+| <ul><li>NewUnifiedGroupWritebackDefault<li>Type: Boolean<li>Default: "True" |The flag that allows an admin to create new Microsoft 365 groups without setting the groupWritebackConfiguration resource type in the request payload. This setting is applicable when group writeback is configured in Azure AD Connect. "NewUnifiedGroupWritebackDefault" is a global Microfot 365 group setting. Default value is true. Updating the setting value to false will change the default writeback behavior for newly created Microsoft 365 groups, and will not change isEnabled property value for existing Microsoft 365 groups. Group admin will need to explicitly update the group isEnabled property value to change the writeback state for existing Microsoft 365 groups. |

+Managing access to all the resources employees need, such as groups, applications, and sites, is an important function for organizations. You want to grant employees the right level of access they need to be productive and remove their access when it's no longer needed.

+In this tutorial, you work for Woodgrove Bank as an IT administrator. You've been asked to create a package of resources for a marketing campaign that internal users can use to self-service request. Requests don't require approval and user's access expires after 30 days. For this tutorial, the marketing campaign resources are just membership in a single group, but it could be a collection of groups, applications, or SharePoint Online sites.

+

+1. In the left navigation, select **Azure Active Directory**.

+1. [Create two users](../fundamentals/add-users-azure-active-directory.md). Use the following names or different names.

+ | **Admin1** | Global administrator, or User administrator. This user can be the user you're currently signed in. |

+4. [Create an Azure AD security group](../fundamentals/active-directory-groups-create-azure-portal.md) named **Marketing resources** with a membership type of **Assigned**. This group will be the target resource for entitlement management. The group should be empty of members to start.

+

+1. In the Azure portal, in the left navigation, select **Azure Active Directory**.

+1. In the left menu, select **Identity Governance**

+1. In the left menu, select **Access packages**. If you see **Access denied**, ensure that an Azure AD Premium P2 license is present in your directory.

+1. Select **New access package**.

+ 

+1. On the **Basics** tab, type the name *Marketing Campaign* access package and description *Access to resources for the campaign*.

+1. Leave the **Catalog** drop-down list set to **General**.

+ 

+1. Select **Next** to open the **Resource roles** tab. On this tab, select the resources and the resource role to include in the access package. You can choose to manage access to groups and teams, applications, and SharePoint Online sites. In this scenario, select **Groups and Teams**.

+ 

+1. In the **Select groups** pane, find and select the **Marketing resources** group you created earlier.

+ 

+1. Choose **Select** to add the group to the list.

+1. In the **Role** drop-down list, select **Member**. If you select the Owner role, it allows users to add or remove other members or owners. For more information on selecting the appropriate roles for a resource, read [add resource roles](entitlement-management-access-package-resources.md#add-resource-roles).

+ :::image type="content" source="./media/entitlement-management-access-package-first/resource-roles.png" alt-text="Screenshot the shows how to select the member role." lightbox="./media/entitlement-management-access-package-first/resource-roles.png":::

+ >The [role-assignable groups](../roles/groups-concept.md) added to an access package will be indicated using the Sub Type **Assignable to roles**. For more information, check out the [Create a role-assignable group](../roles/groups-create-eligible.md) article. Keep in mind that once a role-assignable group is present in an access package catalog, administrative users who are able to manage in entitlement management, including global administrators, user administrators and catalog owners of the catalog, will be able to control the access packages in the catalog, allowing them to choose who can be added to those groups. If you don't see a role-assignable group that you want to add or you are unable to add it, make sure you have the required Azure AD role and entitlement management role to perform this operation. You might need to ask someone with the required roles add the resource to your catalog. For more information, see [Required roles to add resources to a catalog](entitlement-management-delegate.md#required-roles-to-add-resources-to-a-catalog).

+ > 

+1. Select **Next** to open the **Requests** tab. On the Requests tab, you create a request policy. A *policy* defines the rules or guardrails to access an access package. You create a policy that allows a specific user in the resource directory to request this access package.

+1. In the **Users who can request access** section, select **For users in your directory** and then select **Specific users and groups**.

+ :::image type="content" source="./media/entitlement-management-access-package-first/new-access-package-requests.png" alt-text="Screenshot of the access package requests tab." lightbox="./media/entitlement-management-access-package-first/new-access-package-requests.png":::

+1. Select **Add users and groups**.

+1. In the Select users and groups pane, select the **Requestor1** user you created earlier.

+ 

+1. Choose **Select** to add the user to the list.

+1. Scroll down to the **Approval** and **Enable requests** sections.

+1. Leave **Require approval** set to **No**.

+1. For **Enable requests**, select **Yes** to enable this access package to be requested as soon as it's created.

+1. Select **Next** to open the **Requestor information** tab.

+ 

+1. On the **Requestor information** tab, you can ask questions to collect more information from the requestor. The questions are shown on the request form and can be either required or optional. In this scenario, you haven't been asked to include requestor information for the access package, so you can leave these boxes empty. Select **Next** to open the **Lifecycle** tab.

+1. On the **Lifecycle** tab, you specify when a user's assignment to the access package expires. You can also specify whether users can extend their assignments. In the **Expiration** section:

+ 1. Set the **Access package assignments expire** to **Number of days**.

+ 1. Set the **Assignments expire after** to **30** days.

+ 1. Leave the **Users can request specific timeline** default value, **Yes**.

+ 1. Set the **Require access reviews** to **No**.

+ 

+1. Skip the **Custom extensions (Preview)** step.

+1. Select **Next** to open the **Review + Create** tab.

+1. On the **Review + Create** tab, select **Create**. After a few moments, you should see a notification that the access package was successfully created.

+1. In left menu of the Marketing Campaign access package, select **Overview**.

+1. Copy the **My Access portal link**.

+ 

+1. In the **Business justification** box, type the justification *I'm working on the new marketing campaign*.

+ 

+1. Select **Submit**.

+1. In the left menu, select **Request history** to verify that your request was delivered. For more details, select **View**.

+ 

+In this step, you confirm that the **internal requestor** was assigned the access package and that they're now a member of the **Marketing resources** group.

+1. Select **Azure Active Directory** and then select **Identity Governance**.

+1. In the left menu, select **Access packages**.

+1. Find and select **Marketing Campaign** access package.

+1. In the left menu, select **Requests**.

+1. Select the request to see the request details.

+ :::image type="content" source="./media/entitlement-management-access-package-first/request-details.png" alt-text="Screenshot of the access package request details." lightbox="./media/entitlement-management-access-package-first/request-details.png":::

+1. In the left navigation, select **Azure Active Directory**.

+1. Select **Groups** and open the **Marketing resources** group.

+1. Select **Members**.

+ 

+1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

+1. Select **Assignments**.

+1. For **Requestor1**, select the ellipsis (**...**) and then select **Remove access**. In the message that appears, select **Yes**.

+1. Select **Resource roles**.

+1. For **Marketing resources**, select the ellipsis (**...**) and then select **Remove resource role**. In the message that appears, select **Yes**.

+1. For **Marketing Campaign**, select the ellipsis (**...**) and then select **Delete**. In the message that appears, select **Yes**.

+To set up group writeback for Microsoft 365 groups in access packages, you must complete the following prerequisites:

+Using group writeback, you can now sync Microsoft 365 groups that are part of access packages to on-premises Active Directory. To sync the groups, follow the steps below:

+1. Create an Azure Active Directory Microsoft 365 group.

+1. After you've assigned a user to the access package, confirm that the user is now a member of the on-premises group once Azure AD Connect Sync cycle completes:

+1. In the Azure portal, select **Azure Active Directory** and then select **Identity Governance**.

+1. To create a new access policy, in the left menu, select **Access packages**, then select **New access** package.

+1. To edit an existing access policy, in the left menu, select **Access packages** and open the access package you want to edit. Then, in the left menu, select **Policies** and select the policy that has the lifecycle settings you want to edit.

+Employees in organizations need access to various groups, applications, and SharePoint Online sites to perform their job. Managing this access is challenging, as requirements change. New applications are added or users need more access rights. This scenario gets more complicated when you collaborate with outside organizations. You may not know who in the other organization needs access to your organization's resources, and they won't know what applications, groups, or sites your organization is using.

+- Control who can get access to applications, groups, Teams and SharePoint sites, with multi-stage approval, and ensure users don't retain access indefinitely through time-limited assignments and recurring access reviews.

+- Select connected organizations whose users can request access. When a user who isn't yet in your directory requests access, and is approved, they're automatically invited into your directory and assigned access. When their access expires, if they have no other access package assignments, their B2B account in your directory can be automatically removed.

+

+- Either the already-existing users (typically employees or already-invited guests), or the partner organizations of external users that are eligible to request access

+

+Access packages don't replace other mechanisms for access assignment. They're most appropriate in situations such as:

+- Employees need time-limited access for a particular task. For example, you might use group-based licensing and a dynamic group to ensure all employees have an Exchange Online mailbox, and then use access packages for situations in which employees need more access rights. For example, rights to read departmental resources from another department.

+| resource role | A collection of permissions associated with and defined by a resource. A group has two roles - member and owner. SharePoint sites typically have three roles but may have other custom roles. Applications can have custom roles. |

+Specialized clouds, such as Azure Germany, and Azure China 21Vianet, aren't currently available for use.

+| A Global Administrator at Woodgrove Bank creates initial catalogs and delegates administrative tasks to six other users. One of the policies specifies that **All employees** (2,000 employees) can request a specific set of access packages. 150 employees request the access packages. | 2,000 employees who **can** request the access packages | 2,000 |

+| A Global Administrator at Woodgrove Bank creates initial catalogs and delegates administrative tasks to six other users. One of the policies specifies that **All employees** (2,000 employees) can request a specific set of access packages. Another policy specifies that some users from **Users from partner Contoso** (guests) can request the same access packages subject to approval. Contoso has 30,000 users. 150 employees request the access packages and 10,500 users from Contoso request access. | 2,000 employees need licenses, guest users are billed on a monthly active user basis and no additional licenses are required for them. * | 2,000 |

+- If you're interested in using the Azure portal to manage access to resources, see [Tutorial: Manage access to resources - Azure portal](entitlement-management-access-package-first.md).

+- if you're interested in using Microsoft Graph to manage access to resources, see [Tutorial: manage access to resources - Microsoft Graph](/graph/tutorial-access-package-api?toc=/azure/active-directory/governance/toc.json&bc=/azure/active-directory/governance/breadcrumb/toc.json)

+1. **Collect the roles and permissions that each application provides.** Some applications may have only a single role, for example, an application that only has the role "User". More complex applications may surface multiple roles to be managed through Azure AD. These application roles typically make broad constraints on the access a user with that role would have within the app. For example, an application that has an administrator persona might have two roles, "User" and "Administrator". Other applications may also rely upon group memberships or claims for finer-grained role checks, which can be provided to the application from Azure AD in provisioning or claims issued using federation SSO protocols, or written to AD as a security group membership. Finally, there may be roles that don't surface in Azure AD - perhaps the application doesn't permit defining the administrators in Azure AD, instead relying upon its own authorization rules to identify administrators.

+1. **Bring the application web endpoint into scope of the appropriate conditional access policy**. If you have an existing conditional access policy that was created for another application subject to the same governance requirements, you could update that policy to have it apply to this application as well, to avoid having a large number of policies. Once you have made the updates, check to ensure that the expected policies are being applied. You can see what policies would apply to a user with the [Conditional Access what if tool](../conditional-access/troubleshoot-conditional-access-what-if.md).

+* The application relies upon user or group lists that are provided to the application by Azure AD. This fulfillment could be done through a provisioning protocol such as SCIM, by the application querying Azure AD via Microsoft Graph, or the application using AD Kerberos to obtain a user's group memberships.

+ * If this application uses AD, then configure group writeback, and either update the application to use the Azure AD-created groups, or nest the Azure AD-created groups into the applications' existing AD security groups.

+ |Application supports| Next steps|

+ |-|--|

+ | Kerberos | Configure Azure AD Connect [group writeback to AD](../hybrid/how-to-connect-group-writeback-v2.md), create groups in Azure AD and [write those groups to AD](../enterprise-users/groups-write-back-portal.md) |

+ * Otherwise, if this is an on-premises or IaaS hosted application, and is not integrated with AD, then configure provisioning to that application, either via SCIM or to the underlying database or directory of the application.

+1. If the application was not using Azure AD or AD, bring in any [existing users and create application role assignments](identity-governance-applications-existing-users.md) for them. If the application was using AD security groups, then you'll need to review the membership of those security groups.

+1. If the application had its own directory or database and wasn't integrated for provisioning, then once the review is complete, you may need to manually update the application's internal database or directory to remove those users who were denied.

+1. If the application was using AD security groups, and those groups were created in AD, then once the review is complete, you'll need to manually update the AD groups to remove memberships of those users who were denied. Subsequently, to have denied access rights removed automatically, you can either update the application to use an AD group that was created in Azure AD and [written back to Azure AD](../enterprise-users/groups-write-back-portal.md), or move the membership from the AD group to the Azure AD group, and nest the written back group as the only member of the AD group.

+Identity Governance helps organizations achieve a balance between productivity. How quickly can a person have access to the resources they need, such as when they join my organization? And security. And how should their access change over time, such as due to changes to that person's employment status?

+

+A digital identity is information on an entity used by one or more computing resources, such as operating systems or applications. These entities may represent people, organizations, applications, or devices. The identity is usually described by the attributes that are associated with it, such as the name, identifiers, and properties such as roles used for access management. These attributes help systems make determinations such who has access to what, and who is allowed to use that resource.

+Managing digital identities is a complex task, especially as it relates correlating real-world objects, such as a person and their relationship with an organization as an employee of that organization, with a digital representation. In small organizations, keeping the digital representation of individuals who require an identity can be a manual process. For example, when someone is hired, or a contractor arrives, an IT specialist can create an account for them in a directory, and assign them the access they need. However, in mid-size and large organizations, automation can enable the organization to scale more effectively and keep the identities accurate.

+1. Determine whether there are already systems of record - data sources, which the organization treats as authoritative. For example, the organization may have an HR system Workday, and that system is authoritative for providing the current list of employees, and some of their properties such as the employee's name or department. Or an email system such as Exchange Online may be authoritative for an employee's email address.

+2. Connect those systems of record with one or more directories and databases used by applications, and resolve any inconsistencies between the directories and the systems of record. For example, a directory may have obsolete data, such as an account for a former employee that is no longer needed.

+3. Determine what processes can be used to supply authoritative information in the absence of a system of record. For example, if there are digital identities for visitors, but the organization has no database for visitors, then it may be necessary to find an alternate way to determine when a digital identity for a visitor is no longer needed.

+When planning identity lifecycle management for employees, or other individuals with an organizational relationship such as a contractor or student, many organizations model the "join, move, and leave" as following process:

+- Join - when an individual comes into scope of needing access, an identity is needed by those applications, so a new digital identity may need to be created if one isn't already available

+- Move - when an individual moves between boundaries that require additional access authorizations to be added or removed to their digital identity

+- Leave - when an individual leaves the scope of needing access, access may need to be removed, and subsequently the identity may no longer be required by applications other than for audit or forensics purposes

+So for example, if a new employee joins your organization and that employee has never been affiliated with your organization before, that employee will require a new digital identity, represented as a user account in Azure AD. The creation of this account would fall into a "Joiner" process, which could be automated if there was a system of record such as Workday that could indicate when the new employee starts work. Later, if your organization has an employee move from say, Sales to Marketing, they would fall into a "Mover" process. This move would require removing the access rights they had in the Sales organization, which they no longer require, and granting them rights in the Marketing organization that they new require.

+Provisioning and deprovisioning are the processes that ensure consistency of digital identities across multiple systems. These processes are typically used as part of [identity lifecycle management](what-is-identity-lifecycle-management.md).

+For example, when a new employee joins your organization, that employee is entered in to the HR system. At that point, provisioning **from** HR **to** Azure Active Directory (Azure AD) can create a corresponding user account in Azure AD. Applications which query Azure AD can see the account for that new employee. If there are applications that don't use Azure AD, then provisioning **from** Azure AD **to** those applications' databases, ensures that the user will be able to access all of the applications that the user needs access to. This process allows the user to start work and have access to the applications and systems they need on day one. Similarly, when their properties, such as their department or employment status, change in the HR system, synchronization of those updates from the HR system to Azure AD, and furthermore to other applications and target databases, ensures consistency.

+

+

+The most common scenario would be, when a new employee joins your company, they're entered into the HR system. Once that occurs, they're automatically provisioned as a new user in Azure AD, without needing administrative involvement for each new hire. In general, provisioning from HR can cover the following scenarios.

+- **Hiring new employees** - When a new employee is added to an HR system, a user account is automatically created in Active Directory, Azure AD, and optionally in the directories for other applications supported by Azure AD, with write-back of the email address to the HR system.

+- **Employee rehires** - When an employee is rehired in cloud HR, their old account can be automatically reactivated or reprovisioned (depending on your preference).

+1. For organizations with a single subscription to Workday or SuccessFactors, and don't use Active Directory

+

+

+As many organizations historically have deployed HR-driven provisioning on-premises, they may already have user identities for all their employees in Active Directory. The most common scenario for inter-directory provisioning is when a user already in Active Directory is provisioned into Azure AD. This provisioning is usually accomplished by Azure AD Connect sync or Azure AD Connect cloud provisioning.

+In addition, organizations may wish to also provision to on-premises systems from Azure AD. For example, an organization may have brought guests into the Azure AD directory, but those guests will need access to on-premises Windows Integrated Authentication (WIA) based web applications via the app proxy. This scenario requires the provisioning of on-premises AD accounts for those users in Azure AD.

+## Next steps

+## I'm using Alias minor version, but I can't seem to upgrade in the same minor version? Why?

+When upgrading by alias minor version, only a higher minor version is supported. For example, upgrading from 1.14.x to 1.14 will not trigger an upgrade to the latest GA 1.14 patch, but upgrading to 1.15 will trigger an upgrade to the latest GA 1.15 patch.

+* Event hub must be at least Standard tier. Basic tier is not supported.

+> After completion of migration, smart detection settings must be configured using smart detection alert rule templates, and can no longer be configured using the [Application Insights Resource Manager template](./proactive-arm-config.md#smart-detection-rule-configuration).

+- [Learn more about smart detection in Application Insights](./proactive-diagnostics.md)

+- Learn more about [Smart Detection](proactive-failure-diagnostics.md).

+ Title: Security detection Pack with Azure Application Insights

+description: Monitor application with Azure Application Insights and smart detection for potential security issues.

+# Application security detection pack (preview)

+Smart detection automatically analyzes the telemetry generated by your application, and detects potential security issues. It enables you to identify potential security problems. You can mitigate these problems by fixing the application, or by taking the necessary security measures.

+This feature requires no special setup, other than [configuring your app to send telemetry](../app/usage-overview.md).

+## When would I get this type of smart detection notification?

+There are three types of security issues that are detected:

+1. Insecure URL access: a URL in the application is accessible via both HTTP and HTTPS. Typically, a URL that accepts HTTPS requests shouldn't accept HTTP requests. This detection may indicate a bug or security issue in your application.

+2. Insecure form: a form (or other "POST" request) in the application uses HTTP instead of HTTPS. Using HTTP can compromise the user data that is sent by the form.

+3. Suspicious user activity: the same user accesses the application from multiple countries or regions, around the same time. For example, the same user accessed the application from Spain and the United States within the same hour. This detection indicates a potentially malicious access attempt to your application.

+## Does my app definitely have a security issue?

+A notification doesn't mean that your app definitely has a security issue. A detection of any of the scenarios above can, in many cases, indicate a security issue. In other cases, the detection may have a natural business justification, and can be ignored.

+## How do I fix the "Insecure URL access" detection?

+1. **Triage.** The notification provides the number of users who accessed insecure URLs, and the URL that was most affected by insecure access. This information can help you assign a priority to the problem.

+3. **Scope.** What percentage of the users accessed insecure URLs? How many URLs were affected? This information can be obtained from the notification.

+4. **Diagnose.** The detection provides the list of insecure requests, and the lists of URLs and users that were affected, to help you further diagnose the issue.

+## How do I fix the "Insecure form" detection?

+1. **Triage.** The notification provides the number of insecure forms, and number of users whose data was potentially compromised. This information can help you assign a priority to the problem.

+2. **Scope.** Which form was involved in the largest number of insecure transmissions, and what is the distribution of insecure transmissions over time? This information can be obtained from the notification.

+3. **Diagnose.** The detection provides the list of insecure forms, and a breakdown of insecure transmissions for each form, to help you further diagnose the issue.

+## How do I fix the "Suspicious user activity" detection?

+1. **Triage.** The notification provides the number of different users that presented the suspicious behavior. This information can help you assign a priority to the problem.

+2. **Scope.** From which countries or regions did the suspicious requests originate? Which user was the most suspicious? This information can be obtained from the notification.

+3. **Diagnose.** The detection provides the list of suspicious users and the list of countries or regions for each user, to help you further diagnose the issue.

+ Title: Smart detection rule settings - Azure Application Insights

+description: Automate management and configuration of Azure Application Insights smart detection rules with Azure Resource Manager Templates

+# Manage Application Insights smart detection rules using Azure Resource Manager templates

+>[!NOTE]

+>You can migrate your Application Insight resources to alerts-bases smart detection (preview). The migration creates alert rules for the different smart detection modules. Once created, you can manage and configure these rules just like any other Azure Monitor alert rules. You can also configure action groups for these rules, thus enabling multiple methods of taking actions or triggering notification on new detections.

+>

+> See [Smart Detection Alerts migration](./alerts-smart-detections-migration.md) for more details on the migration process and the behavior of smart detection after the migration.

+>

+Smart detection rules in Application Insights can be managed and configured using [Azure Resource Manager templates](../../azure-resource-manager/templates/syntax.md).

+This method can be used when deploying new Application Insights resources with Azure Resource Manager automation, or for modifying the settings of existing resources.

+## Smart detection rule configuration

+You can configure the following settings for a smart detection rule:

+- If the rule is enabled (the default is **true**.)

+- If emails should be sent to users associated to the subscriptionΓÇÖs [Monitoring Reader](../../role-based-access-control/built-in-roles.md#monitoring-reader) and [Monitoring Contributor](../../role-based-access-control/built-in-roles.md#monitoring-contributor) roles when a detection is found (the default is **true**.)

+- Any additional email recipients who should get a notification when a detection is found.

+ - Email configuration is not available for Smart Detection rules marked as _preview_.

+To allow configuring the rule settings via Azure Resource Manager, the smart detection rule configuration is now available as an inner resource within the Application Insights resource, named **ProactiveDetectionConfigs**.

+For maximal flexibility, each smart detection rule can be configured with unique notification settings.

+## Examples

+Below are a few examples showing how to configure the settings of smart detection rules using Azure Resource Manager templates.

+All samples refer to an Application Insights resource named _ΓÇ£myApplicationΓÇ¥_, and to the "long dependency duration smart detection rule", which is internally named _ΓÇ£longdependencydurationΓÇ¥_.

+Make sure to replace the Application Insights resource name, and to specify the relevant smart detection rule internal name. Check the table below for a list of the corresponding internal Azure Resource Manager names for each smart detection rule.

+### Disable a smart detection rule

+```json

+{

+ "apiVersion": "2018-05-01-preview",

+ "name": "myApplication",

+ "type": "Microsoft.Insights/components",

+ "location": "[resourceGroup().location]",

+ "properties": {

+ "Application_Type": "web"

+ },

+ "resources": [

+ {

+ "apiVersion": "2018-05-01-preview",

+ "name": "longdependencyduration",

+ "type": "ProactiveDetectionConfigs",

+ "location": "[resourceGroup().location]",

+ "dependsOn": [

+ "[resourceId('Microsoft.Insights/components', 'myApplication')]"

+ ],

+ "properties": {

+ "name": "longdependencyduration",

+ "sendEmailsToSubscriptionOwners": true,

+ "customEmails": [],

+ "enabled": false

+ }

+ }

+ ]

+ }

+```

+### Disable sending email notifications for a smart detection rule

+```json

+{

+ "apiVersion": "2018-05-01-preview",

+ "name": "myApplication",

+ "type": "Microsoft.Insights/components",

+ "location": "[resourceGroup().location]",

+ "properties": {

+ "Application_Type": "web"

+ },

+ "resources": [

+ {

+ "apiVersion": "2018-05-01-preview",

+ "name": "longdependencyduration",

+ "type": "ProactiveDetectionConfigs",

+ "location": "[resourceGroup().location]",

+ "dependsOn": [

+ "[resourceId('Microsoft.Insights/components', 'myApplication')]"

+ ],

+ "properties": {

+ "name": "longdependencyduration",

+ "sendEmailsToSubscriptionOwners": false,

+ "customEmails": [],

+ "enabled": true

+ }

+ }

+ ]

+ }

+```

+### Add additional email recipients for a smart detection rule

+```json

+{

+ "apiVersion": "2018-05-01-preview",

+ "name": "myApplication",

+ "type": "Microsoft.Insights/components",

+ "location": "[resourceGroup().location]",

+ "properties": {

+ "Application_Type": "web"

+ },

+ "resources": [

+ {

+ "apiVersion": "2018-05-01-preview",

+ "name": "longdependencyduration",

+ "type": "ProactiveDetectionConfigs",

+ "location": "[resourceGroup().location]",

+ "dependsOn": [

+ "[resourceId('Microsoft.Insights/components', 'myApplication')]"

+ ],

+ "properties": {

+ "name": "longdependencyduration",

+ "sendEmailsToSubscriptionOwners": true,

+ "customEmails": ["alice@contoso.com", "bob@contoso.com"],

+ "enabled": true

+ }

+ }

+ ]

+ }

+```

+## Smart detection rule names

+Below is a table of smart detection rule names as they appear in the portal, along with their internal names, that should be used in the Azure Resource Manager template.

+> [!NOTE]

+> Smart detection rules marked as _preview_ donΓÇÖt support email notifications. Therefore, you can only set the _enabled_ property for these rules.

+| Azure portal rule name | Internal name

+|:|:|

+| Slow page load time | slowpageloadtime |

+| Slow server response time | slowserverresponsetime |

+| Long dependency duration | longdependencyduration |

+| Degradation in server response time | degradationinserverresponsetime |

+| Degradation in dependency duration | degradationindependencyduration |

+| Degradation in trace severity ratio (preview) | extension_traceseveritydetector |

+| Abnormal rise in exception volume (preview) | extension_exceptionchangeextension |

+| Potential memory leak detected (preview) | extension_memoryleakextension |

+| Potential security issue detected (preview) | extension_securityextensionspackage |

+| Abnormal rise in daily data volume (preview) | extension_billingdatavolumedailyspikeextension |

+### Failure Anomalies alert rule

+This Azure Resource Manager template demonstrates configuring a Failure Anomalies alert rule with a severity of 2.

+> [!NOTE]

+> Failure Anomalies is a global service therefore rule location is created on the global location.

+```json

+{

+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "resources": [

+ {

+ "type": "microsoft.alertsmanagement/smartdetectoralertrules",

+ "apiVersion": "2019-03-01",

+ "name": "Failure Anomalies - my-app",

+ "location": "global",

+ "properties": {

+ "description": "Failure Anomalies notifies you of an unusual rise in the rate of failed HTTP requests or dependency calls.",

+ "state": "Enabled",

+ "severity": "2",

+ "frequency": "PT1M",

+ "detector": {

+ "id": "FailureAnomaliesDetector"

+ },

+ "scope": ["/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/MyResourceGroup/providers/microsoft.insights/components/my-app"],

+ "actionGroups": {

+ "groupIds": ["/subscriptions/00000000-1111-2222-3333-444444444444/resourcegroups/MyResourceGroup/providers/microsoft.insights/actiongroups/MyActionGroup"]

+ }

+ }

+ }

+ ]

+}

+```

+> [!NOTE]

+> This Azure Resource Manager template is unique to the Failure Anomalies alert rule and is different from the other classic Smart Detection rules described in this article. If you want to manage Failure Anomalies manually this is done in Azure Monitor Alerts whereas all other Smart Detection rules are managed in the Smart Detection pane of the UI.

+## Next Steps

+Learn more about automatically detecting:

+- [Failure anomalies](./proactive-failure-diagnostics.md)

+- [Memory Leaks](./proactive-potential-memory-leak.md)

+- [Performance anomalies](./proactive-performance-diagnostics.md)

+ Title: Smart detection in Azure Application Insights | Microsoft Docs

+description: Application Insights performs automatic deep analysis of your app telemetry and warns you of potential problems.

+# Smart detection in Application Insights

+>[!NOTE]

+>You can migrate smart detection on your Application Insights resource to be based on alerts. The migration creates alert rules for the different smart detection modules. Once created, you can manage and configure these rules just like any other Azure Monitor alert rules. You can also configure action groups for these rules, thus enabling multiple methods of taking actions or triggering notification on new detections.

+>

+> For more information, see [Smart Detection Alerts migration](./alerts-smart-detections-migration.md).

+Smart detection automatically warns you of potential performance problems and failure anomalies in your web application. It performs proactive analysis of the telemetry that your app sends to [Application Insights](../app/app-insights-overview.md). If there is a sudden rise in failure rates, or abnormal patterns in client or server performance, you get an alert. This feature needs no configuration. It operates if your application sends enough telemetry.

+You can access the detections issued by smart detection both from the emails you receive, and from the smart detection blade.

+## Review your smart detections

+You can discover detections in two ways:

+* **You receive an email** from Application Insights. Here's a typical example:

+

+ 

+

+ Click the large button to open more detail in the portal.

+* **The smart detection blade** in Application Insights. Select **Smart detection** under the **Investigate** menu to see a list of recent detections.

+

+Select a detection to view its details.

+## What problems are detected?

+Smart detection detects and notifies about various issues, such as:

+* [Smart detection - Failure Anomalies](./proactive-failure-diagnostics.md). We use machine learning to set the expected rate of failed requests for your app, correlating with load, and other factors. Notifies if the failure rate goes outside the expected envelope.

+* [Smart detection - Performance Anomalies](./proactive-performance-diagnostics.md). Notifies if response time of an operation or dependency duration is slowing down, compared to historical baseline. It also notifies if we identify an anomalous pattern in response time, or page load time.

+* General degradations and issues, like [Trace degradation](./proactive-trace-severity.md), [Memory leak](./proactive-potential-memory-leak.md), [Abnormal rise in Exception volume](./proactive-exception-volume.md) and [Security anti-patterns](./proactive-application-security-detection-pack.md).

+(The help links in each notification take you to the relevant articles.)

+## Smart detection email notifications

+All smart detection rules, except for rules marked as _preview_, are configured by default to send email notifications when detections are found.

+Configuring email notifications for a specific smart detection rule can be done by opening the smart detection **Settings** blade and selecting the rule, which will open the **Edit rule** blade.

+Alternatively, you can change the configuration using Azure Resource Manager templates. For more information, see [Manage Application Insights smart detection rules using Azure Resource Manager templates](./proactive-arm-config.md) for more details.

+## Next steps

+These diagnostic tools help you inspect the telemetry from your app:

+* [Metric explorer](../essentials/metrics-charts.md)

+* [Search explorer](../app/diagnostic-search.md)

+* [Analytics - powerful query language](../logs/log-analytics-tutorial.md)

+Smart Detection is automatic. But maybe you'd like to set up some more alerts?

+* [Manually configured metric alerts](./alerts-log.md)

+* [Availability web tests](../app/monitor-web-app-availability.md)

+ Title: Smart Detection notification change - Azure Application Insights

+description: Change to the default notification recipients from Smart Detection. Smart Detection lets you monitor application traces with Azure Application Insights for unusual patterns in trace telemetry.

+# Smart Detection e-mail notification change

+>[!NOTE]

+>You can migrate your Application Insight resources to alerts-bases smart detection (preview). The migration creates alert rules for the different smart detection modules. Once created, you can manage and configure these rules just like any other Azure Monitor alert rules. You can also configure action groups for these rules, thus enabling multiple methods of taking actions or triggering notification on new detections.

+>

+> See [Smart Detection Alerts migration](./alerts-smart-detections-migration.md) for more details on the migration process and the behavior of smart detection after the migration.

+Based on customer feedback, on April 1, 2019, weΓÇÖre changing the default roles who receive email notifications from Smart Detection.

+## What is changing?

+Currently, Smart Detection email notifications are sent by default to the _Subscription Owner_, _Subscription Contributor_, and _Subscription Reader_ roles. These roles often include users who are not actively involved in monitoring, which causes many of these users to receive notifications unnecessarily. To improve this experience, we are making a change so that email notifications only go to the [Monitoring Reader](../../role-based-access-control/built-in-roles.md#monitoring-reader) and [Monitoring Contributor](../../role-based-access-control/built-in-roles.md#monitoring-contributor) roles by default.

+## Scope of this change

+This change will affect all Smart Detection rules, excluding the following ones:

+* Smart Detection rules marked as preview. These Smart Detection rules donΓÇÖt support email notifications today.

+* Failure Anomalies rule.

+## How to prepare for this change?

+To ensure that email notifications from Smart Detection are sent to relevant users, those users must be assigned to the [Monitoring Reader](../../role-based-access-control/built-in-roles.md#monitoring-reader) or [Monitoring Contributor](../../role-based-access-control/built-in-roles.md#monitoring-contributor) roles of the subscription.

+To assign users to the Monitoring Reader or Monitoring Contributor roles via the Azure portal, follow the steps described in the [Assign Azure roles](../../role-based-access-control/role-assignments-portal.md) article. Make sure to select the _Monitoring Reader_ or _Monitoring Contributor_ as the role to which users are assigned.

+> [!NOTE]

+> Specific recipients of Smart Detection notifications, configured using the _Additional email recipients_ option in the rule settings, will not be affected by this change. These recipients will continue receiving the email notifications.

+If you have any questions or concerns about this change, donΓÇÖt hesitate to [contact us](mailto:smart-alert-feedback@microsoft.com).

+## Next steps

+Learn more about Smart Detection:

+- [Failure anomalies](./proactive-failure-diagnostics.md)

+- [Memory Leaks](./proactive-potential-memory-leak.md)

+- [Performance anomalies](./proactive-performance-diagnostics.md)

+ Title: Abnormal rise in exception volume - Azure Application Insights

+description: Monitor application exceptions with smart detection in Azure Application Insights for unusual patterns in exception volume.

+# Abnormal rise in exception volume (preview)

+>[!NOTE]

+>You can migrate your Application Insight resources to alerts-bases smart detection (preview). The migration creates alert rules for the different smart detection modules. Once created, you can manage and configure these rules just like any other Azure Monitor alert rules. You can also configure action groups for these rules, thus enabling multiple methods of taking actions or triggering notification on new detections.

+>

+> For more information, see [Smart Detection Alerts migration](./alerts-smart-detections-migration.md).

+Smart detection automatically analyze the exceptions thrown in your application, and can warn you about unusual patterns in your exception telemetry.

+This feature requires no special setup, other than [configuring exception reporting](../app/asp-net-exceptions.md#set-up-exception-reporting) for your app. It's active when your app generates enough exception telemetry.

+## When would I get this type of smart detection notification?

+You get this type of notification if your app is showing an abnormal rise in the number of exceptions of a specific type, during a day. This number is compared to a baseline calculated over the previous seven days.

+Machine learning algorithms are used for detecting the rise in exception count, while taking into account a natural growth in your application usage.

+## Does my app definitely have a problem?

+No, a notification doesn't mean that your app definitely has a problem. Although an excessive number of exceptions usually indicates an application issue, these exceptions might be benign and handled correctly by your application.

+## How do I fix it?

+The notifications include diagnostic information to support in the diagnostics process:

+1. **Triage.** The notification shows you how many users or how many requests are affected. This information can help you assign a priority to the problem.

+2. **Scope.** Is the problem affecting all traffic, or just some operation? This information can be obtained from the notification.

+3. **Diagnose.** The detection contains information about the method from which the exception was thrown, and the exception type. You can also use the related items and reports linking to supporting information, to help you further diagnose the issue.

+ Title: Smart Detection of Failure Anomalies in Application Insights | Microsoft Docs

+description: Alerts you to unusual changes in the rate of failed requests to your web app, and provides diagnostic analysis. No configuration is needed.

+# Smart Detection - Failure Anomalies

+[Application Insights](../app/app-insights-overview.md) automatically alerts you in near real time if your web app experiences an abnormal rise in the rate of failed requests. It detects an unusual rise in the rate of HTTP requests or dependency calls that are reported as failed. For requests, failed requests usually have response codes of 400 or higher. To help you triage and diagnose the problem, an analysis of the characteristics of the failures and related application data is provided in the alert details. There are also links to the Application Insights portal for further diagnosis. The feature needs no set-up nor configuration, as it uses machine learning algorithms to predict the normal failure rate.

+This feature works for any web app, hosted in the cloud or on your own servers, that generate application request or dependency data. For example, if you have a worker role that calls [TrackRequest()](../app/api-custom-events-metrics.md#trackrequest) or [TrackDependency()](../app/api-custom-events-metrics.md#trackdependency).

+After setting up [Application Insights for your project](../app/app-insights-overview.md), and if your app generates a certain minimum amount of data, Smart Detection of Failure Anomalies takes 24 hours to learn the normal behavior of your app, before it is switched on and can send alerts.

+Here's a sample alert:

+The alert details will tell you:

+* The failure rate compared to normal app behavior.

+* How many users are affected - so you know how much to worry.

+* A characteristic pattern associated with the failures. In this example, there's a particular response code, request name (operation), and application version. That immediately tells you where to start looking in your code. Other possibilities could be a specific browser or client operating system.

+* The exception, log traces, and dependency failure (databases or other external components) that appear to be associated with the characterized failures.

+* Links directly to relevant searches on the data in Application Insights.

+## Benefits of Smart Detection

+Ordinary [metric alerts](./alerts-log.md) tell you there might be a problem. But Smart Detection starts the diagnostic work for you, performing much the analysis you would otherwise have to do yourself. You get the results neatly packaged, helping you to get quickly to the root of the problem.

+## How it works

+Smart Detection monitors the data received from your app, and in particular the failure rates. This rule counts the number of requests for which the `Successful request` property is false, and the number of dependency calls for which the `Successful call` property is false. For requests, by default, `Successful request == (resultCode < 400)` (unless you have written custom code to [filter](../app/api-filtering-sampling.md#filtering) or generate your own [TrackRequest](../app/api-custom-events-metrics.md#trackrequest) calls).

+Your app's performance has a typical pattern of behavior. Some requests or dependency calls will be more prone to failure than others; and the overall failure rate may go up as load increases. Smart Detection uses machine learning to find these anomalies.

+As data comes into Application Insights from your web app, Smart Detection compares the current behavior with the patterns seen over the past few days. If an abnormal rise in failure rate is observed by comparison with previous performance, an analysis is triggered.

+When an analysis is triggered, the service performs a cluster analysis on the failed request, to try to identify a pattern of values that characterize the failures.

+In the example above, the analysis has discovered that most failures are about a specific result code, request name, Server URL host, and role instance.

+When your service is instrumented with these calls, the analyzer looks for an exception and a dependency failure that are associated with requests in the cluster it has identified, together with an example of any trace logs associated with those requests.

+The resulting analysis is sent to you as alert, unless you have configured it not to.

+Like the [alerts you set manually](./alerts-log.md), you can inspect the state of the fired alert, which can be resolved if the issue is fixed. Configure the alert rules in the Alerts page of your Application Insights resource. But unlike other alerts, you don't need to set up or configure Smart Detection. If you want, you can disable it or change its target email addresses.

+### Alert logic details

+The alerts are triggered by our proprietary machine learning algorithm so we can't share the exact implementation details. With that said, we understand that you sometimes need to know more about how the underlying logic works. The primary factors that are evaluated to determine if an alert should be triggered are:

+* Analysis of the failure percentage of requests/dependencies in a rolling time window of 20 minutes.

+* A comparison of the failure percentage of the last 20 minutes to the rate in the last 40 minutes and the past seven days, and looking for significant deviations that exceed X-times that standard deviation.

+* Using an adaptive limit for the minimum failure percentage, which varies based on the appΓÇÖs volume of requests/dependencies.

+* There is logic that can automatically resolve the fired alert monitor condition, if the issue is no longer detected for 8-24 hours.

+ Note: in the current design. a notification or action will not be sent when a Smart Detection alert is resolved. You can check if a Smart Detection alert was resolved in the Azure portal.

+## Configure alerts

+You can disable Smart Detection alert rule from the portal or using Azure Resource Manager ([see template example](./proactive-arm-config.md)).

+This alert rule is created with an associated [Action Group](./action-groups.md) named "Application Insights Smart Detection" that contains email and webhook actions, and can be extended to trigger additional actions when the alert fires.

+> [!NOTE]

+> Email notifications sent from this alert rule are now sent by default to users associated with the subscription's Monitoring Reader and Monitoring Contributor roles. More information on this is available [here](./proactive-email-notification.md).

+> Notifications sent from this alert rule follow the [common alert schema](./alerts-common-schema.md).

+>

+Open the Alerts page. Failure Anomalies alert rules are included along with any alerts that you have set manually, and you can see whether it is currently in the alert state.

+Click the alert to configure it.

+## Delete alerts

+You can disable or delete a Failure Anomalies alert rule, but once deleted you can't create another one for the same Application Insights resource.

+Notice that if you delete an Application Insights resource, the associated Failure Anomalies alert rule doesn't get deleted automatically. You can do so manually on the Alert rules page or with the following Azure CLI command:

+```azurecli

+az resource delete --ids <Resource ID of Failure Anomalies alert rule>

+```

+## Example of Failure Anomalies alert webhook payload

+```json

+{

+ "properties": {

+ "essentials": {

+ "severity": "Sev3",

+ "signalType": "Log",

+ "alertState": "New",

+ "monitorCondition": "Resolved",

+ "monitorService": "Smart Detector",

+ "targetResource": "/subscriptions/4f9b81be-fa32-4f96-aeb3-fc5c3f678df9/resourcegroups/test-group/providers/microsoft.insights/components/test-rule",

+ "targetResourceName": "test-rule",

+ "targetResourceGroup": "test-group",

+ "targetResourceType": "microsoft.insights/components",

+ "sourceCreatedId": "1a0a5b6436a9b2a13377f5c89a3477855276f8208982e0f167697a2b45fcbb3e",

+ "alertRule": "/subscriptions/4f9b81be-fa32-4f96-aeb3-fc5c3f678df9/resourcegroups/test-group/providers/microsoft.alertsmanagement/smartdetectoralertrules/failure anomalies - test-rule",

+ "startDateTime": "2019-10-30T17:52:32.5802978Z",

+ "lastModifiedDateTime": "2019-10-30T18:25:23.1072443Z",

+ "monitorConditionResolvedDateTime": "2019-10-30T18:25:26.4440603Z",

+ "lastModifiedUserName": "System",

+ "actionStatus": {

+ "isSuppressed": false

+ },

+ "description": "Failure Anomalies notifies you of an unusual rise in the rate of failed HTTP requests or dependency calls."

+ },

+ "context": {

+ "DetectionSummary": "An abnormal rise in failed request rate",

+ "FormattedOccurenceTime": "2019-10-30T17:50:00Z",

+ "DetectedFailureRate": "50.0% (200/400 requests)",

+ "NormalFailureRate": "0.0% (over the last 30 minutes)",

+ "FailureRateChart": [

+ [

+ "2019-10-30T05:20:00Z",

+ 0

+ ],

+ [

+ "2019-10-30T05:40:00Z",

+ 100

+ ],

+ [

+ "2019-10-30T06:00:00Z",

+ 0

+ ],

+ [

+ "2019-10-30T06:20:00Z",

+ 0

+ ],

+ [

+ "2019-10-30T06:40:00Z",

+ 100

+ ],

+ [

+ "2019-10-30T07:00:00Z",

+ 0

+ ],

+ [

+ "2019-10-30T07:20:00Z",

+ 0

+ ],

+ [

+ "2019-10-30T07:40:00Z",

+ 100

+ ],

+ [

+ "2019-10-30T08:00:00Z",

+ 0

+ ],

+ [

+ "2019-10-30T08:20:00Z",

+ 0

+ ],

+ [

+ "2019-10-30T08:40:00Z",

+ 100

+ ],

+ [

+ "2019-10-30T17:00:00Z",

+ 0

+ ],

+ [

+ "2019-10-30T17:20:00Z",

+ 0

+ ],

+ [

+ "2019-10-30T09:00:00Z",

+ 0

+ ],

+ [

+ "2019-10-30T09:20:00Z",

+ 0

+ ],

+ [

+ "2019-10-30T09:40:00Z",

+ 100

+ ],

+ [

+ "2019-10-30T10:00:00Z",

+ 0

+ ],

+ [

+ "2019-10-30T10:20:00Z",

+ 0

+ ],

+ [

+ "2019-10-30T10:40:00Z",

+ 100

+ ],

+ [

+ "2019-10-30T11:00:00Z",

+ 0

+ ],

+ [

+ "2019-10-30T11:20:00Z",

+ 0

+ ],

+ [

+ "2019-10-30T11:40:00Z",

+ 100

+ ],

+ [

+ "2019-10-30T12:00:00Z",

+ 0

+ ],

+ [

+ "2019-10-30T12:20:00Z",

+ 0

+ ],

+ [

+ "2019-10-30T12:40:00Z",

+ 100

+ ],

+ [

+ "2019-10-30T13:00:00Z",

+ 0

+ ],

+ [

+ "2019-10-30T13:20:00Z",

+ 0

+ ],

+ [

+ "2019-10-30T13:40:00Z",

+ 100

+ ],

+ [

+ "2019-10-30T14:00:00Z",

+ 0

+ ],

+ [

+ "2019-10-30T14:20:00Z",

+ 0

+ ],

+ [

+ "2019-10-30T14:40:00Z",

+ 100

+ ],

+ [

+ "2019-10-30T15:00:00Z",

+ 0

+ ],

+ [

+ "2019-10-30T15:20:00Z",

+ 0

+ ],

+ [

+ "2019-10-30T15:40:00Z",

+ 100

+ ],

+ [

+ "2019-10-30T16:00:00Z",

+ 0

+ ],

+ [

+ "2019-10-30T16:20:00Z",

+ 0

+ ],

+ [

+ "2019-10-30T16:40:00Z",

+ 100

+ ],

+ [

+ "2019-10-30T17:30:00Z",

+ 50

+ ]

+ ],

+ "ArmSystemEventsRequest": "/subscriptions/4f9b81be-fa32-4f96-aeb3-fc5c3f678df9/resourceGroups/test-group/providers/microsoft.insights/components/test-rule/query?query=%0d%0a++++++++++++++++systemEvents%0d%0a++++++++++++++++%7c+where+timestamp+%3e%3d+datetime(%272019-10-30T17%3a20%3a00.0000000Z%27)+%0d%0a++++++++++++++++%7c+where+itemType+%3d%3d+%27systemEvent%27+and+name+%3d%3d+%27ProactiveDetectionInsight%27+%0d%0a++++++++++++++++%7c+where+dimensions.InsightType+in+(%275%27%2c+%277%27)+%0d%0a++++++++++++++++%7c+where+dimensions.InsightDocumentId+%3d%3d+%27718fb0c3-425b-4185-be33-4311dfb4deeb%27+%0d%0a++++++++++++++++%7c+project+dimensions.InsightOneClassTable%2c+%0d%0a++++++++++++++++++++++++++dimensions.InsightExceptionCorrelationTable%2c+%0d%0a++++++++++++++++++++++++++dimensions.InsightDependencyCorrelationTable%2c+%0d%0a++++++++++++++++++++++++++dimensions.InsightRequestCorrelationTable%2c+%0d%0a++++++++++++++++++++++++++dimensions.InsightTraceCorrelationTable%0d%0a++++++++++++&api-version=2018-04-20",

+ "LinksTable": [

+ {

+ "Link": "<a href=\"https://portal.azure.com/#blade/AppInsightsExtension/ProactiveDetectionFeedBlade/ComponentId/{\"SubscriptionId\":\"4f9b81be-fa32-4f96-aeb3-fc5c3f678df9\",\"ResourceGroup\":\"test-group\",\"Name\":\"test-rule\"}/SelectedItemGroup/718fb0c3-425b-4185-be33-4311dfb4deeb/SelectedItemTime/2019-10-30T17:50:00Z/InsightType/5\" target=\"_blank\">View full details in Application Insights</a>"

+ }

+ ],

+ "SmartDetectorId": "FailureAnomaliesDetector",

+ "SmartDetectorName": "Failure Anomalies",

+ "AnalysisTimestamp": "2019-10-30T17:52:32.5802978Z"

+ },

+ "egressConfig": {

+ "displayConfig": [

+ {

+ "rootJsonNode": null,

+ "sectionName": null,

+ "displayControls": [

+ {

+ "property": "DetectionSummary",

+ "displayName": "What was detected?",

+ "type": "Text",

+ "isOptional": false,

+ "isPropertySerialized": false

+ },

+ {

+ "property": "FormattedOccurenceTime",

+ "displayName": "When did this occur?",

+ "type": "Text",

+ "isOptional": false,

+ "isPropertySerialized": false

+ },

+ {

+ "property": "DetectedFailureRate",

+ "displayName": "Detected failure rate",

+ "type": "Text",

+ "isOptional": false,

+ "isPropertySerialized": false

+ },

+ {

+ "property": "NormalFailureRate",

+ "displayName": "Normal failure rate",

+ "type": "Text",

+ "isOptional": false,

+ "isPropertySerialized": false

+ },

+ {

+ "chartType": "Line",

+ "xAxisType": "Date",

+ "yAxisType": "Percentage",

+ "xAxisName": "",

+ "yAxisName": "",

+ "property": "FailureRateChart",

+ "displayName": "Failure rate over last 12 hours",

+ "type": "Chart",

+ "isOptional": false,

+ "isPropertySerialized": false

+ },

+ {

+ "defaultLoad": true,

+ "displayConfig": [

+ {

+ "rootJsonNode": null,

+ "sectionName": null,

+ "displayControls": [

+ {

+ "showHeader": false,

+ "columns": [

+ {

+ "property": "Name",

+ "displayName": "Name"

+ },

+ {

+ "property": "Value",

+ "displayName": "Value"

+ }

+ ],

+ "property": "tables[0].rows[0][0]",

+ "displayName": "All of the failed requests had these characteristics:",

+ "type": "Table",

+ "isOptional": false,

+ "isPropertySerialized": true

+ }

+ ]

+ }

+ ],

+ "property": "ArmSystemEventsRequest",

+ "displayName": "",

+ "type": "ARMRequest",

+ "isOptional": false,

+ "isPropertySerialized": false

+ },

+ {

+ "showHeader": false,

+ "columns": [

+ {

+ "property": "Link",

+ "displayName": "Link"

+ }

+ ],

+ "property": "LinksTable",

+ "displayName": "Links",

+ "type": "Table",

+ "isOptional": false,

+ "isPropertySerialized": false

+ }

+ ]

+ }

+ ]

+ }

+ },

+ "id": "/subscriptions/4f9b81be-fa32-4f96-aeb3-fc5c3f678df9/resourcegroups/test-group/providers/microsoft.insights/components/test-rule/providers/Microsoft.AlertsManagement/alerts/7daf8739-ca8a-4562-b69a-ff28db4ba0a5",

+ "type": "Microsoft.AlertsManagement/alerts",

+ "name": "Failure Anomalies - test-rule"

+}

+```

+## Triage and diagnose an alert

+An alert indicates that an abnormal rise in the failed request rate was detected. It's likely that there is some problem with your app or its environment.

+To investigate further, click on 'View full details in Application Insights' the links in this page will take you straight to a [search page](../app/diagnostic-search.md) filtered to the relevant requests, exception, dependency, or traces.

+You can also open the [Azure portal](https://portal.azure.com), navigate to the Application Insights resource for your app, and open the Failures page.

+Clicking on 'Diagnose failures' will help you get more details and resolve the issue.

+From the percentage of requests and number of users affected, you can decide how urgent the issue is. In the example above, the failure rate of 78.5% compares with a normal rate of 2.2%, indicates that something bad is going on. On the other hand, only 46 users were affected. If it was your app, you'd be able to assess how serious that is.

+In many cases, you will be able to diagnose the problem quickly from the request name, exception, dependency failure, and trace data provided.

+In this example, there was an exception from SQL Database due to request limit being reached.

+## Review recent alerts

+Click **Alerts** in the Application Insights resource page to get to the most recent fired alerts:

+## What's the difference ...

+Smart Detection of Failure Anomalies complements other similar but distinct features of Application Insights.

+* [metric alerts](./alerts-log.md) are set by you and can monitor a wide range of metrics such as CPU occupancy, request rates, page load times, and so on. You can use them to warn you, for example, if you need to add more resources. By contrast, Smart Detection of Failure Anomalies covers a small range of critical metrics (currently only failed request rate), designed to notify you in near real-time manner once your web app's failed request rate increases compared to web app's normal behavior. Unlike metric alerts, Smart Detection automatically sets and updates thresholds in response changes in the behavior. Smart Detection also starts the diagnostic work for you, saving you time in resolving issues.

+* [Smart Detection of performance anomalies](proactive-performance-diagnostics.md) also uses machine intelligence to discover unusual patterns in your metrics, and no configuration by you is required. But unlike Smart Detection of Failure Anomalies, the purpose of Smart Detection of performance anomalies is to find segments of your usage manifold that might be badly served - for example, by specific pages on a specific type of browser. The analysis is performed daily, and if any result is found, it's likely to be much less urgent than an alert. By contrast, the analysis for Failure Anomalies is performed continuously on incoming application data, and you will be notified within minutes if server failure rates are greater than expected.

+## If you receive a Smart Detection alert

+*Why have I received this alert?*

+* We detected an abnormal rise in failed requests rate compared to the normal baseline of the preceding period. After analysis of the failures and associated application data, we think that there is a problem that you should look into.

+*Does the notification mean I definitely have a problem?*

+* We try to alert on app disruption or degradation, but only you can fully understand the semantics and the impact on the app or users.

+*So, you are looking at my application data?*

+* No. The service is entirely automatic. Only you get the notifications. Your data is [private](../app/data-retention-privacy.md).

+*Do I have to subscribe to this alert?*

+* No. Every application that sends request data has the Smart Detection alert rule.

+*Can I unsubscribe or get the notifications sent to my colleagues instead?*

+* Yes, In Alert rules, click the Smart Detection rule to configure it. You can disable the alert, or change recipients for the alert.

+*I lost the email. Where can I find the notifications in the portal?*

+* In the Activity logs. In Azure, open the Application Insights resource for your app, then select Activity logs.

+*Some of the alerts are about known issues and I do not want to receive them.*

+* You can use [alert action rules](./alerts-processing-rules.md) suppression feature.

+## Next steps

+These diagnostic tools help you inspect the data from your app:

+* [Metric explorer](../essentials/metrics-charts.md)

+* [Search explorer](../app/diagnostic-search.md)

+* [Analytics - powerful query language](../logs/log-analytics-tutorial.md)

+Smart detections are automatic. But maybe you'd like to set up some more alerts?

+* [Manually configured metric alerts](./alerts-log.md)

+* [Availability web tests](../app/monitor-web-app-availability.md)

+ Title: Smart detection - performance anomalies | Microsoft Docs

+description: Smart detection analyzes your app telemetry and warns you of potential problems. This feature needs no setup.

+# Smart detection - Performance Anomalies

+>[!NOTE]

+>You can migrate your Application Insight resources to alerts-based smart detection (preview). The migration creates alert rules for the different smart detection modules. Once created, you can manage and configure these rules just like any other Azure Monitor alert rules. You can also configure action groups for these rules, thus enabling multiple methods of taking actions or triggering notification on new detections.

+>

+> For more information on the migration process, see [Smart Detection Alerts migration](./alerts-smart-detections-migration.md).

+[Application Insights](../app/app-insights-overview.md) automatically analyzes the performance of your web application, and can warn you about potential problems.

+This feature requires no special setup, other than configuring your app for Application Insights for your [supported language](../app/platforms.md). It's active when your app generates enough telemetry.

+## When would I get a smart detection notification?

+Application Insights has detected that the performance of your application has degraded in one of these ways:

+* **Response time degradation** - Your app has started responding to requests more slowly than it used to. The change might have been rapid, for example because there was a regression in your latest deployment. Or it might have been gradual, maybe caused by a memory leak.

+* **Dependency duration degradation** - Your app makes calls to a REST API, database, or other dependency. The dependency is responding more slowly than it used to.

+* **Slow performance pattern** - Your app appears to have a performance issue that is affecting only some requests. For example, pages are loading more slowly on one type of browser than others; or requests are being served more slowly from one particular server. Currently, our algorithms look at page load times, request response times, and dependency response times.

+To establish a baseline of normal performance, smart detection requires at least eight days of sufficient telemetry volume. After your application has been running for that period, significant anomalies will result in a notification.

+## Does my app definitely have a problem?

+No, a notification doesn't mean that your app definitely has a problem. It's simply a suggestion about something you might want to look at more closely.

+## How do I fix it?

+The notifications include diagnostic information. Here's an example:

+

+1. **Triage**. The notification shows you how many users or how many operations are affected. This information can help you assign a priority to the problem.

+2. **Scope**. Is the problem affecting all traffic, or just some pages? Is it restricted to particular browsers or locations? This information can be obtained from the notification.

+3. **Diagnose**. Often, the diagnostic information in the notification will suggest the nature of the problem. For example, if response time slows down when request rate is high, it may indicate that your server or dependencies are beyond their capacity.

+ Otherwise, open the Performance blade in Application Insights. You'll find there [Profiler](../profiler/profiler.md) data. If exceptions are thrown, you can also try the [snapshot debugger](../snapshot-debugger/snapshot-debugger.md).

+## Configure Email Notifications

+Smart detection notifications are enabled by default. They are sent to users that have [Monitoring Reader](../../role-based-access-control/built-in-roles.md#monitoring-reader) and [Monitoring Contributor](../../role-based-access-control/built-in-roles.md#monitoring-contributor) access to the subscription in which the Application Insights resource resides. To change the default notification, either click **Configure** in the email notification, or open **Smart detection settings** in Application Insights.

+

+ 

+

+ * You can disable the default notification, and replace it with a specified list of emails.

+Emails about smart detection performance anomalies are limited to one email per day per Application Insights resource. The email will be sent only if there is at least one new issue that was detected on that day. You won't get repeats of any message.

+## FAQ

+* *So, Microsoft staff look at my data?*

+ * No. The service is entirely automatic. Only you get the notifications. Your data is [private](../app/data-retention-privacy.md).

+* *Do you analyze all the data collected by Application Insights?*

+ * Currently, we analyze request response time, dependency response time, and page load time. Analysis of other metrics is on our backlog looking forward.

+* What types of application does this detection work for?

+ * These degradations are detected in any application that generates the appropriate telemetry. If you installed Application Insights in your web app, then requests and dependencies are automatically tracked. But in backend services or other apps, if you inserted calls to [TrackRequest()](../app/api-custom-events-metrics.md#trackrequest) or [TrackDependency](../app/api-custom-events-metrics.md#trackdependency), then smart detection will work in the same way.

+* *Can I create my own anomaly detection rules or customize existing rules?*

+ * Not yet, but you can:

+ * [Set up alerts](./alerts-log.md) that tell you when a metric crosses a threshold.

+ * [Export telemetry](../app/export-telemetry.md) to a [database](../../stream-analytics/app-insights-export-sql-stream-analytics.md) or [to Power BI](../app/export-power-bi.md), where you can analyze it yourself.

+* *How often is the analysis done?*

+ * We run the analysis daily on the telemetry from the previous day (full day in UTC timezone).

+* *Does this replace [metric alerts](./alerts-log.md)?*

+ * No. We don't commit to detecting every behavior that you might consider abnormal.

+* *If I don't do anything in response to a notification, will I get a reminder?*

+ * No, you get a message about each issue only once. If the issue persists, it will be updated in the smart detection feed blade.

+* *I lost the email. Where can I find the notifications in the portal?*

+ * In the Application Insights overview of your app, click the **Smart detection** tile. There you'll find all notifications up to 90 days back.

+## How can I improve performance?

+Slow and failed responses are one of the biggest frustrations for web site users, as you know from your own experience. So, it's important to address the issues.

+### Triage

+First, does it matter? If a page is always slow to load, but only 1% of your site's users ever have to look at it, maybe you have more important things to think about. However, if only 1% of users open it, but it throws exceptions every time, that might be worth investigating.

+Use the impact statement, such as affected users or % of traffic, as a general guide. Be aware that it may not be telling the whole story. Gather other evidence to confirm.

+Consider the parameters of the issue. If it's geography-dependent, set up [availability tests](../app/monitor-web-app-availability.md) including that region: there might be network issues in that area.

+### Diagnose slow page loads

+Where is the problem? Is the server slow to respond, is the page too long, or does the browser need too much work to display it?

+Open the Browsers metric blade. The segmented display of browser page load time shows where the time is going.

+* If **Send Request Time** is high, either the server is responding slowly, or the request is a post with large amount of data. Look at the [performance metrics](../app/performance-counters.md) to investigate response times.

+* Set up [dependency tracking](../app/asp-net-dependencies.md) to see whether the slowness is because of external services or your database.

+* If **Receiving Response** is predominant, your page and its dependent parts - JavaScript, CSS, images, and so on (but not asynchronously loaded data) are long. Set up an [availability test](../app/monitor-web-app-availability.md), and be sure to set the option to load dependent parts. When you get some results, open the detail of a result and expand it to see the load times of different files.

+* High **Client Processing time** suggests scripts are running slowly. If the reason isn't obvious, consider adding some timing code and send the times in trackMetric calls.

+### Improve slow pages

+There's a web full of advice on improving your server responses and page load times, so we won't try to repeat it all here. Here are a few tips that you probably already know about, just to get you thinking:

+* Slow loading because of large files: Load the scripts and other parts asynchronously. Use script bundling. Break the main page into widgets that load their data separately. Don't send plain old HTML for long tables: use a script to request the data as JSON or other compact format, then fill the table in place. There are great frameworks to help with such tasks. (They also include large scripts, of course.)

+* Slow server dependencies: Consider the geographical locations of your components. For example, if you're using Azure, make sure the web server and the database are in the same region. Do queries retrieve more information than they need? Would caching or batching help?

+* Capacity issues: Look at the server metrics of response times and request counts. If response times peak disproportionately with peaks in request counts, it's likely that your servers are stretched.

+## Server Response Time Degradation

+The response time degradation notification tells you:

+* The response time compared to normal response time for this operation.

+* How many users are affected.

+* Average response time and 90th percentile response time for this operation on the day of the detection and seven days before.

+* Count of this operation requests on the day of the detection and seven days before.

+* Correlation between degradation in this operation and degradations in related dependencies.

+* Links to help you diagnose the problem.

+ * Profiler traces can help you view where operation time is spent. The link is available if Profiler trace examples exist for this operation.

+ * Performance reports in Metric Explorer, where you can slice and dice time range/filters for this operation.

+ * Search for this call to view specific call properties.

+ * Failure reports - If count > 1, it means that there were failures in this operation that might have contributed to performance degradation.

+## Dependency Duration Degradation

+Modern applications often adopt a micro services design approach, which in many cases rely heavily on external services. For example, if your application relies on some data platform, or on a critical services provider such as cognitive services.

+Example of dependency degradation notification:

+

+Notice that it tells you:

+* The duration compared to normal response time for this operation

+* How many users are affected

+* Average duration and 90th percentile duration for this dependency on the day of the detection and seven days before

+* Number of dependency calls on the day of the detection and seven days before

+* Links to help you diagnose the problem

+ * Performance reports in Metric Explorer for this dependency

+ * Search for this dependency calls to view calls properties

+ * Failure reports - If count > 1, it means that there were failed dependency calls during the detection period that might have contributed to duration degradation.

+ * Open Analytics with queries that calculate this dependency duration and count

+## Smart detection of slow performing patterns

+Application Insights finds performance issues that might only affect some portion of your users, or only affect users in some cases. For example, if a page loads slower on a specific browser types compared to others, or if a particular server handles requests more slowly than other servers. It can also discover problems that are associated with combinations of properties, such as slow page loads in one geographical area for clients using particular operating system.

+Anomalies like these are hard to detect just by inspecting the data, but are more common than you might think. Often they only surface when your customers complain. By that time, it's too late: the affected users are already switching to your competitors!

+Currently, our algorithms look at page load times, request response times at the server, and dependency response times.

+You don't have to set any thresholds or configure rules. Machine learning and data mining algorithms are used to detect abnormal patterns.

+

+* **When** shows the time the issue was detected.

+* **What** describes te problem that was detected, and th characteristics of the set of events that we found, which displayed the problem behavior.

+* The table compares the poorly performing set with the average behavior of all other events.

+Click the links to open Metric Explorer to view reports, filtered by the time and properties of the slow performing set.

+Modify the time range and filters to explore the telemetry.

+## Next steps

+These diagnostic tools help you inspect the telemetry from your app:

+* [Profiler](../profiler/profiler.md)

+* [snapshot debugger](../snapshot-debugger/snapshot-debugger.md)

+* [Analytics](../logs/log-analytics-tutorial.md)

+* [Analytics smart diagnostics](../logs/log-query-overview.md)

+Smart detection is automatic. But maybe you'd like to set up some more alerts?

+* [Manually configured metric alerts](./alerts-log.md)

+* [Availability web tests](../app/monitor-web-app-availability.md)

+ Title: Detect memory leak - Azure Application Insights smart detection

+description: Monitor applications with Azure Application Insights for potential memory leaks.

+# Memory leak detection (preview)

+>[!NOTE]

+>You can migrate your Application Insight resources to alerts-bases smart detection (preview). The migration creates alert rules for the different smart detection modules. Once created, you can manage and configure these rules just like any other Azure Monitor alert rules. You can also configure action groups for these rules, thus enabling multiple methods of taking actions or triggering notification on new detections.

+>

+> For more information, see [Smart Detection Alerts migration](./alerts-smart-detections-migration.md).

+Smart detection automatically analyzes the memory consumption of each process in your application, and can warn you about potential memory leaks or increased memory consumption.

+This feature requires no special setup, other than [configuring performance counters](../app/performance-counters.md) for your app. It's active when your app generates enough memory performance counters telemetry (for example, Private Bytes).

+## When would I get this type of smart detection notification?

+A typical notification will follow a consistent increase in memory consumption, over a long period of time, in one or more processes or machines, which are part of your application. Machine learning algorithms are used for detecting increased memory consumption that matches the pattern of a memory leak.

+## Does my app really have a problem?

+A notification doesn't mean that your app definitely has a problem. Although memory leak patterns many times indicate an application issue, these patterns could be typical to your specific process, or could have a natural business justification. In such case the notification can be ignored.

+## How do I fix it?

+The notifications include diagnostic information to support in the diagnostic analysis process:

+1. **Triage.** The notification shows you the amount of memory increase (in GB), and the time range in which the memory has increased. This information can help you assign a priority to the problem.

+2. **Scope.** How many machines exhibited the memory leak pattern? How many exceptions were triggered during the potential memory leak? This information can be obtained from the notification.

+3. **Diagnose.** The detection contains the memory leak pattern, showing memory consumption of the process over time. You can also use the related items and reports linking to supporting information, to help you further diagnose the issue.

+ Title: Degradation in trace severity ratio - Azure Application Insights

+description: Monitor application traces with Azure Application Insights for unusual patterns in trace telemetry with smart detection.

+# Degradation in trace severity ratio (preview)

+>[!NOTE]

+>You can migrate your Application Insight resources to alerts-bases smart detection (preview). The migration creates alert rules for the different smart detection modules. Once created, you can manage and configure these rules just like any other Azure Monitor alert rules. You can also configure action groups for these rules, thus enabling multiple methods of taking actions or triggering notification on new detections.

+>

+> For more information, see [Smart Detection Alerts migration](./alerts-smart-detections-migration.md).

+>

+Traces are widely used in applications, and they help tell the story of what happens behind the scenes. When things go wrong, traces provide crucial visibility into the sequence of events leading to the undesired state. While traces are mostly unstructured, their severity level can still provide valuable information. In an applicationΓÇÖs steady state, we would expect the ratio between ΓÇ£goodΓÇ¥ traces (*Info* and *Verbose*) and ΓÇ£badΓÇ¥ traces (*Warning*, *Error*, and *Critical*) to remain stable.

+It's normal to expect some level of ΓÇ£BadΓÇ¥ traces because of any number of reasons, such as transient network issues. But when a real problem begins growing, it usually manifests as an increase in the relative proportion of ΓÇ£badΓÇ¥ traces vs ΓÇ£goodΓÇ¥ traces. Smart detection automatically analyzes the trace telemetry that your application logs, and can warn you about unusual patterns in their severity.

+This feature requires no special setup, other than configuring trace logging for your app. See how to configure a trace log listener for [.NET](../app/asp-net-trace-logs.md) or [Java](../app/java-in-process-agent.md). It's active when your app generates enough trace telemetry.

+## When would I get this type of smart detection notification?

+You get this type of notification if the ratio between ΓÇ£goodΓÇ¥ traces (traces logged with a level of *Info* or *Verbose*) and ΓÇ£badΓÇ¥ traces (traces logged with a level of *Warning*, *Error*, or *Fatal*) is degrading in a specific day, compared to a baseline calculated over the previous seven days.

+## Does my app definitely have a problem?

+A notification doesn't mean that your app definitely has a problem. Although a degradation in the ratio between ΓÇ£goodΓÇ¥ and ΓÇ£badΓÇ¥ traces might indicate an application issue, it can also be benign. For example, the increase can be because of a new flow in the application emitting more ΓÇ£badΓÇ¥ traces than existing flows).

+## How do I fix it?

+The notifications include diagnostic information to support in the diagnostics process:

+1. **Triage.** The notification shows you how many operations are affected. This information can help you assign a priority to the problem.

+2. **Scope.** Is the problem affecting all traffic, or just some operation? This information can be obtained from the notification.

+3. **Diagnose.** You can use the related items and reports linking to supporting information, to help you further diagnose the issue.

+- [Smart detection in Application Insights](../alerts/proactive-diagnostics.md)

+[Proactive diagnostics](../alerts/proactive-diagnostics.md) is a recent feature. Without any special configuration by you, Application Insights automatically detects and alerts you about unusual rises in failure rates in your app. It's smart enough to ignore a background of occasional failures, and also rises that are simply proportionate to a rise in requests. So for example, if there's a failure in one of the services you depend on, or if the new build you just deployed isn't working so well, then you'll know about it as soon as you look at your email. (And there are webhooks so that you can trigger other apps.)

+* [Smart diagnostics](../alerts/proactive-diagnostics.md): These tests run automatically, so you don't have to do anything to set them up. They tell you if your app has an unusual rate of failed requests.

+This article describes Microsoft Azure autoscale and its benefits.

+Azure autoscale supports many resource types. For more information about supported resources, see [autoscale supported resources](#supported-services-for-autoscale).

+> [Availability sets](/archive/blogs/kaevans/autoscaling-azurevirtual-machines) are an older scaling feature for virtual machines with limited support. We recommend migrating to [virtual machine scale sets](/azure/virtual-machine-scale-sets/overview) for faster and more reliable autoscale support.

+## What is autoscale

+Autoscale is a service that allows you to automatically add and remove resources according to the load on your application.

+When your application experiences higher load, autoscale adds resources to handle the increased load. When load is low, autoscale reduces the number of resources, lowering your costs. You can scale your application based on metrics like CPU usage, queue length, and available memory, or based on a schedule. Metrics and schedules are set up in rules. The rules include a minimum level of resources that you need to run your application, and a maximum level of resources that won't be exceeded.

+For example, scale out your application by adding VMs when the average CPU usage per VM is above 70%. Scale it back in removing VMs when CPU usage drops to 40%.

+ 

+When the conditions in the rules are met, one or more autoscale actions are triggered, adding or removing VMs. In addition, you can perform other actions like sending email notifications, or webhooks to trigger processes in other systems..

+### Predictive autoscale (preview)

+[Predictive autoscale](/azure/azure-monitor/autoscale/autoscale-predictive) uses machine learning to help manage and scale Azure virtual machine scale sets with cyclical workload patterns. It forecasts the overall CPU load on your virtual machine scale set, based on historical CPU usage patterns. The scale set can then be scaled out in time to meet the predicted demand.

+## Autoscale setup

+You can set up autoscale via:

+* [Azure portal](autoscale-get-started.md)

+* [PowerShell](../powershell-samples.md#create-and-manage-autoscale-settings)

+* [Cross-platform Command Line Interface (CLI)](../cli-samples.md#autoscale)

+* [Azure Monitor REST API](/rest/api/monitor/autoscalesettings)

+## Architecture

+The following diagram shows the autoscale architecture.

+ 

+### Resource metrics

+Resources generate metrics that are used in autoscale rules to trigger scale events. Virtual machine scale sets use telemetry data from Azure diagnostics agents to generate metrics. Telemetry for Web apps and Cloud services comes directly from the Azure Infrastructure.

+Some commonly used metrics include CPU usage, memory usage, thread counts, queue length, and disk usage. See [Autoscale Common Metrics](autoscale-common-metrics.md) for a list of available metrics.

+### Custom metrics

+Use your own custom metrics that your application generates. Configure your application to send metrics to [Application Insights](/azure/azure-monitor/app/app-insights-overview) so you can use those metrics decide when to scale.

+### Time

+Set up schedule-based rules to trigger scale events. Use schedule-based rules when you see time patterns in your load, and want to scale before an anticipated change in load occurs.

+

+### Rules

+Rules define the conditions needed to trigger a scale event, the direction of the scaling, and the amount to scale by. Rules can be:

+* Metric-based

+Trigger based on a metric value, for example when CPU usage is above 50%.

+* Time-based

+Trigger based on a schedule, for example, every Saturday at 8am.

+You can combine multiple rules using different metrics, for example CPU usage and queue length.

+* The OR operator is used when scaling out with multiple rules.

+* The AND operator is used when scaling in with multiple rules.

+### Actions and automation

+Rules can trigger one or more actions. Actions include:

+- Scale - Scale resources in or out.

+- Email - Send an email to the subscription admins, co-admins, and/or any other email address.

+- Webhooks - Call webhooks to trigger multiple complex actions inside or outside Azure. In Azure, you can:

+ + Start an [Azure Automation runbook](/azure/automation/overview).

+ + Call an [Azure Function](/azure/azure-functions/functions-overview).

+ + Trigger an [Azure Logic App](/azure/logic-apps/logic-apps-overview).

+## Autoscale settings

+Autoscale settings contain the autoscale configuration. The setting including scale conditions that define rules, limits, and schedules and notifications. Define one or more scale conditions in the settings, and one notification setup.

+Autoscale uses the following terminology and structure. The UI and JSON

+| UI | JSON/CLI | Description |

+||--|-|

+| Scale conditions | profiles | A collection of rules, instance limits and schedules, based on a metric or time. You can define one or more scale conditions or profiles. |

+| Rules | rules | A set of time or metric-based conditions that trigger a scale action. You can define one or more rules for both scale in and scale out actions. |

+| Instance limits | capacity | Each scale condition or profile defines th default, max, and min number of instances that can run under that profile. |

+| Schedule | recurrence | Indicates when autoscale should put this scale condition or profile into effect. You can have multiple scale conditions, which allow you to handle different and overlapping requirements. For example, you can have different scale conditions for different times of day, or days of the week. |

+| Notify | notification | Defines the notifications to send when an autoscale event occurs. Autoscale can notify one or more email addresses or make a call one or more webhooks. You can configure multiple webhooks in the JSON but only one in the UI. |

+

+* [Advanced Autoscale configuration using Resource Manager templates for virtual machine scale sets](autoscale-virtual-machine-scale-sets.md)

+Autoscale scales horizontally, which is an increase, or decrease of the number of resource instances. For example, in a virtual machine scale set, scaling out means adding more virtual machines Scaling in means removing virtual machines. Horizontal scaling is flexible in a cloud situation as it allows you to run a large number of VMs to handle load.

+In contrast, vertical scaling, keeps the same number of resources constant, but gives them more capacity in terms of memory, CPU speed, disk space and network. Adding or removing capacity in vertical scaling is known as scaling or down. Vertical scaling is limited by the availability of larger hardware, which eventually reaches an upper limit. Hardware size availability varies in Azure by region. Vertical scaling may also require a restart of the virtual machine during the scaling process.

+The following services are supported by autoscale:

+| Service | Schema & Documentation |

+| Virtual Machines: Windows scale sets |[Scaling virtual machine scale sets in Windows](../../virtual-machine-scale-sets/tutorial-autoscale-powershell.md) |

+| Virtual Machines: Linux scale sets |[Scaling virtual machine scale sets in Linux](../../virtual-machine-scale-sets/tutorial-autoscale-cli.md) |

+| Virtual Machines: Windows Example |[Advanced Autoscale configuration using Resource Manager templates for virtual machine scale sets](autoscale-virtual-machine-scale-sets.md) |

+To learn more about autoscale, see the following resources:

+* [Scale virtual machine scale sets](/azure/virtual-machine-scale-sets/tutorial-autoscale-powershell?toc=/azure/azure-monitor/toc.json)

+* [Autoscale using Resource Manager templates for virtual machine scale sets](/azure/virtual-machine-scale-sets/tutorial-autoscale-powershell?toc=/azure/azure-monitor/toc.json)

+* [Troubleshooting virtual machine scale sets and autoscale](../../virtual-machine-scale-sets/virtual-machine-scale-sets-troubleshoot.md)

+* [Troubleshooting Azure Monitor autoscale](/azure/azure-monitor/autoscale/autoscale-troubleshoot)

+- Perform advanced analysis using features such as [distributed tracing](app/distributed-tracing.md) and [smart detection](alerts/proactive-diagnostics.md).

+If you are [deploying a new AKS cluster using Terraform](/azure/developer/terraform/create-k8s-cluster-with-tf-and-aks), you specify the arguments required in the profile [to create a Log Analytics workspace](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace) if you do not choose to specify an existing one. To add Container insights to the workspace, see [azurerm_log_analytics_solution](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_solution) and complete the profile by including the [**addon_profile**](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster) and specify **oms_agent**.

+| Resource configurations and settings changes | Change Analysis securely queries and computes IP Configuration rules, TLS settings, and extension versions to provide more change details in the app. | [Azure Resource Manager configuration changes](./change/change-analysis.md#azure-resource-manager-configuration-changes) |

+Azure Commitment Discounts such as those received from [Microsoft Enterprise Agreements](https://www.microsoft.com/licensing/licensing-programs/enterprise) are applied to Azure Monitor Logs Commitment Tier pricing just as they are to Pay-As-You-Go pricing (whether the usage is being billed per workspace or per dedicated cluster).

+> Legacy queries are only available in a Log Analytics Workspace.

+* [Smart Detection](../alerts/proactive-diagnostics.md) automatically discovers performance anomalies.

+> [!WARNING]

+> When moving a workspace-based Application Insights component to a different subscription, telemetry stored in the original subscription will not be accessible anymore. This is because telemetry is identified by the Application Insights resource ID, which changes when you move the component to a different subscription. Please notice that once moved, there is no way to retrieve telemetry from the original subscription.

+In this article, you'll learn how to evaluate pronunciation with the Speech-to-Text capability through the Speech SDK. To [get pronunciation assessment results](#get-pronunciation-assessment-results), you'll apply the `PronunciationAssessmentConfig` settings to a `SpeechRecognizer` object.

+Pronunciation assessment uses the Speech-to-Text capability to provide subjective and objective feedback for language learners. Practicing pronunciation and getting timely feedback are essential for improving language skills. Assessments driven by experienced teachers can take a lot of time and effort and makes a high-quality assessment expensive for learners. Pronunciation assessment can help make the language assessment more engaging and accessible to learners of all backgrounds.

+ Title: Continuous export can send Microsoft Defender for Cloud's alerts and recommendations to Log Analytics or Azure Event Hubs

+description: Learn how to configure continuous export of security alerts and recommendations to Log Analytics or Azure Event Hubs

+Microsoft Defender for Cloud generates detailed security alerts and recommendations. To analyze the information in these alerts and recommendations, you can export them to Azure Log Analytics, Event Hubs, or to another [SIEM, SOAR, or IT Service Management solution](export-to-siem.md). You can stream the alerts and recommendations as they're generated or define a schedule to send periodic snapshots of all of the new data.

+With **continuous export**, you fully customize *what* will be exported and *where* it will go. For example, you can configure it so that:

+- All high severity alerts are sent to an Azure event hub

+- Specific recommendations are delivered to an event hub or Log Analytics workspace whenever they're generated

+- The secure score for a subscription is sent to a Log Analytics workspace whenever the score for a control changes by 0.01 or more

+This article describes how to configure continuous export to Log Analytics workspaces or Azure event hubs.

+|Required roles and permissions:|<ul><li>**Security admin** or **Owner** on the resource group</li><li>Write permissions for the target resource.</li><li>If you're using the Azure Policy 'DeployIfNotExist' policies described below, you'll also need permissions for assigning policies</li><li>To export data to Event Hubs, you'll need Write permission on the Event Hubs Policy.</li><li>To export to a Log Analytics workspace:<ul><li>if it **has the SecurityCenterFree solution**, you'll need a minimum of read permissions for the workspace solution: `Microsoft.OperationsManagement/solutions/read`</li><li>if it **doesn't have the SecurityCenterFree solution**, you'll need write permissions for the workspace solution: `Microsoft.OperationsManagement/solutions/action`</li><li>Learn more about [Azure Monitor and Log Analytics workspace solutions](../azure-monitor/insights/solutions.md)</li></ul></li></ul>|

+|Clouds:|:::image type="icon" source="./media/icons/yes-icon.png"::: Commercial clouds<br>:::image type="icon" source="./media/icons/yes-icon.png"::: National (Azure Government, Azure China 21Vianet)|

+- Security findings. Findings can be thought of as 'sub' recommendations and belong to a 'parent' recommendation. For example:

+ > If youΓÇÖre configuring a continuous export with the REST API, always include the parent with the findings.

+The steps below are necessary whether you're setting up a continuous export to Log Analytics or Azure Event Hubs.

+1. From the sidebar of the settings page for that subscription, select **Continuous export**.

+ :::image type="content" source="./media/continuous-export/continuous-export-options-page.png" alt-text="Export options in Microsoft Defender for Cloud." lightbox="./media/continuous-export/continuous-export-options-page.png":::

+ Here you see the export options. There's a tab for each available export target, either Event hub or Log Analytics workspace.

+1. Select the export frequency:

+ If your selection includes one of these recommendations, you can include the vulnerability assessment findings together with them:

+ You can also send the data to an [Event hub or Log Analytics workspace in a different tenant](#export-data-to-an-azure-event-hub-or-log-analytics-workspace-in-another-tenant).

+- Azure Logic Apps

+You can also send the data to an [Event hub or Log Analytics workspace in a different tenant](#export-data-to-an-azure-event-hub-or-log-analytics-workspace-in-another-tenant).

+Here are some examples of options that you can only use in the the API:

+* **Greater volume** - You can create multiple export configurations on a single subscription with the API. The **Continuous Export** page in the Azure portal supports only one export configuration per subscription.

+* **Additional features** - The API offers parameters that aren't shown in the Azure portal. For example, you can add tags to your automation resource and define your export based on a wider set of alert and recommendation properties than the ones offered in the **Continuous Export** page in the Azure portal.

+* **More focused scope** - The API provides a more granular level for the scope of your export configurations. When defining an export with the API, you can do so at the resource group level. If you're using the **Continuous Export** page in the Azure portal, you have to define it at the subscription level.

+ > These API-only options are not shown in the Azure portal. If you use them, there'll be a banner informing you that other configurations exist.

+ |Continuous export to Event Hubs|[Deploy export to Event Hubs for Microsoft Defender for Cloud alerts and recommendations](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2fproviders%2fMicrosoft.Authorization%2fpolicyDefinitions%2fcdfcce10-4578-4ecd-9703-530938e4abcb)|cdfcce10-4578-4ecd-9703-530938e4abcb|

+ > 2. From the Azure Policy menu, select **Definitions** and search for them by name.

+ 1. In the **Basics** tab, set the scope for the policy. To use centralized management, assign the policy to the Management Group containing the subscriptions that will use continuous export configuration.

+ 1. In the **Parameters** tab, set the resource group and data type details.

+## Exporting to a Log Analytics workspace

+Security alerts and recommendations are stored in the *SecurityAlert* and *SecurityRecommendation* tables respectively.

+The name of the Log Analytics solution containing these tables depends on whether you've enabled the enhanced security features: Security ('Security and Audit') or SecurityCenterFree.

+## Export data to an Azure Event hub or Log Analytics workspace in another tenant

+You can export data to an Azure Event hub or Log Analytics workspace in a different tenant, which can help you to gather your data for central analysis.

+To export data to an Azure Event hub or Log Analytics workspace in a different tenant:

+1. In the tenant that has the Azure Event hub or Log Analytics workspace, [invite a user](../active-directory/external-identities/what-is-b2b.md#easily-invite-guest-users-from-the-azure-ad-portal) from the tenant that hosts the continuous export configuration.

+1. For a Log Analytics workspace: After the user accepts the invitation to join the tenant, assign the user in the workspace tenant one of these roles: Owner, Contributor, Log Analytics Contributor, Sentinel Contributor, Monitoring Contributor

+1. Configure the continuous export configuration and select the Event hub or Analytics workspace to send the data to.

+You might also choose to view exported Security Alerts and/or recommendations in [Azure Monitor](../azure-monitor/alerts/alerts-overview.md).

+Azure Monitor provides a unified alerting experience for various Azure alerts including Diagnostic Log, Metric alerts, and custom alerts based on Log Analytics workspace queries.

+ * For **Condition**, select **Custom log search**. In the page that appears, configure the query, lookback period, and frequency period. In the search query, you can type *SecurityAlert* or *SecurityRecommendation* to query the data types that Defender for Cloud continuously exports to as you enable the Continuous export to Log Analytics feature.

+

+There's no cost for enabling a continuous export. Costs might be incurred for ingestion and retention of data in your Log Analytics workspace, depending on your configuration there.

+Many alerts are only provided when you've enabled Defender plans for your resources. A good way to preview the alerts you'll get in your exported data is to see the alerts shown in Defender for Cloud's pages in the Azure portal.

+Learn more about [Log Analytics workspace pricing](https://azure.microsoft.com/pricing/details/monitor/).

+Learn more about [Azure Event Hubs pricing](https://azure.microsoft.com/pricing/details/event-hubs/).

+- **Secure score** per security control or subscription is sent when a security control's score changes by 0.01 or more.

+Different recommendations have different compliance evaluation intervals, which can range from every few minutes to every few days. So, the amount of time that it takes for recommendations to appear in your exports varies.

+Continuous export can be helpful in to prepare for BCDR scenarios where the target resource is experiencing an outage or other disaster. However, it's the organization's responsibility to prevent data loss by establishing backups according to the guidelines from Azure Event Hubs, Log Analytics workspace, and Logic App.

+In this article, you learned how to configure continuous exports of your recommendations and alerts. You also learned how to download your alerts data as a CSV file.

+For related material, see the following documentation:

+- [How can I check that the Qualys extension is properly installed?](#how-can-i-check-that-the-qualys-extension-is-properly-installed)

+### How can I check that the Qualys extension is properly installed?

+You can use the `curl` command to check the connectivity to the relevant Qualys URL. A valid response would be: `{"code":404,"message":"HTTP 404 Not Found"}`

+In addition, make sure that the DNS resolution for these URLs is successful and that everything is [valid with the certificate authority](https://success.qualys.com/support/s/article/000001856) that is used.

+To manually run a Logic App, open an alert, or a recommendation and select **Trigger Logic App**:

+ |Workflow automation for security alerts |[Deploy Workflow Automation for Microsoft Defender for Cloud alerts](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff1525828-9a90-4fcf-be48-268cdd02361e)|f1525828-9a90-4fcf-be48-268cdd02361e|

+ |Workflow automation for security recommendations |[Deploy Workflow Automation for Microsoft Defender for Cloud recommendations](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F73d6ab6c-2475-4850-afd6-43795f3492ef)|73d6ab6c-2475-4850-afd6-43795f3492ef|

+ |Workflow automation for regulatory compliance changes|[Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F509122b9-ddd9-47ba-a5f1-d0dac20be63c)|509122b9-ddd9-47ba-a5f1-d0dac20be63c|

+ > [!NOTE]

+ > The three workflow automation policies have recently been rebranded. nfortunately, this change came with an unavoidable breaking change. To learn how to mitigate this breaking change, see [mitigate breaking change](#mitigate-breaking-change),

+### Mitigate breaking change

+Recently we've rebranded the following recommendation:

+- [Deploy Workflow Automation for Microsoft Defender for Cloud alerts](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff1525828-9a90-4fcf-be48-268cdd02361e)

+- [Deploy Workflow Automation for Microsoft Defender for Cloud recommendations](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F73d6ab6c-2475-4850-afd6-43795f3492ef)

+- [Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F509122b9-ddd9-47ba-a5f1-d0dac20be63c)

+Unfortunately, this change came with an unavoidable breaking change. The breaking change causes all of the old workflow automation policies that used the built-in connectors to be uncompliant.

+**To mitigate this issue**:

+1. Navigate to the logic app that is connected to the policy.

+1. Select **Logic app designer**.

+1. Select the **three dot** > **Rename**.

+1. Rename the Defender for cloud connector as follows:

+

+ | Original name | New name|

+ |--|--|

+ |Deploy Workflow Automation for Microsoft Defender for Cloud alerts | When an Microsoft Defender for Clou dAlert is created or triggered ^{[1](#footnote1)}|

+ | Deploy Workflow Automation for Microsoft Defender for Cloud recommendations | When an Microsoft Defender for Cloud Recommendation is created or triggered |

+ | Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance | When a Microsoft Defender for Cloud Regulatory Compliance Assessment is created or triggered |

+ ^{<a name="footnote1"></a>1} The typo `Clou dAlert` is intentional.

+Working with map views helps expedite forensics when analyzing large networks. Map views include the following options:

+| 22.1.7 | 07/2022 | 4/2023 |

+|**OT networks** |**Sensor software version 22.2.4**: <br>- [Device inventory enhancements](#device-inventory-enhancements)<br>- [Enhancements for the ServiceNow integration API](#enhancements-for-the-servicenow-integration-api)<br><br>**Sensor software version 22.2.3**:<br>- [OT appliance hardware profile updates](#ot-appliance-hardware-profile-updates)<br>- [PCAP access from the Azure portal](#pcap-access-from-the-azure-portal-public-preview)<br>- [Bi-directional alert synch between sensors and the Azure portal](#bi-directional-alert-synch-between-sensors-and-the-azure-portal-public-preview)<br>- [Support diagnostic log enhancements](#support-diagnostic-log-enhancements-public-preview)<br>- [Improved security for uploading protocol plugins](#improved-security-for-uploading-protocol-plugins)<br>- [Sensor names shown in browser tabs](#sensor-names-shown-in-browser-tabs)<br><br>**Sensor software version 22.1.7**: <br>- [Same passwords for *cyberx_host* and *cyberx* users](#same-passwords-for-cyberx_host-and-cyberx-users) <br><br>**To update to version 22.2.x**:<br>- **From version 22.1.x**, update directly to the latest **22.2.x** version<br>- **From version 10.x**, first update to the latest **22.1.x** version, and then update again to the latest **22.2.x** version <br><br>For more information, see [Update Defender for IoT OT monitoring software](update-ot-software.md). |

+### Same passwords for cyberx_host and cyberx users

+During OT monitoring software installations and updates, the **cyberx** user is assigned a random password. When updating from version 10.x.x to version 22.1.7, the **cyberx_host** password is assigned with an identical password to the **cyberx** user.

+For more information, see [Update Defender for IoT OT monitoring software](update-ot-software.md).

+1. Name the project *SendCloudToDevice*, then select **Next**.

+1. Accept the most recent version of the .NET Framework. Select **Create** to create the project.

+In the [first part of this tutorial](tutorial-routing.md), you saw how to create custom endpoints and route messages to other Azure services. In this tutorial, you see how to create and configure the extra resources needed to test message enrichments for an IoT hub. The resources include a second storage container for an existing storage account (created in the first part of the tutorial) to hold the enriched messages and a message route to send them there. After the configurations for the message routing and message enrichments are finished, you use an application to send messages to the IoT hub. The hub then routes them to both storage containers. Only the messages sent to the endpoint for the **enriched** storage container are enriched.

+> * Create a second container in your storage account.

+> * Create another custom endpoint and route messages to it from the IoT hub.

+> * Configure message enrichments that are routed to the new endpoint.

+> * View the results and verify that the message enrichments are being applied to the targeted messages.

+* You must have completed [Tutorial: Send device data to Azure Storage using IoT Hub message routing](tutorial-routing.md) and maintained the resources you created for it.

+# [Azure portal](#tab/portal)

+There are no other prerequisites for the Azure portal.

+# [Azure CLI](#tab/cli)

+## Create a second container in your storage account

+In [the first part](tutorial-routing.md#create-a-storage-account) of this tutorial, you created a storage account and container for routed messages. Now you should create a second container for enriched messages.

+# [Azure portal](#tab/portal)

+1. In the Azure portal, search for **Storage accounts**.

+1. Select the account you created earlier.

+1. In the storage account menu, select **Containers** from the **Data storage** section.

+1. Select **Container** to create the new container.

+ :::image type="content" source="./media/tutorial-message-enrichments/create-storage-container.png" alt-text="Screenshot of creating a storage container.":::

+1. Name the container *enriched* and select **Create**.

+# [Azure CLI](#tab/cli)

+> [!TIP]

+> Many of the CLI commands used throughout this tutorial use the same parameters. For your convenience, we have you define local variables that can be called as needed. Be sure to run all the commands in the same session, or else you will have to redefine the variables.

+The values for these variables should be for the same resources you used in the first part of this tutorial.

+1. Define the variables for your IoT hub, storage account, and container.

+ *GROUP_NAME*: Replace this placeholder with the name of the resource group that contains your IoT hub.

+ *IOTHUB_NAME*: Replace this placeholder with the name of your IoT hub.

+ *DEVICE_ID*: Replace this placeholder with the ID of your device.

+ *STORAGE_NAME*: Replace this placeholder with the name of your storage account.

+ For this tutorial, the value for the `containerName` variable should be *enriched*.

+ ```azurecli-interactive

+ resourceGroup=GROUP_NAME

+ hubName=IOTHUB_NAME

+ deviceId=DEVICE_ID

+ storageName=STORAGE_NAME

+ containerName=enriched

+ ```

+1. Use the [az storage container create](/cli/azure/storage/container#az-storage-container-create) command to add the container to your storage account.

+ ```azurecli-interactive

+ az storage container create --auth-mode login --account-name $storageName --name $containerName

+ ```

+## Route messages to a second endpoint

+Create a second endpoint and route for the enriched messages.

+# [Azure portal](#tab/portal)

+1. In the Azure portal, navigate to your IoT hub.

+1. Select **Message Routing** from the **Hub settings** section of the menu.

+1. In the **Routes** tab, select **Add**.

+ :::image type="content" source="./media/tutorial-message-enrichments/add-route.png" alt-text="Screenshot of adding a new message route.":::

+1. Select **Add endpoint** next to the **Endpoint** field, then select **Storage** from the dropdown menu.

+ :::image type="content" source="./media/tutorial-message-enrichments/add-storage-endpoint.png" alt-text="Screenshot of adding a new endpoint for a route.":::

+1. Provide the following information for the new storage endpoint:

+ | Parameter | Value |

+ | | -- |

+ | **Endpoint name** | ContosoStorageEndpointEnriched |

+ | **Azure Storage container** | Select **Pick a container**, which takes you to a list of storage accounts. Choose the storage account that you created in the previous section, then choose the **enriched** container that you created in that account. Select **Select**.|

+ | **Encoding** | Select **JSON**. If this field is greyed out, then your storage account region doesn't support JSON. In that case, continue with the default **AVRO**. |

+ :::image type="content" source="./media/tutorial-message-enrichments/create-storage-endpoint.png" alt-text="Screenshot showing selecting a container for an endpoint.":::

+1. Accept the default values for the rest of the parameters and select **Create**.

+1. Continue creating the new route, now that you've added the storage endpoint. Provide the following information for the new route:

+ | Parameter | Value |

+ | -- | -- |

+ | **Name** | ContosoStorageRouteEnriched |

+ | **Data source** | Verify that **Device Telemetry Messages** is selected from the dropdown list. |

+ | **Enable route** | Verify that this field is set to `enabled`. |

+ | **Routing query** | Enter `level="storage"` as the query string. |

+ :::image type="content" source="./media/tutorial-message-enrichments/create-storage-route.png" alt-text="Screenshot showing saving routing query information.":::

+1. Select **Save**.

+# [Azure CLI](#tab/cli)

+1. Configure the variables for the endpoint and route commands to use the values *ContosoStorageEndpointEnriched* and *ContosoStorageRouteEnriched*, respectively.

+ ```azurecli-interactive

+ endpointName=ContosoStorageEndpointEnriched

+ routeName=ContosoStorageRouteEnriched

+ ```

+1. Use the [az iot hub routing-endpoint create](/cli/azure/iot/hub/routing-endpoint#az-iot-hub-routing-endpoint-create) command to create a custom endpoint that points to the storage container you made in the previous section.

+ ```azurecli-interactive

+ az iot hub routing-endpoint create \

+ --connection-string $(az storage account show-connection-string --name $storageName --query connectionString -o tsv) \

+ --endpoint-name $endpointName \

+ --endpoint-resource-group $resourceGroup \

+ --endpoint-subscription-id $(az account show --query id -o tsv) \

+ --endpoint-type azurestoragecontainer

+ --hub-name $hubName \

+ --container $containerName \

+ --resource-group $resourceGroup \

+ --encoding json

+ ```

+1. Use the [az iot hub route create](/cli/azure/iot/hub/route#az-iot-hub-route-create) command to create a route that passes any message where `level=storage` to the storage container endpoint.

+ ```azurecli-interactive

+ az iot hub route create \

+ --name $routeName \

+ --hub-name $hubName \

+ --resource-group $resourceGroup \

+ --source devicemessages \

+ --endpoint-name $endpointName \

+ --enabled true \

+ --condition 'level="storage"'

+ ```

+## Add message enrichment to the new endpoint

+Create three message enrichments that will be routed to the **enriched** storage container.

+# [Azure portal](#tab/portal)

+1. In the Azure portal, navigate to your IoT hub.

+1. Select **Message routing** for the IoT hub.

+ :::image type="content" source="./media/tutorial-message-enrichments/select-iot-hub.png" alt-text="Screenshot that shows how to select message routing.":::

+ The message routing pane has three tabs labeled **Routes**, **Custom endpoints**, and **Enrich messages**.

+1. Select the **Enrich messages** tab to add three message enrichments for the messages going to the endpoint for the storage container called **enriched**.

+1. For each message enrichment, fill in the name and value, and then select the endpoint **ContosoStorageEndpointEnriched** from the drop-down list. Here's an example of how to set up an enrichment that adds the IoT hub name to the message:

+ :::image type="content" source="./media/tutorial-message-enrichments/add-message-enrichments.png" alt-text="Screenshot that shows adding the first enrichment.":::

+ Add these values to the list for the ContosoStorageEndpointEnriched endpoint:

+ | Name | Value | Endpoint |

+ | - | -- | -- |

+ | myIotHub | `$hubname` | ContosoStorageEndpointEnriched |

+ | DeviceLocation | `$twin.tags.location` (assumes that the device twin has a location tag) | ContosoStorageEndpointEnriched |

+ | customerID | `6ce345b8-1e4a-411e-9398-d34587459a3a` | ContosoStorageEndpointEnriched |

+ When you're finished, your pane should look similar to this image:

+ :::image type="content" source="./media/tutorial-message-enrichments/all-message-enrichments.png" alt-text="Screenshot of table with all enrichments added.":::

+1. Select **Apply** to save the changes.

+# [Azure CLI](#tab/cli)

+Make three calls to the [az iot hub message-enrichment create](/cli/azure/iot/hub/message-enrichment#az-iot-hub-message-enrichment-create) command to add message enrichments to the route going to the endpoint created earlier.

+```azurecli-interactive

+az iot hub message-enrichment create \

+ --key myIotHub \

+ --value $hubName \

+ --endpoints ContosoStorageEndpointEnriched \

+ --name $hubName

+# This assumes that the device twin has a location tag.

+az iot hub message-enrichment create \

+ --key DeviceLocation \

+ --value '$twin.tags.location' \

+ --endpoints ContosoStorageEndpointEnriched \

+ --name $hubName

+az iot hub message-enrichment create \

+ --key customerID \

+ --value 6ce345b8-1e4a-411e-9398-d34587459a3a \

+ --endpoints ContosoStorageEndpointEnriched \

+ --name $hubName

+```

+You now have message enrichments set up for all messages routed to the endpoint you created for enriched messages. If you don't want to add a location tag to the device twin, you can skip to the [Test message enrichments](#test-message-enrichments) section to continue the tutorial.

+One of the message enrichments configured on your IoT hub specifies a key of **DeviceLocation** with its value determined by the following device twin path: `$twin.tags.location`. If your device twin doesn't have a location tag, the twin path, `$twin.tags.location`, will be stamped as a string for the **DeviceLocation** key in the message enrichments.

+Follow these steps to add a location tag to your device's twin:

+# [Azure portal](#tab/portal)

+ :::image type="content" source="./media/tutorial-message-enrichments/add-location-tag-to-device-twin.png" alt-text="Screenshot of adding location tag to device twin in Azure portal.":::

+# [Azure CLI](#tab/cli)

+Use the [az iot hub device-twin update](/cli/azure/iot/hub/device-twin#az-iot-hub-device-twin-update) command to update the device twin with a new tag key and value.

+```azurecli-interactive

+az iot hub device-twin update \

+ --hub-name $hubName \

+ --device-id $deviceId \

+ --tags '{"location": "Plant 43"}'

+```

+> [!TIP]

+> Wait about five minutes before continuing to the next section. It can take up to that long for updates to the device twin to be reflected in message enrichment values.

+To learn more about how device twin paths are handled with message enrichments, see [Message enrichments limitations](iot-hub-message-enrichments-overview.md#limitations). To learn more about device twins, see [Understand and use device twins in IoT Hub](iot-hub-devguide-device-twins.md).

+## Test message enrichments

+Now that the message enrichments are configured for the **ContosoStorageEndpointEnriched** endpoint, run the simulated device application to send messages to the IoT hub. At this point, message routing has been set up as follows:

+* Messages routed to the [storage endpoint you created](tutorial-routing.md#route-to-a-storage-account) in the first part of the tutorial won't be enriched and will be stored in the storage container you created then.

+* Messages routed to the storage endpoint **ContosoStorageEndpointEnriched** will be enriched and stored in the storage container **enriched**.

+If you aren't still running the SimulatedDevice console application from the first part of this tutorial, run it again:

+> [!TIP]

+> If you're following the Azure CLI steps for this tutorial, run the sample code in a separate session. That way, you can allow the sample code to continue running while you follow the rest of the CLI steps.

+1. In the sample folder, navigate to the `/iot-hub/Tutorials/Routing/SimulatedDevice/` folder.

+1. The variable definitions you updated before should still be valid but, if not, edit them in the `Program.cs` file:

+ 1. Find the variable definitions at the top of the **Program** class. Update the following variables with your own information:

+ * **s_myDeviceId**: The device ID that you assigned when registering the device to your IoT hub.

+ * **s_iotHubUri**: The hostname of your IoT hub, which takes the format `IOTHUB_NAME.azure-devices.net`.

+ * **s_deviceKey**: The device primary key found in the device identity information.

+ 1. Save and close the file.

+1. Run the sample code:

+ ```console

+ dotnet run

+ ```

+After leaving the console application to run for a few minutes, view the data:

+1. In the [Azure portal](https://portal.azure.com), navigate to your storage account.

+1. Select **Storage browser** from the navigation menu. Select **Blob containers** to see the two containers that you created over the course of these tutorials.

+ :::image type="content" source="./media/tutorial-message-enrichments/show-blob-containers.png" alt-text="Screenshot showing the blob containers in the storage account.":::

+The messages in the container called **enriched** have the message enrichments included in the messages. The messages in the container you created earlier have the raw messages with no enrichments. Drill down into the **enriched** container until you get to the bottom and then open the most recent message file. Then do the same for the other container to verify that one is enriched and one isn't.

+When you look at messages that have been enriched, you should see `"myIotHub"` with the hub name, the location, and the customer ID, like this:

+ "myIotHub":"{your hub name}",

+## Clean up resources

+To remove all of the resources you created in both parts of this tutorial, delete the resource group. This action deletes all resources contained within the group. If you don't want to delete the entire resource group, you can select individual resources within to delete.

+# [Azure portal](#tab/portal)

+1. In the Azure portal, navigate to the resource group that contains the IoT hub and storage account for this tutorial.

+1. Review all the resources that are in the resource group to determine which ones you want to clean up.

+ * If you want to delete all the resource, select **Delete resource group**.

+ * If you only want to delete certain resource, use the check boxes next to each resource name to select the ones you want to delete. Then select **Delete**.

+# [Azure CLI](#tab/cli)

+1. Use the [az resource list](/cli/azure/resource#az-resource-list) command to view all the resources in your resource group.

+ ```azurecli-interactive

+ az resource list --resource-group $resourceGroup --output table

+ ```

+1. Review all the resources that are in the resource group to determine which ones you want to clean up.

+ * If you want to delete all the resources, use the [az group delete](/cli/azure/group#az-group-delete) command.

+ ```azurecli-interactive

+ az group delete --name $resourceGroup

+ ```

+ * If you only want to delete certain resources, use the [az resource delete](/cli/azure/resource#az-resource-delete) command. For example:

+ ```azurecli-interactive

+ az resource delete --resource-group $resourceGroup --name $storageName

+ ```

+In this tutorial, you configured and tested message enrichments for IoT Hub messages as they're routed to an endpoint.

+ az iot hub device-identity create --device-id $deviceName --hub-name $hubName

+>[!TIP]

+>If you intend to complete [Tutorial: Use Azure IoT Hub message enrichments](tutorial-message-enrichments.md), be sure to maintain the resources you created here.

+* [Alert on privileged Azure role assignments](role-assignments-alert.md)

+ Title: Alert on privileged Azure role assignments

+description: Alert on privileged Azure role assignments by creating an alert rule using Azure Monitor.

+# Alert on privileged Azure role assignments

+Privileged Azure roles, such as Contributor, Owner, or User Access Administrator, are powerful roles and may introduce risk into your system. You might want to be notified by email or text message when these or other roles are assigned. This article describes how to get notified of privileged role assignments at a subscription scope by creating an alert rule using Azure Monitor.

+## Prerequisites

+To create an alert rule, you must have:

+- Access to an Azure subscription

+- Permission to create resource groups and resources within the subscription

+- [Log Analytics configured](../azure-monitor/logs/quick-create-workspace.md) so it has access to the AzureActivity table

+## Estimate costs before using Azure Monitor

+There's a cost associated with using Azure Monitor and alert rules. The cost is based on the frequency the query is executed and the notifications selected. For more information, see [Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/).

+## Create an alert rule

+To get notified of privileged role assignments, you create an alert rule in Azure Monitor.

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Navigate to **Monitor**.

+1. In the left navigation, click **Alerts**.

+1. Click **Create** > **Alert rule**. The **Create an alert rule** page opens.

+1. On the **Scope** tab, select your subscription.

+1. On the **Condition** tab, select the **Custom log search** signal name.

+1. In the **Log query** box, add the following Kusto query that will run on the subscription's log and trigger the alert.

+ This query filters for attempts to assign the [Contributor](built-in-roles.md#contributor), [Owner](built-in-roles.md#owner), or [User Access Administrator](built-in-roles.md#user-access-administrator) roles at the scope of the selected subscription.

+ ```kusto

+ AzureActivity

+ | where CategoryValue == "Administrative" and

+ OperationNameValue == "Microsoft.Authorization/roleAssignments/write" and

+ (ActivityStatusValue == "Start" or ActivityStatus == "Started")

+ | extend RoleDefinition = extractjson("$.Properties.RoleDefinitionId",tostring(Properties_d.requestbody),typeof(string))

+ | extend PrincipalId = extractjson("$.Properties.PrincipalId",tostring(Properties_d.requestbody),typeof(string))

+ | extend PrincipalType = extractjson("$.Properties.PrincipalType",tostring(Properties_d.requestbody),typeof(string))

+ | extend Scope = extractjson("$.Properties.Scope",tostring(Properties_d.requestbody),typeof(string))

+ | where Scope !contains "resourcegroups"

+ | extend RoleId = split(RoleDefinition,'/')[-1]

+ | extend RoleDisplayName = case(

+ RoleId == 'b24988ac-6180-42a0-ab88-20f7382dd24c', "Contributor",

+ RoleId == '8e3af657-a8ff-443c-a75c-2fe8c4bcb635', "Owner",

+ RoleId == '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9', "User Access Administrator",

+ "Irrelevant")

+ | where RoleDisplayName != "Irrelevant"

+ | project TimeGenerated,Scope, PrincipalId,PrincipalType,RoleDisplayName

+ ```

+ :::image type="content" source="./media/role-assignments-alert/alert-rule-condition.png" alt-text="Screenshot of Create an alert rule condition tab in Azure Monitor." lightbox="./media/role-assignments-alert/alert-rule-condition.png":::

+1. In the **Measurement** section, set the following values:

+ - **Measure**: Table rows

+ - **Aggregation type**: Count

+ - **Aggregation granularity**: 5 minutes

+ For **Aggregation granularity**, you can change the default value to a frequency you desire.

+1. In the **Split by dimensions** section, set **Resource ID column** to **Don't split**.

+1. In the **Alert logic** section, set the following values:

+ - **Operator**: Greater than

+ - **Threshold value**: 0

+ - **Frequency of evaluation**: 5 minutes

+ For **Frequency of evaluation**, you can change the default value to a frequency you desire.

+1. On the **Actions** tab, create an action group or select an existing action group.

+ An action group defines the actions and notifications that are executed when the alert is triggered.

+ When you create an action group, you must specify the resource group to put the action group within. Then, select the notifications (Email/SMS message/Push/Voice action) to invoke when the alert rule triggers. You can skip the **Actions** and **Tag** tabs. For more information, see [Create and manage action groups in the Azure portal](../azure-monitor/alerts/action-groups.md).

+1. On the **Details** tab, select the resource group to save the alert rule.

+1. In the **Alert rule details** section, select a **Severity** and specify an **Alert rule name**.

+1. For **Region**, you can select any region since Azure activity logs are global.

+1. Skip the **Tags** tab.

+1. On the **Review + create** tab, click **Create** to create your alert rule.

+## Test the alert rule

+Once you've created an alert rule, you can test that it fires.

+1. Assign the Contributor, Owner, or User Access Administrator role at subscription scope. For more information, see [Assign Azure roles using the Azure portal](role-assignments-portal.md).

+1. Wait a few minutes to receive the alert based on the aggregation granularity and the frequency of evaluation of the log query.

+1. On the **Alerts** page, monitor for alert you specified in the action group.

+ :::image type="content" source="./media/role-assignments-alert/alert-fired.png" alt-text="Screenshot of the Alerts page showing that role assignment alert fired." lightbox="./media/role-assignments-alert/alert-fired.png":::

+ The following image shows an example of the email alert.

+ :::image type="content" source="./media/role-assignments-alert/alert-email.png" alt-text="Screenshot of an email alert for a role assignment." lightbox="./media/role-assignments-alert/alert-email.png":::

+## Delete the alert rule

+Follow these steps to delete the role assignment alert rule and stop additional costs.

+1. In **Monitor**, navigate to **Alerts**.

+1. In the bar, click **Alert rules**.

+1. Add a checkmark next to the alert rule you want to delete.

+1. Click **Delete** to remove the alert.

+## Next steps

+- [Create, view, and manage activity log alerts by using Azure Monitor](../azure-monitor/alerts/alerts-activity-log.md)

+- [View activity logs for Azure RBAC changes](change-history-report.md)

+- [Alert on privileged Azure role assignments](role-assignments-alert.md)

+You'll receive the following error message:

+Number of authentication tokens for concurrent links in a single connection to a Service Bus namespace has exceeded the limit: 1000.

+Do one of the following steps:

+- Reduce the number of concurrent links in a single connection or use a new connection

+- Use SDKs for Azure Service Bus, which ensures that you don't get into this situation (recommended)

+1. To create a new service connection in App Service, select the **Search resources, services and docs (G +/)** search bar at the top of the Azure portal, type ***App Services***, and select **App Services**.

+ :::image type="content" source="./media/app-service-quickstart/select-app-services.png" alt-text="Screenshot of the Azure portal, selecting App Services.":::

+1. Select the Azure App Services resource you want to connect to a target resource.

+1. Select **Service Connector** from the left table of contents. Then select **Create**.

+ :::image type="content" source="./media/app-service-quickstart/select-service-connector.png" alt-text="Screenshot of the Azure portal, selecting Service Connector and creating new connection.":::

+1. Select or enter the following settings.

+ | Setting | Example | Description |

+ ||-|-|

+ | **Service type** | Storage - Blob | The target service type. If you don't have a Microsoft Blob Storage, you can [create one](../storage/blobs/storage-quickstart-blobs-portal.md) or use another service type. |

+ | **Subscription** | My subscription | The subscription for your target service (the service you want to connect to). The default value is the subscription for this App Service resource. |

+ | **Connection name** | *my_connection* | The connection name that identifies the connection between your App Service and target service. Use the connection name provided by Service Connector or choose your own connection name. |

+ | **Storage account** | *my_storage_account* | The target storage account you want to connect to. Target service instances to choose from vary according to the selected service type. |

+ | **Client type** | The same app stack on this App Service | The default value comes from the App Service runtime stack. Select the app stack that's on this App Service instance. |

+ :::image type="content" source="./media/app-service-quickstart/basics-tab.png" alt-text="Screenshot of the Azure portal, filling out the Basics tab.":::

+1. Select **Next: Authentication** to choose an authentication method.

+ ### [System-assigned managed identity](#tab/SMI)

+ System-assigned managed identity is the recommended authentication option. Select **System-assigned managed identity** to connect through an identity that's generated in Azure Active Directory and tied to the lifecycle of the service instance.

+ ### [User-assigned managed identity](#tab/UMI)

+ Select **User-assigned managed identity** to authenticate through a standalone identity assigned to one or more instances of an Azure service.

+ ### [Connection string](#tab/CS)

+ Select **Connection string** to generate or configure one or multiple key-value pairs with pure secrets or tokens.

+ ### [Service principal](#tab/SP)

+ Select **Service principal** to use a service principal that defines the access policy and permissions for the user/application in Azure Active Directory.

+1. Select **Next: Networking** to configure the network access to your target service and select **Configure firewall rules to enable access to your target service**.

+1. Select **Next: Review + Create** to review the provided information. Then select **Create** to create the service connection. This operation may take a minute to complete.

+1. The **Service Connector** tab displays existing App Service connections.

+1. Select the **>** button to expand the list and see the environment variables required by your application code. Select **Hidden value** to view the hidden value.

+ :::image type="content" source="./media/app-service-quickstart/show-values.png" alt-text="Screenshot of the Azure portal, viewing connection details.":::

+1. Select **Validate** to check your connection. You can see the connection validation details in the panel on the right.

+ :::image type="content" source="./media/app-service-quickstart/validation.png" alt-text="Screenshot of the Azure portal, validating the connection.":::

+> [Tutorial: WebApp + Storage with Azure CLI](./tutorial-csharp-webapp-storage-cli.md)

+> [!div class="nextstepaction"]

+> [Tutorial: WebApp + PostgreSQL with Azure CLI](./tutorial-django-webapp-postgres-cli.md)

+* [Smart Detection in Application Insights](../azure-monitor/alerts/proactive-diagnostics.md) performs a proactive analysis of the telemetry being sent to AI to warn you of potential performance problems

+* [Smart Detection in Application Insights](../azure-monitor/alerts/proactive-diagnostics.md) performs a proactive analysis of the telemetry being sent to Application Insights to warn you of potential performance problems

+ Title: Azure Virtual Desktop setup file share MSIX app attach - Azure

+MSIX app attach image size limits for your system depend on the storage type you're using to store the VHD or VHDX files, as well as the size limitations of the VHD, VHDX or CIM files and the file system.

+ Title: Set up FSLogix Profile Container with Azure Files and AD DS or Azure AD DS - Azure Virtual Desktop

+description: This article describes how to create a FSLogix Profile Container with Azure Files and Active Directory Domain Services or Azure Active Directory Domain Services.

+# Set up FSLogix Profile Container with Azure Files and Active Directory Domain Services or Azure Active Directory Domain Services

+This article will show you how to set up FSLogix Profile Container with Azure Files when your session host virtual machines (VMs) are joined to an Active Directory Domain Services (AD DS) domain or Azure Active Directory Domain Services (Azure AD DS) managed domain.

+## Prerequisites

+You'll need the following:

+- A host pool where the session hosts are joined to an AD DS domain or Azure AD DS managed domain and users are assigned.

+- A security group in your domain that contains the users who will use Profile Container. If you're using AD DS, this must be synchronized to Azure AD.

+- Permission on your Azure subscription to create a storage account and add role assignments.

+- A domain account to join computers to the domain and open an elevated PowerShell prompt.

+- The subscription ID of your Azure subscription where your storage account will be.

+- A computer joined to your domain for installing and running PowerShell modules that will join a storage account to your domain. This device will need to be running a [Supported version of Windows](/powershell/scripting/install/installing-powershell-on-windows.md#supported-versions-of-windows). Alternatively, you can use a session host.

+> [!IMPORTANT]

+> If users have previously signed in to the session hosts you want to use, local profiles will have been created for them and must be deleted first by an administrator for their profile to be stored in a Profile Container.

+## Set up a storage account for Profile Container

+To set up a storage account:

+1. Sign in to the Azure portal.

+1. Search for **Storage accounts** in the search bar.

+1. Select **+ Create**.

+1. Enter the following information into the **Basics** tab on the **Create storage account** page:

+ - Create a new resource group or select an existing one to store the storage account in.

+ - Enter a unique name for your storage account. This storage account name needs to be between 3 and 24 characters.

+ - For **Region**, we recommend you choose the same location as the Azure Virtual Desktop host pool.

+ - For **Performance**, select **Standard** as a minimum.

+ - If you select Premium performance, set the **Premium account type** to **File shares**.

+ - For **Redundancy**, select **Locally-redundant storage (LRS)** as a minimum.

+ - The defaults on the remaining tabs don't need to be changed.

+

+ > [!TIP]

+ > Your organization may have requirements to change these defaults:

+ >

+ > - Whether you should select **Premium** depends on your IOPS and latency requirements. For more information, see [Storage options for FSLogix Profile Containers in Azure Virtual Desktop](store-fslogix-profile.md).

+ > - On the **Advanced** tab, **Enable storage account key access** must be left enabled.

+ > - For more information on the remaining configuration options, see [Planning for an Azure Files deployment](../storage/files/storage-files-planning.md).

+1. Select **Review + create**. Review the parameters and the values that will be used, then select **Create**.

+1. Once the storage account has been created, select **Go to resource**.

+1. In the **Data storage** section, select **File shares**.

+1. Select **+ File share**.

+1. Enter a **Name**, such as *Profiles*, then for the tier select **Transaction optimized**.

+## Join your storage account to Active Directory

+To use Active Directory accounts for the share permissions of your file share, you need to enable AD DS or Azure AD DS as a source. This process joins your storage account to a domain, representing it as a computer account. Select the relevant tab below for your scenario and follow the steps.

+# [AD DS](#tab/adds)

+1. Sign in to a computer that is joined to your AD DS domain. Alternatively, sign in to one of your session hosts.

+1. Download and extract [the latest version of AzFilesHybrid](https://github.com/Azure-Samples/azure-files-samples/releases) from the Azure Files samples GitHub repo. Make a note of the folder you extract the files to.

+1. Open an elevated PowerShell prompt and change to the directory where you extracted the files.

+1. Run the following command to add the `AzFilesHybrid` module to your user's PowerShell modules directory:

+ ```powershell

+ .\CopyToPSPath.ps1

+ ```

+1. Import the `AzFilesHybrid` module by running the following command:

+ ```powershell

+ Import-Module -Name AzFilesHybrid

+ ```

+ > [!IMPORTANT]

+ > This module requires requires the [PowerShell Gallery](/powershell/scripting/gallery/overview) and [Azure PowerShell](/powershell/azure/what-is-azure-powershell). You may be prompted to install these if they are not already installed or they need updating. If you are prompted for these, install them, then close all instances of PowerShell. Re-open an elevated PowerShell prompt and import the `AzFilesHybrid` module again before continuing.

+1. Sign in to Azure by running the command below. You will need to use an account that has one of the following role-based access control (RBAC) roles:

+ - Storage account owner

+ - Owner

+ - Contributor

+ ```powershell

+ Connect-AzAccount

+ ```

+ > [!TIP]

+ > If your Azure account has access to multiple tenants and/or subscriptions, you will need to select the correct subscription by setting your context. For more information, see [Azure PowerShell context objects](/powershell/azure/context-persistence.md)

+1. Join the storage account to your domain by running the commands below, replacing the values for `$subscriptionId`, `$resourceGroupName`, and `$storageAccountName` with your values. You can also add the parameter `-OrganizationalUnitDistinguishedName` to specify an Organizational Unit (OU) in which to place the computer account.

+

+ ```powershell

+ $subscriptionId = "subscription-id"

+ $resourceGroupName = "resource-group-name"

+ $storageAccountName = "storage-account-name"

+ Join-AzStorageAccount `

+ -ResourceGroupName $ResourceGroupName `

+ -StorageAccountName $StorageAccountName `

+ -DomainAccountType "ComputerAccount" `

+ -EncryptionType "'RC4','AES256'"

+ ```

+1. To verify the storage account has joined your domain, run the commands below and review the output, replacing the values for `$resourceGroupName` and `$storageAccountName` with your values:

+ ```powershell

+ $resourceGroupName = "resource-group-name"

+ $storageAccountName = "storage-account-name"

+ (Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName).AzureFilesIdentityBasedAuth.DirectoryServiceOptions; (Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName).AzureFilesIdentityBasedAuth.ActiveDirectoryProperties

+ ```

+1. From the Azure portal, open the storage account you created previously.

+1. In the **Data storage** section, select **File shares**.

+1. In the main section of the page, next to **Active Directory**, select **Not configured**.

+1. In the box for **Active Directory Domain Services**, select **Set up**.

+> [!IMPORTANT]

+> If your domain enforces password expiration, you must update the password before it expires to prevent authentication failures when accessing Azure file shares. For more information, see [Update the password of your storage account identity in AD DS](../storage/files/storage-files-identity-ad-ds-update-password.md) for details.

+# [Azure AD DS](#tab/aadds)

+1. From the Azure portal, open the storage account you created previously.

+1. In the **Data storage** section, select **File shares**.

+1. In the main section of the page, next to **Active Directory**, select **Not configured**.

+1. In the box for **Azure Active Directory Domain Services**, select **Set up**.

+1. Tick the box to **Enable Azure Active Directory Domain Services (Azure AD DS) for this file share**, then select **Save**. An Organizational Unit (OU) called **AzureFilesConfig** will be created at the root of your domain and a computer account named the same as the storage account will be created in that OU.

+1. To verify the storage account has joined your domain, run the commands below and review the output, replacing the values for `$resourceGroupName` and `$storageAccountName` with your values:

+ ```powershell

+ $resourceGroupName = "resource-group-name"

+ $storageAccountName = "storage-account-name"

+ (Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName).AzureFilesIdentityBasedAuth.DirectoryServiceOptions; (Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName).AzureFilesIdentityBasedAuth.ActiveDirectoryProperties

+ ```

+## Assign RBAC role to users

+Users needing to store profiles in your file share will need permission to access it. To do this, you'll need to assign each user the *Storage File Data SMB Share Contributor* role.

+To assign users the role:

+1. From the Azure portal, browse to the storage account, then to the file share you created previously.

+1. Select **Access control (IAM)**.

+1. Select **+ Add**, then select **Add role assignment** from the drop-down menu.

+1. Select the role **Storage File Data SMB Share Contributor** and select **Next**.

+1. On the **Members** tab, select **User, group, or service principal**, then select **+Select members**. In the search bar, search for and select the security group that contains the users who will use Profile Container.

+1. Select **Review + assign** to complete the assignment.

+## Set NTFS permissions

+Next, you'll need to set NTFS permissions on the folder, which requires you to get the access key for your Storage account.

+To get the Storage account access key:

+1. From the Azure portal, search for and select **storage account** in the search bar.

+1. From the list of storage accounts, select the account that you enabled Azure AD DS and assigned the RBAC role for in the previous sections.

+1. Under **Security + networking**, select **Access keys**, then show and copy the key from **key1**.

+To set the correct NTFS permissions on the folder:

+1. Sign in to a session host that is part of your host pool.

+1. Open an elevated PowerShell prompt and run the command below to map the storage account as a drive on your session host. The mapped drive will not show in File Explorer, but can be viewed with the `net use` command. This is so you can set permissions on the share.

+ ```cmd

+ net use <desired-drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name> <storage-account-key> /user:Azure\<storage-account-name>

+ ```

+ - Replace `<desired-drive-letter>` with a drive letter of your choice (for example, `y:`).

+ - Replace all instances of `<storage-account-name>` with the name of the storage account you specified earlier.

+ - Replace `<share-name>` with the name of the share you created earlier.

+ - Replace `<storage-account-key>` with the storage account key from Azure.

+ For example:

+ ```cmd

+ net use y: \\fsprofile.file.core.windows.net\share HDZQRoFP2BBmoYQ(truncated)== /user:Azure\fsprofile

+ ```

+1. Run the following commands to set permissions on the share that allow your Azure Virtual Desktop users to create their own profile while blocking access to the profiles of other users. You should use an Active Directory security group that contains the users you want to use Profile Container. In the commands below, replace `<mounted-drive-letter>` with the letter of the drive you used to map the drive and `<upn>` with the UPN name of the Active Directory group or user that will require access to the share.

+ ```cmd

+ icacls <mounted-drive-letter>: /grant "<upn>:(M)"

+ icacls <mounted-drive-letter>: /grant "Creator Owner:(OI)(CI)(IO)(M)"

+ icacls <mounted-drive-letter>: /remove "Authenticated Users"

+ icacls <mounted-drive-letter>: /remove "Builtin\Users"

+ ```

+ For example:

+ ```cmd

+ icacls y: /grant "avdusers@contoso.com:(M)"

+ icacls y: /grant "Creator Owner:(OI)(CI)(IO)(M)"

+ icacls y: /remove "Authenticated Users"

+ icacls y: /remove "Builtin\Users"

+ ```

+## Configure session hosts to use Profile Container

+In order to use Profile Container, you'll need to make sure FSLogix Apps is installed on your session host VMs. FSLogix Apps is preinstalled in Windows 10 Enterprise multi-session and Windows 11 Enterprise multi-session operating systems, but you should still follow the steps below as it might not have the latest version installed. If you're using a [custom image](set-up-golden-image.md), you can install FSLogix Apps in your image.

+To configure Profile Container, we recommend you use Group Policy Preferences to set registry keys and values at scale across all your session hosts. You can also set these in your custom image.

+To configure Profile Container on your session host VMs:

+1. Sign in to the VM used to create your custom image or a session host VM from your host pool.

+1. If you need to install or update FSLogix Apps, download the latest version of [FSLogix](https://aka.ms/fslogix-latest) and install it by running `FSLogixAppsSetup.exe`, then following the instructions in the setup wizard. For more details about the installation process, including customizations and unattended installation, see [Download and Install FSLogix](/fslogix/install-ht).

+1. Open an elevated PowerShell prompt and run the following commands, replacing `\\<storage-account-name>.file.core.windows.net\<share-name>` with the UNC path to your storage account you created earlier. These commands enable Profile Container and configure the location of the share.

+ ```powershell

+ $regPath = "HKLM:\SOFTWARE\FSLogix\Profiles"

+ New-ItemProperty -Path $regPath -Name Enabled -PropertyType DWORD -Value 1 -Force

+ New-ItemProperty -Path $regPath -Name VHDLocations -PropertyType MultiString -Value \\<storage-account-name>.file.core.windows.net\<share-name> -Force

+ ```

+1. Restart the VM used to create your custom image or a session host VM. You will need to repeat these steps for any remaining session host VMs.

+You have now finished the setting up Profile Container. If you are installing Profile Container in your custom image, you will need to finish creating the custom image. For more information, follow the steps in [Create a custom image in Azure](set-up-golden-image.md) from the section [Take the final snapshot](set-up-golden-image.md#take-the-final-snapshot) onwards.

+## Validate profile creation

+Once you've installed and configured Profile Container, you can test your deployment by signing in with a user account that's been assigned an app group or desktop on the host pool.

+If the user has signed in before, they'll have an existing local profile that they'll use during this session. Either delete the local profile first, or create a new user account to use for tests.

+Users can check that Profile Container is set up by following the steps below:

+1. Sign in to Azure Virtual Desktop as the test user.

+1. When the user signs in, the message "Please wait for the FSLogix Apps Services" should appear as part of the sign-in process, before reaching the desktop.

+Administrators can check the profile folder has been created by following the steps below:

+1. Open the Azure portal.

+1. Open the storage account you created in previously.

+1. Go to **Data storage** in your storage account, then select **File shares**.

+1. Open your file share and make sure the user profile folder you've created is in there.

+## Next steps

+You can find more detailed information about concepts related to FSlogix Profile Container for Azure Files in [FSLogix Profile Container for Azure Files](fslogix-containers-azure-files.md).

+- [Set up FSLogix Profile Container with Azure Files and Active Directory](fslogix-profile-container-configure-azure-files-active-directory.md)

+- [Set up FSLogix Profile Container with Azure NetApp Files](create-fslogix-profile-container.md)

+# Troubleshoot Azure Files authentication with Active Directory

+This article describes common issues related to Azure Files authentication with an Active Directory Domain Services (AD DS) domain or Azure Active Directory Domain Services (Azure AD DS) managed domain, and suggestions for how to fix them.

+When you add a virtual machine (VM) to an AD DS group, you must restart that VM to activate its membership within the service.

+## I can't add my storage account to my AD DS domain

+If your storage account needs additional permissions, you may not have assigned the required Azure role-based access control (RBAC) role to users or NTFS permissions. To fix this issue, make sure you've assigned one of these permissions to users who need to access the share:

+If you need to refresh your memory about the Azure Files setup process, see [Set up FSLogix Profile Container with Azure Files and Active Directory Domain Services or Azure Active Directory Domain Services](fslogix-profile-container-configure-azure-files-active-directory.md).

+All Premium SSD v2 disks have a baseline IOPS of 3000 that is free of charge. After 6 GiB, the maximum IOPS a disk can have increases at a rate of 500 per GiB, up to 80,000 IOPS. So an 8 GiB disk can have up to 4,000 IOPS, and a 10 GiB can have up to 5,000 IOPS. To be able to set 80,000 IOPS on a disk, that disk must have at least 160 GiB. Increasing your IOPS beyond 3000 increases the price of your disk.

+All Premium SSD v2 disks have a baseline throughput of 125 MB/s, that is free of charge. After 6 GiB, the maximum throughput that can be set increases by 0.25 MB/s per set IOPS. If a disk has 3,000 IOPS, the max throughput it can set is 750 MB/s. To raise the throughput for this disk beyond 750 MB/s, its IOPS must be increased. For example, if you increased the IOPS to 4,000, then the max throughput that can be set is 1,000. 1,200 MB/s is the maximum throughput supported for disks that have 5,000 IOPS or more. Increasing your throughput beyond 125 increases the price of your disk.

+## Enable SSH

+Learn how to transfer files to an existing VM, see [Use SCP to move files to and from a Linux VM](../linux/copy-files-to-linux-vm-using-scp.md). The same steps will also work for Windows machines.

+When you use Microsoft Azure, you can reliably run your mission-critical SAP workloads and scenarios on a scalable, compliant, and enterprise-proven platform. You get the scalability, flexibility, and cost savings of Azure. With the expanded partnership between Microsoft and SAP, you can run SAP applications across development and test and production scenarios in Azure and be fully supported. From SAP NetWeaver to SAP S/4HANA, SAP BI on Linux to Windows, and SAP HANA to SQL Server, Oracle, Db2, etc, we've got you covered.

+Besides hosting SAP NetWeaver and S/4HANA scenarios with the different DBMS on Azure, you can host other SAP workload scenarios, like SAP BI on Azure.

+We just announced our new services of Azure Center for SAP solutions and Azure Monitor for SAP 2.0 entering the public previev stage. These services will give you the possibility to deploy SAP workload on Azure in a highly automated manner in an optimal architecture and configuration. And monitor your Azure infrastructure, OS, DBMS, and ABAP stack deployments on one single pane of glass.

+For customers and partners who are focussed on deploying and operating their assets in public cloud through Terraform and Ansible, leverage our SAP Deployment Automation Framework (SDAF) to jump start your SAP deployments into Azure using our public Terraform and Ansible modules on [github](https://github.com/Azure/sap-automation).

+- July 18, 2022: Clarify statement around Pacemaker support on Oracle Linux in [Azure Virtual Machines Oracle DBMS deployment for SAP workload](./dbms_guide_oracle.md)

+# Configure a point-to-site VPN connection to a VNet using multiple authentication types: Azure portal

+This article helps you securely connect individual clients running Windows, Linux, or macOS to an Azure VNet. point-to-site VPN connections are useful when you want to connect to your VNet from a remote location, such when you are telecommuting from home or a conference. You can also use P2S instead of a Site-to-Site VPN when you have only a few clients that need to connect to a VNet. Point-to-site connections do not require a VPN device or a public-facing IP address. P2S creates the VPN connection over either SSTP (Secure Socket Tunneling Protocol), or IKEv2. For more information about point-to-site VPN, see [About point-to-site VPN](point-to-site-about.md).

+* **Client address pool:** 172.16.201.0/24<br>VPN clients that connect to the VNet using this point-to-site connection receive an IP address from the client address pool.

+The client address pool is a range of private IP addresses that you specify. The clients that connect over a point-to-site VPN dynamically receive an IP address from this range. Use a private IP address range that does not overlap with the on-premises location that you connect from, or the VNet that you want to connect to. If you configure multiple protocols and SSTP is one of the protocols, then the configured address pool is split between the configured protocols equally.

+ :::image type="content" source="./media/howto-point-to-site-multi-auth/address-pool.png" alt-text="Screenshot of client address pool.":::

+ :::image type="content" source="./media/howto-point-to-site-multi-auth/authentication-types.png" alt-text="Screenshot of authentication types and tunnel type.":::

+## <a name="faq"></a>Point-to-site FAQ

+For point-to-site FAQ information, see the point-to-site sections of the [VPN Gateway FAQ](vpn-gateway-vpn-faq.md#P2S).

+ Title: 'Configure Azure AD tenant and settings for P2S VPN connections: Azure AD authentication: OpenVPN'

+# Configure an Azure AD tenant and P2S configuration for VPN Gateway P2S connections

+This article helps you configure your AD tenant and P2S settings for Azure AD authentication. For more information about point-to-site protocols and authentication, see [About VPN Gateway point-to-site VPN](point-to-site-about.md). To authenticate using the Azure AD authentication type, you must include the OpenVPN tunnel type in your point-to-site configuration.

+### Configure point-to-site settings

+1. Enable Azure AD authentication on the VPN gateway by going to **Point-to-site configuration** and picking **OpenVPN (SSL)** as the **Tunnel type**. Select **Azure Active Directory** as the **Authentication type**, then fill in the information under the **Azure Active Directory** section. Replace {AzureAD TenantID} with your tenant ID.

+1. At the top of the page, click **Download VPN client**. It takes a few minutes for the client configuration package to generate.

+1. Your browser indicates that a client configuration zip file is available. It's named the same name as your gateway.

+1. Make a note of the location of the ΓÇ£azurevpnconfig.xmlΓÇ¥ file. The azurevpnconfig.xml contains the setting for the VPN connection. You can also distribute this file to all the users that need to connect via e-mail or other means. The user will need valid Azure AD credentials to connect successfully. For more information, see [Azure VPN client profile config files for Azure AD authentication](about-vpn-profile-download.md).

+* [Configure a VPN client for P2S VPN connections](openvpn-azure-ad-client.md).