+When a customer's subscription or resource group has been delegated to a service provider for [Azure Lighthouse](../overview.md), that delegation can be removed if needed. Once a delegation is removed, the [Azure delegated resource management](../concepts/architecture.md) access that was previously granted to users in the service provider tenant will no longer apply.

+> When a customer subscription has multiple delegations from the same service provider, removing one delegation could cause users to lose access granted via the other delegations. This only occurs when the same `principalId` and `roleDefinitionId` combination is included in multiple delegations and then one of the delegations is removed. If this happens, you can fix the issue by repeating the [onboarding process](onboard-customer.md) for the delegations that you don't want to remove.

+Users in a managing tenant can remove access to delegated resources if they were granted the [Managed Services Registration Assignment Delete Role](../../role-based-access-control/built-in-roles.md#managed-services-registration-assignment-delete-role) during the onboarding process. If this role isn't assigned to any service provider users, the delegation can only be removed by a user in the customer's tenant.

+# Select the subscription that is delegated or that contains the delegated resource group(s)

+# Select the subscription that is delegated or that contains the delegated resource group(s)

+description: As a service provider or enterprise using Azure Lighthouse, you can view delegated resources and subscriptions by going to My customers in the Azure portal.

+To view information about a customer, you must have been granted the [Reader](../../role-based-access-control/built-in-roles.md#reader) role (or another built-in role that includes Reader access) when that customer was onboarded.

+To access the **My customers** page in the Azure portal, enter "My customers" in the search box near the top of the Azure portal. You can also access this page from the main **Azure Lighthouse** page in the Azure portal by selecting **Manage your customers**.

+The **Customers** section of the **My customers** page only shows information about customers who have delegated subscriptions or resource groups to your Microsoft Entra tenant through Azure Lighthouse. If you work with other customers (such as through the [Cloud Solution Provider (CSP) program](/partner-center/csp-overview)), you won't see those customers in the **Customers** section unless you [onboarded their resources to Azure Lighthouse](onboard-customer.md). However, you may see details about certain CSP customers in the [**Cloud Solution Provider (Preview)** section](#cloud-solution-provider-preview) lower on the page.

+> Your customers can view details about service providers by navigating to **Service providers** in the Azure portal. For more information, see [View and manage service providers](view-manage-service-providers.md).

+To view customer details, select **Customers** from the service menu of the **My customers** page.

+For each customer, you'll see the customer's name and customer ID (tenant ID), along with the **Offer ID** and **Offer version** associated with the engagement. In the **Delegations** column, you'll see the number of delegated subscriptions and/or resource groups.

+To see additional details, use the following options:

+- To see details about an offer and its delegations, select the offer name.

+- To see details about role assignments for delegated subscriptions or resource groups, select the entry in the **Delegations** column.

+> If a customer renames a subscription after it's been delegated, you'll see the updated subscription name. However, if they rename their tenant, you may still see the older tenant name in some places in the Azure portal.

+The users and permissions associated with each delegation appear in the **Role assignments** column. You can select each entry to view more details. After you do so, select **Role assignments** to see the full list of users, groups, and service principals that have been granted access to the subscription or resource group. From there, you can select a particular user, group, or service principal name to see more information.

+If you included users with the [Managed Services Registration Assignment Delete Role](../../role-based-access-control/built-in-roles.md#managed-services-registration-assignment-delete-role) when onboarding a customer to Azure Lighthouse, those users can remove delegations by selecting the trash can icon that appears in the row for that delegation. When they do so, no users in the service provider's tenant will be able to access the resources that had been previously delegated.

+The **Activity log** section of the **My customers** page keeps track of every time that a customer subscription or resource group is delegated to your tenant. It also records whenever any previously delegated resources are removed. This information can only be viewed by users who have been [assigned the Monitoring Reader role at root scope](monitor-delegation-changes.md).

+1. Select the **Settings** icon near the top of the Azure portal.

+You can change the default subscription at any time by following the steps above and choosing a different subscription (or multiple subscriptions). If you want the filter to include all of the subscriptions to which you have access, select **All directories**, then check the **Select all** box.

+A separate **Cloud Solution Provider (Preview)** section of the **My customers** page shows billing information and resources for your CSP customers who have [signed the Microsoft Customer Agreement (MCA)](/partner-center/confirm-customer-agreement) and are [under the Azure plan](/partner-center/azure-plan-get-started). For more information, see [Get started with your Microsoft Partner Agreement billing account](../../cost-management-billing/understand/mpa-overview.md).

+* China North 2

+- [Azure Synapse Runtime for Apache Spark 3.3](https://github.com/microsoft/synapse-spark-runtime/tree/main/Synapse/spark3.3)

+- [Azure Synapse Runtime for Apache Spark 3.2](https://github.com/microsoft/synapse-spark-runtime/tree/main/Synapse/spark3.2)

+> * __Azure Container Registry__ is required for any custom Docker image. This includes small modifications (such as additional packages) to base images provided by Microsoft. It is also required by the internal training job submission process of Azure Machine Learning. Furthermore, __Microsoft Container Registry__ is always needed regardless of the scenario.

+Assigned to user needs to have the following permission/action in their role *MachineLearningServices/workspaces/computes/enableSso/action*.

+Assigned to user does not need compute write (create) permission to enable SSO.

+ > [!NOTE]

+ > Private link-enabled workspaces are not currently supported when interacting with the job container with VS Code.

+> [!NOTE]

+> Private link-enabled workspaces are not currently supported when attaching a debugger to a job in VS Code.

+ * [Image build timing out](#image-build-timing-out)

+### Image build timing out

+Image build timeouts are often due to an image becoming too large to be able to complete building within the timeframe of deployment creation.

+To verify if this is your issue, check your image build logs at the location that the error may specify. The logs are cut off at the point that the image build timed out.

+To resolve this, please [build your image separately](https://learn.microsoft.com/azure/devops/pipelines/ecosystems/containers/publish-to-acr?view=azure-devops&tabs=javascript%2Cportal%2Cmsi) so that the image only needs to be pulled during deployment creation.

+- Are OK with having only a single replica of your service, which might affect uptime

+> It is highly advised to debug locally before deploying to the web service, for more information, see [Debug Locally](how-to-troubleshoot-deployment-local.md)

+When your Azure Machine Learning workspace is configured with a private endpoint, deploying to Azure Container Instances in a virtual network isn't supported. Instead, consider using a [Managed online endpoint with network isolation](../how-to-secure-online-endpoint.md).

+| `sslEnabled` | `ssl_enabled` | Whether to enable TLS for this Webservice. Defaults to False. |

+| `sslCertificate` | `ssl_cert_pem_file` | The cert file needed if TLS is enabled |

+| `sslKey` | `ssl_key_pem_file` | The key file needed if TLS is enabled |

+| `cname` | `ssl_cname` | The CNAME for if TLS is enabled |

+In this guide, you learn how to use Microsoft Entra groups with [Grafana Team Sync](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-team-sync/) to manage dashboard permissions in Azure Managed Grafana.

+ | Basic | 1 | Burstable | Standard_B2ms |

+ | Basic | 2 | Burstable | Standard_B2ms |

+The following PowerShell script sets up the variables needed to query the network security group flow log blob and list the blocks within the [CloudBlockBlob](/dotnet/api/microsoft.azure.storage.blob.cloudblockblob) block blob. Update the script to contain valid values for your environment, specifically "yourSubscriptionId", "FLOWLOGSVALIDATIONWESTCENTRALUS", "V2VALIDATIONVM-NSG", "yourStorageAccountName", "ml-rg", "000D3AF87856", "11/11/2018 03:00". For example, yourSubscriptionId should be replaced with your subscription ID.

+Azure Red Hat OpenShift is jointly engineered, operated, and supported by Red Hat and Microsoft to provide an integrated support experience. There are no virtual machines to operate, and no patching is required. Control plane, infrastructure, and application nodes are patched, updated, and monitored on your behalf by Red Hat and Microsoft. Your Azure Red Hat OpenShift clusters are deployed into your Azure subscription and are included on your Azure bill.

+ Title: Identity

+description: Learn about Managed Idenities in the Flexible Server deployment option for Azure Database for PostgreSQL - Flexible Server.

+ - mvc

+ - mode-other

+ms.devlang: python

+# Managed Identity in Azure Database for PostgreSQL - Flexible Server

+A common challenge for developers is the management of secrets, credentials, certificates, and keys used to secure communication between services. Managed identities eliminate the need for developers to manage these credentials.

+While developers can securely store the secrets in Azure Key Vault, services need a way to access Azure Key Vault. Managed identities provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication. Applications can use managed identities to obtain Microsoft Entra tokens without having to manage any credentials.

+Here are some of the benefits of using managed identities:

+- You don't need to manage credentials. Credentials arenΓÇÖt even accessible to you.

+- You can use managed identities to authenticate to any resource that supports Microsoft Entra authentication including your own applications.

+- Managed identities can be used at no extra cost.

+## Managed identity types

+There are two types of managed identities:

+- **System-assigned**. Some Azure resources, such as virtual machines, Azure Database for PostgreSQL Flexible Server allows you to enable a managed identity directly on the resource. When you enable a system-assigned managed identity:

+ - A service principal of a special type is created in Microsoft Entra ID for the identity. The service principal is tied to the lifecycle of that Azure resource. When the Azure resource is deleted, Azure automatically deletes the service principal for you.

+ - By design, only that Azure resource can use this identity to request tokens from Microsoft Entra ID.

+ - You authorize the managed identity to have access to one or more services.

+ - The name of the system-assigned service principal is always the same as the name of the Azure resource it's created for.

+

+- **User-assigned**. You may also create a managed identity as a standalone Azure resource. You can create a user-assigned managed identity and assign it to one or more Azure Resources. When you enable a user-assigned managed identity:

+ - A service principal of a special type is created in Microsoft Entra ID for the identity. The service principal is managed separately from the resources that use it.

+ - Multiple resources can utilize user-assigned identities.

+ - You authorize the managed identity to have access to one or more services.

+## How to enable System Assigned Managed Identity on your Flexible Server

+## Azure portal

+Follow these steps to enable System Assigned Managed Identity on your Azure Database for PostgreSQL flexible server instance.

+1. In the [Azure portal](https://portal.azure.com/), select your existing Azure Database for PostgreSQL flexible server instance for which you want to enable system assigned managed identity.

+2. On the Azure Database for PostgreSQL flexible server page, select **Identity**

+3. In the **Identity** section, select **On** radio button.

+4. Select **Save** to apply the changes.

+

+5. A notification confirms that system assigned managed identity is enabled.

+## ARM template

+Here is the ARM template to enable system assigned managed identity. You can use the 2023-06-01-preview or the latest available API.

+```json

+{

+ "resources": [

+ {

+ "apiVersion": "2023-06-01-preview",

+ "identity": {

+ "type": "SystemAssigned"

+ },

+ "location": "Region name",

+ "name": "flexible server name",

+ "type": "Microsoft.DBforPostgreSQL/flexibleServers"

+ }

+ ]

+}

+ ```

+To disable system assigned managed identity change the type to **None**

+

+```json

+{

+ "resources": [

+ {

+ "apiVersion": "2023-06-01-preview",

+ "identity": {

+ "type": "None"

+ },

+ "location": "Region Name",

+ "name": "flexible server name",

+ "type": "Microsoft.DBforPostgreSQL/flexibleServers"

+ }

+ ]

+}

+ ```

+## How to verify the newly created System Assigned Managed Identity on your Flexible Server

+You can verify the managed identity created by going to **Enterprise Applications**

+1. Choose **Application Type == Managed Identity**

+2. Provide your flexible server name in **Search by application name or Identity** as shown in the screenshot.

+

+## Related content

+- [Microsoft Entra authentication](../concepts-aad-authentication.md)

+- [Firewall rules for IP addresses](concepts-firewall-rules.md)

+- [Private access networking with Azure Database for PostgreSQL - Flexible Server](concepts-networking.md)

+Another important consideration is the deprecation of the **pg_pltemplate** system table within the pg_catalog schema by the PostgreSQL community **starting from version 13.** If you're migrating to Flexible Server versions 13 and above and have granted permissions to users on the pg_pltemplate table on your single server, you mist revoke these permissions before initiating a new migration.

+- If your application is designed to directly query the affected tables and views, it encounters issues upon migrating to the flexible server. We strongly advise you to refactor your application to avoid direct queries to these system tables.

+- If you have granted or revoked privileges to any users or roles for the affected pg_catalog tables and views, you encounter an error during the migration process. This error will be identified by the following pattern:

+The output of the query shows the list of privileges granted to roles on the impacted tables and views.

+| : |: |: |

+| SELECT | pg_authid | adminuser1 |

+| SELECT, UPDATE |pg_shadow | adminuser2 |

+To undo the privileges, run REVOKE statements for each privilege on the relation from the grantee. In this example, you would run:

+> [!NOTE]

+> Make sure you perform the above steps for all the databases included in the migration to avoid any permission-related issues during the migration..

+After completing these steps, you can proceed to initiate a new migration from the single server to the flexible server using the migration service. You shouldn't encounter permission-related issues during this process.

+| Azure Cosmos DB| All public regions<br/> All Government regions</br> All China regions | |GA <br/> [Learn how to create a private endpoint for Azure Cosmos DB.](./tutorial-private-endpoint-cosmosdb-portal.md)|

+| Azure Database for PostgreSQL - Single server | All public regions <br/> All Government regions<br/>All China regions | Supported for General Purpose and Memory Optimized pricing tiers | GA <br/> [Learn how to create a private endpoint for Azure Database for PostgreSQL Single Server.](../postgresql/concepts-data-access-and-security-private-link.md) |

+| Azure Database for PostgreSQL - Flexible server | All public regions <br/> All Government regions<br/>All China regions | | GA <br/> [Learn how to create a private endpoint for Azure Database for PostgreSQL Flexible Server.](../postgresql/flexible-server/concepts-networking-private-link.md) |

+description: This tutorial shows you how to configure an Azure Route Server and peer it with a Quagga network virtual appliance (NVA) using the Azure portal.

+[**Azure AI Search**](search-what-is-azure-search.md) is an information retrieval platform for the enterprise. It supports traditional search and conversational AI-driven search for "chat with your data" experiences over your proprietary content.

+The easiest way to create a service is using the [Azure portal](https://portal.azure.com/), which is covered in this article.

+You can also use [Azure PowerShell](search-manage-powershell.md#create-or-delete-a-service), [Azure CLI](search-manage-azure-cli.md#create-or-delete-a-service), the [Management REST API](search-manage-rest.md#create-or-update-a-service), an [Azure Resource Manager service template](search-get-started-arm.md), a [Bicep file](search-get-started-bicep.md), or [Terraform](search-get-started-terraform.md).

+A few service properties are fixed for the lifetime of the service. Before creating the service, decide on a name, region, and tier.

+## Subscribe (free or paid)

+To try Azure AI Search for free, [open a trial subscription](https://azure.microsoft.com/pricing/free-trial/?WT.mc_id=A261C142F) and then create your search service by choosing the **Free** tier. You can have one free search service per Azure subscription. Free search services are intended for short-term evaluation of the product for nonproduction applications. Generally, you can complete all of the quickstarts and most tutorials, except for those featuring semantic ranking (it requires a billable service).

+Alternatively, you can use free credits to try out paid Azure services. With this approach, you can create your search service at **Basic** or higher to get more capacity. Your credit card is never charged unless you explicitly change your settings and ask to be charged. Another approach is to [activate Azure credits in a Visual Studio subscription](https://azure.microsoft.com/pricing/member-offers/msdn-benefits-details/?WT.mc_id=A261C142F). A Visual Studio subscription gives you credits every month you can use for paid Azure services.

+Review the [supported regions list](search-region-support.md) for supported regions at the service and feature level.

+Some features are subject to regional availability:

+AI enrichment refers to Azure AI services and Azure OpenAI, and integration is through an Azure AI multi-service account. The account must be in the same physical region as Azure AI Search. There are just a few regions that *don't* provide both.

+Azure AI Search is offered in [multiple pricing tiers](https://azure.microsoft.com/pricing/details/search/): Free, Basic, Standard, or Storage Optimized. Each tier has its own [capacity and limits](search-limits-quotas-capacity.md). There are also several features that are tier-dependent.

+Review the [tier descriptions](search-sku-tier.md) for computing characteristics and feature availability.

+There's feature parity in all Azure public, private, and sovereign clouds, but some features aren't supported in specific regions. For more information, see [Choose a region](search-region-support.md).

+ Currently, those regions are: EastUS, WestUS, WestUS2, NorthEurope, WestEurope, FranceCentral, SwedenCentral, SwitzerlandNorth, SoutheastAsia, KoreaCentral, AustraliaEast, JapanEast. [Check the documentation](/azure/ai-services/computer-vision/overview-image-analysis#region-availability) for an updated list.

+ Title: Feature availability across clouds regions

+description: Shows supported regions and feature availability across regions for Azure AI Search.

+# Azure AI Search feature availability across cloud regions

+This article identifies the cloud regions in which Azure AI Search is available. It also lists which premium features are available in each region:

+- [Semantic ranking](semantic-search-overview.md) depends on models hosted by Microsoft. These models are available in specific regions.

+- [AI enrichment](cognitive-search-concept-intro.md) refer to skills and vectorizers that make internal calls to Azure AI and Azure OpenAI. AI enrichment requires that Azure AI Search coexist with an [Azure AI multi-service account](/azure/ai-services/multi-service-resource) in the same physical region. The following tables indicate whether Azure AI is offered in the same region as Azure AI Search.

+- [Availability zones](search-reliability.md#availability-zone-support) are an Azure platform capability that divides a region's data centers into distinct physical location groups to provide high-availability, within the same region.

+We recommend that you check [Azure AI Studio region availability](/azure/ai-studio/reference/region-support) and [Azure OpenAI model region availability](/azure/reliability/availability-zones-service-support#azure-regions-with-availability-zone-support) for the most current list of regions for those features.

+Also, if you're using Azure AI Vision 4.0 multimodal APIs for image vectorization, it's available on a more limited basis. [Check the Azure AI Vision region list for multimodal embeddings](/azure/ai-services/computer-vision/overview-image-analysis#region-availability) and be sure to create both your Azure AI multi-service account and Azure AI Search service in one of those supported regions.

+> [!NOTE]

+> Higher capacity partitions became available in selected regions starting in April 2024. A second wave of higher capacity partitions released in May 2024. If you're using an older search service, consider creating a new search service to benefit from more capacity at the same billing rate as before. For more information, see [Service limits](search-limits-quotas-capacity.md#service-limits)

+## Azure Public regions

+You can create an Azure AI Search resource in any of the following Azure public regions. Almost all of these regions support [higher capacity tiers](search-limits-quotas-capacity.md#service-limits). Exceptions are noted where they apply.

+### Americas

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| Brazil South​​ ​ | ✅ | ✅ | |

+| Canada Central​​ | ✅ | ✅ | ✅ |

+| Canada East​​ ​ | | ✅ | |

+| East US​ | ✅ | ✅ | ✅ |

+| East US 2 ​ | ✅ | ✅ | ✅ |

+| ​Central US​ ​ | ✅ | ✅ | ✅ |

+| North Central US​ ​ | ✅ | ✅ | |

+| South Central US​ ​ | ✅ | ✅ | ✅ |

+| West US​ ​ | ✅ | ✅ | |

+| West US 2​ ​ | ✅ | ✅ | ✅ |

+| West US 3​ ​ | ✅ | ✅ |✅ |

+| West Central US​ ​ | ✅ | ✅ | |

+### Europe

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| North Europe​​ | ✅ | ✅ | ✅ |

+| West EuropeΓÇïΓÇï ¹| Γ£à | Γ£à | Γ£à |

+| France Central​​ | ✅ | ✅ | ✅ |

+| Germany West Central​ ​| ✅ | | ✅ |

+| Italy North​​ | | | ✅ |

+| Norway East​​ | ✅ | | ✅ |

+| Poland CentralΓÇïΓÇï | | | |

+| Spain Central | | | ✅ |

+| Sweden Central​​ | ✅ | | ✅ |

+| Switzerland North​ | ✅ | ✅ | ✅ |

+| Switzerland West​ | ✅ | ✅ | ✅ |

+| UK South​ | ✅ | ✅ | ✅ |

+| UK West​ ​| | ✅ | |

+¹ This region runs on older infrastructure that has lower capacity per partition at every tier. Choose a different region if you want [higher capacity](search-limits-quotas-capacity.md#service-limits).

+### Middle East

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| Israel CentralΓÇï ¹ | | | Γ£à |

+| Qatar CentralΓÇï ¹ | | | Γ£à |

+| UAE North​​ | ✅ | | ✅ |

+¹ These regions run on older infrastructure that has lower capacity per partition at every tier. Choose a different region if you want [higher capacity](search-limits-quotas-capacity.md#service-limits).

+### Africa

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| South Africa North​ | ✅ | | ✅ |

+### Asia Pacific

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| Australia East​ ​ | ✅ | ✅ | ✅ |

+| Australia Southeast​​​ | | ✅ | |

+| East Asia​ | ✅ | ✅ | ✅ |

+| Southeast Asia​ ​ ​ | ✅ | ✅ | ✅ |

+| Central India| ✅ | ✅ | ✅ |

+| Jio India West​ ​ | ✅ | ✅ | |

+| South India ¹ | | | Γ£à |

+| Japan East| ✅ | ✅ | ✅ |

+| Japan West​ | ✅ | ✅ | |

+| Korea Central | ✅ | ✅ | ✅ |

+| Korea South​ ​ | | ✅ | |

+¹ These regions run on older infrastructure that has lower capacity per partition at every tier. Choose a different region if you want [higher capacity](search-limits-quotas-capacity.md#service-limits).

+<!-- ### United States

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| East US​ | ✅ | ✅ | ✅ |

+| East US 2 ​ | ✅ | ✅ | ✅ |

+| ​Central US​ ​ | ✅ | ✅ | ✅ |

+| North Central US​ ​ | ✅ | ✅ | |

+| South Central US​ ​ | ✅ | ✅ | ✅ |

+| West US​ ​ | ✅ | ✅ | |

+| West US 2​ ​ | ✅ | ✅ | ✅ |

+| West US 3​ ​ | ✅ | ✅ |✅ |

+| West Central US​ ​ | ✅ | ✅ | |

+### United Kingdom

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| UK South​ | ✅ | ✅ | ✅ |

+| UK West​ ​| | ✅ | |

+### United Arab Emirates

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| UAE North​​ | ✅ | | ✅ |

+### Switzerland

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| Switzerland North​ | ✅ | ✅ | ✅ |

+| Switzerland West​ | ✅ | ✅ | ✅ |

+### Sweden

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| Sweden Central​​ | ✅ | | ✅ |

+### Spain

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| Spain Central | | | ✅ |

+### South Africa

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| South Africa North​ | ✅ | | ✅ |

+### Qatar

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| Qatar CentralΓÇï ¹ | | | Γ£à |

+¹ This region runs on older infrastructure that has lower capacity per partition at every tier. You can't create a search service with [higher capacity](search-limits-quotas-capacity.md#service-limits) in this region.

+### Poland

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| Poland CentralΓÇïΓÇï | | | |

+### Norway

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| Norway East​​ | ✅ | | ✅ |

+### Korea

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| Korea Central | ✅ | ✅ | ✅ |

+| Korea South​ ​ | | ✅ | |

+### Japan

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| Japan East| ✅ | ✅ | ✅ |

+| Japan West​ | ✅ | ✅ | |

+### Italy

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| Italy North​​ | | | ✅ |

+### Israel

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| Israel CentralΓÇï ¹ | | | Γ£à |

+¹ This region runs on older infrastructure that has lower capacity per partition at every tier. You can't create a search service with [higher capacity](search-limits-quotas-capacity.md#service-limits) in this region.

+### India

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| Central India| ✅ | ✅ | ✅ |

+| Jio India West​ ​ | ✅ | ✅ | |

+| South India ¹ | | | Γ£à |

+¹ This region runs on older infrastructure that has lower capacity per partition at every tier. You can't create a search service with [higher capacity](search-limits-quotas-capacity.md#service-limits) in this region.

+### Germany

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| Germany West Central​ ​| ✅ | | ✅ |

+### France

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| France Central​​ | ✅ | ✅ | ✅ |

+### Europe

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| North Europe​​ | ✅ | ✅ | ✅ |

+| West EuropeΓÇïΓÇï ¹| Γ£à | Γ£à | Γ£à |

+¹ This region runs on older infrastructure that has lower capacity per partition at every tier. You can't create a search service with [higher capacity](search-limits-quotas-capacity.md#service-limits) in this region.

+### Canary (US)

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| Central US EUAPΓÇï ¹ | | Γ£à | |

+| East US 2 EUAP ​ | | ✅ | |

+¹ This region runs on older infrastructure that has lower capacity per partition at every tier. You can't create a search service with [higher capacity](search-limits-quotas-capacity.md#service-limits) in this region.

+### Canada

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| Canada Central​​ | ✅ | ✅ | ✅ |

+| Canada East​​ ​ | | ✅ | |

+### Brazil

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| Brazil South​​ ​ | ✅ | ✅ | |

+### Asia Pacific

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| East Asia​ | ✅ | ✅ | ✅ |

+| Southeast Asia​ ​ ​ | ✅ | ✅ | ✅ |

+### Australia

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| Australia East​ ​ | ✅ | ✅ | ✅ |

+| Australia Southeast​​​ | | ✅ | | -->

+## Azure Government regions

+All of these regions support [higher capacity tiers](search-limits-quotas-capacity.md#service-limits).

+None of these regions support Azure [role-based access for data plane operations](search-security-rbac.md). You must use key-based authentication for indexing and query workloads.

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| Arizona | ✅ | | |

+| Texas | | | |

+| Virginia | ✅ | | ✅ |

+## Azure operated by 21Vianet

+You can install Azure AI Search in any of the following regions. If you need semantic ranking or AI enrichment, choose a region that provides the feature.

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| China East ¹ | | | |

+| China East 2 ¹ | Γ£à | | |

+| China East 3 | | | |

+| China North ¹ | | | |

+| China North 2 ¹ | | | |

+| China North 3 | | ✅ | ✅ |

+¹ These regions run on older infrastructure that has lower capacity per partition at every tier. Choose a different region if you want [higher capacity](search-limits-quotas-capacity.md#service-limits).

+<!-- ## Early Update Access Program (EUAP)

+These regions

+| Region | AI enrichment | Semantic ranking | Availability zones |

+|--|--|--|--|

+| Central US EUAPΓÇï ¹ | | Γ£à | |

+| East US 2 EUAP ​ | | ✅ | |

+¹ This region runs on older infrastructure that has lower capacity per partition at every tier. You can't create a search service with [higher capacity](search-limits-quotas-capacity.md#service-limits) in this region. -->

+## See also

+- [Azure AI Studio region availability](/azure/ai-studio/reference/region-support)

+- [Azure OpenAI model region availability](/azure/ai-services/openai/concepts/models#model-summary-table-and-region-availability)

+- [Availability zone region availability](/azure/reliability/availability-zones-service-support#azure-regions-with-availability-zone-support)

+- [Azure product by region page](https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=search)

+> [!NOTE]

+> Higher capacity partitions became available in selected regions starting in April 2024. A second wave of higher capacity partitions released in May 2024. If you're using an older search service, consider creating a new search service to benefit from more capacity at the same billing rate. For more information, see [Service limits](search-limits-quotas-capacity.md#service-limits)

+> * [Check regional availability](search-region-support.md)

+1. [A region for Azure AI Search](search-region-support.md).

+Integrated vectorization is available in all regions and tiers. However, if you're using Azure OpenAI and Azure AI skills and vectorizers, make sure your Azure AI multi-service account is [available in the same regions as Azure AI Search](search-region-support.md).

+If you're using a custom skill and an Azure hosting mechanism (such as an Azure function app, Azure Web App, and Azure Kubernetes), check the [Azure product by region page](https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=search) for feature availability.

+#customer intent: As a SOC admin, I want to integrate Microsoft Defender XDR with Microsoft Sentinel so my security operations center can work in a unified incident queue.

+Integrate Microsoft Defender XDR with Microsoft Sentinel to stream all Defender XDR incidents and advanced hunting events into Microsoft Sentinel and keep the incidents and events synchronized between the Azure and Microsoft Defender portals. Incidents from Defender XDR include all associated alerts, entities, and relevant information, providing you with enough context to perform triage and preliminary investigation in Microsoft Sentinel. Once in Microsoft Sentinel, incidents remain bi-directionally synced with Defender XDR, allowing you to take advantage of the benefits of both portals in your incident investigation.

+Alternatively, onboard Microsoft Sentinel with Defender XDR to the unified security operations platform in the Defender portal. The unified security operations platform brings together the full capabilities of Microsoft Sentinel, Defender XDR, and generative AI built specifically for cybersecurity. For more information, see the following resources:

+- [Unified security operations platform with Microsoft Sentinel and Defender XDR](https://aka.ms/unified-soc-announcement)

+- [Microsoft Sentinel in the Microsoft Defender portal](microsoft-sentinel-defender-portal.md)

+- [Microsoft Copilot in Microsoft Defender](/defender-xdr/security-copilot-in-microsoft-365-defender)

+## Microsoft Sentinel and Defender XDR

+Use one of the following methods to integrate Microsoft Sentinel with Microsoft Defender XDR

+- Ingest Microsoft Defender XDR service data into Microsoft Sentinel and view Microsoft Sentinel data in the Azure portal. Enable the Defender XDR connector in Microsoft Sentinel.

+- Integrate Microsoft Sentinel and Defender XDR into a single, unified security operations platform in the Microsoft Defender portal. In this case, view Microsoft Sentinel data directly in the Microsoft Defender portal with the rest of your Defender incidents, alerts, vulnerabilities, and other security data. Enable the Defender XDR connector in Microsoft Sentinel and onboard Microsoft Sentinel to unified operations platform in the Defender portal.

+Select the appropriate tab to see what the Microsoft Sentinel integration with Defender XDR looks like depending on which integration method you use.

+## [Azure portal](#tab/azure-portal)

+The following illustration shows how Microsoft's XDR solution seamlessly integrates with Microsoft Sentinel.

+In this diagram:

+- Insights from signals across your entire organization feed into Microsoft Defender XDR and Microsoft Defender for Cloud.

+- Microsoft Defender XDR and Microsoft Defender for Cloud send SIEM log data through Microsoft Sentinel connectors.

+- SecOps teams can then analyze and respond to threats identified in Microsoft Sentinel and Microsoft Defender XDR.

+- Microsoft Sentinel provides support for multicloud environments and integrates with third-party apps and partners.

+## [Defender portal](#tab/defender-portal)

+The following illustration shows how Microsoft's XDR solution seamlessly integrates with Microsoft Sentinel with the unified security operations platform.

+In this diagram:

+- Insights from signals across your entire organization feed into Microsoft Defender XDR and Microsoft Defender for Cloud.

+- Microsoft Sentinel provides support for multicloud environments and integrates with third-party apps and partners.

+- Microsoft Sentinel data is ingested together with your organization's data into the Microsoft Defender portal.

+- SecOps teams can then analyze and respond to threats identified by Microsoft Sentinel and Microsoft Defender XDR in the Microsoft Defender portal.

+With the integration of Defender XDR with Microsoft Sentinel, Defender XDR incidents are visible and manageable from within Microsoft Sentinel. This gives you a primary incident queue across the entire organization. See and correlate Defender XDR incidents together with incidents from all of your other cloud and on-premises systems. At the same time, this integration allows you to take advantage of the unique strengths and capabilities of Defender XDR for in-depth investigations and a Defender-specific experience across the Microsoft 365 ecosystem.

+Defender XDR enriches and groups alerts from multiple Microsoft Defender products, both reducing the size of the SOCΓÇÖs incident queue and shortening the time to resolve. Alerts from the following Microsoft Defender products and services are also included in the integration of Defender XDR to Microsoft Sentinel:

+- Onboard Microsoft Sentinel to the unified security operations platform in the Microsoft Defender portal. Enabling the Defender XDR connector is a prerequisite.

+Enable the Microsoft Defender XDR connector in Microsoft Sentinel to send all Defender XDR incidents and alerts information to Microsoft Sentinel and keep the incidents synchronized.

+- First, install the **Microsoft Defender XDR** solution for Microsoft Sentinel from the **Content hub**. Then, enable the **Microsoft Defender XDR** data connector to collect incidents and alerts. For more information, see [Connect data from Microsoft Defender XDR to Microsoft Sentinel](connect-microsoft-365-defender.md).

+- After you enable alert and incident collection in the Defender XDR data connector, Defender XDR incidents appear in the Microsoft Sentinel incidents queue shortly after they're generated in Defender XDR. It can take up to 10 minutes from the time an incident is generated in Defender XDR to the time it appears in Microsoft Sentinel. In these incidents, the **Alert product name** field contains **Microsoft Defender XDR** or one of the component Defender services' names.

+- To onboard your Microsoft Sentinel workspace to the unified security operations platform in the Defender portal, see [Connect Microsoft Sentinel to Microsoft Defender XDR](/defender-xdr/microsoft-sentinel-onboard).

+### Ingestion costs

+

+Alerts and incidents from Defender XDR, including items that populate the *SecurityAlert* and *SecurityIncident* tables, are ingested into and synchronized with Microsoft Sentinel at no charge. For all other data types from individual Defender components such as the *Advanced hunting* tables *DeviceInfo*, *DeviceFileEvents*, *EmailEvents*, and so on, ingestion is charged. For more information, see [Plan costs and understand Microsoft Sentinel pricing and billing](billing.md).

+### Data ingestion behavior

+When the Defender XDR connector is enabled, alerts created by Defender XDR-integrated products are sent to Defender XDR and grouped into incidents. Both the alerts and the incidents flow to Microsoft Sentinel through the Defender XDR connector. If you enabled any of the individual component connectors beforehand, they appear to remain connected, though no data flows through them.

+The exception to this process is Microsoft Defender for Cloud. Although its integration with Defender XDR means that you receive Defender for Cloud *incidents* through Defender XDR, you need to also have a Microsoft Defender for Cloud connector enabled in order to receive Defender for Cloud *alerts*. For the available options and more information, see the following articles:

+- [Microsoft Defender for Cloud in the Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-security-center-defender-cloud)

+- [Ingest Microsoft Defender for Cloud incidents with Microsoft Defender XDR integration](ingest-defender-for-cloud-incidents.md)

+### Microsoft incident creation rules

+To avoid creating *duplicate incidents for the same alerts*, the **Microsoft incident creation rules** setting is turned off for Defender XDR-integrated products when connecting Defender XDR. Defender XDR-integrated products include Microsoft Defender for Identity, Microsoft Defender for Office 365, and more. Also, Microsoft incident creation rules aren't supported in the unified security operations platform. Defender XDR has its own incident creation rules. This change has the following potential impacts:

+- Microsoft Sentinel's incident creation rules allowed you to filter the alerts that would be used to create incidents. With these rules disabled, preserve the alert filtering capability by configuring [alert tuning in the Microsoft Defender portal](/microsoft-365/security/defender/investigate-alerts), or by using [automation rules](automate-incident-handling-with-automation-rules.md#incident-suppression) to suppress or close incidents you don't want.

+- After you enable the Defender XDR connector, you can no longer predetermine the titles of incidents. The Defender XDR correlation engine presides over incident creation and automatically names the incidents it creates. This change is liable to affect any automation rules you created that use the incident name as a condition. To avoid this pitfall, use criteria other than the incident name as conditions for [triggering automation rules](automate-incident-handling-with-automation-rules.md#conditions). We recommend using *tags*.

+- If you use Microsoft Sentinel's incident creation rules for other Microsoft security solutions or products not integrated into Defender XDR, such as Microsoft Purview Insider Risk Management, and you plan to onboard to the unified security operations platform in the Defender portal, replace your incident creation rules with [scheduled analytic rules](create-analytics-rule-from-template.md).

+Defender XDR incidents appear in the Microsoft Sentinel incidents queue with the product name **Microsoft Defender XDR**, and with similar details and functionality to any other Microsoft Sentinel incidents. Each incident contains a link back to the parallel incident in the Microsoft Defender portal.

+The Defender XDR connector also lets you stream **advanced hunting** events&mdash;a type of raw event data&mdash;from Defender XDR and its component services into Microsoft Sentinel. Collect [advanced hunting](/microsoft-365/security/defender/advanced-hunting-overview) events from all Defender XDR components, and stream them straight into purpose-built tables in your Microsoft Sentinel workspace. These tables are built on the same schema that is used in the Defender portal giving you complete access to the full set of advanced hunting events, and allowing for the following tasks:

+## Related content

+In this document, you learned the benefits of enabling the Defender XDR connector in Microsoft Sentinel.

+$recoveryProtectionContainer = Get-AzRecoveryServicesAsrProtectionContainer -Fabric $fabric -Name "asr-a2a-default-westeurope-t-container"

+View the [Azure Site Recovery PowerShell reference](/powershell/module/az.RecoveryServices) to learn how you can do other tasks such as creating recovery plans and testing failover of recovery plans with PowerShell.

+ Title: Remove an Azure Site Recovery replication appliance

+description: Learn how to remove an Azure Site Recovery replication appliance using the Azure portal.

+# How to Delete the Replication Appliance

+## Overview

+The Azure Site Recovery replication appliance is a virtual machine that runs on-premises and replicates data from your on-premises servers to Azure for disaster recovery purposes. You can delete the appliance from the Azure portal, when you no longer need it.

+This article provides a step-by-step guide for removing the Azure Site Recovery replication appliance from the Azure portal.

+## Before you begin

+There are two ways to remove the replication appliance: **delete** and **reset**. If all the components of the appliance are in a healthy state and the appliance is still accessible, you're allowed to only *reset* the appliance. Resetting moves the appliance to its factory state, enabling it to be associated with any Recovery Service vault again.

+If all the appliance components are in a critical state and there's no connectivity with the appliance, it can be *deleted* from the Azure portal. Before deleting the Recovery Services vault, you must also *remove infrastructure* to ensure that all the resources created in the background for replication and appliance registration are also removed. However, before you delete the Azure Site Recovery replication appliance, you must complete some preparatory steps to avoid errors.

+## Prerequisites

+Before you delete the Azure Site Recovery replication appliance, ensure that you *disable replication of all servers* using the Azure Site Recovery replication appliance. To do this, go to Azure portal, select the Recovery Services vault > *Replicated items* blade. Select the servers you want to stop replicating, select **Stop replication**, and confirm the action.

+### Delete an unhealthy appliance

+You can only delete the Azure Site Recovery replication appliance from the Azure portal if all components are in a critical state and the appliance is no longer accessible.

+> [!IMPORTANT]

+> The appliance must be unhealthy (in a critical state) for at least 30 minutes before it is eligible for deletion. If the appliance is healthy, you can only reset it. Ensure that you have disabled replication for all servers before deleting the appliance.

+To delete an appliance, follow these steps:

+1. Sign in to the Azure portal.

+2. Go to the *Recovery Services vault* > *Site Recovery infrastructure* (under **Manage**), select Azure Site Recovery *replication appliances* under **For VMware & Physical machines**.

+3. For the Azure Site Recovery replication appliance you want to delete, select **Delete** from its menu.

+ :::image type="content" source="./media/delete-appliance/delete.png" alt-text="Screenshot of Site Recovery appliance page.":::

+1. Confirm that no replicated items are associated with the replication appliance. If there are replicated items associated, a pop-up appears to block the appliance deletion.

+ :::image type="content" source="./media/delete-appliance/notification.png" alt-text="Screenshot of pop-up notification.":::

+1. If no replicated items are associated with the appliance, a pop-up appears to inform you about the Microsoft Entra ID Apps that must be deleted. Note these App IDs and proceed with deletion.

+### Post delete appliance

+After successfully deleting the Azure Site Recovery replication appliance, you can:

+- Free up resources used by the Azure Site Recovery replication appliance, such as the storage account, network interface, and public IP address.

+- Delete the Recovery Services vault if it is no longer needed.

+- Remove Microsoft Entra Apps with the Azure Site Recovery replication appliance. To do this, go to Azure portal > *Microsoft Entra ID* > *App registrations* under the *Manage* blade. Select the app that you should delete, and select **Delete** then confirm the action. You can learn the app names by following the steps [here](#delete-an-unhealthy-appliance).

+## Reset a healthy appliance

+You can only reset the Azure Site Recovery replication appliance if all components are in a healthy state. To reset the appliance, follow these steps:

+1. On the Azure portal, go to the appliance you want to reset.

+ Ensure that no replicated items are associated with this appliance.

+1. On **Microsoft Azure Appliance Configuration Manager**, go to the *Reset appliance* section and select **Reset**.

+1. If no machines are associated with the appliance, the reset begins.

+1. Once completed successfully, ensure the following:

+ - Open `Services.msc` and restart the service `World Wide Web Publishing Service`.

+ - Clear the cache for Microsoft Edge or other browsers being used. Restart the browser after the cache cleanup. Learn more [here](https://www.microsoft.com/edge/learning-center/how-to-manage-and-clear-your-cache-and-cookies).

+ - Restart the machine.

+## Next steps

+In this article, you learned how to delete the Azure Site Recovery replication appliance from the Azure portal. You can now free up the associated resources and delete the Recovery Services vault as needed.

+Azure Site Recovery provides the following resource-specific and legacy tables. Each event provides detailed data on a specific set of site recovery related artifacts.

+**Resource-specific tables**:

+- Azure Site Recovery Replication Stats

+- Azure Site Recovery Points

+- Azure Site Recovery Replication Data Upload Rate

+- Azure Site Recovery Replicated Item Details

+### Event logs available for Azure Site Recovery

+Azure Site Recovery provides the following resource-specific and legacy tables. Each event provides detailed data on a specific set of site recovery related artifacts.

+**Resource-specific tables**:

+- [AzureSiteRecoveryJobs](/azure/azure-monitor/reference/tables/asrjobs)

+- [ASRReplicatedItems](/azure/azure-monitor/reference/tables/ASRReplicatedItems)

+**Legacy tables**:

+- Azure Site Recovery Events

+- Azure Site Recovery Replicated Items

+- Azure Site Recovery Replication Stats

+- Azure Site Recovery Points

+- Azure Site Recovery Replication Data Upload Rate

+- Azure Site Recovery Protected Disk Data Churn

+- Azure Site Recovery Replicated Item Details

+## Log Analytics data model

+This section describes the Log Analytics data model for Azure Site Recover that's added to the Azure Diagnostics table (if your vaults are configured with diagnostics settings to send data to a Log Analytics workspace in Azure Diagnostics mode). You can use this data model to write queries on Log Analytics data to create custom alerts or reporting dashboards.

+To understand the fields of each Site Recovery table in Log Analytics, review the details for the Azure Site Recovery Replicated Item Details and Azure Site Recovery Jobs tables. You can find information about the [diagnostic tables](/azure/azure-monitor/reference/tables/azurediagnostics).

+> [!TIP]

+> Expand this table for better readability.

+| Category | Category Display Name | Log Table | [Supports basic log plan](../azure-monitor/logs/basic-logs-configure.md#compare-the-basic-and-analytics-log-data-plans) | [Supports ingestion-time transformation](../azure-monitor/essentials/data-collection-transformations.md) | Example queries | Costs to export |

+| | | | | | | |

+| *ASRReplicatedItems* | Azure Site Recovery Replicated Item Details | [ASRReplicatedItems](/azure/azure-monitor/reference/tables/asrreplicateditems) <br> This table contains details of Azure Site Recovery replicated items, such as associated vault, policy, replication health, failover readiness. etc. Data is pushed once a day to this table for all replicated items, to provide the latest information for each item. | No | No | [Queries](/azure/azure-monitor/reference/queries/asrreplicateditems) | Yes |

+| *AzureSiteRecoveryJobs* | Azure Site Recovery Jobs | [ASRJobs](/azure/azure-monitor/reference/tables/asrjobs) <br> This table contains records of Azure Site Recovery jobs such as failover, test failover, reprotection etc., with key details for monitoring and diagnostics, such as the replicated item information, duration, status, description, and so on. Whenever an Azure Site Recovery job is completed (that is, succeeded or failed), a corresponding record for the job is sent to this table. You can view history of Azure Site Recovery jobs by querying this table over a larger time range, provided your workspace has the required retention configured. | No | No | [Queries](/azure/azure-monitor/reference/queries/asrjobs) | No |

+| *AzureSiteRecoveryEvents* | Azure Site Recovery Events | [AzureDiagnostics](/azure/azure-monitor/reference/tables/azurediagnostics) <br> Logs from multiple Azure resources. | No | No | [Queries](/azure/azure-monitor/reference/queries/azurediagnostics) | No |

+| *AzureSiteRecoveryProtectedDiskDataChurn* | Azure Site Recovery Protected Disk Data Churn | [AzureDiagnostics](/azure/azure-monitor/reference/tables/azurediagnostics) <br> Logs from multiple Azure resources. | No | No | [Queries](/azure/azure-monitor/reference/queries/azurediagnostics#queries-for-microsoftrecoveryservices) | No |

+| *AzureSiteRecoveryRecoveryPoints* | Azure Site Recovery Points | [AzureDiagnostics](/azure/azure-monitor/reference/tables/azurediagnostics) <br> Logs from multiple Azure resources. | No | No | [Queries](/azure/azure-monitor/reference/queries/azurediagnostics#queries-for-microsoftrecoveryservices) | No |

+| *AzureSiteRecoveryReplicatedItems* | Azure Site Recovery Replicated Items | [AzureDiagnostics](/azure/azure-monitor/reference/tables/azurediagnostics) <br> Logs from multiple Azure resources. | No | No | [Queries](/azure/azure-monitor/reference/queries/azurediagnostics#queries-for-microsoftrecoveryservices) | No |

+| *AzureSiteRecoveryReplicationDataUploadRate* | Azure Site Recovery Replication Data Upload Rate | [AzureDiagnostics](/azure/azure-monitor/reference/tables/azurediagnostics) <br> Logs from multiple Azure resources. | No | No | [Queries](/azure/azure-monitor/reference/queries/azurediagnostics#queries-for-microsoftrecoveryservices) | No |

+| *AzureSiteRecoveryReplicationStats* | Azure Site Recovery Replication Stats | [AzureDiagnostics](/azure/azure-monitor/reference/tables/azurediagnostics) <br> Logs from multiple Azure resources. | No | No | [Queries](/azure/azure-monitor/reference/queries/azurediagnostics#queries-for-microsoftrecoveryservices) | No |

+### ASRReplicatedItems

+This is a resource specific table that contains details of Azure Site Recovery replicated items, such as associated vault, policy, replication health, failover readiness. etc. Data is pushed once a day to this table for all replicated items, to provide the latest information for each item.

+#### Fields

+| Attribute | Value |

+|-|-|

+| Resource types | microsoft.recoveryservices/vaults |

+| Categories |Audit |

+| Solutions | LogManagement |

+| Basic log | No |

+| Ingestion-time transformation | No |

+| Sample Queries | Yes |

+#### Columns

+| Column Name | Type | Description |

+|-|-|-|

+| ActiveLocation | string | Current active location for the replicated item. If the item is in failed over state, the active location is the secondary (target) region. Otherwise, it is the primary region. |

+| BilledSize | real | The record size in bytes |

+| Category | string | The category of the log. |

+| DatasourceFriendlyName | string | Friendly name of the datasource being replicated. |

+| DatasourceType | string | ARM type of the resource configured for replication. |

+| DatasourceUniqueId | string | Unique ID of the datasource being replicated. |

+| FailoverReadiness | string | Denotes whether there are any configuration issues that could affect the failover operation success for the Azure Site Recovery replicated item. |

+| IRProgressPercentage | int | Progress percentage of the initial replication phase for the replicated item. |

+| IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |

+| LastHeartbeat | datetime | Time at which the Azure Site Recovery agent associated with the replicated item last made a call to the Azure Site Recovery service. Useful for debugging error scenarios where you wish to identify the time at which issues started arising. |

+| LastRpoCalculatedTime | datetime | Time at which the RPO was last calculated by the Azure Site Recovery service for the replicated item. |

+| LastSuccessfulTestFailoverTime | datetime | Time of the last successful failover performed on the replicated item. |

+| MultiVMGroupId | string | For scenarios where multi-VM consistency feature is enabled for replicated virtual machines, this field specifies the ID of the multi-VM group associated with the replicated virtual machine. |

+| OperationName | string | The name of the operation. |

+| OSFamily | string | OS family of the resource being replicated. |

+| PolicyFriendlyName | string | Friendly name of the replication policy applied to the replicated item. |

+| PolicyId | string | ARM ID of the replication policy applied to the replicated item. |

+| PolicyUniqueId | string | Unique ID of the replication policy applied for the replicated item. |

+| PrimaryFabricName | string | Represents the source region of the replicated item. By default, the value is the name of the source region, however if you have specified a custom name for the primary fabric while enabling replication, then that custom name shows up under this field. |

+| PrimaryFabricType | string | Fabric type associated with the source region of the replicated item. Depending on whether the replicated item is an Azure virtual machine, Hyper-V virtual machine or VMware virtual machine, the value for this field varies. |

+| ProtectionInfo | string | Protection status of the replicated item. |

+| RecoveryFabricName | string | Represents the target region of the replicated item. By default, the value is the name of the target region. However, if you specify a custom name for the recovery fabric while enabling replication, then that custom name shows up under this field. |

+| RecoveryFabricType | string | Fabric type associated with the target region of the replicated item. Depending on whether the replicated item is an Azure virtual machine, Hyper-V virtual machine or VMware virtual machine, the value for this field varies. |

+| RecoveryRegion | string | Target region to which the resource is replicated. |

+| ReplicatedItemFriendlyName | string | Friendly name of the resource being replicated. |

+| ReplicatedItemId | string | ARM ID of the replicated item. |

+| ReplicatedItemUniqueId | string | Unique ID of the replicated item. |

+| ReplicationHealthErrors | string | List of issues that might be affecting the recovery point generation for the replicated item. |

+| ReplicationStatus | string | Status of replication for the Azure Site Recovery replicated item. |

+| _ResourceId | string | A unique identifier for the resource that the record is associated with |

+| SourceResourceId | string | ARM ID of the datasource being replicated. |

+| SourceSystem | string | The agent type that collected the event. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |

+| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |

+| TenantId | string | The Log Analytics workspace ID |

+| TimeGenerated | datetime | The timestamp (UTC) when the log was generated. |

+| Type | string | The name of the table |

+| VaultLocation | string | Location of the vault associated with the replicated item. |

+| VaultName | string | Name of the vault associated with the replicated item. |

+| VaultType | string | Type of the vault associated with the replicated item. |

+| Version | string | The API version. |

+### AzureSiteRecoveryJobs

+This table contains records of Azure Site Recovery jobs such as failover, test failover, reprotection etc., with key details for monitoring and diagnostics, such as the replicated item information, duration, status, description, and so on. Whenever an Azure Site Recovery job is completed (that is, succeeded or failed), a corresponding record for the job is sent to this table. You can view history of Azure Site Recovery jobs by querying this table over a larger time range, provided your workspace has the required retention configured.

+#### Fields

+| Attribute | Value |

+|-|-|

+| Resource types | microsoft.recoveryservices/vaults |

+| Categories | Audit |

+| Solutions | LogManagement |

+| Basic log | No |

+| Ingestion-time transformation | No |

+| Sample Queries | Yes |

+#### Columns

+| Column Name | Type | Description |

+|-|-|-|

+| _BilledSize | real | The record size in bytes |

+| Category | string | The category of the log. |

+| CorrelationId | string | Correlation ID associated with the Azure Site Recovery job for debugging purposes. |

+| DurationMs | int | Duration of the Azure Site Recovery job. |

+| EndTime | datetime | End time of the Azure Site Recovery job. |

+| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |

+| JobUniqueId | string | Unique ID of the Azure Site Recovery job. |

+| OperationName | string | Type of Azure Site Recovery job, for example, Test failover. |

+| PolicyFriendlyName | string | Friendly name of the replication policy applied to the replicated item (if applicable). |

+| PolicyId | string | ARM ID of the replication policy applied to the replicated item (if applicable). |

+| PolicyUniqueId | string | Unique ID of the replication policy applied to the replicated item (if applicable). |

+| ReplicatedItemFriendlyName | string | Friendly name of replicated item associated with the Azure Site Recovery job (if applicable). |

+| ReplicatedItemId | string | ARM ID of the replicated item associated with the Azure Site Recovery job (if applicable). |

+| ReplicatedItemUniqueId | string | Unique ID of the replicated item associated with the Azure Site Recovery job (if applicable). |

+| ReplicationScenario | string | Field used to identify whether the replication is being done for an Azure resource or an on-premises resource. |

+| _ResourceId | string | A unique identifier for the resource that the record is associated with |

+| ResultDescription | string | Result of the Azure Site Recovery job. |

+| SourceFriendlyName | string | Friendly name of the resource on which the Azure Site Recovery job was executed. |

+| SourceResourceGroup | string | Resource Group of the source. |

+| SourceResourceId | string | ARM ID of the resource on which the Azure Site Recovery job was executed. |

+| SourceSystem | string | The agent type that collected the event. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |

+| SourceType | string | Type of resource on which the Azure Site Recovery job was executed. |

+| StartTime | datetime | Start time of the Azure Site Recovery job. |

+| Status | string | Status of the Azure Site Recovery job. |

+| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |

+| TenantId | string | The Log Analytics workspace ID |

+| TimeGenerated | datetime | The timestamp (UTC) when the log was generated. |

+| Type | string | The name of the table |

+| VaultLocation | string | Location of the vault associated with the Azure Site Recovery job. |

+| VaultName | string | Name of the vault associated with the Azure Site Recovery job. |

+| VaultType | string | Type of the vault associated with the Azure Site Recovery job. |

+| Version | string | The API version. |

+For information on data retention, see [Data retention and archive in Azure Monitor logs](/azure/azure-monitor/logs/data-retention-archive).

+You can modify the default retention period in the **Usage and Estimated Cost** section in the Log Analytics workspace. Click on **Data Retention**, and choose the range.

+Azure Resource Manager resources, like Recovery Services vaults, record information about site recovery jobs and replicated items as diagnostics data.

+To learn how to configure diagnostics settings, see [Diagnostic settings in Azure Monitor](/azure/azure-monitor/essentials/diagnostic-settings).

+You can also configure diagnostics settings for your vaults using the following steps in the Azure portal.

+1. Navigate to the chosen the Recovery Services vault, then select **Monitoring** > **Diagnostic settings**.

+1. Specify the target for the Recovery Services Vault's diagnostic data. Learn more about [using diagnostic events](../backup/backup-azure-diagnostic-events.md) for Recovery Services vaults.

+# Use the Recovery Services dashboard

+- local <-> Azure Files (Share/directory SAS authentication or OAuth authentication)

+- Azure File (SAS or OAuth authentication) <-> Azure File (SAS or OAuth authentication)

+Soft delete can be enabled on either new or existing file shares. Soft delete is also backwards compatible, so you don't have to make any changes to your applications to take advantage of the protections of soft delete.

+To permanently delete a file share in a soft delete state before its expiry time, you must undelete the share, disable soft delete, and then delete the share again. Then you should re-enable soft delete, because any other file shares in that storage account will be vulnerable to accidental deletion while soft delete is off.

+| | **CloudCasa**<br>CloudCasa by Catalogic is an award-winning backup, recovery, migration, and replication service, built specifically for Kubernetes, and cloud native applications. It supports AKS, and all other major Kubernetes distributions, and managed services. <br>From a single dashboard, CloudCasa makes managing cross-cluster, cross-tenant, cross-region, and cross-cloud backup and recovery easy. With CloudCasa's Azure integration, cluster recoveries, and migrations include the ability to automatically re-create entire AKS clusters along with their vNETs, add-ons, and load balancers.|[Partner page](https://cloudcasa.io/partners/microsoft-azure/)<br>[Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/catalogicsoftware1625626770507.cloudcasa-aks-app)|

+|  |**Kasten**<br>Kasten by Veeam provides a solution for Kubernetes backup and disaster recovery. Kasten helps enterprises overcome Day 2 data management challenges to confidently run applications on Kubernetes.<br><br>The Kasten K10 data management software platform provides enterprise operations teams a scalable and secure system for BCDR and mobility of Kubernetes applications.|[Partner page](https://docs.kasten.io/latest/install/azure/azure.html)<br>[Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/veeam.kasten_k10_by_veeam_byol?tab=Overview)|

+|  |**NetApp**<br>NetApp is a global cloud-led, data-centric software company that empowers organizations to lead with data in the age of accelerated digital transformation.<br><br>NetApp Astra Control Service is a fully managed service that makes it easier for customers to manage, protect, and move their data-rich containerized workloads running on Kubernetes within, and across public clouds, and on-premises. Astra Control provides persistent container storage with Azure NetApp Files offering advanced application-aware data management functionality (like snapshot-revert, backup-restore, activity log, and active cloning) for data protection, disaster recovery, data audit, and migration use-cases for your modern apps. |[Partner page](https://cloud.netapp.com/astra)<br>[Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/netapp.netapp-astra-acs)|

+|  |**Rackware**<br>RackWare provides an intelligent highly automated Hybrid Cloud Management Platform that extends across physical and virtual environments.<br><br>RackWare SWIFT is a converged disaster recovery, backup, and migration solution for Kubernetes and OpenShift. It's a cross-platform, cross-cloud, and cross-version solution that enables you to move and protect your stateful Kubernetes applications from any on-premises or cloud environment to Azure Kubernetes Service (AKS) and Azure Storage.|[Partner page](https://www.rackwareinc.com/rackware-swift-microsoft-azure)<br>[Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps?search=rackware%20swift&page=1&filters=virtual-machine-images)|

+Are you a storage partner but your solution isn't listed yet? Send us your info [here](https://forms.office.com/pages/responsepage.aspx?id=v4j5cvGGr0GRqy180BHbR3i8TQB_XnRAsV3-7XmQFpFUQjY4QlJYUzFHQ0ZBVDNYWERaUlNRVU5IMyQlQCN0PWcu).

+> [!CAUTION]

+> * In accordance with the Synapse runtime for Apache Spark lifecycle policy, Azure Synapse runtime for Apache Spark 3.2 will be retired as of July 8, 2024. After the End of Support date, the retired runtimes are unavailable for new Spark pools and existing workflows can't execute. Metadata will temporarily remain in the Synapse workspace.