+The custom neural (custom document) model uses deep learning models and base model trained on a large collection of documents. This model is then fine-tuned or adapted to your data when you train the model with a labeled dataset. Custom neural models support structured, semi-structured, and unstructured documents to extract fields. When you're choosing between the two model types, start with a neural model to determine if it meets your functional needs. See [neural models](concept-custom-neural.md) to learn more about custom document models.

+* Neural models support documents that have the same information, but different page structures. Examples of these documents include United States W2 forms, which share the same information, but vary in appearance across companies.

+* First, your application submits the SAS token to Azure Storage as part of a REST API request.

+* Next, if the storage service verifies that the SAS is valid, the request is authorized. If, the SAS token is deemed invalid, the request is declined and the error code 403 (Forbidden) is returned.

+ > * [Azure role-based access control](../../role-based-access-control/overview.md) (Azure RBAC) is the authorization system used to manage access to Azure resources. Azure RBAC helps you manage access and permissions for your Azure resources.

+ * **Account key**: No imposed maximum time limit; however, best practices recommended that you configure an expiration policy to limit the interval and minimize compromise. [Configure an expiration policy for shared access signatures](/azure/storage/common/sas-expiration-policy).

+ * **User delegation key**: The value for the expiry time is a maximum of seven days from the creation of the SAS token. The SAS is invalid after the user delegation key expires, so a SAS with an expiry time of greater than seven days will still only be valid for seven days. For more information, *see* [Use Microsoft Entra credentials to secure a SAS](/azure/storage/blobs/storage-blob-user-delegation-sas-create-cli#use-azure-ad-credentials-to-secure-a-sas).

+1. The **Allowed IP addresses** field is optional and specifies an IP address or a range of IP addresses from which to accept requests. If the request IP address doesn't match the IP address or address range specified on the SAS token, authorization fails. The IP address or a range of IP addresses must be public IPs, not private. For more information, *see*, [**Specify an IP address or IP range**](/rest/api/storageservices/create-account-sas#specify-an-ip-address-or-ip-range).

+1. Copy and paste the **Blob SAS token** and **Blob SAS URL** values in a secure location. The values are displayed only once and can't be retrieved after the window is closed.

+That's it! You learned how to create SAS tokens to authorize how clients access your data.

+* [Use and contribute to the open-source Form Labeling Tool](#open-source-on-github)

+After you create your web app, you can enable the continuous deployment option:

+* `DNS_NAME_LABEL=aci-demo-$RANDOM` generates a random Domain Name System (DNS) identity.

+* This command automatically accepts End User License Agreement (EULA).

+We recommend that you connect your web app to Microsoft Entra ID. This connection ensures that only users with valid credentials can sign in and use your web app. Follow the instructions in [Configure your App Service app](../../app-service/configure-authentication-provider-aad.md) to connect to Microsoft Entra ID.

+The Form Labeling Tool is also available as an open-source project on GitHub. The tool is a web application built using React + Redux, and is written in TypeScript. To learn more or contribute, see [Form Labeling Tool](https://github.com/microsoft/OCR-Form-Tools/blob/master/README.md).

+description: How to use the Document Intelligence sample tool to analyze documents, invoices, receipts etc. Label and create a custom model to extract text, tables, selection marks, structure, and key-value pairs from documents.

+The labeling tool also shows which tables were automatically extracted. To see extracted tables, select the table/grid icon on the left hand of the document. In this quickstart, because the table content is automatically extracted, we don't label the table content, but rather rely on the automated extraction.

+Once you define your table tag, tag the cell values.

+To open the Training page, choose the Train icon on the left pane. Then select the **Train** button to begin training the model. Once the training process completes, you see the following information:

+After training finishes, examine the **Average Accuracy** value. If it's low, you should add more input documents and repeat the labeling steps. The documents you already labeled remain in the project index.

+To test your model, select the `Analyze` icon from the navigation bar. Select source *Local file*. Browse for a file and select a file from the sample dataset that you unzipped in the test folder. Then choose the **Run analysis** button to get key/value pairs, text, and tables predictions for the form. The tool applies tags in bounding boxes and reports the confidence of each tag.

+> You can also run the `Analyze` API with a REST call. To learn how to do this, see [Train with labels using Python](https://github.com/Azure-Samples/cognitive-services-quickstart-code/blob/master/python/FormRecognizer/rest/python-labeled-data.md).

+Depending on the reported accuracy, you may want to do further training to improve the model. After you complete a prediction, examine the confidence values for each of the applied tags. If the average accuracy training value is high, but the confidence scores are low (or the results are inaccurate), add the prediction file to the training set, label it, and train again.

+In this quickstart, you learned how to use the Document Intelligence Sample Labeling tool to train a model with manually labeled data. If you'd like to build your own utility to label training data, use the REST APIs that deal with labeled data training.

+In this article, learn how to train your custom template model with table tags (labels). Some scenarios require more complex labeling than simply aligning key-value pairs. Such scenarios include extracting information from forms with complex hierarchical structures or encountering items that not automatically detected and extracted by the service. In these cases, you can use table tags to train your custom template model.

+* There's data that you wish to extract presented as tables in your forms, and the structure of the tables are meaningful. For instance, each row of the table represents one item and each column of the row represents a specific feature of that item. In this case, you could use a table tag where a column represents features and a row represents information about each feature.

+* There's data you wish to extract that isn't presented in specific form fields but semantically, the data could fit in a two-dimensional grid. For instance, your form has a list of people, and includes, a first name, a surname, and an email address. You would like to extract this information. In this case, you could use a table tag with first name, surname, and email address as columns and each row is populated with information about a person from your list.

+Document Intelligence uses a unified design to represent all errors encountered in the REST APIs. Whenever an API operation returns a 4xx or 5xx status code, additional information about the error is returned in the response JSON body as follows:

+For long-running operations where multiple errors are encountered, the top-level error code is set to the most severe error, with the individual errors listed under the *error.details* property. In such scenarios, the *target* property of each individual error specifies the trigger of the error.

+| ServiceUnavailable | A transient error occurred. Try again. | 503 |

+| NotFound | ModelNotFound | The requested model wasn't found. It was deleted or still building. |

+| NotFound | OperationNotFound | The requested operation wasn't found. The identifier is invalid or the operation is expired. |

+| (retired) | Understand natural language in your apps. |

+* [How to create an account](multi-service-resource.md?pivots=azportal)

+## Notifications

+1. At model launch, we programmatically designate a "not sooner than" retirement date (typically six months to one year out).

+2. At least 60 days notice before model retirement for Generally Available (GA) models.

+3. At least 14 days notice before preview model version upgrades.

+## Model availability

+1. At least one year of model availability for GA models after the release date of a model in at least one region worldwide

+2. For global deployments, all future model versions starting with `gpt-4o` and `gpt-4 0409` will be available with their (`N`) next succeeding model (`N+1`) for comparison together.

+1. Customers have 60 days to try out a new GA model in at least one global, or standard region, before any upgrades happen to a newer GA model.

+### Considerations for the Azure public cloud

+Be aware of the following:

+1. All model version combinations will **not** be available in all regions.

+2. Model version `N` and `N+1` might not always be available in the same region.

+3. GA model version `N` might upgrade to a future model version `N+X` in some regions based on capacity limitations, and without the new model version `N+X` separately being available to test in the same region. The new model version will be available to test in other regions before any upgrades are scheduled.

+4. Preview model versions and GA versions of the same model won't always be available to test together in the same region. There will be preview and GA versions available to test in different regions.

+5. We reserve the right to limit future customers using a particular region to balance service quality for existing customers.

+6. As always at Microsoft, security is of the utmost importance. If a model or model version is found to have compliance or security issues, we reserve the right to invoke the need to do emergency retirements. See the terms of service for more information.

+### Special considerations for Azure Government clouds

+1. Global standard deployments won't be available in government clouds.

+2. Not all models or model versions available in commercial / public cloud will be available in government clouds.

+3. In the Azure Government clouds, we intend to support only one version of a given model at a time.

+ 1. For example only one version of `gpt-35-turbo 0125` and `gpt-4o (2024-05-13)`.

+4. There will however be a 30 day overlap between new model versions, where more than two will be available.

+ 1. For example if `gpt-35-turbo 0125` or `gpt-4o (2024-05-13)` is updated to a future version, or

+ 2. for model family changes beyond version updates, such as when moving from `gpt-4 1106-preview` to `gpt-4o (2024-05-13)`.

+Now that you completed the prerequisites and initial setup, let's get started using the Translator V3 connector to create your document translation flow:

+ :::image type="content" source="../media/connectors/add-connection.png" alt-text="Screenshot showing the how-to-add connection window.":::

+ * **Location of the source documents**. Enter the URL for your documents in your Azure storage source document container.

+Now that you submitted your documents for translation, let's check the status of the operation.

+ 1. In the Choose an operation pop-up window, enter **SharePoint**, then select the **Get file content** content. Power Automate automatically signs you into your SharePoint accounts.

+ * **File Identifier**. Select the folder icon and choose the documents for translation.

+1. After you completed the **Azure Blob Storage** authentication, the **Create blob** step appears. Complete the fields as follows:

+ :::image type="content" source="../media/connectors/add-connection.png" alt-text="Screenshot showing the how-to-add connection window.":::

+Before retrieving the documents status, let's schedule a 30-second delay to ensure that the file is processed for translation:

+1. Select the **Blob path** field to show the **Dynamic content** window, select **Expression**, and enter the following logic in the formula field:

+ :::image type="content" source="../media/connectors/enter-custom-value.png" alt-text="Screenshot showing 'enter custom value' from the create-blob-(V2) window.":::

+That's it! You learned to automate document translation processes using the Microsoft Translator V3 connector and Power Automate.

+Now that you completed the prerequisites, let's get started.

+ :::image type="content" source="../media/connectors/add-connection.png" alt-text="Screenshot showing the add-connection window.":::

+ :::image type="content" source="../media/connectors/translate-text-step.png" alt-text="Screenshot showing the translate-text step.":::

+ :::image type="content" source="../media/connectors/add-connection.png" alt-text="Screenshot showing the add-connection window.":::

+ :::image type="content" source="../media/connectors/transliterate-text-step.png" alt-text="Screenshot showing the transliterate-text step.":::

+# Custom Translator for beginners

+The platform enables users to build and publish custom translation systems to and from English. The Custom Translator supports more than 60 languages that map directly to the languages available for Neural machine translation (NMT). For a complete list, *see* [Translator language support](../language-support.md).

+Training a full custom translation model requires a substantial amount of data. If you don't have at least 10,000 sentences of previously trained documents, you can't train a full-language translation model. However, you can either train a dictionary-only model or use the high-quality, out-of-the-box translations available with the Text Translation API.

+* Assessing translation quality or target language translations.

+* Is your desired outcome specified and how is it measured?

+* Is your business domain identified?

+* Does your company have previous translation data available that you can use? Enterprises often have a wealth of translation data accumulated over many years of using human translation.

+| Sentence dictionary | Forces the given translation 100% of the time. | **Be strict**. A sentence dictionary is case-insensitive and good for common in domain short sentences. For a sentence dictionary match to occur, the entire submitted sentence must match the source dictionary entry. If only a portion of the sentence matches, the entry doesn't match. |

+BLEU (Bilingual Evaluation Understudy) is an algorithm for evaluating the precision or accuracy of text that is machine translated from one language to another. Custom Translator uses the BLEU metric as one way of conveying translation accuracy.

+Tuning and test sentences are optimally representative of what you plan to translate in the future. If you don't submit any tuning or testing data, Custom Translator automatically excludes sentences from your training documents to use as tuning and test data.

+To prepare for training, documents undergo a series of processing and filtering steps. Knowledge of the filtering process may help with understanding the sentence count displayed as well as the steps you can take to prepare training documents for training with Custom Translator. The filtering steps are as follows:

+ If your document isn't in `XLIFF`, `XLSX`, `TMX`, or `ALIGN` format, Custom Translator aligns the sentences of your source and target documents to each other, sentence-by-sentence. Translator doesn't perform document alignmentΓÇöit follows your naming convention for the documents to find a matching document in the other language. Within the source text, Custom Translator tries to find the corresponding sentence in the target language. It uses document markup like embedded HTML tags to help with the alignment.

+* ### Tuning and testing data extraction

+ Tuning and testing data is optional. If you don't provide it, the system removes an appropriate percentage from your training documents to use for tuning and testing. The removal happens dynamically as part of the training process. Since this step occurs as part of training, your uploaded documents aren't affected. You can see the final used sentence counts for each category of dataΓÇötraining, tuning, testing, and dictionaryΓÇöon the Model details page after training succeeds.

+ * Removes sentences with more than 2,000 characters for Chinese, Japanese, Korean.

+* Align sentences (source-to-target), if feasible.

+* Avoid teaching errors to your model by making certain that grammar and typography are correct.

+* Have one source sentence mapped to one target sentence. Although our training process handles source and target lines containing multiple sentences, one-to-one mapping is a best practice.

+After your model is successfully trained, you can view the model's BLEU score and baseline model BLEU score on the model details page. We use the same set of test data to generate both the model's BLEU score and the baseline BLEU score. This data helps you make an informed decision regarding which model would be better for your use-case.

+available for training. If your models are trained within a narrow domain, and

+With Custom Translator, you can build neural translation systems that understand the terminology used in your own business and industry. The customized translation system integrates into existing applications, workflows, and websites.

+Use your previously translated documents (leaflets, webpages, documentation, etc.) to build a translation system that reflects your domain-specific terminology and style, better than a standard translation system. Users can upload `TMX`,`XLIFF`,`TXT`, `DOCX`, and `XLSX` documents.

+The system also accepts data that is parallel at the document level but isn't yet aligned at the sentence level. If users have access to versions of the same content in multiple languages but in separate documents, Custom Translator os able to automatically match sentences across documents. The system can also use monolingual data in either or both languages to complement the parallel training data to improve the translations.

+Given the appropriate type and amount of training data it isn't uncommon to expect gains between 5 and 10, or even more `BLEU` points on translation quality by using Custom Translator.

+A sentence dictionary is case-insensitive. The sentence dictionary allows you to specify an exact target translation for a source sentence. For a sentence dictionary match to occur, the entire submitted sentence must match the source dictionary entry. A source dictionary entry that ends with punctuation is ignored during the match. If only a portion of the sentence matches, the entry isn't matched. When a match is detected, the target entry of the sentence dictionary is returned.

+You can train a model using only dictionary data. To do so, select only the dictionary document (or multiple dictionary documents) that you wish to include and select **Create model**. Since this training is dictionary-only, there's no minimum number of training sentences required. Your model typically completes training faster than a standard training. The resulting models use the Microsoft baseline models for translation with the addition of the dictionaries you add. You don't get a test report.

+- The phrase dictionary works well for compound nouns like product names ("_Microsoft SQL Server_"), proper names ("_City of Hamburg_"), or product features ("_pivot table_"). It doesn't work as well for verbs or adjectives because, typically, those words are highly contextual within the source or target language. The best practice is to avoid phrase dictionary entries for anything but compound nouns.

+ - When you request translation of a sentence that includes the same phrase but **doesn't** match what is in your source file, such as _sql server_, _sql Server_, or _SQL Server_, it **won't** return a match from your dictionary.

+ - If your source dictionary contains "_This sentence ends with punctuation!_", then any translation requests that contain "_This sentence ends with punctuation_" matches.

+| `XLIFF` | `.XLF`, `.XLIFF` | A parallel document format, export of Translation Memory systems. The languages used are defined inside the file. |

+| `TMX` | `.TMX` | A parallel document format, export of Translation Memory systems. The languages used are defined inside the file. |

+| `ZIP` | `.ZIP` | An archive file format. |

+| `Locstudio` | `.LCL` | A Microsoft format for parallel documents |

+| Microsoft Word | `.DOCX` | Microsoft Word document |

+| Adobe Acrobat | `.PDF` | Adobe Acrobat portable document |

+| `HTML` | `.HTML`, `.HTM` | HyperText Markup Language document |

+| Text file | `.TXT` | UTF-16 or UTF-8 encoded text files. The file name must not contain Japanese characters. |

+| Aligned text file | `.ALIGN` | The extension `.ALIGN` is a special extension that you can use if you know that the sentences in the document pair are perfectly aligned. If you provide a `.ALIGN` file, Custom Translator doesn't align the sentences for you. |

+| Excel file | `.XLSX` | Excel file (2013 or later). First line/ row of the spreadsheet should be language code. |

+## ZIP file formats

+Documents can be grouped into a single zip file and uploaded. The Custom Translator supports zip file formats (`ZIP`, `GZ`, and `TGZ`).

+Spanish system, the files should be named `data_en` and `data_es`.

+Translation Memory files (`TMX`, `XLF`, `XLIFF`, `LCL`, `XLSX`) aren't required to follow the specific language-naming convention.

+If only training data is provided when queuing a training, Custom Translator automatically assembles tuning and testing data. It uses a random subset of sentences from your training documents, and exclude these sentences from the training data itself.

+The tuning data is used during training to adjust all parameters and weights of the translation system to the optimal values. Choose your tuning data carefully: the tuning data should be representative of the content of the documents you intend to translate in the future. The tuning data has a major influence on the quality of the translations produced. Tuning enables the translation system to provide translations that are closest to the samples you provide in the tuning data. You don't need more than 2,500 sentences in your tuning data. For optimal translation quality, we recommend selecting the tuning set manually by choosing the most representative selection of sentences.

+When creating your tuning set, choose sentences that are a meaningful and representative length of the future sentences that you expect to translate. Choose sentences that have words and phrases that you intend to translate in the approximate distribution that you expect in your future translations. In practice, a sentence length of 7 to 10 words produces the best results. These sentences contain enough context to show inflection and provide a phrase length that is significant, without being overly complex.

+If you aren't sure what to choose for your tuning data, just select the training data and let Custom Translator select the tuning data for you. When you let the Custom Translator choose the tuning data automatically, it uses a random subset of sentences from your bilingual training documents and exclude these sentences from the training material itself.

+The test data should include parallel documents where the target language sentences are the most desirable translations of the corresponding source language sentences in the source-target pair. You may want to use the same criteria you used to compose the tuning data. However, the testing data has no influence over the quality of the translation system and is used exclusively to generate the BLEU score for you.

+You don't need more than 2,500 sentences as the testing data. When you let the system choose the testing set automatically, it uses a random subset of sentences from your bilingual training documents, and exclude these sentences from the training material itself.

+You need a minimum of 10,000 unique aligned parallel sentences to train a system. This limitation is a safety net to ensure your parallel sentences contain enough unique vocabulary to successfully train a translation model. As a best practice, continuously add more parallel content and retrain to improve the quality of your translation system. For more information, *see* [Sentence Alignment](./sentence-alignment.md).

+Microsoft requires that documents uploaded to the Custom Translator don't violate a third-party copyright or intellectual properties. For more information, please see the [Terms of Use](https://azure.microsoft.com/support/legal/cognitive-services-terms/). Uploading a document using the portal doesn't alter the ownership of the intellectual property in the document itself.

+repository, you can't download the documents in the same

+format that was uploaded.

+- Files for translation must be less than 100 MB in size.

+- Monolingual data isn't supported. A monolingual file has a single language not paired with another file of a different language.

+## When should I request deployment for a trained translation system?

+It may take several trainings to create the optimal translation system for your project. You may want to try using more training data or more carefully filtered data, if the `BLEU` score and/ or the test results aren't satisfactory. You should be strict and careful in designing your tuning set and your test set. Make certain your sets fully represent the terminology and style of material you want to translate. You can be more liberal in composing your training data, and experiment with different options. Request a system deployment when the translations in your system test results are satisfactory and you don't have more data to add to improve your trained system.

+Only one trained system can be deployed per project. It may take several trainings to create a suitable translation system for your project and we encourage you to request deployment of a training that gives you the best result. You can determine the quality of the training by the `BLEU` score (higher is better), and by consulting with reviewers before deciding that the quality of translations is suitable for deployment.

+The Custom Translator skips sentence alignment and sentence breaking for `TMX` files and for text files with the `.align` extension. `.align` files give users an option to skip Custom Translator's sentence breaking and alignment process for the files that are perfectly aligned, and need no further processing. We recommend using `.align` extension only for files that are perfectly aligned.

+If the number of extracted sentences doesn't match the two files with the same base name, Custom Translator runs the sentence aligner on `.align` files.

+## I tried uploading my Translation Memory Exchange (TMX) file, but it says "document processing failed"

+ :::image type="content" source="../media/how-to/create-project-dialog.png" alt-text="Screenshot illustrating the create-project fields.":::

+1. Select **Delete** and read the deleted message before you select **Delete project** to confirm.

+Before uploading your documents, review the [document formats and naming convention guidance](../concepts/document-formats-naming-convention.md) to make sure Custom Translator supports your file format.

+- Does your company have previous translation data available that you can use? Enterprises often have a wealth of translation data accumulated over many years of using human translation.

+| Bilingual training documents | Teaches the system your terminology and style. | **Be liberal**. Any in-domain human translation is better than machine translation. Add and remove documents as you go and try to improve the [`BLEU` score](../concepts/bleu-score.md?WT.mc_id=aiml-43548-heboelma). |

+| Test documents | Calculate the [`BLEU` score](../beginners-guide.md#what-is-a-bleu-score).| **Be strict**. Compose test documents to be optimally representative of what you plan to translate in the future. |

+| Sentence dictionary | Forces the given translation 100% of the time. | **Be strict**. A sentence dictionary is case-insensitive and good for common in domain short sentences. For a sentence dictionary match to occur, the entire submitted sentence must match the source dictionary entry. If only a portion of the sentence matches, the entry doesn't match. |

+At this point, Custom Translator is processing your documents and attempting to extract sentences as indicated in the upload notification. Once done processing, you see the upload successful notification.

+1. The upload history tab shows history from the [Custom Translator](https://portal.customtranslator.azure.ai) portal workspace page.

+ uploads from most recent to least recent. Each upload status shows document name, created by, upload status, upload date, number of files uploaded, type of file uploaded, and language pairs. You can use filter to quickly find documents by name, status, language, and date range.

+3. The upload history details page shows the files uploaded as part of the uploaded status of the file, language of the file, and error message (if there's an error in upload).

+|East Asia|`AE`|

+|Southeast Asia|`ASE`|

+|Australia East|`AUE`|

+|Brazil South|`BRS`|

+|Canada Central|`CAC`|

+|France Central|`FC`|

+|Global|`GBL`|

+|Central India|`INC`|

+|Japan East|`JPE`|

+|Japan West|`JPW`|

+|Korea Central|`KC`|

+|North Europe|`NEU`|

+|South Africa North|`SAN`|

+|Sweden Central|`SWC`|

+|UAE North|`UAEN`|

+|UK South|`UKS`|

+|Central US|`USC`|

+|East US|`USE`|

+|East US 2|`USE2`|

+|North Central US|`USNC`|

+|South Central US|`USSC`|

+|West US|`USW`|

+|West US 2|`USW2`|

+|West Central US|`USWC`|

+|West Europe|`WEU`|

+# Publish a custom model

+1. Select the `Publish model` blade.

+1. Select *en-de with sample data* and select `Publish`.

+1. Check the desired regions.

+1. Select `Publish`. The status should transition from _Deploying_ to _Deployed_.

+ :::image type="content" source="../media/quickstart/publish-model.png" alt-text="Screenshot illustrating the publish-model blade.":::

+To replace a published model, you can exchange the published model with a different model in the same region:

+1. Select `Publish`.

+1. Select `publish` once more in the `Publish model` dialog window.

+Once your model is successfully trained, you can use translations to evaluate the quality of your model. In order to make an informed decision about whether to use our standard model or your custom model, you should evaluate the delta between your custom model [**BLEU score**](#bleu-score) and our standard model **Baseline BLEU**. If your model is trained within a narrow domain, and your training data is consistent with the test data, you can expect a high BLEU score.

+BLEU (Bilingual Evaluation Understudy) is an algorithm for evaluating the precision or accuracy of text that is machine translated from one language to another. Custom Translator uses the BLEU metric as one way of conveying translation accuracy.

+1. Select the model name. Review the training date/time, total training time, number of sentences used for training, tuning, testing, and dictionary. Check whether the system generated the test and tuning sets. Use the `Category ID` to make translation requests.

+1. Evaluate the model [BLEU](../beginners-guide.md#what-is-a-bleu-score) score. Review the test set: the **BLEU score** is the custom model score and the **Baseline BLEU** is the pretrained baseline model used for customization. A higher **BLEU score** means there's high translation quality using the custom model.

+1. Human evaluate translation from your **Custom model** and the **Baseline model** (our pretrained baseline used for customization) against **Reference** (target translation from the test set).

+1. If the training results are satisfactory, place a deployment request for the trained model.

+A model provides translations for a specific language pair. The outcome of a successful training is a model. To train a custom model, three mutually exclusive document types are required: training, tuning, and testing. If only training data is provided when queuing a training, Custom Translator automatically assembles tuning and testing data. It uses a random subset of sentences from your training documents, and exclude these sentences from the training data itself. A minimum of 10,000 parallel training sentences are required to train a full model.

+For better results, we recommended letting the system learn from your training data. However, when you don't have enough parallel sentences to meet the 10,000 minimum requirements, or sentences and compound nouns must be rendered as-is, use dictionary-only training. Your model typically completes training faster than with full training. The resulting models use the baseline models for translation along with the dictionaries you added. You don't see `BLEU` scores or get a test report.

+1. Select the **Model Name** to review training date/time, total training time, number of sentences used for training, tuning, testing, dictionary, and whether the system generated the test and tuning sets. You use `Category ID` to make translation requests.

+1. Evaluate the model [`BLEU` score](../beginners-guide.md#what-is-a-bleu-score). Review the test set: the **BLEU score** is the custom model score and the **Baseline BLEU** is the pretrained baseline model used for customization. A higher **BLEU score** means higher translation quality using the custom model.

+1. Keep **Train immediately** checked if no further data is selected or uploaded, otherwise, check **Save as draft**

+ > To add more documents, select on the model name and follow the steps in the [Create model](#create-model) section.

+description: How to make translation requests using custom models published with the Azure AI Translator Custom Translator.

+# Translate text with a custom model

+After you publish your custom model, you can access it with the Translator API by using the `Category ID` parameter.

+1. You can also download and install our free [DocumentTranslator app for Windows](https://github.com/MicrosoftTranslator/DocumentTranslation/releases).

+|[Access your custom translation model](./how-to/translate-with-custom-model.md) | You can access your custom translation model anytime using your existing applications/ programs via Microsoft Translator Text API V3. |

+You can use previously translated documents to build a translation system. These documents include domain-specific terminology and style, better than a standard translation system. Users can upload `ALIGN`, `PDF`, `LCL`, `HTML`, `HTM`, `XLF`, `TMX`, `XLIFF`, `TXT`, `DOCX`, and `XLSX` documents.

+Custom Translator also accepts data that's parallel at the document level to make data collection and preparation more effective. If users have access to versions of the same content in multiple languages but in separate documents, Custom Translator is able to automatically match sentences across documents.

+If the appropriate type and amount of training data is supplied, it's not uncommon to see [`BLEU` score](concepts/bleu-score.md) gains between 5 and 10 points by using Custom Translator.

+The secure [Custom Translator](https://portal.customtranslator.azure.ai) portal enables users to upload training data, train systems, test systems, and deploy them to a production environment through an intuitive user interface. The system is available for use at scale within a few hours (actual time depends on training data size).

+[Custom Translator](https://portal.customtranslator.azure.ai) can also be programmatically accessed through a dedicated API. The API allows users to manage the creating or updating of training through their own app or web service.

+* Learn more about [pricing details](https://azure.microsoft.com/pricing/details/cognitive-services/translator-text-api/).

+* Try the [Quickstart](./quickstart.md) and learn to build a translation model in Custom Translator.

+Translator is a cloud-based neural machine translation service that is part of the Azure AI services family of REST API that can be used with any operating system. Translator powers many Microsoft products and services used by thousands of businesses worldwide to perform language translation and other language-related operations. In this quickstart, learn to build custom solutions for your applications across all [supported languages](../language-support.md).

+Once you complete the prerequisites, sign in to the [Custom Translator](https://portal.customtranslator.azure.ai/) portal to create workspaces, build projects, upload files, train models, and publish your custom solution.

+1. [**Test (human evaluate) your model**](#test-your-model). The testing set is used to compute the [`BLEU`](beginners-guide.md#what-is-a-bleu-score) score. This score indicates the quality of your translation system.

+Once the workspace is created successfully, you see the **Projects** page.

+In this quickstart, we show you how to upload [training](concepts/model-training.md#training-document-type-for-custom-translator) documents for customization.

+1. Evaluate the model [`BLEU`](beginners-guide.md#what-is-a-bleu-score) score. The test set **BLEU score** is the custom model score and **Baseline BLEU** is the pretrained baseline model used for customization. A higher **BLEU score** means higher translation quality using the custom model.

+Once the training completes successfully, inspect the test set translated sentences.

+1. Check the desired regions.

+ The following English-source glossary contains words that can have different meanings depending upon the context. The glossary provides the expected translation for each word in the file to help ensure accuracy.

+1. To grant access to an internet IP range, enter the IP address or address range (in [`CIDR` notation](https://tools.ietf.org/html/rfc4632)) under **Firewall** > **Address Range**. Only valid public IP (`non-reserved`) addresses are accepted.

+> V2 was deprecated on April 30, 2018. Please migrate your applications to V3 in order to take advantage of new functionality available exclusively in V3. V2 was retired on May 24, 2021.

+Version 3 (V3) of the Translator service is generally available. The release includes new features, deprecated methods and a new format for sending to, and receiving data from the Microsoft Translator Service. This document provides information for changing applications to use V3.

+* No Trace - In V3 No-Trace applies to all pricing tiers in the Azure portal. This feature means that the service doesn't save text submitted to the V3 API.

+* JSON - XML replaces JSON. All data sent to the service and received from the service is in JSON format.

+* Multiple target languages in a single request - The Translate method accepts multiple `to` languages for translation in a single request. For example, a single request can be `from` English and `to` German, Spanish and Japanese, or any other group of languages.

+* Bilingual dictionary - A bilingual dictionary method is added to the API. This method includes `lookup` and `examples`.

+* Transliteration - A transliterate method is added to the API. This method converts words and sentences in one script into another script. For example, Arabic to Latin.

+* Languages - A new `languages` method delivers language information, in JSON format, for use with the `translate`, `dictionary`, and `transliterate` methods.

+* New to Translate - New capabilities are added to the `translate` method to support some of the features that were in the V2 API as separate methods. An example is TranslateArray.

+* Speech method - Text to speech functionality is no longer supported in the Microsoft Translator. Text to speech functionality is available in [Microsoft Speech Service](../speech-service/text-to-speech.md).

+The following list of V2 and V3 methods identifies the V3 methods and APIs that provide the functionality that came with V2.

+Microsoft Translator Translation V2 accepted and returned data in XML format. In V3, all data sent and received using the API is in JSON format. XML is no longer accepted or returned in V3.

+This change affects several aspects of an application written for the V2 Text Translation API. As an example: The Languages API returns language information for text translation, transliteration, and the two dictionary methods. You can request all language information for all methods in one call or request them individually.

+The languages method doesn't require authentication; by selecting the following link you can see all the language information for V3 in JSON:

+The authentication key used for V2 is accepted for V3. You don't need to get a new subscription. You can mix V2 and V3 in your apps during the yearlong migration period, making it easier for you to release new versions while you migrate from V2-XML to V3-JSON.

+ | `Translate` | Count is based on how many characters are submitted for translation, and how many languages the characters are translated into. 50 characters submitted, and 5 counted as 50x5. |

+>

+> The Microsoft Translator Hub will be retired on May 17, 2019. [View important migration information and dates](https://www.microsoft.com/translator/business/hub/).

+Microsoft Translator V3 uses neural machine translation by default. As such, it can't be used with the Microsoft Translator Hub. The Translator Hub only supports legacy statistical machine translation. Customization for neural translation is now available using the Custom Translator. [Learn more about customizing neural machine translation](custom-translator/overview.md)

+Neural translation with the V3 text API doesn't support the use of standard categories (`SMT`, `speech`, `tech`, `generalnn`).

+* It's GDPR-compliant as a processor and satisfies all ISO 20001 and 20018 as well as SOC 3 certification requirements.

+* It allows you to invoke the neural network translation systems you customized with Custom Translator (Preview), the new Translator neural machine translation (NMT) customization feature.

+You're using Version 3 of the Translator if you're using the api.cognitive.microsofttranslator.com endpoint.

+* Doesn't satisfy all ISO 20001,20018 and SOC 3 certification requirements.

+* Doesn't allow you to invoke the neural network translation systems you customized with the Translator customization feature.

+* Does provide access to custom translation systems created using the Microsoft Translator Hub.

+* Uses the api.microsofttranslator.com endpoint.

+2. Tag your content with `translate="no"`. This tag only works when the input textType is set as HTML

+> [Translate text reference](reference/v3-0-translate.md)

+# Add profanity filtering with Translator

+The Translate() method takes the "options" parameter, which contains the new element "ProfanityAction." The accepted values of ProfanityAction are "NoAction," "Marked," and "Deleted." For the value of "Marked," another optional element "ProfanityMarker" can take the values "Asterisk" (default) and "Tag."

+| NoAction| | Default. Same as not setting the option. Profanity passes from source to target. | `Que coche de` \<insert-profane-word> | What a \<insert-profane-word> car |

+| Marked | Asterisk | Asterisks replace profane words (default). | `Que coche de` \<insert-profane-word> | What a *** car |

+| Marked | Tag | Profane words are surrounded by XML tags \<profanity\>...\</profanity>. | `Que coche de` \<insert-profane-word> | What a \<profanity> \<insert-profane-word> \</profanity> car |

+| Deleted | | Profane words are removed from the output without replacement. | `Que coche de` \<insert-profane-word> | What a car |

+ Title: "Quickstart: Azure AI Translator client libraries"

+# Quickstart: Azure AI Translator client libraries (preview)

+ * Get the key, endpoint, and region from the resource and connect your application to the Translator service. Paste these values into the code later in the quickstart. You can find them on the Azure portal **Keys and Endpoint** page:

+|[Java&#x2731; → 1.0.0-beta.1](https://azuresdkdocs.blob.core.windows.net/$web/java/azure-ai-translation-text/1.0.0-beta.1/https://docsupdatetracker.net/index.html)|[Maven repository](https://mvnrepository.com/artifact/com.azure/azure-ai-translation-text/1.0.0-beta.1)|[Azure SDK for Java](/java/api/overview/azure/ai-translation-text-readme?view=azure-java-preview&preserve-view=true)|Translator v3.0|

+The [Microsoft Q & A](/answers/tags/132/azure-translator) and [Stack Overflow](https://stackoverflow.com/questions/tagged/azure-text-translation) forums are available for the developer community to ask and answer questions about Azure Text Translation and other services. Microsoft monitors the forums and replies to questions that the community has yet to answer. To make sure that we see your question, tag it with **`azure-text-translation`**.

+* A repeated translation, even if you previously translated the same text. Every character submitted to the translate function is counted even when the content is unchanged or the source and target language are the same.

+Attribution isn't required when using Translator for text and speech translation. We recommended that you inform users that the content they're viewing is machine translated.

+Machine translation os used as a first pass, before using human translation, by several of our [language service provider (LSP)](https://www.microsoft.com/translator/business/partners/) partners and can improve productivity by up to 50 percent. For a list of LSP partners, visit the Translator partner page.

+description: "Learn to translate text, transliterate text, detect language, and more with the Translator service. Examples are provided in C#, Java, JavaScript, and Python."

+* [Language Translation](#translate-text)

+* [Language Transliteration](#transliterate-text)

+* [Sentence length calculation](#get-sentence-length)

+* [Alternate translations](#dictionary-lookup-alternate-translations) and [examples of word usage in a sentence](#dictionary-examples-translations-in-context)

+1. Select install from the right package manager window and add the package to your project.

+1. Once you add a desired code sample to your application, choose the green **start button** next to formRecognizer_quickstart to build and run your program, or press **F5**.

+You can use any text editor to write Go applications. We recommend using the latest version of [Visual Studio Code and the Go application extension](/azure/developer/go/configure-visual-studio-code).

+1. If you don't have it in your dev environment, [download and install Go](https://go.dev/doc/install).

+ * Download the Go application version for your operating system.

+1. Once you add a code sample to your application, your Go program can be executed in a command or terminal prompt. Make sure your prompt's path is set to the **translator-text-app** folder and use the following command:

+1. Once you add a code sample to your application, navigate back to your main project directoryΓÇö**translator-text-app**, open a console window, and enter the following commands:

+1. If it isn't installed in your dev environment, download the latest version of [Node.js](https://nodejs.org/en/download/). Node Package Manager (npm) is included with the Node.js installation.

+ * After you complete the prompts, a `package.json` file will be created in your translator-text-app directory.

+1. Once you add the code sample to your application, run your program:

+1. If you don't have it in your dev environment, install the latest version of [Python 3.x](https://www.python.org/downloads/). The Python installer package (pip) is included with the Python installation.

+1. Once you add a desired code sample to your application, build and run your program:

+After you perform a dictionary lookup, pass the source and translation text to the `dictionary/examples` endpoint, to get a list of examples that show both terms in the context of a sentence or phrase. Building on the previous example, you use the `normalizedText` and `normalizedTarget` from the dictionary lookup response as `text` and `translation` respectively. The source language (`from`) and output target (`to`) parameters are required.

+| 429 | Too Many Requests | You exceeded the quota or rate of requests allowed for your subscription. |

+If you're encountering connection issues, it may be that your TLS/SSL certificate is expired. To resolve this issue, install the [DigiCertGlobalRootG2.crt](http://cacerts.digicert.com/DigiCertGlobalRootG2.crt) to your private store.

+In other words, the colon separates start and end index, the dash separates the languages, and space separates the words. One word may align with zero, one, or multiple words in the other language, and the aligned words may be noncontiguous. When no alignment information is available, the Alignment element is empty. The method returns no error in that case.

+You don't receive alignment information if the sentence is a canned translation. Example of a canned translation is `This is a test`, `I love you`, and other high frequency sentences.

+The risk and safety metrics draw on insights gained from our previous Large Language Model projects such as GitHub Copilot and Bing. This ensures a comprehensive approach to evaluating generated responses for risk and safety severity scores. These metrics are generated through our safety evaluation service, which employs a set of LLMs. Each model is tasked with assessing specific risks that could be present in the response (for example, sexual content, violent content, etc.). These models are provided with risk definitions and severity scales, and they annotate generated conversations accordingly. Currently, we calculate a ΓÇ£defect rateΓÇ¥ for the risk and safety metrics below. For each of these metrics, the service measures whether these types of content were detected and at what severity level. Each of the four types has four severity levels (Very low, Low, Medium, High). Users specify a threshold of tolerance, and the defect rates are produced by our service correspond to the number of instances that were generated at and above each threshold level.

+# [Meta Llama 3](#tab/llama-three)

+| **Package** | **Sample Notebook** |

+|-|-|

+| OpenAI SDK (experimental) | [openaisdk.ipynb](https://github.com/Azure/azureml-examples/blob/main/sdk/python/foundation-models/meta-llama3/openaisdk.ipynb) |

+| LangChain | [langchain.ipynb](https://github.com/Azure/azureml-examples/blob/main/sdk/python/foundation-models/meta-llama3/langchain.ipynb) |

+| WebRequests | [webrequests.ipynb](https://github.com/Azure/azureml-examples/blob/main/sdk/python/foundation-models/meta-llama3/webrequests.ipynb) |

+| LiteLLM SDK | [litellm.ipynb](https://github.com/Azure/azureml-examples/blob/main/sdk/python/foundation-models/meta-llama3/litellm.ipynb) |

+# [Meta Llama 2](#tab/llama-two)

+| OpenAI SDK (experimental) | [openaisdk.ipynb](https://github.com/Azure/azureml-examples/blob/main/sdk/python/foundation-models/llama2/openaisdk.ipynb) |

+| LangChain | [langchain.ipynb](https://github.com/Azure/azureml-examples/blob/main/sdk/python/foundation-models/llama2/langchain.ipynb) |

+| WebRequests | [webrequests.ipynb](https://github.com/Azure/azureml-examples/blob/main/sdk/python/foundation-models/llama2/webrequests.ipynb) |

+| LiteLLM SDK | [litellm.ipynb](https://github.com/Azure/azureml-examples/blob/main/sdk/python/foundation-models/llama2/litellm.ipynb) |

+Network isolation | [Configure managed networks for Azure AI Studio hubs.](configure-managed-network.md) | MaaS endpoint will follow your hub's public network access (PNA) flag setting. For more information, see the [Network isolation for models deployed via Serverless APIs](#network-isolation-for-models-deployed-via-serverless-apis) section.

+### Content safety for models deployed via Serverless APIs

+### Network isolation for models deployed via Serverless APIs

+Endpoints for models deployed as Serverless APIs follow the public network access (PNA) flag setting of the AI Studio Hub that has the project in which the deployment exists. To secure your MaaS endpoint, disable the PNA flag on your AI Studio Hub. You can secure inbound communication from a client to your endpoint by using a private endpoint for the hub.

+To set the PNA flag for the Azure AI hub:

+* Go to the [Azure portal](https://ms.portal.azure.com/)

+* Search for the Resource group to which the hub belongs, and select your Azure AI hub from the resources listed for this Resource group.

+* On the hub Overview page, use the left navigation pane to go to **Settings** > **Networking**.

+* Under the __Public access__ tab, you can configure settings for the public network access flag.

+* Save your changes. Your changes might take up to five minutes to propagate.

+#### Limitations

+* If you have an AI Studio hub with a private endpoint created before July 11, 2024, new MaaS endpoints added to projects in this hub won't follow the networking configuration of the hub. Instead, you need to create a new private endpoint for the hub and create new serverless API deployments in the project so that the new deployments can follow the hub's networking configuration.

+* If you have an AI studio hub with MaaS deployments created before July 11, 2024, and you enable a private endpoint on this hub, the existing MaaS deployments won't follow the hub's networking configuration. For serverless API deployments in the hub to follow the hub's networking configuration, you need to create the deployments again.

+* Currently [On Your Data](#rag-with-models-deployed-as-serverless-apis) support isn't available for MaaS deployments in private hubs, since private hubs have the PNA flag disabled.

+* Any network configuration change (for example, enabling or disabling the PNA flag) might take up to five minutes to propagate.

+## Next step

+You can configure your AKS clusters with API Server VNet Integration in managed VNet or bring-your-own VNet mode. You can create them as public clusters (with API server access available via a public IP) or private clusters (where the API server is only accessible via private VNet connectivity). You can also toggle between a public and private state without redeploying your cluster.

+If using the `node-image` (legacy and not to be used) cluster auto-upgrade channel or the `NodeImage` node image auto-upgrade channel, Linux [unattended upgrades][unattended-upgrades] are disabled by default.

+| `node-image`(legacy)| automatically upgrades the node image to the latest version available.| Microsoft provides patches and new images for image nodes frequently (usually weekly), but your running nodes don't get the new images unless you do a node image upgrade. Turning on the node-image channel automatically updates your node images whenever a new version is available. If you use this channel, Linux [unattended upgrades] are disabled by default. Node image upgrades work on patch versions that are deprecated, so long as the minor Kubernetes version is still supported. This channel is no longer recommended and is set to be deprecated in future. For an option that can automatically upgrade node images, see the `NodeImage` channel in [node image auto-upgrade][node-image-auto-upgrade]. |

+### How can I check the current nodeOsUpgradeChannel value on a cluster?

+### How can I monitor the status of node OS auto-upgrades?

+### Can I change the node OS auto-upgrade channel value if my cluster auto-upgrade channel is set to `node-image` ?

+### Why is `SecurityPatch` recommended over `Unmanaged` channel?

+### Does `SecurityPatch` always lead to a reimage of my nodes?

+### How do I know if a `SecurityPatch` or `NodeImage` upgrade is applied on my node?

+Then, use the following command to create an environment variable in your shell for the resource group name for the database:

+- Run your Java application on Oracle WebLogic Server (WLS).

+- Stand up a WebLogic Server cluster on AKS using an Azure Marketplace offer.

+- Build an application Docker image that includes WebLogic Deploy Tooling (WDT) models.

+- Deploy the containerized application to the WebLogic Server cluster on AKS with connection to Microsoft Azure SQL.

+This article uses the [Azure Marketplace offer for WebLogic Server](https://aka.ms/wlsaks) to accelerate your journey to AKS. The offer automatically provisions several Azure resources, including the following resources:

+Then, the article introduces building an image to update the WebLogic Server cluster. The image provides the application and WDT models.

+If you prefer a less automated approach to deploying WebLogic on AKS, see the step-by-step guidance included in the official documentation from Oracle for [Azure Kubernetes Service](https://oracle.github.io/weblogic-kubernetes-operator/samples/azure-kubernetes-service/).

+ > [!NOTE]

+ > Get a support entitlement from Oracle before going to production. Failure to do so results in running insecure images that are not patched for critical security flaws. For more information on Oracle's critical patch updates, see [Critical Patch Updates, Security Alerts and Bulletins](https://www.oracle.com/security-alerts/) from Oracle.

+- Prepare a local machine with Unix-like operating system installed - for example, Ubuntu, Azure Linux, macOS, Windows Subsystem for Linux.

+ - A Java Development Kit (JDK) compatible with the version of WebLogic Server you intend to run. The article directs you to install a version of WebLogic Server that uses JDK 11. Ensure that your `JAVA_HOME` environment variable is set correctly in the shells in which you run the commands.

+ > [!NOTE]

+ > You can perform all the steps of this article in the Azure Cloud Shell, except for those involving Docker. To learn more about Azure Cloud Shell, see [What is Azure Cloud Shell?](/azure/cloud-shell/overview)

+1. In the search bar at the top of the Azure portal, enter *weblogic*. In the autosuggested search results, in the **Marketplace** section, select **WebLogic Server on AKS**.

+1. On the **Basics** pane, ensure the value shown in the **Subscription** field is the same one that you logged into in Azure. Make sure you have the roles listed in the prerequisites section for the subscription.

+1. Make sure you note the steps in the info box starting with **Before moving forward, you must accept the Oracle Standard Terms and Restrictions.**

+1. Depending on whether or not the Oracle SSO account has an Oracle support entitlement, select the appropriate option for **Select the type of WebLogic Server Images**. If the account has a support entitlement, select **Patched WebLogic Server Images**. Otherwise, select **General WebLogic Server Images**.

+ :::image type="content" source="media/howto-deploy-java-wls-app/configure-load-balancing.png" alt-text="Screenshot of the Azure portal that shows the simplest possible load balancer configuration on the Create Oracle WebLogic Server on Azure Kubernetes Service page." lightbox="media/howto-deploy-java-wls-app/configure-load-balancing.png":::

+1. The **shellCmdtoOutputWlsImageModelYaml** value is the base64 string of the WDT model that is used to build the container image. Save this value aside for later.

+1. The **shellCmdtoOutputWlsImageProperties** value is the base64 string of the WDT model properties that is used to build the container image. Save this value aside for later.

+1. The **shellCmdtoConnectAks** value is the Azure CLI command to connect to this specific AKS cluster.

+Then, create a schema for the sample application by using the following steps:

+1. Open the **Query editor** pane by following the steps in the [Query the database](/azure/azure-sql/database/single-database-create-quickstart#query-the-database) section of [Quickstart: Create a single database - Azure SQL Database](/azure/azure-sql/database/single-database-create-quickstart).

+1. Enter and run the following query:

+ After a successful run, you should see the message **Query succeeded: Affected rows: 1**. If you don't see this message, troubleshoot and resolve the problem before proceeding.

+- The Java Database Connectivity (JDBC) driver archive file

+1. If you successfully created the image, then it should now be in your local machine's Docker repository. You can verify the image creation by using the following command:

+ After the image is created, it should have the WDT executables in */auxiliary/weblogic-deploy*, and WDT model, property, and archive files in */auxiliary/models*. Use the following command to verify the contents of the image:

+In the previous steps, you created the auxiliary image including models and WDT. Before you apply the auxiliary image to the WebLogic Server cluster, use the following steps to create the secret for the datasource URL, username, and password. The secret is used as part of the placeholder in *dbmodel.yaml*.

+1. Use the following steps to get values for the variables shown in the following table. You use these values to create the secret for the datasource connection.

+1. Use the following commands to create the Kubernetes Secret. This article uses the secret name `sqlserver-secret` for the secret of the datasource connection. If you use a different name, make sure the value is the same as the one in *dbmodel.yaml*.

+ In the following commands, be sure to set the variables `DB_CONNECTION_STRING`, `DB_USER`, and `DB_PASSWORD` correctly by replacing the placeholder examples with the values described in the previous steps. To prevent the shell from interfering with them, enclose the value of the `DB_` variables in single quotes.

+ The auxiliary image is defined in `spec.configuration.model.auxiliaryImages`, as shown in the following example.

+

+1. In the **Deployments** table, there should be one row. The name should be the same value as the `Application` value in your *appmodel.yaml* file. Click on the name.

+1. Select the **Testing** tab.

+To avoid Azure charges, you should clean up unnecessary resources. When you no longer need the cluster, use the [az group delete](/cli/azure/group#az-group-delete) command. The following command removes the resource group, container service, container registry, database, and all related resources:

+Application deployment can be streamlined using [automated deployments][automated-deployments] from source control, which creates Kubernetes manifest and generates CI/CD workflows. Additionally, the cluster is configured with monitoring tools such as Managed Prometheus for metrics, Managed Grafana for visualization, and Container Insights for log collection.

+| Monitoring, logging, and visualization | **Default:** <ul><li>[Managed Prometheus][managed-prometheus] for metric collection when using Azure CLI or the Azure portal. </li><li>[Managed Grafana][managed-grafana] for visualization when using Azure CLI or the Azure portal.</li><li>[Container insights][container-insights] for log collection when using Azure CLI or the Azure portal.</li></ul> | **Optional:** <ul><li>[Managed Prometheus][managed-prometheus] for metric collection.</li><li>[Managed Grafana][managed-grafana] for visualization.</li><li>[Container insights][container-insights] for log collection.</li></ul> |

+Istio-based service mesh add-on for AKS has the following limitations:

+* The add-on doesn't yet support Windows Server containers as this is not available in open source Istio right now. Issue tracking this feature ask can be found [here][istio-oss-windows-issue].

+* For `EnvoyFilter`, the add-on only supports filter of the type Lua for now (`type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua`). While this EnvoyFilter is allowed, any issue arising from the Lua script itself is not supported. Other `EnvoyFilter` types are currently blocked.

+## Feedback and feature asks

+Feedback and feature asks for the Istio add-on can be provided by creating [issues with label 'service-mesh' on AKS GitHub repository][aks-github-service-mesh-issues].

+[istio-oss-windows-issue]: https://github.com/istio/istio/issues/27893

+[aks-github-service-mesh-issues]: https://github.com/Azure/AKS/issues?q=is%3Aopen+is%3Aissue+label%3Aservice-mesh

+This guide assumes you followed the [documentation][istio-deploy-add-on] to enable the Istio add-on on an AKS cluster.

+> A default ConfigMap (for example, `istio-asm-1-18` for revision asm-1-18) is created in `aks-istio-system` namespace on the cluster when the Istio add-on is enabled. However, this default ConfigMap gets reconciled by the managed Istio add-on and thus users should NOT directly edit this ConfigMap. Instead users should create a revision specific Istio shared ConfigMap (for example `istio-shared-configmap-asm-1-18` for revision asm-1-18) in the aks-istio-system namespace, and then the Istio control plane will merge this with the default ConfigMap, with the default settings taking precedence.

+- **Blocked**: Disallowed fields are blocked via add-on managed admission webhooks. API server immediately publishes the error message to the user that the field is disallowed.

+Fields present in [open source MeshConfig reference documentation][istio-meshconfig] that are not covered in the following table are blocked. For example, `configSources` is blocked.

+| **Field** | **Supported/Allowed** | **Notes** |

+| proxyListenPort | Allowed | - |

+| proxyInboundListenPort | Allowed | - |

+| proxyHttpPort | Allowed | - |

+| connectTimeout | Allowed | Configurable in [DestinationRule](https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-TCPSettings) |

+| tcpKeepAlive | Allowed | Configurable in [DestinationRule](https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-TCPSettings) |

+| defaultConfig | Supported | Used to configure [ProxyConfig](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig) |

+| outboundTrafficPolicy | Supported | Also configurable in [Sidecar CR](https://istio.io/latest/docs/reference/config/networking/sidecar/#OutboundTrafficPolicy) |

+| extensionProviders | Allowed | - |

+| defaultProviders | Allowed | - |

+| accessLogFile | Supported | This field addresses the generation of the access logs. For a managed experience on collection and querying of logs, refer to [Azure Monitor Container Insights on AKS][container-insights-docs] |

+| accessLogFormat | Supported | This field addresses the generation of the access logs. For a managed experience on collection and querying of logs, refer to [Azure Monitor Container Insights on AKS][container-insights-docs] |

+| accessLogEncoding | Supported | This field addresses the generation of the access logs. For a managed experience on collection and querying of logs, refer to [Azure Monitor Container Insights on AKS][container-insights-docs] |

+| enableTracing | Allowed | |

+| enableEnvoyAccessLogService | Supported | This field addresses the generation of the access logs. For a managed experience on collection and querying of logs, refer to [Azure Monitor Container Insights on AKS][container-insights-docs] |

+| disableEnvoyListenerLog | Supported | This field addresses the generation of the access logs. For a managed experience on collection and querying of logs, refer to [Azure Monitor Container Insights on AKS][container-insights-docs] |

+| trustDomain | Allowed | - |

+| trustDomainAliases | Allowed | - |

+| caCertificates | Allowed | Configurable in [DestinationRule](https://istio.io/latest/docs/reference/config/networking/destination-rule/#ClientTLSSettings) |

+| defaultServiceExportTo | Allowed | Configurable in [ServiceEntry](https://istio.io/latest/docs/reference/config/networking/service-entry/#ServiceEntry) |

+| defaultVirtualServiceExportTo | Allowed | Configurable in [VirtualService](https://istio.io/latest/docs/reference/config/networking/virtual-service/#VirtualService) |

+| defaultDestinationRuleExportTo | Allowed | Configurable in [DestinationRule](https://istio.io/latest/docs/reference/config/networking/destination-rule/#DestinationRule) |

+| localityLbSetting | Allowed | Configurable in [DestinationRule](https://istio.io/latest/docs/reference/config/networking/destination-rule/#LoadBalancerSettings) |

+| dnsRefreshRate | Allowed | - |

+| h2UpgradePolicy | Allowed | Configurable in [DestinationRule](https://istio.io/latest/docs/reference/config/networking/destination-rule/#ConnectionPoolSettings-HTTPSettings) |

+| enablePrometheusMerge | Allowed | - |

+| discoverySelectors | Supported | - |

+| pathNormalization | Allowed | - |

+| defaultHttpRetryPolicy | Allowed | Configurable in [VirtualService](https://istio.io/latest/docs/reference/config/networking/virtual-service/#HTTPRetry) |

+| serviceSettings | Allowed | - |

+| meshMTLS | Allowed | - |

+| tlsDefaults | Allowed | - |

+Fields present in [open source MeshConfig reference documentation](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#ProxyConfig) that are not covered in the following table are blocked.

+| **Field** | **Supported/Allowed** |

+| tracingServiceName | Allowed |

+| drainDuration | Supported |

+| statsUdpAddress | Allowed |

+| proxyAdminPort | Allowed |

+| tracing | Allowed |

+| concurrency | Supported |

+| envoyAccessLogService | Allowed |

+| envoyMetricsService | Allowed |

+| proxyMetadata | Allowed |

+| statusPort | Allowed |

+| extraStatTags | Allowed |

+| proxyStatsMatcher | Allowed |

+| terminationDrainDuration | Supported |

+| meshId | Allowed |

+| holdApplicationUntilProxyStarts | Supported |

+| caCertificatesPem | Allowed |

+| privateKeyProvider | Allowed |

+> **Support scope of configurations:** Mesh configuration allows for extension providers such as self-managed instances of Zipkin or Apache Skywalking to be configured with the Istio add-on. However, these extension providers are outside the support scope of the Istio add-on. Any issues associated with extension tools are outside the support boundary of the Istio add-on.

+[istio-deploy-add-on]: istio-deploy-addon.md

+[container-insights-docs]: ../azure-monitor/containers/container-insights-overview.md

+A `default` maintenance window has the following legacy properties (no longer recommended):

+> [!NOTE]

+> From the 2023-05-01 API version onwards, please use the below properties for `default` configuration.

+An `aksManagedAutoUpgradeSchedule` or `aksManagedNodeOSUpgradeSchedule` maintenance window and `default` configuration from 2023-05-01 API version onwards has the following properties:

+ AKS auto-upgrade needs a certain amount of time, usually not more than 15 minutes, to take the maintenance window into consideration. We recommend at least 15 minutes between the creation or update of a maintenance configuration and the scheduled start time.

+| Microsoft.WindowsAzure.ApiManagement.Gateway.Security.Backend.Protocols.Tls13 | Indication whether or not TLS 1.3 is allowed towards the backend. Similar to [managing protocol ciphers in managed gateway](api-management-howto-manage-protocols-ciphers.md). | No | `true` | v2.0+ |

+The V2 API doesn't support creation or editing of Microsoft Account as a distinct provider as was done in V1. Rather, it uses the converged [Microsoft identity platform](../active-directory/develop/v2-overview.md) to sign-in users with both Microsoft Entra and personal Microsoft accounts. When switching to the V2 API, the V1 Microsoft Entra configuration is used to configure the Microsoft identity platform provider. The V1 Microsoft Account provider will be carried forward in the migration process and continue to operate as normal, but you should move to the newer Microsoft identity platform model. See [Support for Microsoft Account provider registrations](#support-for-microsoft-account-provider-registrations) to learn more.

+ * Microsoft Entra: `clientSecret`

+ * Microsoft Entra: `clientSecretSettingName`

+1. Configure the Microsoft Entra provider using the "Advanced" management mode, supplying the client ID and client secret values you collected in the previous step. For the Issuer URL, use `<authentication-endpoint>/<tenant-id>/v2.0`, and replace *\<authentication-endpoint>* with the [authentication endpoint for your cloud environment](../active-directory/develop/authentication-national-cloud.md#azure-ad-authentication-endpoints) (e.g., "https://login.microsoftonline.com" for global Microsoft Entra ID), also replacing *\<tenant-id>* with your **Directory (tenant) ID**.

+> [!NOTE]

+> Due to a known bug, web jobs might not start during the hybrid deployment step. If you use web jobs, this bug might cause app issues/downtime. Open a support case if you have any questions or concerns about this issue.

+>

+By using the new outbound IPs, update any of your resources or networking components to ensure that your new environment functions as intended after migration is started. It's your responsibility to make any necessary updates. The new outbound IPs are used once the App Service Environment v3 is created during the migration step. For example, if you have a custom domain suffix and an Azure Key Vault and are managing access restrictions with a firewall, you need to update the Azure Key Vault's firewall to allow either just the new outbound IPs or the entire new subnet.

+This step takes three to six hours complete. During that time, there's no application downtime if you've followed the previous steps. Scaling, deployments, and modifications to your existing App Service Environment are blocked during this step.

+> [!NOTE]

+> Due to a known bug, web jobs might not start during the hybrid deployment step. If you use web jobs, this bug may cause app issues/downtime. Open a support case if you have any questions or concerns about this issue.

+>

+## Supported TLS Version on App Service?

+For incoming requests to your web app, App Service supports TLS versions 1.0, 1.1, 1.2, and 1.3.

+### TLS 1.0 and 1.1

+TLS 1.0 and 1.1 are considered legacy protocols and are no longer considered secure. It's generally recommended for customers to use TLS 1.2 or above as the minimum TLS version. When creating a web app, the default minimum TLS version would be TLS 1.2.

+* [Secure a custom DNS name with a TLS/SSL binding](configure-ssl-bindings.md)

+For a complete list of network requirements for Azure Arc features and Azure Arc-enabled services, see [Azure Arc network requirements (Consolidated)](../network-requirements-consolidated.md).

+The following is an example of a minimal `project` file with these changes:

+| [Azure Blob storage](../storage/blobs/storage-blobs-introduction.md) | Maintain bindings state and function keys¹.<br/>Deployment source for apps that run in a [Flex Consumption plan](flex-consumption-plan.md).<br/>Used by default for [task hubs in Durable Functions](durable/durable-functions-task-hubs.md). <br/>Can be used to store function app code for [Linux Consumption remote build](functions-deployment-technologies.md#remote-build) or as part of [external package URL deployments](functions-deployment-technologies.md#external-package-url). |

+>The [Flex Consumption plan](flex-consumption-plan.md) supports only the event-based Blob storage trigger.

+> Action Groups only supports emailing the following roles: Owner, Contributor, Reader, Monitoring Contributor, Monitoring Reader.

+#### [Java native](#tab/java-native)

+For Quarkus native applications, please look at the [Quarkus documentation](https://quarkus.io/guides/opentelemetry).

+### [Java native](#tab/java-native)

+#### [Java native](#tab/java-native)

+#### [Java native](#tab/java-native)

+#### [Java native](#tab/java-native)

+#### [Java native](#tab/java-native)

+#### [Java native](#tab/java-native)

+#### [Java native](#tab/java-native)

+#### [Java native](#tab/java-native)

+It's not possible to send custom telemetry using the Application Insights Classic API in Java native.

+##### [Java native](#tab/java-native)

+##### [Java native](#tab/java-native)

+##### [Java native](#tab/java-native)

+#### [Java native](#tab/java-native)

+### [Java native](#tab/java-native)

+It's not possible to filter telemetry in Java native.

+### [Java native](#tab/java-native)

+### [Java native](#tab/java-native)

+### [Java native](#tab/java-native)

+### [Java native](#tab/java-native)

+### [ASP.NET Core](#tab/aspnetcore)

+### [.NET](#tab/net)

+### [Java](#tab/java)

+### [Java native](#tab/java-native)

+### [Node.js](#tab/nodejs)

+### [Python](#tab/python)

+### [ASP.NET Core](#tab/aspnetcore)

+### [.NET](#tab/net)

+### [Java](#tab/java)

+### [Java native](#tab/java-native)

+### [Node.js](#tab/nodejs)

+### [Python](#tab/python)

+### [ASP.NET Core](#tab/aspnetcore)

+### [.NET](#tab/net)

+### [Java](#tab/java)

+### [Java native](#tab/java-native)

+### [Node.js](#tab/nodejs)

+### [Python](#tab/python)

+### [Java native](#tab/java-native)

+### [ASP.NET Core](#tab/aspnetcore)

+### [.NET](#tab/net)

+### [Java](#tab/java)

+### [Java native](#tab/java-native)

+### [Node.js](#tab/nodejs)

+1. Add the following code snippet. This example assumes you have an OpenTelemetry Collector with an OTLP receiver running. For details, see the [example on GitHub](https://github.com/open-telemetry/opentelemetry-js/tree/main/examples/otlp-exporter-node).

+### [Python](#tab/python)

+### [Java native](#tab/java-native)

+#### [ASP.NET Core](#tab/aspnetcore)

+#### [.NET](#tab/net)

+#### [Java](#tab/java)

+#### [Java native](#tab/java-native)

+#### [Node.js](#tab/nodejs)

+#### [Python](#tab/python)

+#### [.NET](#tab/net)

+#### [Java native](#tab/java-native)

+##### [Java native](#tab/java-native)

+### [ASP.NET Core](#tab/aspnetcore)

+### [.NET](#tab/net)

+### [Java](#tab/java)

+### [Java native](#tab/java-native)

+### [Node.js](#tab/nodejs)

+### [Python](#tab/python)

+### [.NET](#tab/net)

+### [Java native](#tab/java-native)

+This article describes how to set up [remote write](prometheus-remote-write.md) to send data from a self-managed Prometheus server running in your Azure Kubernetes Service (AKS) cluster or Azure Arc-enabled Kubernetes cluster by using Microsoft Entra authentication and a side car container that Azure Monitor provides. Note that you can also directly configure remote-write in the Prometheus configuration for the same.

+> [!NOTE]

+> We recommend that you directly configure Prometheus running on your Kubernetes cluster to remote-write into Azure Monitor Workspace. See [Send Prometheus data to Azure Monitor using Microsoft Entra Id authentication](../essentials/prometheus-remote-write-virtual-machines.md#set-up-authentication-for-remote-write) to learn more. The steps below use the Azure Monitor side car container.

+This article describes how to set up [remote write](prometheus-remote-write.md) to send data from a self-managed Prometheus server running in your Azure Kubernetes Service (AKS) cluster or Azure Arc-enabled Kubernetes cluster by using managed identity authentication and a side car container provided by Azure Monitor. You can either use an existing identity that's created by AKS or [create your own](../../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md). Both options are described here.

+> [!NOTE]

+> If you are using the user-assigned managed identity, we recommend that you directly configure Prometheus running on your Kubernetes cluster to remote-write into Azure Monitor Workspace. See [Send Prometheus data to Azure Monitor using user-assigned managed identity](../essentials/prometheus-remote-write-virtual-machines.md#set-up-authentication-for-remote-write) to learn more. The steps below use the Azure Monitor side car container.

+Azure Monitor managed service for Prometheus is intended to be a replacement for self managed Prometheus so you don't need to manage a Prometheus server in your Kubernetes clusters. You may also choose to use the managed service to centralize data from self-managed Prometheus clusters for long term data retention and to create a centralized view across your clusters. In this case, you can use [remote_write](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_write) to send data from your self-managed Prometheus into the Azure managed service.

+You can configure Prometheus running on your Kubernetes cluster to remote-write into Azure Monitor Workspace. Currently user-assigned managed identity or Microsoft Entra ID application are the supported authentication types using Prometheus remote-write configuration to ingest metrics to Azure Monitor Workspace.

+Azure Monitor also provides a reverse proxy container (Azure Monitor [side car container](/azure/architecture/patterns/sidecar)) that provides an abstraction for ingesting Prometheus remote write metrics and helps in authenticating packets.

+We recommend configuring remote-write directly in your self-managed Prometheus config running in your environment. The Azure Monitor side car container can be used in case your preferred authentication is not supported through directly configuration. We plan to add those authentication options to the direct configuration and deprecate the side-car container.

+- Microsoft Entra ID can be used for Azure Kubernetes service (AKS) and Azure Arc-enabled Kubernetes cluster and is required for Kubernetes cluster running in another cloud or on-premises.

+- (**Recommended**) [Send Prometheus data to Azure Monitor by directly configuring Prometheus remote-write](../essentials/prometheus-remote-write-virtual-machines.md#set-up-authentication-for-remote-write). This option can be used for self-managed Prometheus running in any environment. The supported authentication options are user-assigned managed identity and Microsoft Entra ID application.

+- [Send Prometheus data from AKS to Azure Monitor using side car container with managed identity authentication](/azure/azure-monitor/containers/prometheus-remote-write-managed-identity)

+- [Send Prometheus data from AKS to Azure Monitor using side car container with Microsoft Entra ID authentication](/azure/azure-monitor/containers/prometheus-remote-write-active-directory)

+- [Send Prometheus data to Azure Monitor using side car container with Microsoft Entra ID pod-managed identity (preview) authentication](/azure/azure-monitor/containers/prometheus-remote-write-azure-ad-pod-identity)

+- [Send Prometheus data to Azure Monitor using side car container with Microsoft Entra ID Workload ID (preview) authentication](/azure/azure-monitor/containers/prometheus-remote-write-azure-workload-identity)

+ ```bicep

+ param shortAppName string = 'toy'

+ param shortEnvironmentName string = 'prod'

+ param appServiceAppName string = '${shortAppName}-${shortEnvironmentName}-${uniqueString(resourceGroup().id)}'

+ ```

+

+ resource cosmosDBAccountName 'Microsoft.DocumentDB/databaseAccounts@2023-11-15' = {

+ resource cosmosDBAccount 'Microsoft.DocumentDB/databaseAccounts@2023-11-15' = {

+ "v0.28.1",

+ "v0.27.1",

+ "v0.26.170",

+ "v0.26.54",

+ "v0.25.53",

+ "v0.25.3",

+ "v0.24.24",

+ "v0.23.1",

+ "v0.22.6",

+ "v0.21.1",

+ "v0.7.4"

+> resource AKS 'Microsoft.ContainerService/managedClusters@2024-02-01' = {

+resource aks 'Microsoft.ContainerService/managedClusters@2024-02-01' existing = {

+resource vnet 'Microsoft.Network/virtualNetworks@2023-11-01' = {

+resource exampleApim 'Microsoft.ApiManagement/service@2023-05-01-preview' = {

+resource networkInterface 'Microsoft.Network/networkInterfaces@2023-11-01' = [for i in range(0, numberOfInstances): {

+resource vm 'Microsoft.Compute/virtualMachines@2024-03-01' = [for i in range(0, numberOfInstances): {

+resource scheduler 'Microsoft.Automation/automationAccounts/schedules@2023-11-01' = {

+resource myRg 'Microsoft.Resources/resourceGroups@2024-03-01' = {

+resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2023-04-01' = {

+resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01' = {

+resource sqlServer 'Microsoft.Sql/servers@2023-08-01-preview' = {

+resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {

+resource storageAccount 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+resource dScript 'Microsoft.Resources/deploymentScripts@2023-08-01' = {

+resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2023-04-01' = {

+resource location_lock 'Microsoft.Authorization/policyAssignments@2024-04-01' = {

+resource storageAccount 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+resource storageAccount 'Microsoft.Storage/storageAccounts@2023-04-01' existing = {

+resource storageAccount 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+resource storageAccount 'Microsoft.Storage/storageAccounts@2023-04-01' existing = {

+ name: storageAccountName

+resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01' = {

+resource newMG 'Microsoft.Management/managementGroups@2023-04-01' = {

+resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {

+resource myStorage 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+resource mystorage 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+resource virtualMachine 'Microsoft.Compute/virtualMachines@2024-03-01' = {

+ "apiVersion": "2024-03-01",

+resource virtualMachine 'Microsoft.Compute/virtualMachines@2024-03-01' = if(deployVM) {

+ "apiVersion": "2024-03-01",

+resource netSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-11-01' = {

+resource nic1 'Microsoft.Network/networkInterfaces@2023-11-01' = {

+resource storageAccount 'Microsoft.Storage/storageAccounts@2023-04-01' existing = {

+resource dnsZone 'Microsoft.Network/dnsZones@2023-07-01-preview' = if (deployZone) {

+resource saNew 'Microsoft.Storage/storageAccounts@2023-04-01' = if (newOrExisting == 'new') {

+resource saExisting 'Microsoft.Storage/storageAccounts@2023-04-01' existing = if (newOrExisting == 'existing') {

+resource vmName_omsOnboarding 'Microsoft.Compute/virtualMachines/extensions@2024-03-01' = if (!empty(logAnalytics)) {

+resource newRG 'Microsoft.Resources/resourceGroups@2024-03-01' = {

+resource newRG 'Microsoft.Resources/resourceGroups@2024-03-01' = {

+resource storageAcct 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+ "apiVersion": "2023-04-01",

+var storageAccountName = 'store${uniqueString(resourceGroup().id)}'

+resource storageAccount 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+ name: storageAccountName

+output storageAccountName string = storageAccountName

+resource exampleStorage 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+resource exampleStorage 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2023-04-01' = {

+resource newMG 'Microsoft.Management/managementGroups@2023-04-01' = {

+resource newMG 'Microsoft.Management/managementGroups@2023-04-01' = {

+resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2023-04-01' = {

+resource policyAssignment 'Microsoft.Authorization/policyAssignments@2024-04-01' = {

+resource exampleResource 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+resource managementGroup 'Microsoft.Management/managementGroups@2023-04-01' = {

+resource storageAcct 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+resource exampleResource 'Microsoft.Resources/resourceGroups@2024-03-01' = {

+resource managementGroup 'Microsoft.Management/managementGroups@2023-04-01' = {

+resource policyAssign 'Microsoft.Authorization/policyAssignments@2024-04-01' = {

+resource locationPolicy 'Microsoft.Authorization/policyDefinitions@2023-04-01' = {

+resource locationRestrict 'Microsoft.Authorization/policyAssignments@2024-04-01' = {

+resource newResourceGroup 'Microsoft.Resources/resourceGroups@2024-03-01' = {

+resource mgName_resource 'Microsoft.Management/managementGroups@2023-04-01' = {

+resource mgName_resource 'Microsoft.Management/managementGroups@2023-04-01' = {

+resource storageAccount 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+resource fileshare 'Microsoft.Storage/storageAccounts/fileServices/shares@2023-04-01' = {

+resource stg 'Microsoft.Storage/storageAccounts@2023-04-01' existing = {

+resource stg 'Microsoft.Storage/storageAccounts@2023-04-01' existing = {

+resource stg 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+resource storageAccount 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+resource stg 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+resource stg 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+resource storageAccountResources 'Microsoft.Storage/storageAccounts@2023-04-01' = [for storageName in storageAccounts: {

+resource dnsZone 'Microsoft.Network/dnsZones@2023-07-01-preview' = if (deployZone) {

+resource sa 'Microsoft.Storage/storageAccounts@2023-04-01' = if (newOrExisting == 'new') {

+resource sa 'Microsoft.Storage/storageAccounts@2023-04-01' =

+resource nic1 'Microsoft.Network/networkInterfaces@2023-11-01' = {

+ ...

+resource storageaccount 'Microsoft.Storage/storageAccounts@2024-03-01' = {

+resource stg 'Microsoft.Storage/storageAccounts@2024-03-01' = {

+resource storageaccount 'Microsoft.Storage/storageAccounts@2024-03-01' = {

+resource nested 'Microsoft.Resources/deployments@2024-03-01' = {

+ apiVersion: '2024-03-01'

+ "apiVersion": "2023-04-01",

+resource nestedTemplate1 'Microsoft.Resources/deployments@2024-03-01' = {

+ apiVersion: '2023-04-01'

+resource storageAccount 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+ "apiVersion": "2023-04-01",

+resource sa 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+ resource stg 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+ resource stg 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+ resource stg 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+ resource stg 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+resource storageaccount 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+resource storageaccount 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+resource storageaccount 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+resource appServicePlan 'Microsoft.Web/serverfarms@2023-12-01' = {

+resource webApplication 'Microsoft.Web/sites@2023-12-01' = {

+resource appServicePlan 'Microsoft.Web/serverfarms@2023-12-01' = {

+resource webApplication 'Microsoft.Web/sites@2023-12-01' = {

+resource stg 'Microsoft.Storage/storageAccounts@2023-04-01' existing = {

+resource stg 'Microsoft.Storage/storageAccounts@2023-04-01' existing = {

+resource storageAccount 'Microsoft.Storage/storageAccounts@2023-04-01' existing = {

+resource customScriptExtension 'Microsoft.HybridCompute/machines/extensions@2023-10-03-preview' = {

+resource storageAccount 'Microsoft.Storage/storageAccounts@2023-04-01' existing = {

+resource customScriptExtension 'Microsoft.HybridCompute/machines/extensions@2023-10-03-preview' = {

+resource nested 'Microsoft.Resources/deployments@2024-03-01' = {

+ apiVersion: '2023-11-01'

+resource nested 'Microsoft.Resources/deployments@2024-03-01' = {

+ apiVersion: '2023-11-01'

+resource AutomationAccount 'Microsoft.Automation/automationAccounts@2023-11-01' = {

+resource AutomationAccount 'Microsoft.Automation/automationAccounts@2023-11-01' = {

+resource apiManagementService 'Microsoft.ApiManagement/service@2023-05-01-preview' = {

+resource apiManagementService 'Microsoft.ApiManagement/service@2023-05-01-preview' = {

+resource storage 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+resource service 'Microsoft.Storage/storageAccounts/fileServices@2023-04-01' = {

+resource share 'Microsoft.Storage/storageAccounts/fileServices/shares@2023-04-01' = {

+resource storage 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+resource service 'Microsoft.Storage/storageAccounts/fileServices@2023-04-01' = {

+resource share 'Microsoft.Storage/storageAccounts/fileServices/shares@2023-04-01' = {

+resource storageAccount 'Microsoft.Storage/storageAccounts@2023-04-01' existing = {

+resource cluster 'Microsoft.HDInsight/clusters@2023-08-15-preview' = {

+ name: replace(replace(reference(storageAccount.id, '2023-04-01').primaryEndpoints.blob, 'https://', ''), '/', '')

+ key: listKeys(storageAccount.id, '2023-04-01').keys[0].value

+resource storageAccount 'Microsoft.Storage/storageAccounts@2023-04-01' existing = {

+resource cluster 'Microsoft.HDInsight/clusters@2023-08-15-preview' = {

+resource ubuntuVM 'Microsoft.Compute/virtualMachineScaleSets@2024-03-01' = {

+resource ubuntuVM 'Microsoft.Compute/virtualMachines@2024-03-01' = {

+resource ubuntuVM 'Microsoft.Compute/virtualMachines@2024-03-01' = {

+resource ubuntuVM 'Microsoft.Compute/virtualMachines@2024-03-01' = {

+resource sa 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+resource sa 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+resource vm 'Microsoft.Compute/virtualMachines@2024-03-01' = {

+resource vm 'Microsoft.Compute/virtualMachines@2024-03-01' = {

+resource storageAcct 'Microsoft.Storage/storageAccounts@2023-04-01' = [for i in range(0, storageCount): {

+resource storageAcct 'Microsoft.Storage/storageAccounts@2023-04-01' = [for name in storageNames: {

+resource storageAccountResources 'Microsoft.Storage/storageAccounts@2023-04-01' = [for (config, i) in storageConfigurations: {

+resource nsg 'Microsoft.Network/networkSecurityGroups@2023-11-01' = [for name in orgNames: {

+resource nsg 'Microsoft.Network/networkSecurityGroups@2023-11-01' = [for nsg in items(nsgValues): {

+resource parentResources 'Microsoft.Example/examples@2024-06-06' = [for parent in parents: if(parent.enabled) {

+resource storageAcct 'Microsoft.Storage/storageAccounts@2023-04-01' = [for i in range(0, 4): {

+resource stg 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+resource stg 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+resource service 'Microsoft.Storage/storageAccounts/fileServices@2023-04-01' = {

+resource share 'Microsoft.Storage/storageAccounts/fileServices/shares@2023-04-01' = [for i in range(0, 3): {

+resource storageAcct 'Microsoft.Storage/storageAccounts@2023-04-01' = [for i in range(0, storageCount): {

+ "apiVersion": "2023-04-01",

+ resource storageAccount 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+resource storage 'Microsoft.Storage/storageAccounts@2023-04-01' = [for i in range(0, storageCount): {

+resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {

+resource demoParent 'demo.Rp/parentType@2024-01-01' = {

+resource publicIp 'Microsoft.Network/publicIPAddresses@2023-11-01' = {

+resource myStorageAccount 'Microsoft.Storage/storageAccounts@2023-04-01' = if (deployStorage) {

+resource nsg 'Microsoft.Network/networkSecurityGroups@2023-11-01' = [for name in orgNames: {

+ resource storageAccount 'Microsoft.Storage/storageAccounts@2023-04-01' = {

+ "apiVersion": "2023-04-01",

+ - You can use the query [List Arc-enabled SQL Server instances subscribed to ESU](https://learn.microsoft.com/sql/sql-server/azure-arc/manage-configuration?view=sql-server-ver16&tabs=azure&branch=main#list-arc-enabled-sql-server-instances-subscribed-to-esu) as an example to show how you can view eligible SQL Server ESU instances and their ESU subscription status.

+

+| Windows | [Time Change](#time-change) | Time synchronization issues |

+| Windows | [Virtual Memory Pressure](#virtual-memory-pressure) | Memory capacity loss, resource pressure |

+In a Teams Interoperability Chat ("Interop Chat"), we can enable file sharing between Azure Communication Services end users and Teams users. Note, Interop Chat is different from the Azure Communication Services Chat. If you want to enable file sharing in an Azure Communication Services Chat, refer to [Add file sharing with UI Library in Azure Communication Services Chat](./file-sharing-tutorial-acs-chat.md). Currently, the Azure Communication Services end user is only able to receive file attachments from the Teams user. Refer to [UI Library Use Cases](../concepts/ui-library/ui-library-use-cases.md) to learn more.

+- Using the UI library version [1.17.0](https://www.npmjs.com/package/@azure/communication-react/v/1.17.0) or the latest.

+ locator: TeamsMeetingLinkLocator | TeamsMeetingIdLocator | CallAndChatLocator;

+To be able to start the Composite for meeting chat, we need to pass `TeamsMeetingLinkLocator` or `TeamsMeetingIdLocator`, which looks like this:

+Or

+```js

+{ "meetingId": "<TEAMS_MEETING_ID>", "passcode": "<TEAMS_MEETING_PASSCODE>"}

+```

+## Azure Data Studio (Online)

+| `crts` | The epoch time at which the Multi-Write conflict was resolved, or the absence of a conflict was confirmed. For Multi-Write region configuration, this timestamp defines the order of changes for Change Feed:<br><br><ul><li>Used to find start time for Change Feed requests</li><li>Used as sort order in Change Feed response.</li></ul> | Exposed in response to Change Feed requests and only when "New Wire Model" is enabled by the request. This is the default for [All versions and deletes](change-feed.md#all-versions-and-deletes-mode-preview) Change Feed mode. |

+- Unsupported client: Blobs uploaded with Network File System (NFS) 3.0 protocol will not be scanned for malware upon upload.

+## Permissions on AWS

+When you onboard an Amazon Web Services (AWS) connector, Defender for Cloud will create roles and assign permissions on your AWS account. The following table shows the roles and permission assigned by each plan on your AWS account.

+| Defender for Cloud plan | Role created | Permission assigned on AWS account |

+|--|--|--|

+| Defender CSPM | CspmMonitorAws | To discover AWS resources permissions, read all resources except:<br> "consolidatedbilling:*"<br> "freetier:*"<br> "invoicing:*"<br> "payments:*"<br> "billing:*"<br> "tax:*"<br> "cur:*" |

+| Defender CSPM <br><br> Defender for Servers | DefenderForCloud-AgentlessScanner | To create and clean up disk snapshots (scoped by tag) ΓÇ£CreatedByΓÇ¥: "Microsoft Defender for Cloud" Permissions:<br> "ec2:DeleteSnapshot" "ec2:ModifySnapshotAttribute"<br> "ec2:DeleteTags"<br> "ec2:CreateTags"<br> "ec2:CreateSnapshots"<br> "ec2:CopySnapshot"<br> "ec2:CreateSnapshot"<br> "ec2:DescribeSnapshots"<br> "ec2:DescribeInstanceStatus"<br> Permission to EncryptionKeyCreation "kms:CreateKey"<br> "kms:ListKeys"<br> Permissions to EncryptionKeyManagement "kms:TagResource"<br> "kms:GetKeyRotationStatus"<br> "kms:PutKeyPolicy"<br> "kms:GetKeyPolicy"<br> "kms:CreateAlias"<br> "kms:TagResource"<br> "kms:ListResourceTags"<br> "kms:GenerateDataKeyWithoutPlaintext"<br> "kms:DescribeKey"<br> "kms:RetireGrant"<br> "kms:CreateGrant"<br> "kms:ReEncryptFrom" |

+| Defender CSPM <br><br> Defender for Storage | SensitiveDataDiscovery | Permissions to discover S3 buckets in the AWS account, permission for the Defender for Cloud scanner to access data in the S3 buckets.<br> S3 read only; KMS decrypt "kms:Decrypt" |

+| CIEM | DefenderForCloud-Ciem <br> DefenderForCloud-OidcCiem | Permissions for Ciem Discovery<br> "sts:AssumeRole"<br> "sts:AssumeRoleWithSAML"<br> "sts:GetAccessKeyInfo"<br> "sts:GetCallerIdentity"<br> "sts:GetFederationToken"<br> "sts:GetServiceBearerToken"<br> "sts:GetSessionToken"<br> "sts:TagSession" |

+| Defender for Servers | DefenderForCloud-DefenderForServers | Permissions to configure JIT Network Access: <br>"ec2:RevokeSecurityGroupIngress"<br> "ec2:AuthorizeSecurityGroupIngress"<br> "ec2:DescribeInstances"<br> "ec2:DescribeSecurityGroupRules"<br> "ec2:DescribeVpcs"<br> "ec2:CreateSecurityGroup"<br> "ec2:DeleteSecurityGroup"<br> "ec2:ModifyNetworkInterfaceAttribute"<br> "ec2:ModifySecurityGroupRules"<br> "ec2:ModifyInstanceAttribute"<br> "ec2:DescribeSubnets"<br> "ec2:DescribeSecurityGroups" |

+| Defender for Containers | DefenderForCloud-Containers-K8s | Permissions to List EKS clusters and Collect Data from EKS clusters. <br>"eks:UpdateClusterConfig"<br> "eks:DescribeCluster" |

+| Defender for Containers | DefenderForCloud-DataCollection | Permissions to CloudWatch Log Group created by Defender for Cloud <br>ΓÇ£logs:PutSubscriptionFilter"<br> "logs:DescribeSubscriptionFilters"<br> "logs:DescribeLogGroups" autp "logs:PutRetentionPolicy"<br><br> Permissions to use SQS queue created by Defender for Cloud <br>"sqs:ReceiveMessage"<br> "sqs:DeleteMessage" |

+| Defender for Containers | DefenderForCloud-Containers-K8s-cloudwatch-to-kinesis | Permissions to access Kinesis Data Firehose delivery stream created by Defender for Cloud<br> "firehose:*" |

+| Defender for Containers | DefenderForCloud-Containers-K8s-kinesis-to-s3 | Permissions to access S3 bucket created by Defender for Cloud <br> "s3:GetObject"<br> "s3:GetBucketLocation"<br> "s3:AbortMultipartUpload"<br> "s3:GetBucketLocation"<br> "s3:GetObject"<br> "s3:ListBucket"<br> "s3:ListBucketMultipartUploads"<br> "s3:PutObject" |

+| Defender for Containers <br><br> Defender CSPM | MDCContainersAgentlessDiscoveryK8sRole | Permissions to Collecting Data from EKS clusters. Updating EKS clusters to support IP restriction and create iamidentitymapping for EKS clusters<br> “eks:DescribeCluster” <br>“eks:UpdateClusterConfig*” |

+| Defender for Containers <br><br> Defender CSPM | MDCContainersImageAssessmentRole | Permissions to Scan images from ECR and ECR Public. <br>AmazonEC2ContainerRegistryReadOnlyΓÇ»<br>AmazonElasticContainerRegistryPublicReadOnly <br>AmazonEC2ContainerRegistryPowerUserΓÇ» <br> AmazonElasticContainerRegistryPublicPowerUser |

+| Defender for Servers | DefenderForCloud-ArcAutoProvisioning | Permissions to install Azure Arc on all EC2 instances using SSM <br>"ssm:CancelCommand"<br> "ssm:DescribeInstanceInformation"<br> "ssm:GetCommandInvocation"<br> "ssm:UpdateServiceSetting"<br> "ssm:GetServiceSetting"<br> "ssm:GetAutomationExecution"<br> "ec2:DescribeIamInstanceProfileAssociations"<br> "ec2:DisassociateIamInstanceProfile"<br> "ec2:DescribeInstances"<br> "ssm:StartAutomationExecution"<br> "iam:GetInstanceProfile"<br> "iam:ListInstanceProfilesForRole"<br> "ssm:GetAutomationExecution"<br> "ec2:DescribeIamInstanceProfileAssociations"<br> "ec2:DisassociateIamInstanceProfile"<br> "ec2:DescribeInstances"<br> "ssm:StartAutomationExecution"<br> "iam:GetInstanceProfile"<br> "iam:ListInstanceProfilesForRole" |

+| Defender CSPM | DefenderForCloud-DataSecurityPostureDB | Permission to Discover RDS instances in AWS account, create RDS instance snapshot, <br> - List all RDS DBs/clusters <br> - List all DB/Cluster snapshots <br> - Copy all DB/cluster snapshots <br> - Delete/update DB/cluster snapshot with prefixΓÇ»*defenderfordatabases* <br> - List all KMS keys <br> - Use all KMS keys only for RDS on source account <br> - List KMS keys with tag prefixΓÇ»*DefenderForDatabases* <br> - Create alias for KMS keys <br><br> Permissions required to discover, RDS instances<br> "rds:DescribeDBInstances"<br> "rds:DescribeDBClusters"<br> "rds:DescribeDBClusterSnapshots"<br> "rds:DescribeDBSnapshots"<br> "rds:CopyDBSnapshot"<br> "rds:CopyDBClusterSnapshot"<br> "rds:DeleteDBSnapshot"<br> "rds:DeleteDBClusterSnapshot"<br> "rds:ModifyDBSnapshotAttribute"<br> "rds:ModifyDBClusterSnapshotAttribute" "rds:DescribeDBClusterParameters"<br> "rds:DescribeDBParameters"<br> "rds:DescribeOptionGroups"<br> "kms:CreateGrant"<br> "kms:ListAliases"<br> "kms:CreateKey"<br> "kms:TagResource"<br> "kms:ListGrants"<br> "kms:DescribeKey"<br> "kms:PutKeyPolicy"<br> "kms:Encrypt"<br> "kms:CreateGrant"<br> "kms:EnableKey"<br> "kms:CancelKeyDeletion"<br> "kms:DisableKey"<br> "kms:ScheduleKeyDeletion"<br> "kms:UpdateAlias"<br> "kms:UpdateKeyDescription" |

+## Permissions on GCP

+When you onboard an Google Cloud Projects (GCP) connector, Defender for Cloud will create roles and assign permissions on your GCP project. The following table shows the roles and permission assigned by each plan on your GCP project.

+| Defender for Cloud plan | Role created | Permission assigned on AWS account |

+|--|--|--|

+| Defender CSPM | MDCCspmCustomRole | To discover GCP resources <br> resourcemanager.folders.getIamPolicy<br> resourcemanager.folders.list<br> resourcemanager.organizations.get<br> resourcemanager.organizations.getIamPolicy<br> storage.buckets.getIamPolicy resourcemanager.folders.get<br> resourcemanager.projects.get<br> resourcemanager.projects.list<br> serviceusage.services.enable<br> iam.roles.create<br> iam.roles.list<br> iam.serviceAccounts.actAs<br> compute.projects.get<br> compute.projects.setCommonInstanceMetadata" |

+| Defender for Servers | microsoft-defender-for-servers <br> azure-arc-for-servers-onboard | Read-only access to get and list Compute Engine <br> resources roles/compute.viewer<br> roles/iam.serviceAccountTokenCreator<br> roles/osconfig.osPolicyAssignmentAdmin<br> roles/osconfig.osPolicyAssignmentReportViewer |

+| Defender for Database | defender-for-databases-arc-ap | Permissions to Defender for databases ARC auto provisioning <br> roles/compute.viewer <br> roles/iam.workloadIdentityUser <br> roles/iam.serviceAccountTokenCreator<br> roles/osconfig.osPolicyAssignmentAdmin<br> roles/osconfig.osPolicyAssignmentReportViewer |

+| Defender CSPM <br><br> Defender for Storage | data-security-posture-storage | Permission for the Defender for Cloud scanner to discover GCP storage buckets, to access data in the GCP storage buckets <br> storage.objects.list<br> storage.objects.get<br> storage.buckets.get |

+| Defender CSPM <br><br> Defender for Storage | data-security-posture-storage | Permission for the Defender for Cloud scanner to discover GCP storage buckets, to access data in the GCP storage buckets<br> storage.objects.list<br> storage.objects.get<br> storage.buckets.get |

+| Defender CSPM | microsoft-defender-ciem | Permissions to get details about the organization resource.<br> resourcemanager.folders.getIamPolicy<br> resourcemanager.folders.list<br> resourcemanager.organizations.get<br> resourcemanager.organizations.getIamPolicy<br> storage.buckets.getIamPolicy |

+| Defender CSPM <br><br> Defender for Servers | MDCAgentlessScanningRole | Permissions for agentless disk scanning:<br> compute.disks.createSnapshot<br> compute.instances.get |

+| Defender CSPM <br><br> Defender for servers | cloudkms.cryptoKeyEncrypterDecrypter | Permissions to an existing GCP KMS role are granted to support scanning disks that are encrypted with CMEK |

+| Defender CSPM <br><br> Defender for Containers | mdc-containers-artifact-assess | Permission to Scan images from GAR and GCR. <br> Roles/artifactregistry.readerΓÇ»<br> Roles/storage.objectViewer |

+| Defender for Containers | mdc-containers-k8s-operator | Permissions to Collect Data from GKE clusters. Update GKE clusters to support IP restriction. <br> Roles/container.viewerΓÇ»<br> MDCGkeClusterWriteRole container.clusters.update* |

+| Defender for Containers | microsoft-defender-containers | Permissions to create and manage log sink to route logs to a Cloud Pub/Sub topic. <br> logging.sinks.list<br> logging.sinks.get<br> logging.sinks.create<br> logging.sinks.update<br> logging.sinks.delete<br> resourcemanager.projects.getIamPolicy<br> resourcemanager.organizations.getIamPolicy<br> iam.serviceAccounts.get <br>iam.workloadIdentityPoolProviders.get |

+| Defender for Containers | ms-defender-containers-stream | Permissions to allow logging to send logs to pub sub:<br> pubsub.subscriptions.consume <br> pubsub.subscriptions.get |

+> From August 5, 2024 to August 15, 2024, Azure Event Grid will rollout a security improvement which will increase the SAS key size from 44 to 84 characters. This change is being made to strengthen the security of your data in Event Grid resources. The change doesn't impact any application or service that currently publishes events to Event Grid with the old SAS key but it may impact only if you regenerate the SAS key of your Event Grid topics, domains, namespaces, and partner topics, after the update.

+> Defender EASM data connections do not support private links or networks.

+ New-MgServicePrincipal -AppId '205478c0-bd83-4e1b-a9d6-db63a3e1e1c8'

+ New-MgServicePrincipal -AppId 'd4631ece-daab-479b-be77-ccb713491fc0'

+- _Add_, _replace_, or _remove_ resource tags. Only tags can be removed. For tags, a Modify policy should have [mode](./definition-structure.md#resource-manager-modes) set to `indexed` unless the target resource is a resource group.

+- _Add_ or _replace_ the value of managed identity type (`identity.type`) of virtual machines and Virtual Machine Scale Sets. You can only modify the `identity.type` for virtual machines or Virtual Machine Scale Sets.

+- _Add_ or _replace_ the values of certain aliases.

+Modify evaluates before the request gets processed by a Resource Provider during the creation or updating of a resource. The `modify` operations are applied to the request content when the `if` condition of the policy rule is met. Each `modify` operation can specify a condition that determines when it's applied.

+When an alias is specified, more checks are performed to ensure that the `modify` operation doesn't change the request content in a way that causes the resource provider to reject it:

+There are some cases when modify operations are skipped during evaluation:

+- When the condition of an operation in the `operations` array is evaluated to _false_, that particular operation is skipped.

+- If an alias specified for an operation isn't modifiable in the request's API version, then evaluation uses the conflict effect. If the conflict effect is set to _deny_, the request is blocked. If the conflict effect is set to _audit_, the request is allowed through but the modify operation is skipped.

+- In some cases, modifiable properties are nested within other properties and have an alias like `Microsoft.Storage/storageAccounts/blobServices/deleteRetentionPolicy.enabled`. If the "parent" property, in this case `deleteRetentionPolicy`, isn't present in the request, modification is skipped because that property is assumed to be omitted intentionally.

+- When a modify operation attempts to add or replace the `identity.type` field on a resource other than a Virtual Machine or Virtual Machine Scale Set, policy evaluation is skipped altogether so the modification isn't performed. In this case, the resource is considered not [applicable](../concepts/policy-applicability.md) to the policy.

+ - Defines what action to take on a matching resource. Options are: `addOrReplace`, `Add`, and `Remove`.

+ - `Add` behaves similar to the [append](./effect-append.md) effect.

+ - `Remove` is only supported for resource tags.

+| `remove` | Removes the defined tag from the resource. Only supported for tags. |

+- Review [Azure management groups](../../management-groups/overview.md).

+ Backends determine where state is stored. When checkpointing is activated, state is persisted upon checkpoints to guard against data loss and recover consistently. How the state is represented internally, and how and where it's persisted upon checkpoints depends on the chosen State Backend. For more information, see [Flink overview](./flink/flink-overview.md)

+2. Create M-query for the source and invoke the function, which queries the data from storage account.

+3. Once the data is readily available, you can create reports.

+Previews are provided **as-is**, **with all faults**, and **as available**, and are excluded from the service level agreements and limited warranty. Customer support may not cover previews. We may change or discontinue Previews at any time without notice. We also may choose not to release a Preview into **General Availability**.

+We support Microsoft Entra ID and third party identity provider that support OpenID connect.

+Azure API for FHIR was our initial generally available product and is being retired as of September 30, 2026. Below table provides difference between Azure API for FHIR and Azure Health Data Services, FHIR service

+|Capabilities|Azure API for FHIR|Azure Health Data Services|

+|||--|

+|**Data ingress**|Tools available in OSS|$import operation. For information visit [Import operation](configure-import-data.md)|

+|**Autoscaling**|Supported on request and incurs charge|[Autoscaling](fhir-service-autoscale.md) enabled by default at no extra charge|

+|**Search parameters**|Bundle type supported: Batch <br> ΓÇó Include and revinclude, iterate modifier not supported <br> ΓÇó Sorting supported by first name, last name, birthdate and clinical date|Bundle type supported: Batch and transaction <br> ΓÇó [Selectable search parameters](selectable-search-parameters.md) <br> ΓÇó Include, revinclude, and iterate modifier is supported <br>ΓÇó Sorting supported by string and dateTime fields|

+|**Events**|Not Supported|Supported|

+|**Convert-data**|Supports enabling "Allow trusted services" in Account container registry| There is a known issue -Enabling private link with Azure Container Registry may result in access issues when attempting to use the container registry from the FHIR service.|

+|**Business continuity**|Supported:<br> ΓÇó Cross region DR (disaster recovery) <br>|Supported: <br> ΓÇó PITR (point in time recovery) <br> ΓÇó Availability zone support|

+### Message queue clean up is slow

+#### Symptoms

+The message queue isn't being cleaned up after messages are processed. The message queue grows over time and eventually causes the IoT Edge runtime to run out of memory.

+#### Cause

+The message cleanup interval is controlled by the client message TTL (time to live) and the *EdgeHub* *MessageCleanupIntervalSecs* environment variable. The default message TTL value is two hours and the default *MessageCleanupIntervalSecs* value is 30 minutes. If your application uses a TTL value that is shorter than the default and you don't adjust the *MessageCleanupIntervalSecs* value, expired messages won't be cleaned up until the next cleanup interval.

+#### Solution

+If you change the TTL value for your application that is shorter than the default, also adjust the *MessageCleanupIntervalSecs* value. The *MessageCleanupIntervalSecs* value should be significantly smaller than the smallest TTL value that the client is using. For example, if the client application defines a TTL of five minutes in the message header, set the *MessageCleanupIntervalSecs* value to one minute. These settings ensure that messages are cleaned up within six (5 + 1) minutes.

+To configure the *MessageCleanupIntervalSecs* value, set the environment variable in the deployment manifest for the IoT Edge hub module. For more information about setting runtime environment variables, see [Edge Agent and Edge Hub Environment Variables](https://github.com/Azure/iotedge/blob/main/doc/EnvironmentVariables.md).

+8. In **Public IP address**, select **Create new**. Enter **myPublicIP-cr** in **Name**. Select **Save** for the Add Public IP Address Dialog.

+9. Select **Save**.

+ :::image type="content" source="media/export-from-consumption-to-standard-logic-app/select-azure-view.png" alt-text="Screenshot showing Visual Studio Code Activity Bar with Azure icon selected." lightbox="media/export-from-consumption-to-standard-logic-app/select-azure-view.png":::

+ :::image type="content" source="media/export-from-consumption-to-standard-logic-app/select-export-logic-app.png" alt-text="Screenshot showing Azure window, Workspace section toolbar, and Export Logic App selected." lightbox="media/export-from-consumption-to-standard-logic-app/select-export-logic-app.png":::

+ :::image type="content" source="media/export-from-consumption-to-standard-logic-app/select-subscription-consumption.png" alt-text="Screenshot showing Export tab with Azure subscription and region selected." lightbox="media/export-from-consumption-to-standard-logic-app/select-subscription-consumption.png":::

+ :::image type="content" source="media/export-from-consumption-to-standard-logic-app/select-logic-apps.png" alt-text="Screenshot showing 'Select logic apps to export' section with logic apps selected for export." lightbox="media/export-from-consumption-to-standard-logic-app/select-logic-apps.png":::

+ :::image type="content" source="media/export-from-consumption-to-standard-logic-app/select-back-button-remove-app.png" alt-text="Screenshot showing 'Review export status' section and validation status for logic app workflow with error." lightbox="media/export-from-consumption-to-standard-logic-app/select-back-button-remove-app.png":::

+ :::image type="content" source="media/export-from-consumption-to-standard-logic-app/select-export-with-warnings.png" alt-text="Screenshot showing 'Review export status' section and validation status for logic app workflow with warning." lightbox="media/export-from-consumption-to-standard-logic-app/select-export-with-warnings.png":::

+ :::image type="content" source="media/export-from-consumption-to-standard-logic-app/select-local-folder.png" alt-text="Screenshot showing 'Finish export' section and 'Export location' property with selected local export project folder." lightbox="media/export-from-consumption-to-standard-logic-app/select-local-folder.png":::

+ :::image type="content" source="media/export-from-consumption-to-standard-logic-app/select-deploy-managed-connections-resource-group.png" alt-text="Screenshot showing 'Finish export' section with selected local export folder, 'Deploy managed connections' selected, and target resource group selected." lightbox="media/export-from-consumption-to-standard-logic-app/select-deploy-managed-connections-resource-group.png":::

+ :::image type="content" source="media/export-from-consumption-to-standard-logic-app/review-post-export-steps.png" alt-text="Screenshot showing 'After export steps' section and required post-export steps, if any." lightbox="media/export-from-consumption-to-standard-logic-app/review-post-export-steps.png":::

+ :::image type="content" source="media/export-from-consumption-to-standard-logic-app/export-status.png" alt-text="Screenshot showing the 'Export status' section with export progress." lightbox="media/export-from-consumption-to-standard-logic-app/export-status.png":::

+ :::image type="content" source="medi file opened." lightbox="media/export-from-consumption-to-standard-logic-app/open-readme.png":::

+ Title: Prevent overfitting and imbalanced data with Automated ML

+description: Identify and manage common pitfalls of machine learning models by using Automated ML solutions in Azure Machine Learning.

+#customer intent: As a developer, I want to use Automated ML solutions in Azure Machine Learning, so I can find and address common issues like overfitting and imbalanced data.

+Overfitting and imbalanced data are common pitfalls when you build machine learning models. By default, the Automated ML feature in Azure Machine Learning provides charts and metrics to help you identify these risks. This article describes how you can implement best practices in Automated ML to help mitigate common issues.

+Overfitting in machine learning occurs when a model fits the training data too well. As a result, the model can't make accurate predictions on unseen test data. The model memorized specific patterns and noise in the training data, and it's not flexible enough to make predictions on real data.

+Consider the following trained models and their corresponding train and test accuracies:

+| :: | :: | :: |

+| B | 87% | 87% |

+- Model **A**: The test for this model produces slightly less accuracy than the model training. There's a common misconception that if test accuracy on unseen data is lower than training accuracy, the model is overfitted. However, test accuracy should always be less than training accuracy. The distinction between overfitting versus appropriately fitting data comes down to measuring _how much_ less is the accuracy.

+- Model **A** versus model **B**: Model **A** is a better model because it has higher test accuracy. Although the test accuracy is slightly lower at 95%, it's not a significant difference that suggests overfitting is present. Model **B** isn't preferred because the train and test accuracies are similar.

+- Model **C**: This model represents a clear case of overfitting. The training accuracy is high and the test accuracy is low. This distinction is subjective, but comes from knowledge of your problem and data, and what are the acceptable magnitudes of error.

+In the most egregious cases, an overfitted model assumes the feature value combinations visible during training always result in the exact same output for the target. To avoid overfitting your data, the recommendation is to follow machine learning best practices. The are several methods you can configure in your model implementation. Automated ML also provides other options by default to help prevent overfitting.

+The following table summarizes common best practices:

+| Best practice | Implementation | Automated ML |

+| | :: | :: |

+| Use more training data, and eliminate statistical bias | X | |

+| Prevent target leakage | X | |

+| Incorporate fewer features | X | |

+| Support regularization and hyperparameter optimization | | X |

+| Apply model complexity limitations | | X |

+| Use cross-validation | | X |

+## Apply best practices to prevent overfitting

+The following sections describe best practices you can use in your machine learning model implementation to prevent overfitting.

+Using more data is the simplest and best possible way to prevent overfitting, and this approach typically increases accuracy. When you use more data, it becomes harder for the model to memorize exact patterns. The model is forced to reach solutions that are more flexible to accommodate more conditions. It's also important to recognize statistical bias, to ensure your training data doesn't include isolated patterns that don't exist in live-prediction data. This scenario can be difficult to solve because there can be overfitting present when compared to live test data.

+Target leakage is a similar issue. You might not see overfitting between the train and test sets, but the leakage issue appears at prediction-time. Target leakage occurs when your model "cheats" during training by accessing data that it shouldn't normally have at prediction-time. An example is for the model to predict on Monday what the commodity price is for Friday. If your features accidentally include data from Thursdays, the model has access to data not available at prediction-time because it can't see into the future. Target leakage is an easy mistake to miss. It's often visible where you have abnormally high accuracy for your problem. If you're attempting to predict stock price and trained a model at 95% accuracy, there's likely target leakage somewhere in your features.

+### Incorporate fewer features

+Removing features can also help with overfitting by preventing the model from having too many fields to use to memorize specific patterns, thus causing it to be more flexible. It can be difficult to measure quantitatively. If you can remove features and retain the same accuracy, your model can be more flexible and reduce the risk of overfitting.

+## Review Automated ML features to prevent overfitting

+The following sections describe best practices provided by default in Automated ML to help prevent overfitting.

+### Support regularization and hyperparameter tuning

+**Regularization** is the process of minimizing a cost function to penalize complex and overfitted models. There are different types of regularization functions. In general, all functions penalize model coefficient size, variance, and complexity. Automated ML uses L1 (Lasso), L2 (Ridge), and ElasticNet (L1 and L2 simultaneously) in different combinations with different model hyperparameter settings that control overfitting. Automated ML varies how much a model is regulated and chooses the best result.

+### Apply model complexity limitations

+Automated ML also implements explicit model complexity limitations to prevent overfitting. In most cases, this implementation is specifically for decision tree or forest algorithms. Individual tree max-depth is limited, and the total number of trees used in forest or ensemble techniques are limited.

+### Use cross-validation

+Cross-validation (CV) is the process of taking many subsets of your full training data and training a model on each subset. The idea is that a model might get "lucky" and have great accuracy with one subset, but by using many subsets, the model can't achieve high accuracy every time. When doing CV, you provide a validation holdout dataset, specify your CV folds (number of subsets) and Automated ML trains your model and tunes hyperparameters to minimize error on your validation set. One CV fold might be overfitted, but by using many of them, the process reduces the probability that your final model is overfitted. The tradeoff is that CV results in longer training times and greater cost, because you train a model one time for each *n* in the CV subsets.

+> [!NOTE]

+> Cross-validation isn't enabled by default. This feature must be configured in Automated machine learning settings. However, after cross-validation is configured and a validation data set is provided, the process is automated for you.

+| Chart | Description |

+| | |

+| [Confusion matrix](how-to-understand-automated-ml.md#confusion-matrix) | Evaluates the correctly classified labels against the actual labels of the data. |

+| [Precision-recall](how-to-understand-automated-ml.md#precision-recall-curve) | Evaluates the ratio of correct labels against the ratio of found label instances of the data. |

+| [ROC curves](how-to-understand-automated-ml.md#roc-curve) | Evaluates the ratio of correct labels against the ratio of false-positive labels. |

+As part of the goal to simplify the machine learning workflow, Automated ML offers built-in capabilities to help deal with imbalanced data:

+- Automated ML creates a **column of weights** as input to cause rows in the data to be weighted up or down, which can be used to make a class more or less "important."

+- The algorithms used by Automated ML detect imbalance when the number of samples in the minority class is equal to or fewer than 20% of the number of samples in the majority class. The minority class refers to the one with fewest samples and the majority class refers to the one with most samples. Later, automated machine learning runs an experiment with subsampled data to check if using class weights can remedy this problem and improve performance. If it ascertains a better performance through this experiment, it applies the remedy.

+- Use a performance metric that deals better with imbalanced data. For example, the AUC_weighted is a primary metric that calculates the contribution of every class based on the relative number of samples representing that class. This metric is more robust against imbalance.

+The following techniques are other options to handle imbalanced data outside of Automated ML:

+- Resample to even the class imbalance. You can up-sample the smaller classes or down-sample the larger classes. These methods require expertise to process and analyze.

+- Review performance metrics for imbalanced data. For example, the F1 score is the harmonic mean of precision and recall. Precision measures a classifier's exactness, where higher precision indicates fewer false positives. Recall measures a classifier's completeness, where higher recall indicates fewer false negatives.

+## Next step

+> [!div class="nextstepaction"]

+> [Train an object detection model with automated machine learning and Python](tutorial-auto-train-image-models.md)

+### Network isolation for models deployed via Serverless APIs

+Endpoints for models deployed as Serverless APIs follow the public network access (PNA) flag setting of the workspace in which the deployment exists. To secure your MaaS endpoint, disable the PNA flag on your workspace. You can secure inbound communication from a client to your endpoint by using a private endpoint for the workspace.

+To set the PNA flag for the workspace:

+* Go to the [Azure portal](https://ms.portal.azure.com/).

+* Search for _Azure Machine Learning_, and select your workspace from the list of workspaces.

+* On the Overview page, use the left navigation pane to go to **Settings** > **Networking**.

+* Under the **Public access** tab, you can configure settings for the public network access flag.

+* Save your changes. Your changes might take up to five minutes to propagate.

+#### Limitations

+* If you have a workspace with a private endpoint created before July 11, 2024, new MaaS endpoints added to this workspace won't follow its networking configuration. Instead, you need to create a new private endpoint for the workspace and create new serverless API deployments in the workspace so that the new deployments can follow the workspace's networking configuration.

+* If you have a workspace with MaaS deployments created before July 11, 2024, and you enable a private endpoint on this workspace, the existing MaaS deployments won't follow the workspace's networking configuration. For serverless API deployments in the workspace to follow the workspace's configuration, you need to create the deployments again.

+* Currently [On Your Data](#rag-with-models-deployed-through-maas) support isn't available for MaaS deployments in private workspaces, since private workspaces have the PNA flag disabled.

+* Any network configuration change (for example, enabling or disabling the PNA flag) might take up to five minutes to propagate.

+# [Meta Llama 3](#tab/llama-three)

+| OpenAI SDK (experimental) | [openaisdk.ipynb](https://github.com/Azure/azureml-examples/blob/main/sdk/python/foundation-models/meta-llama3/openaisdk.ipynb) |

+| LangChain | [langchain.ipynb](https://github.com/Azure/azureml-examples/blob/main/sdk/python/foundation-models/meta-llama3/langchain.ipynb) |

+| WebRequests | [webrequests.ipynb](https://github.com/Azure/azureml-examples/blob/main/sdk/python/foundation-models/meta-llama3/webrequests.ipynb) |

+| LiteLLM SDK | [litellm.ipynb](https://github.com/Azure/azureml-examples/blob/main/sdk/python/foundation-models/meta-llama3/litellm.ipynb) |

+# [Meta Llama 2](#tab/llama-two)

+| **Package** | **Sample Notebook** |

+|-|-|

+| OpenAI SDK (experimental) | [openaisdk.ipynb](https://github.com/Azure/azureml-examples/blob/main/sdk/python/foundation-models/llama2/openaisdk.ipynb) |

+| LangChain | [langchain.ipynb](https://github.com/Azure/azureml-examples/blob/main/sdk/python/foundation-models/llama2/langchain.ipynb) |

+| WebRequests | [webrequests.ipynb](https://github.com/Azure/azureml-examples/blob/main/sdk/python/foundation-models/llama2/webrequests.ipynb) |

+| LiteLLM SDK | [litellm.ipynb](https://github.com/Azure/azureml-examples/blob/main/sdk/python/foundation-models/llama2/litellm.ipynb) |

+ Title: Train regression model with Automated ML (SDK v1)

+description: Train a regression model to predict taxi fares with the Azure Machine Learning Python SDK by using the Azure Machine Learning Automated ML SDK (v1).

+#customer intent: As a developer, I want to train a regression model with Automated ML, so I can use the Azure Machine Learning Python SDK.

+# Train regression model with Automated ML and Python (SDK v1)

+In this article, you learn how to train a regression model with the Azure Machine Learning Python SDK by using Azure Machine Learning Automated ML. The regression model predicts passenger fares for taxi cabs operating in New York City (NYC). You write code with the Python SDK to configure a workspace with prepared data, train the model locally with custom parameters, and explore the results.

+The process accepts training data and configuration settings. It automatically iterates through combinations of different feature normalization/standardization methods, models, and hyperparameter settings to arrive at the best model. The following diagram illustrates the process flow for the regression model training:

+## Prerequisites

+- An Azure subscription. You can create a [free or paid account](https://azure.microsoft.com/free/) of Azure Machine Learning.

+- An Azure Machine Learning workspace or compute instance. To prepare these resources, see [Quickstart: Get started with Azure Machine Learning](../quickstart-create-resources.md).

+- Get the prepared sample data for the tutorial exercises by loading a notebook into your workspace:

+ 1. Go to your workspace in the Azure Machine Learning studio, select **Notebooks**, and then select the **Samples** tab.

+ 1. In the list of notebooks, expand the **Samples** > **SDK v1** > **tutorials** > **regression-automl-nyc-taxi-data** node.

+

+ 1. Select the _regression-automated-ml.ipynb_ notebook.

+ 1. To run each notebook cell as part of this tutorial, select **Clone this file**.

+ **Alternate approach**: If you prefer, you can run the tutorial exercises in a [local environment](how-to-configure-environment.md). The tutorial is available in the [Azure Machine Learning Notebooks repository](https://github.com/Azure/MachineLearningNotebooks/tree/master/tutorials) on GitHub. For this approach, follow these steps to get the required packages:

+

+ 1. [Install the full `automl` client](https://github.com/Azure/azureml-examples/blob/v1-archive/v1/python-sdk/tutorials/automl-with-azureml/README.md#setup-using-a-local-conda-environment).

+

+ 1. Run the `pip install azureml-opendatasets azureml-widgets` command on your local machine to get the required packages.

+The Open Datasets package contains a class that represents each data source (such as `NycTlcGreen`) to easily filter date parameters before downloading.

+The following code imports the necessary packages:

+The first step is to create a dataframe for the taxi data. When you work in a non-Spark environment, the Open Datasets package allows downloading only one month of data at a time with certain classes. This approach helps to avoid the `MemoryError` issue that can occur with large datasets.

+To download the taxi data, iteratively fetch one month at a time. Before you append the next set of data to the `green_taxi_df` dataframe, randomly sample 2,000 records from each month, and then preview the data. This approach helps to avoid bloating the dataframe.

+The following code creates the dataframe, fetches the data, and loads it into the dataframe:

+ temp_df_green = NycTlcGreen(start + relativedelta(months=sample_month), end + relativedelta(months=sample_month)) \

+ .to_pandas_dataframe()

+ green_taxi_df = green_taxi_df.append(temp_df_green.sample(2000))

+The following table shows the many columns of values in the sample taxi data:

+| vendorID | lpepPickupDatetime | lpepDropoffDatetime | passengerCount | tripDistance | puLocationId | doLocationId | pickupLongitude | pickupLatitude | dropoffLongitude |...| paymentType | fareAmount | extra | mtaTax | improvementSurcharge | tipAmount | tollsAmount | ehailFee | totalAmount | tripType |

+|::|::|::|::|::|::|::|::|::|::|::|::|::|::|::|::|::|::|::|::|::|

+| 2 | 2015-01-30 18:38:09 | 2015-01-30 19:01:49 | 1 | 1.88 | None | None | -73.996155 | 40.690903 | -73.964287 | ... | 1 | 15.0 | 1.0 | 0.5 | 0.3 | 4.00 | 0.0 | None | 20.80 | 1.0 |

+| 1 | 2015-01-17 23:21:39 | 2015-01-17 23:35:16 | 1 | 2.70 | None | None | -73.978508 | 40.687984 | -73.955116 | ... | 1 | 11.5 | 0.5 | 0.5 | 0.3 | 2.55 | 0.0 | None | 15.35 | 1.0 |

+| 2 | 2015-01-16 01:38:40 | 2015-01-16 01:52:55 | 1 | 3.54 | None | None | -73.957787 | 40.721779 | -73.963005 | ... | 1 | 13.5 | 0.5 | 0.5 | 0.3 | 2.80 | 0.0 | None | 17.60 | 1.0 |

+| 2 | 2015-01-04 17:09:26 | 2015-01-04 17:16:12 | 1 | 1.00 | None | None | -73.919914 | 40.826023 | -73.904839 | ... | 2 | 6.5 | 0.0 | 0.5 | 0.3 | 0.00 | 0.0 | None | 7.30 | 1.0 |

+| 1 | 2015-01-14 10:10:57 | 2015-01-14 10:33:30 | 1 | 5.10 | None | None | -73.943710 | 40.825439 | -73.982964 | ... | 1 | 18.5 | 0.0 | 0.5 | 0.3 | 3.85 | 0.0 | None | 23.15 | 1.0 |

+| 2 | 2015-01-19 18:10:41 | 2015-01-19 18:32:20 | 1 | 7.41 | None | None | -73.940918 | 40.839714 | -73.994339 | ... | 1 | 24.0 | 0.0 | 0.5 | 0.3 | 4.80 | 0.0 | None | 29.60 | 1.0 |

+| 2 | 2015-01-01 15:44:21 | 2015-01-01 15:50:16 | 1 | 1.03 | None | None | -73.985718 | 40.685646 | -73.996773 | ... | 1 | 6.5 | 0.0 | 0.5 | 0.3 | 1.30 | 0.0 | None | 8.60 | 1.0 |

+| 2 | 2015-01-12 08:01:21 | 2015-01-12 08:14:52 | 5 | 2.94 | None | None | -73.939865 | 40.789822 | -73.952957 | ... | 2 | 12.5 | 0.0 | 0.5 | 0.3 | 0.00 | 0.0 | None | 13.30 | 1.0 |

+| 1 | 2015-01-16 21:54:26 | 2015-01-16 22:12:39 | 1 | 3.00 | None | None | -73.957939 | 40.721928 | -73.926247 | ... | 1 | 14.0 | 0.5 | 0.5 | 0.3 | 2.00 | 0.0 | None | 17.30 | 1.0 |

+| 2 | 2015-01-06 06:34:53 | 2015-01-06 06:44:23 | 1 | 2.31 | None | None | -73.943825 | 40.810257 | -73.943062 | ... | 1 | 10.0 | 0.0 | 0.5 | 0.3 | 2.00 | 0.0 | None | 12.80 | 1.0 |

+It's helpful to remove some columns that you don't need for training or other feature building. For example, you might remove the **lpepPickupDatetime** column because Automated ML automatically handles time-based features.

+The following code removes 14 columns from the sample data:

+ "improvementSurcharge", "tollsAmount", "ehailFee", "tripType", "rateCodeID",

+ "storeAndFwdFlag", "paymentType", "fareAmount", "tipAmount"

+ ]

+ green_taxi_df.pop(col)

+The next step is to cleanse the data.

+The following code runs the `describe()` function on the new dataframe to produce summary statistics for each field:

+The following table shows summary statistics for the remaining fields in the sample data:

+

+| | vendorID | passengerCount | tripDistance | pickupLongitude | pickupLatitude | dropoffLongitude | dropoffLatitude | totalAmount |

+|::|::|::|::|::|::|::|::|::|

+| **count** | 24000.00 | 24000.00 | 24000.00 | 24000.00 | 24000.00 | 24000.00 | 24000.00 | 24000.00 |

+| **mean** | 1.777625 | 1.373625 | 2.893981 | -73.827403 | 40.689730 | -73.819670 | 40.684436 | 14.892744 |

+| **std** | 0.415850 | 1.046180 | 3.072343 | 2.821767 | 1.556082 | 2.901199 | 1.599776 | 12.339749 |

+| **min** | 1.00 | 0.00 | 0.00 | -74.357101 | 0.00 | -74.342766 | 0.00 | -120.80 |

+| **25%** | 2.00 | 1.00 | 1.05 | -73.959175 | 40.699127 | -73.966476 | 40.699459 | 8.00 |

+| **50%** | 2.00 | 1.00 | 1.93 | -73.945049 | 40.746754 | -73.944221 | 40.747536 | 11.30 |

+| **75%** | 2.00 | 1.00 | 3.70 | -73.917089 | 40.803060 | -73.909061 | 40.791526 | 17.80 |

+| **max** | 2.00 | 8.00 | 154.28 | 0.00 | 41.109089 | 0.00 | 40.982826 | 425.00 |

+The summary statistics reveal several fields that are outliers, which are values that reduce model accuracy. To address this issue, filter the latitude/longitude (lat/long) fields so the values are within the bounds of the Manhattan area. This approach filters out longer taxi trips or trips that are outliers in respect to their relationship with other features.

+Next, filter the `tripDistance` field for values that are greater than zero but less than 31 miles (the haversine distance between the two lat/long pairs). This technique eliminates long outlier trips that have inconsistent trip cost.

+Lastly, the `totalAmount` field has negative values for the taxi fares, which don't make sense in the context of the model. The `passengerCount` field also contains bad data where the minimum value is zero.

+The following code filters out these value anomalies by using query functions. The code then removes the last few columns that aren't necessary for training:

+ final_df.pop(col)

+The last step in this sequence is to call the `describe()` function again on the data to ensure cleansing worked as expected. You now have a prepared and cleansed set of taxi, holiday, and weather data to use for machine learning model training:

+Create a workspace object from the existing workspace. A [Workspace](/python/api/azureml-core/azureml.core.workspace.workspace) is a class that accepts your Azure subscription and resource information. It also creates a cloud resource to monitor and track your model runs.

+The following code calls the `Workspace.from_config()` function to read the _config.json_ file and load the authentication details into an object named `ws`.

+The `ws` object is used throughout the rest of the code in this tutorial.

+## Split data into train and test sets

+Split the data into training and test sets by using the `train_test_split` function in the _scikit-learn_ library. This function segregates the data into the x (**features**) data set for model training and the y (**values to predict**) data set for testing.

+The following code calls the `train_test_split` function to load the x and y datasets:

+The purpose of this step is to prepare data points to test the finished model that aren't used to train the model. These points are used to measure true accuracy. A well-trained model is one that can make accurate predictions from unseen data. You now have data prepared for autotraining a machine learning model.

+## Automatically train model

+1. Submit the experiment for model tuning. After you submit the experiment, the process iterates through different machine learning algorithms and hyperparameter settings, adhering to your defined constraints. It chooses the best-fit model by optimizing an accuracy metric.

+Define the experiment parameter and model settings for training. View the full list of [settings](how-to-configure-auto-train.md). Submitting the experiment with these default settings takes approximately 5-20 minutes. To decrease the run time, reduce the `experiment_timeout_hours` parameter.

+| Property | Value in this tutorial | Description |

+| `iteration_timeout_minutes` | 10 | Time limit in minutes for each iteration. Increase this value for larger datasets that need more time for each iteration. |

+| `experiment_timeout_hours` | 0.3 | Maximum amount of time in hours that all iterations combined can take before the experiment terminates. |

+| `enable_early_stopping` | True | Flag to enable early termination if the score isn't improving in the short term. |

+| `primary_metric` | spearman_correlation | Metric that you want to optimize. The best-fit model is chosen based on this metric. |

+| `featurization` | auto | The _auto_ value allows the experiment to preprocess the input data, including handling missing data, converting text to numeric, and so on. |

+| `verbosity` | logging.INFO | Controls the level of logging. |

+| `n_cross_validations` | 5 | Number of cross-validation splits to perform when validation data isn't specified. |

+The following code submits the experiment:

+ "iteration_timeout_minutes": 10,

+ "experiment_timeout_hours": 0.3,

+ "enable_early_stopping": True,

+ "primary_metric": 'spearman_correlation',

+ "featurization": 'auto',

+ "verbosity": logging.INFO,

+ "n_cross_validations": 5

+The following code lets you use your defined training settings as a `**kwargs` parameter to an `AutoMLConfig` object. Additionally, you specify your training data and the type of model, which is `regression` in this case.

+ debug_log='automated_ml_errors.log',

+ training_data=x_train,

+ label_column_name="totalAmount",

+ **automl_settings)

+> Automated ML pre-processing steps (feature normalization, handling missing data, converting text to numeric, and so on) become part of the underlying model. When you use the model for predictions, the same pre-processing steps applied during training are applied to your input data automatically.

+### Train automatic regression model

+Create an experiment object in your workspace. An experiment acts as a container for your individual jobs. Pass the defined `automl_config` object to the experiment, and set the output to _True_ to view progress during the job.

+After you start the experiment, the displayed output updates live as the experiment runs. For each iteration, you see the model type, run duration, and training accuracy. The field `BEST` tracks the best running training score based on your metric type:

+Here's the output:

+ ITERATION PIPELINE DURATION METRIC BEST

+ 0 StandardScalerWrapper RandomForest 0:00:16 0.8746 0.8746

+ 1 MinMaxScaler RandomForest 0:00:15 0.9468 0.9468

+ 2 StandardScalerWrapper ExtremeRandomTrees 0:00:09 0.9303 0.9468

+ 3 StandardScalerWrapper LightGBM 0:00:10 0.9424 0.9468

+ 4 RobustScaler DecisionTree 0:00:09 0.9449 0.9468

+ 5 StandardScalerWrapper LassoLars 0:00:09 0.9440 0.9468

+ 6 StandardScalerWrapper LightGBM 0:00:10 0.9282 0.9468

+ 7 StandardScalerWrapper RandomForest 0:00:12 0.8946 0.9468

+ 8 StandardScalerWrapper LassoLars 0:00:16 0.9439 0.9468

+ 9 MinMaxScaler ExtremeRandomTrees 0:00:35 0.9199 0.9468

+ 10 RobustScaler ExtremeRandomTrees 0:00:19 0.9411 0.9468

+ 11 StandardScalerWrapper ExtremeRandomTrees 0:00:13 0.9077 0.9468

+ 12 StandardScalerWrapper LassoLars 0:00:15 0.9433 0.9468

+ 13 MinMaxScaler ExtremeRandomTrees 0:00:14 0.9186 0.9468

+ 14 RobustScaler RandomForest 0:00:10 0.8810 0.9468

+ 15 StandardScalerWrapper LassoLars 0:00:55 0.9433 0.9468

+ 16 StandardScalerWrapper ExtremeRandomTrees 0:00:13 0.9026 0.9468

+ 17 StandardScalerWrapper RandomForest 0:00:13 0.9140 0.9468

+ 18 VotingEnsemble 0:00:23 0.9471 0.9471

+ 19 StackEnsemble 0:00:27 0.9463 0.9471

+## Explore results

+The following code produces a graph to explore the results:

+The run details for the Jupyter widget:

+The plot chart for the Jupyter widget:

+### Retrieve best model

+The following code lets you select the best model from your iterations. The `get_output` function returns the best run and the fitted model for the last fit invocation. By using the overloads on the `get_output` function, you can retrieve the best run and fitted model for any logged metric or a particular iteration.

+### Test best model accuracy

+Use the best model to run predictions on the test data set to predict taxi fares. The `predict` function uses the best model and predicts the values of y, **trip cost**, from the `x_test` data set.

+The following code prints the first 10 predicted cost values from the `y_predict` data set:

+Calculate the `root mean squared error` of the results. Convert the `y_test` dataframe to a list and compare with the predicted values. The `mean_squared_error` function takes two arrays of values and calculates the average squared error between them. Taking the square root of the result gives an error in the same units as the y variable, **cost**. It indicates roughly how far the taxi fare predictions are from the actual fares.

+ abs_error = actual_val - predict_val

+ if abs_error < 0:

+ abs_error = abs_error * -1

+ sum_errors = sum_errors + abs_error

+ sum_actuals = sum_actuals + actual_val

+Here's the output:

+The traditional machine learning model development process is highly resource-intensive. It requires significant domain knowledge and time investment to run and compare the results of dozens of models. Using automated machine learning is a great way to rapidly test many different models for your scenario.

+If you don't plan to work on other Azure Machine Learning tutorials, complete the following steps to remove the resources you no longer need.

+### Stop compute

+If you used a compute, you can stop the virtual machine when you aren't using it and reduce your costs:

+1. Go to your workspace in the Azure Machine Learning studio, and select **Compute**.

+1. In the list, select the compute you want to stop, and then select **Stop**.

+When you're ready to use the compute again, you can restart the virtual machine.

+### Delete other resources

+If you don't plan to use the resources you created in this tutorial, you can delete them and avoid incurring further charges.

+Follow these steps to remove the resource group and all resources:

+1. In the Azure portal, go to **Resource groups**.

+1. In the list, select the resource group you created in this tutorial, and then select **Delete resource group**.

+1. At the confirmation prompt, enter the resource group name, and then select **Delete**.

+If you want to keep the resource group, and delete a single workspace only, follow these steps:

+1. In the Azure portal, go to the resource group that contains the workspace you want to remove.

+1. Select the workspace, select **Properties**, and then select **Delete**.

+## Next step

+> [!div class="nextstepaction"]

+> [Set up Automated ML to train computer vision models with Python (v1)](how-to-auto-train-image-models.md)

+Readiness unknown | Azure Migrate can't identify Azure readiness, usually because data isn't available. |

+> | **SrcIp** | Source IP address | Blank in AzurePublic and ExternalPublic flows. |

+> | **DestIp** | Destination IP address | Blank in AzurePublic and ExternalPublic flows. |

+> | **NsgRule** | NSG_RULENAME | Network security group rule that allowed or denied the flow. |

+> | **NsgRuleType** | - User Defined <br> - Default | The type of network security group rule used by the flow. |

+> | **SrcNic** | \<resourcegroup_Name\>/\<NetworkInterfaceName\> | NIC associated with the source IP in the flow. |

+> | **DestNic** | \<resourcegroup_Name\>/\<NetworkInterfaceName\> | NIC associated with the destination IP in the flow. |

+> | **SrcVm** | \<resourcegroup_Name\>/\<VirtualMachineName\> | Virtual machine associated with the source IP in the flow. |

+> | **DestVm** | \<resourcegroup_Name\>/\<VirtualMachineName\> | Virtual machine associated with the destination IP in the flow. |

+- In case of `AzurePublic` and `ExternalPublic` flows, customer owned Azure virtual machine IP is populated in `VMIP_s` field, while the Public IP addresses are populated in the `PublicIPs_s` field. For these two flow types, you should use `VMIP_s` and `PublicIPs_s` instead of `SrcIP_s` and `DestIP_s` fields. For AzurePublic and ExternalPublic IP addresses, we aggregate further, so that the number of records ingested to Log Analytics workspace is minimal. (This field will be deprecated. Use SrcIP_s and DestIP_s depending on whether the virtual machine was the source or the destination in the flow).

+In addition to existing support to identify traffic that [network security group rules](../virtual-network/network-security-groups-overview.md) allow or deny, Virtual network flow logs support identification of traffic that [Azure Virtual Network Manager security admin rules](../virtual-network-manager/concept-security-admins.md) allow or deny. Virtual network flow logs also support evaluating the encryption status of your network traffic in scenarios where you're using [virtual network encryption](../virtual-network/virtual-network-encryption-overview.md?toc=/azure/network-watcher/toc.json).

+Traffic in your virtual networks is unencrypted (`NX`) by default. For encrypted traffic, see [Virtual network encryption](../virtual-network/virtual-network-encryption-overview.md?toc=/azure/network-watcher/toc.json).

+The 1000 Genomes Project ran between 2008 and 2015, to create the largest public catalog of human variation and genotype data. The final data set contains data for 2,504 individuals from 26 populations and 84 million identified variants. For more information, visit the 1000 Genome Project [website](https://www.internationalgenome.org/) and these publications:

+[Pilot Analysis: A map of human genome variation from population-scale sequencing Nature 467, 1061-1073 (28 October 2010)](https://www.nature.com/articles/nature09534)

+[Phase 1 Analysis: An integrated map of genetic variation from 1,092 human genomes Nature 491, 56-65 (01 November 2012)](https://www.nature.com/articles/nature11632)

+[Phase 3 Analysis: A global reference for human genetic variation Nature 526, 68-74 (01 October 2015) and An integrated map of structural variation in 2,504 human genomes Nature 526, 75-81](https://www.nature.com/articles/nature15394)

+Visit [this resource](http://www.internationalgenome.org/formats) for more information about the relevant data formats.

+**[NEW]**: The dataset is also available in [parquet format](https://github.com/microsoft/genomicsnotebook/tree/main/vcf2parquet-conversion/1000genomes).

+This dataset is a mirror of [this](ftp://ftp.1000genomes.ebi.ac.uk/vol1/ftp/) FTP resource.

+This dataset contains approximately 815 TB of data. It receives daily updates.

+Following the final publications, data from the 1000 Genomes Project is publicly available, without embargo, to anyone for use under the terms provided by the [dataset source](http://www.internationalgenome.org/data). Use of the data should be cited per details available in the 1000 Genome Project [FAQ resource](https://www.internationalgenome.org/faq).

+Scroll down at [this resource](https://www.internationalgenome.org/contact) for the contact information.

+ Title: Relocate Azure Automation to another region

+This article describes how to relocate your Azure Event Grid resources to another Azure region.

+This article covers the recommended approach, guidelines, and practices to relocate Event Grid domains to another region.

+This article covers the recommended approach, guidelines, and practices to relocate Event Grid system topics to another region.

+ Title: Relocate Azure Event Hubs to another region

+ Title: Relocate Log Analytics workspace to another region

+## Compliance

+Oracle Database@Azure is an Oracle Cloud database service that runs Oracle Database workloads in a customer's Azure environment. Oracle Database@Azure offers various Oracle Database Services through customerΓÇÖs Microsoft Azure environment. This service allows customers to monitor database metrics, audit logs, events, logging data, and telemetry natively in Azure. It runs on infrastructure managed by Oracle's Cloud Infrastructure operations team who performs software patching, infrastructure updates, and other operations through a connection to Oracle Cloud.

+All infrastructure for Oracle Database@Azure is co-located in Azure's physical data centers and uses Azure Virtual Network for networking, managed within the Azure environment. Federated identity and access management for Oracle Database@Azure is provided by Microsoft Entra ID.

+For detailed information on the compliance certifications please visit [Microsoft Services Trust Portal](https://servicetrust.microsoft.com/) and [Oracle compliance website](https://docs.oracle.com/en-us/iaas/Content/multicloud/compliance.htm). If you have further questions about OracleDB@Azure compliance please reach out to your account team and/or get information through [Oracle and Microsoft support for Oracle Database@Azure](https://docs.oracle.com/en-us/iaas/Content/multicloud/oaahelp.htm).

+## Data retention policy and pricing

+If you select Event Hubs or a Storage account, you can specify a retention policy. This policy deletes data that is older than a selected time period. If you specify Log Analytics, the retention policy depends on the selected pricing tier. Logs ingested into your **Log Analytics** workspace can be retained at no charge for up to first 31 days. Logs retained beyond these no-charge periods will be charged for each GB of data retained for a month (pro-rated daily). For more details, refer [Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/).

+> [!IMPORTANT]

+> _Billing Model Update for Azure Database for PostgreSQL Flexible Server (v5 HA):_

+In April, we implemented a billing model update for v5 SKU with High Availability (HA) enabled servers. This change aims to correctly reflect the charges, by accounting for both the primary and standby servers. Before this change we were incorrectly charging customers for the primary server only. Customers using v5 SKU with HA enabled servers will now see billing quantities multiplied by 2. This update does not impact v4 and v3 SKUs.

+1. In the [Azure portal](https://portal.azure.com/), choose Azure Database for PostgreSQL flexible server and select create. For details on how to fill details such as **Subscription**, **Resource group**, **Server name**, **Region**, and other fields, see [how to create an Azure Database for PostgreSQL - Flexible Server](./quickstart-create-server-portal.md).

+> [!NOTE]

+> The nomination process is for users who want to voluntarily fast-track their migration to Flexible server.

+If you own a Single Server workload, you can now nominate yourself (if not already scheduled by the service) for automigration. Submit your server details through this [form](https://forms.office.com/r/4pF55L8TxY).

+Servers eligible for automigration are sent advance Azure health notifications by the service. The health notifications are sent **30 days, 14 days and 7 days** before the migration date. Notifications are also sent when the migration is **in progress, has completed, and 6 days after migration** before the legacy Single server is dropped. You can check and configure the Azure portal to receive the automigration notifications via email or SMS.

+Online migration makes use of [pgcopydb follow](https://pgcopydb.readthedocs.io/en/latest/ref/pgcopydb_follow.html) and some of the [logical decoding restrictions](https://pgcopydb.readthedocs.io/en/latest/ref/pgcopydb_follow.html#pgcopydb-follow) apply. In addition, it's recommended to have a primary key in all the tables of a database undergoing Online migration. If primary key is absent, the deficiency will result in only insert operations being reflected during migration, excluding updates or deletes. Add a temporary primary key to the relevant tables before proceeding with the online migration.

+> [!NOTE]

+> In the case of Online migration of tables without a primary key, only Insert operations are replayed on the target. This can potentially introduce inconsistency in the Database if records that are updated or deleted on the source do not reflect on the target.

+To use the Migration Runtime Server feature within the migration service in Azure Database for PostgreSQL, you can select the appropriate migration option either through the Azure portal during the setup or by specifying the `migrationRuntimeResourceId` in the JSON properties file during the migration create command in the Azure CLI. Here's how to do it in both methods:

+### Use the Azure portal

+- Choose your Azure subscription and resource group and the location of the VNet-integrated Azure Database for PostgreSQLΓÇöFlexible server.

+### Use Azure CLI

+- Open your command-line interface.

+- Ensure you have the Azure CLI installed and you're logged into your Azure account using az sign-in.

+- The version should be at least 2.62.0 or above to use the migration runtime server option.

+- The `az postgres flexible-server migration create` command requires a JSON file path as part of `--properties` parameter, which contains configuration details for the migration. Provide the `migrationRuntimeResourceId` in the JSON properties file.

+#### Workaround

+> Make sure you perform the above steps for all the databases included in the migration to avoid any permission-related issues during the migration.

+| `migrationRuntimeResourceId` | Required if a runtime server needs to be used for migration. The format is - `/subscriptions/<<Subscription ID>>/resourceGroups/<<Resource Group Name>>/providers/Microsoft.DBforPostgreSQL/flexibleServers/<<PostgreSQL Flexible Server name>>` |

+- couldn't receive data from client: Connection reset by peer

+These settings help maintain the connection by sending keepalive probes to prevent timeouts due to inactivity. Importantly, modifying these TCP parameters doesn't require a restart of the source or target PostgreSQL instances. Changes can be applied dynamically, allowing for a seamless continuation of service without interrupting the database operations.

+## Migration error codes

+| 603104 | Missing Replication Role. User `{0}` doesn't have the replication role on server `{1}`. Grant the replication role before retrying migration. | Use `ALTER ROLE <rolename> WITH REPLICATION;` to grant the required permission. |

+| 603110 | Insufficient privileges. Migration user lacks necessary permissions for database access. Ensure that the migration user is owner of source databases and has both read and write privileges and retry the migration.| N/A |

+| 603111 | Target database cleanup failed. Unable to terminate active connections on the target database during the premigration phase. Grant pg_signal_backend role to migration user and retry the migration. | Add pg_signal_backend role to migration user using the command 'GRANT pg_signal_backend to <migration_user>' |

+| 603112 | GUC settings error. Failed to set default_transaction_read_only GUC parameter to off. Ensure that user write access is properly set and retry the migration. | Set 'default_transaction_read_only' to OFF on source server via Azure portal or through psql command(for example, ALTER SYSTEM SET default_transaction_read_only = off). |

+| 603113 | Cutover failure. Cutover can't be initiated for database '{dbName}' as the migration has already been with the status Completed/Failed/Canceled. | N/A |

+| 603114 | Cutover failure. Cutover can't be initiated for database '{dbName}' for migration mode offline. | N/A |

+| 603115 | Missing user privileges. Migration user '{0}' isn't a member of azure_pg_admin role. Add necessary privileges on target server and retry the migration. | N/A |

+| 603116 | Missing user privileges. Migration user '{0}' doesn't have the create role privilege. Add necessary privileges on target server and retry the migration. | Run query `ALTER ROLE <rolename> WITH CREATEROLE;` on target server. |

+| 603117 | Missing user privileges. Migration user '{0}' lacks necessary privileges to delete the '{dbName}' database on the target server. Drop the database manually from the target server and retry the migration. | N/A |

+| 603410 | System table permission error. Users have access to system tables like pg_authid and pg_shadow that can't be migrated to the target. Revoke these permissions and retry the migration. | Validating the default permissions granted to `pg_catalog` tables/views (such as `pg_authid` and `pg_shadow`) is essential. However, these permissions can't be assigned to the target. Specifically, User `{1}` possesses `{2}` permissions, while User `{3}` holds `{4}` permissions. For a workaround, visit [User, Roles, and Permissions](https://aka.ms/troubleshooting-user-roles-permission-ownerships-issues) |

+| 603700 | Target database cleanup failed. Unable to terminate active connections on the target database during the pre-migration/post-migration phase. | N/A |

+| 603701 | Internal server error. Failed to create roles on the target server. | [Contact Microsoft support](https://support.microsoft.com/contactus) for further analysis. |

+| 603702 | Internal server error. Failed to dump roles from source server. | [Contact Microsoft support](https://support.microsoft.com/contactus) for further analysis. |

+| 603703 | Internal server error. Failed to edit the global role dump file. | [Contact Microsoft support](https://support.microsoft.com/contactus) for further analysis. |

+| 603704 | Internal server error. Failed to make all source roles a member of target migration user. | [Contact Microsoft support](https://support.microsoft.com/contactus) for further analysis. |

+| 603705 | Internal server error. Failed to restore grants/revokes. | [Contact Microsoft support](https://support.microsoft.com/contactus) for further analysis. |

+| 603706 | Internal server error. Failed to clean up the target server migration user. Your target migration user can be part of multiple roles. Remove all unnecessary roles from target server migration user and retry the migration. | [Contact Microsoft support](https://support.microsoft.com/contactus) for further analysis. |

+| 603707 | Internal server error. Failed to grant azure_pg_admin to the source server admin user. | [Contact Microsoft support](https://support.microsoft.com/contactus) for further analysis.|

+| 603708 | Internal server error. Failed to alter the owner of public schema to azure_pg_admin in database '{dbName}'. Change the owner of public schema to azure_pg_admin manually and retry the migration. | [Contact Microsoft support](https://support.microsoft.com/contactus) for further analysis. |

+| 603709 | Migration setup failed. | [Contact Microsoft support](https://support.microsoft.com/contactus) for further analysis. |

+| Mexico | Mexico Central |

+| Spain | Spain Central|

+ Title: 'Tutorial: Configure BGP peering between Azure Route Server and NVA'

+description: This tutorial shows you how to configure an Azure Route Server and peer it with a Network Virtual Appliance (NVA) using the Azure portal.

+# Tutorial: Configure BGP peering between Azure Route Server and network virtual appliance (NVA)

+This tutorial shows you how to deploy an Azure Route Server and a Windows Server network virtual appliance (NVA) into a virtual network and establish a BGP peering connection between them.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> - Create a virtual network

+> - Deploy an Azure Route Server

+> - Deploy a virtual machine

+> - Configure BGP on the virtual machine

+> - Configure BGP peering between the Route Server and the NVA

+> - Check learned routes

+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

+## Prerequisites

+- An active Azure subscription.

+## Sign in to Azure

+Sign in to the [Azure portal](https://portal.azure.com).

+## Create a virtual network

+Create a virtual network to deploy both the Route Server and the NVA in it. Azure Route Server must be deployed in a dedicated subnet called *RouteServerSubnet*.

+1. In the search box at the top of the portal, enter ***virtual network***, and select **Virtual networks** from the search results.

+ :::image type="content" source="./media/peer-route-server-with-virtual-appliance/portal-search.png" alt-text="Screenshot of searching for virtual networks in the Azure portal." lightbox="./media/peer-route-server-with-virtual-appliance/portal-search.png":::

+1. On the **Virtual networks** page, select **+ Create**.

+1. On the **Basics** tab of **Create virtual network**, enter, or select the following information:

+ | Settings | Value |

+ | -- | -- |

+ | **Project details** | |

+ | Subscription | Select your Azure subscription. |

+ | Resource group | Select **Create new**. </br>In **Name** enter ***myResourceGroup***. </br>Select **OK**. |

+ | **Instance details** | |

+ | Name | Enter ***myVirtualNetwork***. |

+ | Region | Select an Azure region. This tutorial uses **East US**. |

+ :::image type="content" source="./media/peer-route-server-with-virtual-appliance/create-virtual-network-basics.png" alt-text="Screenshot of the Basics tab of creating a virtual network in the Azure portal." lightbox="./media/peer-route-server-with-virtual-appliance/create-virtual-network-basics.png":::

+1. Select **IP Addresses** tab or **Next** button twice.

+1. On the **IP Addresses** tab, configure **IPv4 address space** to **10.0.0.0/16**, then configure the following subnets:

+ | Subnet name | Subnet address range |

+ | -- | -- |

+ | mySubnet | 10.0.0.0/24 |

+ | RouteServerSubnet | 10.0.1.0/24 |

+ :::image type="content" source="./media/peer-route-server-with-virtual-appliance/create-virtual-network-ip-addresses.png" alt-text="Screenshot of the IP addresses tab of creating a virtual network in the Azure portal." lightbox="./media/peer-route-server-with-virtual-appliance/create-virtual-network-ip-addresses.png":::

+1. Select **Review + create** and then select **Create** after the validation passes.

+## Create an Azure Route Server

+In this section, you create an Azure Route Server.

+1. In the search box at the top of the portal, enter ***route server***, and select **Route Servers** from the search results.

+1. On the **Route Servers** page, select **+ Create**.

+1. On the **Basics** tab of **Create a Route Server** page, enter, or select the following information:

+ | Settings | Value |

+ | -- | -- |

+ | **Project details** | |

+ | Subscription | Select your Azure subscription that you used for the virtual network. |

+ | Resource group | Select **myResourceGroup**. |

+ | **Instance details** | |

+ | Name | Enter *myRouteServer*. |

+ | Region | Select **East US** region. |

+ | Routing Preference | Select the default **ExpressRoute** option. Other available options are: **VPN** and **ASPath**. <br>You can change your selection later from the Route Server **Configuration**. |

+ | **Configure virtual networks** | |

+ | Virtual Network | Select **myVirtualNetwork**. |

+ | Subnet | Select **RouteServerSubnet (10.0.1.0/24)**. This subnet is a dedicated Route Server subnet. |

+ | **Public IP address** | |

+ | Public IP address | Select **Create new** and accept the default name **myVirtualNetwork-ip** or enter a different one. This Standard IP address ensures connectivity to the backend service that manages the Route Server configuration. |

+ :::image type="content" source="./media/peer-route-server-with-virtual-appliance/create-route-server.png" alt-text="Screenshot of creating a Route Server in the Azure portal." lightbox="./media/peer-route-server-with-virtual-appliance/create-route-server.png":::

+1. Select **Review + create** and then select **Create** after validation passes. The Route Server takes about 15 minutes to deploy.

+1. Once the deployment is complete, select **Go to resource** to go to the **Overview** page of **myRouteServer**.

+1. Take a note of the **ASN** and **Peer IPs** in the **Overview** page. You need this information to configure the NVA in the next section.

+ :::image type="content" source="./media/peer-route-server-with-virtual-appliance/route-server-overview.png" alt-text="Screenshot that shows the Route Server ASN and Peer IPs in the Overview page." lightbox="./media/peer-route-server-with-virtual-appliance/route-server-overview.png":::

+ > [!NOTE]

+ > - The ASN of Azure Route Server is always 65515.

+ > - The Peer IPs are the private IP addresses of the Route Server in the RouteServerSubnet.

+

+## Create a network virtual appliance (NVA)

+In this section, you create a Windows Server NVA that communicates and exchanges routes with the Route Server over a BGP peering connection.

+### Create a virtual machine (VM)

+In this section, you create a Windows Server VM in the virtual network you created earlier to act as a network virtual appliance.

+1. In the search box at the top of the portal, enter ***virtual machine***, and select **Virtual machines** from the search results.

+1. Select **Create**, then select **Azure virtual machine**.

+1. On the **Basics** tab of **Create a virtual machine**, enter, or select the following information:

+ | Settings | Value |

+ | -- | -- |

+ | **Project details** | |

+ | Subscription | Select your Azure subscription that you used for the virtual network. |

+ | Resource group | Select **myResourceGroup**. |

+ | **Instance details** | |

+ | Virtual machine name | Enter ***myNVA***. |

+ | Region | Select **(US) East US**. |

+ | Availability options | Select **No infrastructure required**. |

+ | Security type | Select a security type. This tutorial uses **Standard**. |

+ | Image | Select a **Windows Server** image. This tutorial uses **Windows Server 2022 Datacenter: Azure Edition - x64 Gen2** image. |

+ | Size | Choose a size or leave the default setting. |

+ | **Administrator account** | |

+ | Username | Enter a username. |

+ | Password | Enter a password. |

+ | Confirm password | Reenter the password. |

+ :::image type="content" source="./media/peer-route-server-with-virtual-appliance/create-virtual-machine-basics.png" alt-text="Screenshot of the Basics tab of creating a VM in the Azure portal." lightbox="./media/peer-route-server-with-virtual-appliance/create-virtual-machine-basics.png":::

+1. Select **Networking** tab or **Next: Disks >** then **Next: Networking >**.

+1. On the **Networking** tab, select the following network settings:

+ | Settings | Value |

+ | -- | -- |

+ | Virtual network | Select **myVirtualNetwork**. |

+ | Subnet | Select **mySubnet (10.0.0.0/24)**. |

+ | Public IP | Leave as default. |

+ | NIC network security group | Select **Basic**. |

+ | Public inbound ports | Select **Allow selected ports**. |

+ | Select inbound ports | Select **RDP (3389)**. |

+ > [!CAUTION]

+ > Leaving the RDP port open to the internet is not recommended. Restrict access to the RDP port to a specific IP address or range of IP addresses. For production environments, it's recommended to block internet access to the RDP port and use [Azure Bastion](../bastion/bastion-overview.md?toc=/azure/route-server/toc.json) to securely connect to your virtual machine from the Azure portal.

+ :::image type="content" source="./media/peer-route-server-with-virtual-appliance/create-virtual-machine-networking.png" alt-text="Screenshot of the Networking tab of creating a VM in the Azure portal." lightbox="./media/peer-route-server-with-virtual-appliance/create-virtual-machine-networking.png":::

+1. Select **Review + create** and then **Create** after validation passes.

+### Configure BGP on the virtual machine

+In this section, you configure BGP settings on the VM so it acts as an NVA and can exchange routes with the Route Server.

+1. Go to **myNVA** virtual machine and select **Connect**.

+ :::image type="content" source="./media/peer-route-server-with-virtual-appliance/connect-vm.png" alt-text="Screenshot that shows how to connect to a VM using RDP in the Azure portal." lightbox="./media/peer-route-server-with-virtual-appliance/connect-vm.png":::

+1. On the **Connect** page, select **Download RDP file** under **Native RDP**.

+1. Open the downloaded file.

+1. Select **Connect** and then enter the username and password that you created in the previous steps. Accept the certificate if prompted.

+1. Run PowerShell as an administrator.

+1. In PowerShell, execute the following cmdlets:

+ ```powershell

+ # Install required Windows features.

+ Install-WindowsFeature RemoteAccess

+ Install-WindowsFeature RSAT-RemoteAccess-PowerShell

+ Install-WindowsFeature Routing

+ Install-RemoteAccess -VpnType RoutingOnly

+

+ # Configure BGP & Router ID on the Windows Server

+ Add-BgpRouter -BgpIdentifier 10.0.0.4 -LocalASN 65001

+

+ # Configure Azure Route Server as a BGP Peer.

+ Add-BgpPeer -LocalIPAddress 10.0.0.4 -PeerIPAddress 10.0.1.4 -PeerASN 65515 -Name RS_IP1

+ Add-BgpPeer -LocalIPAddress 10.0.0.4 -PeerIPAddress 10.0.1.5 -PeerASN 65515 -Name RS_IP2

+

+ # Originate and announce BGP routes.

+ Add-BgpCustomRoute -network 172.16.1.0/24

+ Add-BgpCustomRoute -network 172.16.2.0/24

+ ```

+## Configure Route Server peering

+1. Go to the Route Server you created in the previous steps.

+1. Select **Peers** under **Settings**. Then, select **+ Add** to add a new peer.

+1. On the **Add Peer** page, enter the following information:

+ | Setting | Value |

+ | - | -- |

+ | Name | Enter ***myNVA***. Use this name to identify the peer. It doesn't have to be the same name of the VM that you configured as an NVA. |

+ | ASN | Enter ***65001***. This is the ASN of the NVA. You configured it in the previous section. |

+ | IPv4 Address | Enter ***10.0.0.4***. This is the private IP address of the NVA. |

+1. Select **Add** to save the configuration.

+ :::image type="content" source="./media/peer-route-server-with-virtual-appliance/add-peer.png" alt-text="Screenshot that shows how to add the NVA to the Route Server as a peer." lightbox="./media/peer-route-server-with-virtual-appliance/add-peer.png":::

+1. Once you add the NVA as a peer, the **Peers** page shows the **myNVA** as a peer:

+ :::image type="content" source="./media/peer-route-server-with-virtual-appliance/route-server-peers.png" alt-text="Screenshot that shows the peers of a Route Server." lightbox="./media/peer-route-server-with-virtual-appliance/route-server-peers.png":::

+

+## Check learned routes

+Use [Get-AzRouteServerPeerLearnedRoute](/powershell/module/az.network/get-azrouteserverpeerlearnedroute) cmdlet to check the routes learned by the Route Server.

+```azurepowershell-interactive

+Get-AzRouteServerPeerLearnedRoute -ResourceGroupName 'myResourceGroup' -RouteServerName 'myRouteServer' -PeerName 'myNVA'

+```

+The output should look like the following example. The output shows the two learned routes from the NVA:

+```output

+LocalAddress Network NextHop SourcePeer Origin AsPath Weight

+ - - -

+10.0.1.5 172.16.1.0/24 10.0.0.4 10.0.0.4 EBgp 65001 32768

+10.0.1.5 172.16.2.0/24 10.0.0.4 10.0.0.4 EBgp 65001 32768

+10.0.1.4 172.16.1.0/24 10.0.0.4 10.0.0.4 EBgp 65001 32768

+10.0.1.4 172.16.2.0/24 10.0.0.4 10.0.0.4 EBgp 65001 32768

+```

+## Clean up resources

+When no longer needed, you can delete all resources created in this tutorial by deleting **myResourceGroup** resource group:

+1. In the search box at the top of the portal, enter ***myResourceGroup***. Select **myResourceGroup** from the search results.

+1. Select **Delete resource group**.

+1. In **Delete a resource group**, select **Apply force delete for selected Virtual machines and Virtual machine scale sets**.

+1. Enter ***myResourceGroup***, and then select **Delete**.

+1. Select **Delete** to confirm the deletion of the resource group and all its resources.

+## Related content

+In this tutorial, you learned how to create and configure an Azure Route Server with a network virtual appliance (NVA). To learn more about Route Servers, see [Azure Route Server frequently asked questions (FAQ)](route-server-faq.md).

+To see your Azure bill, select **Cost Analysis** in the left navigation of **Cost Management**. On the **Cost analysis** screen, find and select the **Invoice details** from **All views**.

+This article describes the features available in Microsoft Sentinel across different Azure environments. Features are listed as GA (generally available), public preview, or shown as not available.

+While Microsoft Sentinel is also available in the [Microsoft Defender portal](microsoft-sentinel-defender-portal.md), this article only covers Azure environments. Microsoft Sentinel within the Microsoft unified security operations platform is currently supported only in the Azure commercial cloud.

+- Blog post: [General availability of the Microsoft unified security operations platform](https://aka.ms/unified-soc-announcement)

+The Defender XDR connector also brings incidents from Microsoft Defender for Cloud. To synchronize alerts and entities from these incidents as well, you must enable the Defender for Cloud connector in Microsoft Sentinel. Otherwise, your Defender for Cloud incidents appear empty. For more information, see [Ingest Microsoft Defender for Cloud incidents with Microsoft Defender XDR integration](ingest-defender-for-cloud-incidents.md).

+- Microsoft Sentinel's incident creation rules allowed you to filter the alerts that would be used to create incidents. With these rules disabled, preserve the alert filtering capability by configuring [alert tuning in the Microsoft Defender portal](/microsoft-365/security/defender/investigate-alerts), or by using [automation rules](automate-incident-handling-with-automation-rules.md#incident-suppression) to suppress or close incidents you don't want.

+- To use the unified security operations platform in the Defender portal, see [Connect Microsoft Sentinel to Microsoft Defender XDR](/defender-xdr/microsoft-sentinel-onboard).

+This article describes the Microsoft Sentinel experience in the Microsoft Defender portal. Microsoft Sentinel is now generally available within the Microsoft unified security operations platform in the Microsoft Defender portal. For more information, see:

+- Blog post: [General availability of the Microsoft unified security operations platform](https://aka.ms/unified-soc-announcement)

+- [Microsoft Defender XDR integration with Microsoft Sentinel](microsoft-365-defender-sentinel-integration.md)

+## July 2024

+- [Microsoft unified security platform now generally available](#microsoft-unified-security-platform-now-generally-available)

+### Microsoft unified security platform now generally available

+Microsoft Sentinel is now generally available within the Microsoft unified security operations platform in the Microsoft Defender portal. The Microsoft unified security operations platform brings together the full capabilities of Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Copilot for Security in Microsoft Defender. For more information, see the following resources:

+- Blog post: [General availability of the Microsoft unified security operations platform](https://aka.ms/unified-soc-announcement)

+- [Microsoft Sentinel in the Microsoft Defender portal](microsoft-sentinel-defender-portal.md)

+- [Connect Microsoft Sentinel to Microsoft Defender XDR](/defender-xdr/microsoft-sentinel-onboard)

+- [Microsoft Copilot for Security in Microsoft Defender](/defender-xdr/security-copilot-in-microsoft-365-defender)

+To automate the deployment of an Azure Synapse workspace to multiple environments, the following prerequisites and configurations must be in place. Note that you may choose to use **either** Azure DevOps **or** GitHub, according to your preference or existing setup.

+If you are using Azure DevOps:

+If you are using GitHub:

+> [!CAUTION]

+> We strongly recommend proactively upgrading workloads to a more recent GA version of the runtime which is [Azure Synapse Runtime for Apache Spark 3.4 (GA)](./apache-spark-34-runtime.md)). Refer to the [Apache Spark migration guide](https://spark.apache.org/docs/latest/sql-migration-guide.html).

+| [Azure Synapse Runtime for Apache Spark 3.3](./apache-spark-33-runtime.md) | Nov 17, 2022 | GA (as of Feb 23, 2023) | Q2/Q3 2024 | 3/31/2025 |

+> [!CAUTION]

+> Azure Synapse Runtime for Apache Spark 2.4, 3.1, and 3.2 are unsupported and deprecated. Using these runtimes after the deprecation date is at one's own risk, and with the agreement and acceptance of the risks that existing jobs running on Apache Spark 2.4, 3.1, or 3.2 pools will eventually stop executing.

+# Manage pre and post events maintenance configuration events (preview)

+This article describes on how to register your subscription and manage pre and post events in Azure Update Manager.

+## Manage pre and post events

+### View pre and post events

+To view the pre and post events, follow these steps:

+1. Sign in to the [Azure portal](https://portal.azure.com) and go to **Azure Update Manager**.

+1. Under **Manage**, select **Machines**, **Maintenance Configurations**.

+1. In the **Maintenance Configuration** page, select the maintenance configuration to which you want to add a pre and post event.

+1. Select **Overview** and check the **Maintenance events**. You can see the count of the pre and post events associated to the configuration.

+ :::image type="content" source="./media/manage-pre-post-events/view-configure-events-inline.png" alt-text="Screenshot that shows how to view and configure a pre and post event." lightbox="./media/manage-pre-post-events/view-configure-events-expanded.png":::

+1. Select the count of the pre and post events to view the list of events and the event types.

+ :::image type="content" source="./media/manage-pre-post-events/view-events-inline.png" alt-text="Screenshot that shows how to view the pre and post events." lightbox="./media/manage-pre-post-events/view-events-expanded.png":::

+### Edit pre and post events

+To edit the pre and post events, follow these steps:

+1. Follow the steps listed in [View pre and post events](#view-pre-and-post-events).

+1. In the selected **events** page, select the pre or post event you want to edit.

+1. In the selected **pre or post event** page, you can edit the Event handler/endpoint used or the location of the endpoint.

+## Manage the execution of pre/post event and schedule run

+To check the successful delivery of a pre and post event to an endpoint from Event Grid, follow these steps:

+ 1. Sign in to the [Azure portal](https://portal.azure.com/) and go to **Azure Update Manager**.

+ 2. Under **Manage**, select **Machines**.

+ 3. Select **Maintenance Configurations** from the ribbon at the top.

+ 4. In the **Maintenance Configuration** page, select the maintenance configuration for which you want to view a pre and post event.

+ 5. On the selected **Maintenance Configuration** page, under **Settings** in the ToC, select **Events**.

+ 6. In the **Essentials** section, you can view the metrics for all the events under the selected event subscription. In the graph, the count of the Published Events metric should match with the count of Matched Events metric. Both values should also correspond with the Delivered Events count.

+ 7. To view the metrics specific to a pre or a post event, select the name of the event from the grid. Here, the count of Matched Events metric should match with the Delivered Events count.

+ 8. To view the time at which the event was triggered, hover over the line graph. [Learn more](/azure/azure-monitor/reference/supported-metrics/microsoft-eventgrid-systemtopics-metrics).

+ > [!Note]

+ > Azure Event Grid adheres to an at-least-once delivery paradigm. This implies that, in exceptional circumstances, there is a chance of the event handler being invoked more than once for a given event. We recommend you to ensure that the event handler actions are idempotent. In other words, if the event handler is executed multiple times, it should not have any adverse effects. Implementing idempotency ensures the robustness of your application in the face of potential duplicate event invocations.

+**To check if the endpoint has been triggered and completed in the pre or post event**

+#### [Automation Runbooks via Webhooks](#tab/runbooks)

+1. Sign in to the [Azure portal](https://portal.azure.com/) and go to **Azure Automation account**.

+1. In your Automation account, under **Process Automation**, select **Runbooks**.

+1. Select the pre or post script that is linked to your Webhook in Event Grid.

+1. In **Overview**, you can view the status of the Runbook job. The trigger time should be approximately 30 minutes before the schedule start time. Once the job is finished, you can come back to the same section to confirm if the status is **Completed**. For example, ensure that the VM has been either powered on or off.

+ :::image type="content" source="./media/manage-pre-post-events/automation-runbooks-webhook.png" alt-text="Screenshot that shows how to check the status of runbook job." lightbox="./media/manage-pre-post-events/automation-runbooks-webhook.png":::

+

+ For more information on how to retrieve details from Automation account's activity log and job statuses, see [Manage runbooks in Azure Automation](../automation/automation-runbook-execution.md#jobs).

+#### [Azure Functions](#tab/functions)

+1. Sign in to the [Azure portal](https://portal.azure.com/) and go to **your Azure Function app.**

+2. In your Azure Function app, go to the **Overview** page.

+3. Select the specific **function** from the grid in the **Overview** page.

+4. Under the **Monitor** column, select **Invocations and more.**

+5. This will take you to the **Invocations** tab, which displays the execution details and status of the function.

+To use application insights to monitor executions in Azure functions, refer [here](/azure/azure-functions/functions-monitoring).

+### Cancel a schedule run before it begins to run

+To cancel the schedule run, the cancelation API in your pre-event must get triggered at least 10 minutes before the schedule maintenance configuration start time. You must call the cancelation API in your pre-event, that is, Runbook script or Azure function code.

+**To cancel the schedule maintenance run**

+#### [Azure portal](#tab/az-portal)

+1. Sign in to the [Azure portal](https://portal.azure.com/) and go to **Azure Update Manager**.

+1. Under **Manage** in the ToC, select **History**.

+1. Select the **By Maintenance run ID** tab, and select the maintenance run ID for which you want to view the history.

+1. Select **Cancel schedule update**. This option is enabled for 10 minutes before the start of the maintenance configuration.

+#### [REST API](#tab/rest)

+[Apply Updates - Create Or Update Or Cancel - REST API (Azure Maintenance) | Microsoft Learn](/rest/api/maintenance/apply-updates/create-or-update-or-cancel)

+#### [PowerShell](#tab/az-ps)

+[New-AzApplyUpdate (Az.Maintenance) | Microsoft Learn](/powershell/module/az.maintenance/new-azapplyupdate)

+#### [CLI](#tab/az-cli)

+[az maintenance applyupdate | Microsoft Learn](/cli/azure/maintenance/applyupdate)

+You can obtain the list of machines in the maintenance run from the following ARG query. You can also view the correlation ID by selecting **See details**:

+| where properties.correlationId has "/subscriptions/your- subscription -id/resourcegroups/your- ResourceGroupName/providers/microsoft.maintenance/maintenanceconfigurations/mc-name/providers/microsoft.maintenance/applyupdates/"

+>[!Note]

+>Azure Update Manager or maintenance configuration will not monitor and automatically cancel the schedule. If the user fails to cancel, the schedule run will proceed with installing updates during the user-defined maintenance window.

+## Post schedule run

+### View the history of pre and post events

+1. Sign in to the [Azure portal](https://portal.azure.com/) and go to **Azure Update Manager**.

+2. Under **Manage**, select **History**.

+3. Select the **By Maintenance run ID** tab, select the maintenance run ID for which you want to view the history.

+4. Select the **Events** tab in this history page of the selected maintenance run ID.

+5. You can view the count of events and event names along with the Event type and endpoint details.

+### Debug pre and post events

+#### [Automation-Webhook](#tab/az-webhook)

+To view the job history of an event created through Webhook, follow these steps:

+1. Find the event name for which you want to view the job logs.

+2. Under the **Job history** column, select **View runbook history** corresponding to the event name. This takes you to the Automation account where the runbooks reside.

+3. Select the specific runbook name that is associated to the pre or post event. In the **overview** page, you can view the recent jobs of the runbook along with the execution and status details.

+#### [Azure Function](#tab/az-function)

+To view the history of an event created through Azure Function, follow these steps:

+1. Find the event name for which you want to view the job logs.

+2. Under the **Job history** column, select **View Azure Function history** corresponding to the event name. This takes you to the Azure function **Invocations** page.

+3. You can view the recent invocations along with the execution and status details.

+### View the status of a canceled schedule run

+1. Sign in to the [Azure portal](https://portal.azure.com/) and go to **Azure Update Manager**.

+2. Under **Manage**, select **History**.

+3. Select the **By Maintenance run ID** tab, and then select the maintenance run ID for which you want to view the status.

+4. Refer to the **Status** to view the status. If the maintenance run has been canceled, the status will be displayed as **cancelled**. Select the status to view the details.

+There are two types of cancelations:

+- **Cancelation by user**: When you invoke the cancelation API from your script or code.

+- **Cancelation by system**: When the system invokes the cancelation API due to an internal error. This is done only if the system is unable to send the pre-event to the customer's end point that is 30 minutes before the scheduled patching job. In this case, the upcoming scheduled maintenance configuration will be canceled due to the failure of running the pre-events by the system.

+To confirm if the cancelation is by user or system, you can view the status of the maintenance run ID from the ARG query mentioned above in **See details**. The **error message** displays whether the schedule run has been canceled by the user or system and the **status** field confirms the status of the maintenance run.

+ :::image type="content" source="./media/manage-pre-post-events/cancelation-api-user-inline.png" alt-text="Screenshot that shows how to view the cancelation status." lightbox="./media/manage-pre-post-events/cancelation-api-user-expanded.png":::

+The above image shows an example of cancelation by the user, where the error message would be **Maintenance cancelled using cancellation API at YYYY-MM-DD**. If the maintenance run is canceled by the system due to any reason, the error message in the JSON would be **Maintenance cancelled due to internal platform failure at YYYY-MM-DD**.

+## Delete pre and post event

+#### [Using Azure portal](#tab/del-portal)

+To delete pre and post events, follow these steps:

+1. Sign in to the [Azure portal](https://portal.azure.com) and go to **Azure Update Manager**.

+1. Under **Manage**, select **Machines**, **Maintenance Configurations**.

+1. In the **Maintenance Configuration** page, select the maintenance configuration to which you want to add a pre and post event.

+1. In the selected **Maintenance configuration** page, under **Settings**, select **Events**.

+1. Select the event **Name** you want to delete from the grid.

+1. On the selected event page, select **Delete**.

+ :::image type="content" source="./media/manage-pre-post-events/delete-event-inline.png" alt-text="Screenshot that shows how to delete the pre and post events." lightbox="./media/manage-pre-post-events/delete-event-expanded.png":::

+#### [Using PowerShell](#tab/del-ps)

+#### Removing Event Subscription

+```powershell-interactive

+ Remove-AzEventGridSystemTopicEventSubscription -EventSubscriptionName $EventSubscriptionName -ResourceGroupName $ResourceGroupForSystemTopic -SystemTopicName $SystemTopicName

+```

+#### Remove System topic

+```powershell-interactive

+ Remove-AzEventGridSystemTopic -Name $SystemTopicName -ResourceGroupName $ResourceGroupForSystemTopic

+```

+#### [Using CLI](#tab/del-cli)

+#### Removing Event subscription

+```azurecli-interactive

+ az eventgrid system-topic event-subscription delete --name ΓÇ£<Event subscription name>ΓÇ¥ --resource-group $ResourceGroupName --system-topic-name $SystemTopicName

+#### Remove System topic

+```azurecli-interactive

+ az eventgrid system-topic delete --name $SystemTopicName --resource-group $ResourceGroupName

+```

+#### [Using REST API](#tab/del-api)

+#### Event subscription Deletion

+```rest

+ DELETE /subscriptions/<subscription Id>/resourceGroups/<resource group name>/providers/Microsoft.EventGrid/systemTopics/<system topic name>/eventSubscriptions/<Event Subscription name>?api-version=2022-06-15

+#### System topic deletion

+

+```rest

+ DELETE /subscriptions/<subscription Id>/resourceGroups/<resource group name>/providers/Microsoft.EventGrid/systemTopics/<system topic name>;?api-version=2022-06-15

+```

+- For an overview of pre and post events (preview) in Azure Update Manager, refer [here](pre-post-scripts-overview.md)

+- To learn on how to create pre and post events, see [pre and post maintenance configuration events](pre-post-events-schedule-maintenance-configuration.md).

+- To learn how to use pre and post events to turn on and off your VMs using Webhooks, refer [here](tutorial-webhooks-using-runbooks.md).

+- To learn how to use pre and post events to turn on and off your VMs using Azure Functions, refer [here](tutorial-using-functions.md).

+ Title: Create the pre and post maintenance configuration events (preview) in Azure Update Manager

+description: The article provides the steps to create the pre and post maintenance events in Azure Update Manager.

+zone_pivot_groups: create-pre-post-events-maintenance-configuration

+# Create pre and post events (preview)

+**Applies to:** :heavy_check_mark: Windows VMs :heavy_check_mark: Linux VMs :heavy_check_mark: On-premises environment :heavy_check_mark: Azure Arc-enabled servers :heavy_check_mark: Azure VMs.

+Pre and post events allows you to execute user-defined actions before and after the scheduled maintenance configuration. For more information, go through the [workings of a pre and post event in Azure Update Manager](pre-post-scripts-overview.md).

+This article describes on how to create pre and post events in Azure Update Manager.

+## Event Grid in schedule maintenance configurations

+Azure Update Manager leverages Event grid to create and manage pre and post events. For more information, go through the [overview of Event Grid](../event-grid/overview.md). To trigger an event either before or after a schedule maintenance window, you require the following:

+1. **Schedule maintenance configuration** - You can create Pre and post events for a schedule maintenance configuration in Azure Update Manager. For more information, see [schedule updates using maintenance configurations](scheduled-patching.md).

+1. **Action to be performed in the pre or post event** - You can use the [Event handlers](../event-grid/event-handlers.md) (Endpoints) supported by Event Grid to define actions or tasks. Here are examples on how to create Azure Automation Runbooks via Webhooks and Azure Functions. Within these Event handlers/Endpoints, you must define the actions that should be performed as part of pre and post events.

+ 1. **Webhook** - [Create a PowerShell 7.2 Runbook](../automation/automation-runbook-types.md#powershell-runbooks) and [link the Runbook to a webhook](../automation/automation-webhooks.md).

+ 1. **Azure Function** - [Create an Azure Function](../azure-functions/functions-create-function-app-portal.md).

+1. **Pre and post event** - You can follow the steps shared in the following section to create a pre and post event for schedule maintenance configuration. To learn more about the terms used in the Basics tab of Event Grid, see [Event Grid](../event-grid/concepts.md) terms.

+## Create a pre and post event (preview)

+### Create pre and post events while creating a new schedule maintenance configuration

+#### [Using Azure portal](#tab/portal)

+1. Sign in to the [Azure portal](https://portal.azure.com/) and go to **Azure Update Manager**.

+2. Under **Manage**, select **Machines**.

+3. Select **Schedule updates** from the ribbon at the top.

+4. In the **Create a maintenance configuration** page, select the **Events** tab.

+5. Select **+Event Subscription** to create pre/post event.

+6. On the **Add Event Subscription** page, enter the following details:

+In the **Event Subscription Details** section, provide an appropriate name.

+ - Keep the schema as **Event Grid Schema**.

+ - Enter the **System Topic Name** for the first event you create in this maintenance configuration. The same System Topic name will be auto populated for the consequent events.

+ - In the **Event Types** section, **Filter to Event Types**, select the event types that you want to get pushed to the endpoint or destination. You can select either **Pre Maintenance Event** or **Post Maintenance Event** or both. To learn more about event types that are specific to schedule maintenance configurations, see [Azure Event Types](../event-grid/event-schema-maintenance-configuration.md).

+ - In the **Endpoint details** section, select the endpoint where you want to receive the response from.

+7. Select **Add** to create the pre and post events for the schedule upon its creation.

+ :::image type="content" source="./media/manage-pre-post-events/add-event-subscription.png" alt-text="Screenshot that shows how to add an event subscription." lightbox="./media/manage-pre-post-events/add-event-subscription.png":::

+> [!NOTE]

+> In the above flow, Webhook and Azure Functions are the two Event handlers/endpoints you can choose from. When you select **Add**, the event subscription is not created but added to the maintenance configuration. Event subscription is created along with the schedule maintenance configuration.

+#### [Using PowerShell](#tab/powershell)

+1. Create a maintenance configuration by following the steps listed [here](../virtual-machines/maintenance-configurations-powershell.md#guest).

+1. ```powershell-interactive

+ # Obtain the Maintenance Configuration ID from Step 1 and assign it to MaintenanceConfigurationResourceId variable

+

+ $MaintenanceConfigurationResourceId = "/subscriptions/<subId>/resourceGroups/<Resource group>/providers/Microsoft.Maintenance/maintenanceConfigurations/<Maintenance configuration Name>"

+

+ # Use the same Resource Group that you used to create maintenance configuration in Step 1

+

+ $ResourceGroupForSystemTopic = "<Resource Group for System Topic>"

+

+ $SystemTopicName = "<System topic name>"

+

+ $TopicType = "Microsoft.Maintenance.MaintenanceConfigurations"

+

+ $SystemTopicLocation = "<System topic location>"

+

+ # System topic creation

+

+ New-AzEventGridSystemTopic -ResourceGroupName $ResourceGroupForSystemTopic -Name $SystemTopicName -Source $MaintenanceConfigurationResourceId -TopicType $TopicType -Location $SystemTopicLocation

+

+ # Event subscription creation

+

+ $IncludedEventTypes = @("Microsoft.Maintenance.PreMaintenanceEvent")

+

+ # Webhook

+

+ $EventSubscriptionName = "PreEventWebhook"

+

+ $PreEventWebhookEndpoint = "<Webhook URL>"

+

+ New-AzEventGridSystemTopicEventSubscription -ResourceGroupName $ResourceGroupForSystemTopic -SystemTopicName $SystemTopicName -EventSubscriptionName $EventSubscriptionName -Endpoint $PreEventWebhookEndpoint -IncludedEventType $IncludedEventTypes

+

+ # Azure Function

+

+ $dest = New-AzEventGridAzureFunctionEventSubscriptionDestinationObject -ResourceId "<Azure Function Resource Id>"

+

+ New-AzEventGridSystemTopicEventSubscription -ResourceGroupName $ResourceGroupForSystemTopic -SystemTopicName $SystemTopicName -EventSubscriptionName $EventSubscriptionName -Destination $dest -IncludedEventType $IncludedEventTypes

+ ```

+#### [Using CLI](#tab/cli)

+1. Create a maintenance configuration by following the steps listed [here](../virtual-machines/maintenance-configurations-cli.md#guest-vms).

+1. ```azurecli-interactive

+ SystemTopicName="<System topic name>

+ # Use the same Resource Group that you used to create maintenance configuration in Step 1

+

+ ResourceGroupName="<Resource Group mentioned in Step 1>"

+

+ # Obtain the Maintenance Configuration ID from Step 1 and assign it to Source variable

+

+ Source="/subscriptions/<subId>/resourceGroups/<Resource group>/providers/Microsoft.Maintenance/maintenanceConfigurations/<Maintenance configuration Name>"

+

+ TopicType="Microsoft.Maintenance.MaintenanceConfigurations"

+

+ Location="<System topic location> "

+

+ # System topic creation

+

+ az eventgrid system-topic create --name $SystemTopicName --resource-group $ResourceGroupName --source $Source --topic-type $TopicType --location $Location

+

+ # Event subscription creation

+

+ IncludedEventTypes='("Microsoft.Maintenance.PreMaintenanceEvent")'

+

+ # Webhook

+

+ az eventgrid system-topic event-subscription create --name "<Event subscription name>" --resource-group $ResourceGroupName --system-topic-name $SystemTopicName --endpoint-type webhook --endpoint "<webhook URL>" --included-event-types IncludedEventTypes

+

+ # Azure Function

+

+ az eventgrid system-topic event-subscription create ΓÇôname "<Event subscription name>" --resource-group $ResourceGroupName --system-topic-name $SystemTopicName --endpoint-type azurefunction --endpoint "<Azure Function ResourceId>" --included-event-types IncludedEventTypes

+

+ ```

+#### [Using API](#tab/api)

+1. Create a maintenance configuration by following the steps listed [here](https://learn.microsoft.com/rest/api/maintenance/maintenance-configurations/create-or-update?view=rest-maintenance-2023-09-01-preview&tabs=HTTP).

+1. **# System topic creation [Learn more](/rest/api/eventgrid/controlplane/system-topics/create-or-update)**

+ ```rest

+ PUT /subscriptions/<subscription Id>/resourceGroups/<resource group name>/providers/Microsoft.EventGrid/systemTopics/<system topic name>?api-version=2022-06-15

+ ```

+

+ Request Body:

+ ```

+ {

+ "properties": {

+ "source": "/subscriptions/<subscription Id>/resourceGroups/<resource group>/providers/Microsoft.Maintenance/maintenanceConfigurations/<maintenance configuration name> ",

+ "topicType": "Microsoft.Maintenance.MaintenanceConfigurations"

+ },

+ "location": "<location>"

+ }

+ ```

+

+ **# Event subscription creation [Learn more](/rest/api/eventgrid/controlplane/system-topic-event-subscriptions/create-or-update)**

+

+ Allowed Event types - Microsoft.Maintenance.PreMaintenanceEvent, Microsoft.Maintenance.PostMaintenanceEvent

+

+ **Webhook**

+

+ ```rest

+ PUT /subscriptions/<subscription Id>/resourceGroups/<resource group name>/providers/Microsoft.EventGrid/systemTopics/<system topic name>/eventSubscriptions/<Event Subscription name>?api-version=2022-06-15

+ ```

+

+ Request Body:

+

+ ```

+ {

+ "properties": {

+ "destination": {

+ "endpointType": "WebHook",

+ "properties": {

+ "endpointUrl": "<Webhook URL>"

+ }

+ },

+ "filter": {

+ "includedEventTypes": [

+ "Microsoft.Maintenance.PreMaintenanceEvent"

+ ]

+ }

+ }

+ }

+ ```

+ **Azure Function**

+

+ ```rest

+ PUT /subscriptions/<subscription Id>/resourceGroups/<resource group name>/providers/Microsoft.EventGrid/systemTopics/<system topic name>/eventSubscriptions/<Event Subscription name>?api-version=2022-06-15

+ ```

+

+ **Request Body**

+ ```

+ {

+ "properties": {

+ "destination": {

+ "endpointType": "AzureFunction",

+ "properties": {

+ "resourceId": "<Azure Function Resource Id>"

+ }

+ }

+ },

+ "filter": {

+ "includedEventTypes": [

+ "Microsoft.Maintenance.PostMaintenanceEvent"

+ ]

+ }

+ }

+ ```

+

+### Create pre and post events on an existing schedule maintenance configuration

+#### [Using Azure portal](#tab/az-portal)

+1. Sign in to the [Azure portal](https://portal.azure.com) and go to **Azure Update Manager**.

+1. Under **Manage**, select **Machines**, **Maintenance Configurations**.

+1. In the **Maintenance Configuration** page, select the maintenance configuration to which you want to add a pre and post event.

+1. In the selected **Maintenance configuration** page, under **Settings**, select **Events**. Alternatively, under the **Overview**, select the card **Create a maintenance event**.

+

+ :::image type="content" source="./media/manage-pre-post-events/create-maintenance-event-inline.png" alt-text="Screenshot that shows the options to select to create a maintenance event." lightbox="./media/manage-pre-post-events/create-maintenance-event-expanded.png":::

+

+1. Select **+Event Subscription** to create Pre/Post Maintenance Event.

+ :::image type="content" source="./media/manage-pre-post-events/maintenance-events-inline.png" alt-text="Screenshot that shows the maintenance events." lightbox="./media/manage-pre-post-events/maintenance-events-expanded.png":::

+1. On the **Create Event Subscription** page, enter the following details:

+ - In the **Event Subscription Details** section, provide an appropriate name.

+ - Keep the schema as **Event Grid Schema**.

+ - In the **Topic Details** section, provide an appropriate name to the **System Topic Name**.

+ - In the **Event Types** section, **Filter to Event Types**, select the event types that you want to get pushed to the endpoint or destination. You can select between **Pre Maintenance Event** and **Post Maintenance Event**. To learn more about event types that are specific to schedule maintenance configurations, see [Azure Event Types](../event-grid/event-schema-maintenance-configuration.md).

+ - In the **Endpoint details** section, select the endpoint from where you want to receive the response from.

+

+ :::image type="content" source="./media/manage-pre-post-events/create-event-subscription.png" alt-text="Screenshot on how to create event subscription.":::

+1. Select **Create** to configure the pre and post events on an existing schedule.

+#### [Using PowerShell](#tab/az-powershell)

+```powershell-interactive

+ $MaintenanceConfigurationResourceId = "/subscriptions/<subId>/resourceGroups/<Resource group>/providers/Microsoft.Maintenance/maintenanceConfigurations/<Maintenance configuration Name>"

+

+ $ResourceGroupForSystemTopic = "<Resource Group for System Topic>"

+

+ $SystemTopicName = "<System topic name>"

+

+ $TopicType = "Microsoft.Maintenance.MaintenanceConfigurations"

+

+ $SystemTopicLocation = "<System topic location>"

+

+ # System topic creation

+

+ New-AzEventGridSystemTopic -ResourceGroupName $ResourceGroupForSystemTopic -Name $SystemTopicName -Source $MaintenanceConfigurationResourceId -TopicType $TopicType -Location $SystemTopicLocation

+

+ # Event subscription creation

+

+ $IncludedEventTypes = @("Microsoft.Maintenance.PreMaintenanceEvent")

+

+ # Webhook

+

+ $EventSubscriptionName = "PreEventWebhook"

+

+ $PreEventWebhookEndpoint = "<Webhook URL>"

+

+ New-AzEventGridSystemTopicEventSubscription -ResourceGroupName $ResourceGroupForSystemTopic -SystemTopicName $SystemTopicName -EventSubscriptionName $EventSubscriptionName -Endpoint $PreEventWebhookEndpoint -IncludedEventType $IncludedEventTypes

+

+ # Azure Function

+

+ $dest = New-AzEventGridAzureFunctionEventSubscriptionDestinationObject -ResourceId "<Azure Function Resource Id>"

+

+ New-AzEventGridSystemTopicEventSubscription -ResourceGroupName $ResourceGroupForSystemTopic -SystemTopicName $SystemTopicName -EventSubscriptionName $EventSubscriptionName -Destination $dest -IncludedEventType $IncludedEventTypes

+```

+#### [Using CLI](#tab/az-cli)

+```azurecli-interactive

+ SystemTopicName="<System topic name>

+ ResourceGroupName="<Resource Group for System Topic>"

+ Source="/subscriptions/<subId>/resourceGroups/<Resource group>/providers/Microsoft.Maintenance/maintenanceConfigurations/<Maintenance configuration Name>"

+

+ TopicType="Microsoft.Maintenance.MaintenanceConfigurations"

+

+ Location="<System topic location> "

+

+ # System topic creation

+

+ az eventgrid system-topic create --name $SystemTopicName --resource-group $ResourceGroupName --source $Source --topic-type $TopicType --location $Location

+

+ # Event subscription creation

+

+ IncludedEventTypes='("Microsoft.Maintenance.PreMaintenanceEvent")'

+

+ # Webhook

+

+ az eventgrid system-topic event-subscription create --name "<Event subscription name>" --resource-group $ResourceGroupName --system-topic-name $SystemTopicName --endpoint-type webhook --endpoint "<webhook URL>" --included-event-types IncludedEventTypes

+

+ # Azure Function

+

+ az eventgrid system-topic event-subscription create ΓÇôname "<Event subscription name>" --resource-group $ResourceGroupName --system-topic-name $SystemTopicName --endpoint-type azurefunction --endpoint "<Azure Function ResourceId>" --included-event-types IncludedEventTypes

+```

+#### [Using API](#tab/az-api)

+**# System topic creation [Learn more](/rest/api/eventgrid/controlplane/system-topics/create-or-update)**

+```rest

+PUT /subscriptions/<subscription Id>/resourceGroups/<resource group name>/providers/Microsoft.EventGrid/systemTopics/<system topic name>?api-version=2022-06-15

+```

+

+Request Body:

+```

+{

+ "properties": {

+ "source": "/subscriptions/<subscription Id>/resourceGroups/<resource group>/providers/Microsoft.Maintenance/maintenanceConfigurations/<maintenance configuration name> ",

+ "topicType": "Microsoft.Maintenance.MaintenanceConfigurations"

+ },

+ "location": "<location>"

+}

+```

+**# Event subscription creation [Learn more](/rest/api/eventgrid/controlplane/system-topic-event-subscriptions/create-or-update)**

+Allowed Event types - Microsoft.Maintenance.PreMaintenanceEvent, Microsoft.Maintenance.PostMaintenanceEvent

+

+**Webhook**

+

+```rest

+PUT /subscriptions/<subscription Id>/resourceGroups/<resource group name>/providers/Microsoft.EventGrid/systemTopics/<system topic name>/eventSubscriptions/<Event Subscription name>?api-version=2022-06-15

+```

+

+Request Body:

+```

+{

+ "properties": {

+ "destination": {

+ "endpointType": "WebHook",

+ "properties": {

+ "endpointUrl": "<Webhook URL>"

+ }

+ },

+ "filter": {

+ "includedEventTypes": [

+ "Microsoft.Maintenance.PreMaintenanceEvent"

+ ]

+ }

+ }

+}

+```

+**Azure Function**

+```rest

+PUT /subscriptions/<subscription Id>/resourceGroups/<resource group name>/providers/Microsoft.EventGrid/systemTopics/<system topic name>/eventSubscriptions/<Event Subscription name>?api-version=2022-06-15

+```

+

+**Request Body**

+```

+{

+ "properties": {

+ "destination": {

+ "endpointType": "AzureFunction",

+ "properties": {

+ "resourceId": "<Azure Function Resource Id>"

+ }

+ }

+ },

+ "filter": {

+ "includedEventTypes": [

+ "Microsoft.Maintenance.PostMaintenanceEvent"

+ ]

+ }

+}

+```

+## Next steps

+- For an overview of pre and post events (preview) in Azure Update Manager, refer [here](pre-post-scripts-overview.md).

+- To learn on how to manage pre and post events or to cancel a schedule run, see [pre and post maintenance configuration events](manage-pre-post-events.md).

+- To learn how to use pre and post events to turn on and off your VMs using Webhooks, refer [here](tutorial-webhooks-using-runbooks.md).

+- To learn how to use pre and post events to turn on and off your VMs using Azure Functions, refer [here](tutorial-using-functions.md).

+## Using Application Health Extension

+### Keep credentials up to date

+If your scale set uses any credentials to access external resources, such as a VM extension configured to use a SAS token for storage account, then ensure that the credentials are updated. If any credentials, including certificates and tokens, have expired, the upgrade will fail and the first batch of VMs will be left in a failed state.

+The recommended steps to recover VMs and re-enable automatic OS upgrade if there's a resource authentication failure are:

+* Regenerate the token (or any other credentials) passed into your extension(s).

+* Ensure that any credential used from inside the VM to talk to external entities is up to date.

+* Update extension(s) in the scale set model with any new tokens.

+* Deploy the updated scale set, which will update all VM instances including the failed ones.

+## Leverage Activity Logs for Upgrade Notifications and Insights

+[Activity Log](https://learn.microsoft.com/azure/azure-monitor/essentials/activity-log?tabs=powershell) is a subscription log that provides insight into subscription-level events that have occurred in Azure. Customers are able to:

+* See events related to operations performed on their resources in Azure portal

+* Create action groups to tune notification methods like email, sms, webhooks, or ITSM

+* Set up suitable alerts using different criteria using Portal, ARM resource template, PowerShell or CLI to be sent to action groups

+Customers will receive three types of notifications related to Automatic OS Upgrade operation:

+* Submission of upgrade request for a particular resource

+* Outcome of submission request along with any error details

+* Outcome of upgrade completion along with any error details

+### Setting up Action Groups for Activity log alerts

+An [action group](https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups) is a collection of notification preferences defined by the owner of an Azure subscription. Azure Monitor and Service Health alerts use action groups to notify users that an alert has been triggered.

+Action groups can be created and managed using:

+* [ARM Resource Manager](https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups#create-an-action-group-with-a-resource-manager-template)

+* [Portal](https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups#create-an-action-group-in-the-azure-portal)

+* PowerShell:

+ * [New-AzActionGroup](https://learn.microsoft.com/powershell/module/az.monitor/new-azactiongroup?view=azps-12.0.0)

+ * [Get-AzActionGroup](https://learn.microsoft.com/powershell/module/az.monitor/get-azactiongroup?view=azps-12.0.0)

+ * [Remove-AzActionGroup](https://learn.microsoft.com/powershell/module/az.monitor/remove-azactiongroup?view=azps-12.0.0)

+* [CLI](https://learn.microsoft.com/cli/azure/monitor/action-group?view=azure-cli-latest#az-monitor-action-group-create)

+Customers can set up the following using action groups:

+* [SMS and/or Email notifications](https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups#email-azure-resource-manager)

+* [Webhooks](https://learn.microsoft.com/azure/azure-monitor/alerts/action-groups#webhook) - Customers can attach webhooks to their automation runbooks and configure their action groups to trigger the runbooks. You can start a runbook from a [webhook](https://docs.microsoft.com/azure/automation/automation-webhooks)

+* [ITSM Connections](https://learn.microsoft.com/azure/azure-monitor/alerts/itsmc-overview)

+The Msv3 and Mdsv3 Medium Memory(MM) Virtual Machine (VM) series, powered by 4^th generation Intel® Xeon® Scalable processors, are the next generation of memory-optimized VM sizes delivering faster performance, lower total cost of ownership (TCO) and improved resilience to failures compared to previous generation Mv2 VMs. The Mv3 MM offers VM sizes of up to 4TB of memory and 4,000 MBps throughout to remote storage and provides up to 25% networking performance improvements over previous generations.

+[Write Accelerator](./how-to-enable-write-accelerator.md): Supported<br>

+[Write Accelerator](./how-to-enable-write-accelerator.md): Supported<br>

+1. Under **Role**, select **Reader**.

+ --role "Reader" \

+ -RoleDefinitionName Reader `

+* **Profile XML:** You can modify the downloaded profile xml file and add the **\<includeroutes>\<route>\<destination>\<mask> \</destination>\</mask>\</route>\</includeroutes>** tags.

+# Configure P2S for access based on users and groups - Microsoft Entra ID authentication - manual app registration

+When you use Microsoft Entra ID as the authentication method for point-to-site (P2S), you can configure P2S to allow different access for different users and groups. This article helps you set up a Microsoft Entra tenant for P2S Microsoft Entra authentication and create and register multiple VPN apps in Microsoft Entra ID to allow different access for different users and groups. For more information about P2S protocols and authentication, see [About point-to-site VPN](point-to-site-about.md).

+Considerations:

+* You can't create this type of granular access if you have only one VPN gateway.

+* To assign different users and groups different access, register multiple apps with Microsoft Entra ID and then link them to different VPN gateways.

+* Microsoft Entra ID authentication is supported only for OpenVPN® protocol connections and requires the Azure VPN Client.

+ The global administrator account is used to grant consent to the Azure VPN app registration. The user account can be used to test OpenVPN authentication.

+1. Assign one of the accounts the **Global administrator** role. For steps, see [Assign user roles with Microsoft Entra ID](/entra/fundamentals/users-assign-role-azure-portal).

+In this section, you can register additional applications for various users and groups. Repeat the steps to create as many applications that are needed for your security requirements.

+* You must have more than one VPN gateway to configure this type of granular access.

+* Each application is associated to a different VPN gateway and can have a different set of users.

+1. On the **Register an application** page, enter the **Name**. For example, MarketingVPN or Group1. You can always change the name later.

+1. Copy the **Application (client) ID** from the **Overview** page and save it so that you can access this value later. You'll need this information to configure your VPN gateways.

+1. From the list, locate the application you registered and click to open it.

+ * **Audience ID**: Use the value that you created in the previous section that corresponds to **Application (client) ID**. Don't use the application ID for "Azure VPN" Microsoft Entra Enterprise App - use application ID that you created and registered. If you use the application ID for the "Azure VPN" Microsoft Entra Enterprise App instead, this grants all users access to the VPN gateway (which would be the default way to set up access), instead of granting only the users that you assigned to the application that you created and registered.

+Locate and unzip the VPN client profile configuration package you generated (listed in the [Prequisites](#prerequisites)). For P2S **Certificate authentication** and with an **OpenVPN** tunnel type, you'll see the **AzureVPN** folder. In the AzureVPN folder, locate the **azurevpnconfig.xml** file. This file contains the settings you use to configure the VPN client profile.

+For additional steps, return to the [P2S Azure portal](vpn-gateway-howto-point-to-site-resource-manager-portal.md) article.

+## <a name="active"></a>Active-active VPN gateways

+You can create an Azure VPN gateway in an active-active configuration, where both instances of the gateway VMs establish S2S VPN tunnels to your on-premises VPN device.

+For information about using active-active gateways in a highly available connectivity scenario, see [About highly available connectivity](vpn-gateway-highlyavailable.md).

+In this exercise, you create the required virtual networks (VNets) and VPN gateways. We have steps to connect VNets within the same subscription, as well as steps and commands for the more complicated scenario to connect VNets in different subscriptions.

+The Azure CLI command to create a connection is [az network vpn-connection](/cli/azure/network/vpn-connection). If you're connecting VNets from different subscriptions, use the steps in this article or in the [PowerShell](vpn-gateway-vnet-vnet-rm-ps.md) article. If you already have VNets that you want to connect and they're in the same subscription, you might want to use the [Azure portal](vpn-gateway-howto-vnet-vnet-resource-manager-portal.md) steps instead because the process is less complicated. Note that you can't connect VNets from different subscriptions using the Azure portal.

+In this exercise, you create the required virtual networks (VNets) and VPN gateways. We have steps to connect VNets within the same subscription, as well as steps and commands for the more complicated scenario to connect VNets in different subscriptions.

+The PowerShell cmdlet to create a connection is [New-AzVirtualNetworkGatewayConnection](/powershell/module/az.network/new-azvirtualnetworkgatewayconnection). The `-ConnectionType` is `Vnet2Vnet`. If you're connecting VNets from different subscriptions, use the steps in this article or in the [Azure CLI](vpn-gateway-howto-vnet-vnet-cli.md) article. If you already have VNets that you want to connect and they're in the same subscription, you might want to use the [Azure portal](vpn-gateway-howto-vnet-vnet-resource-manager-portal.md) steps instead because the process is less complicated. Note that you can't connect VNets from different subscriptions using the Azure portal.