+It's important that you monitor how you use your Azure AD B2C directory quota. Directory quota has a size that's expressed in number of objects. These objects include user accounts, app registrations, groups, etc. When the number of objects in your tenant reach quota size, the directory will generate an error when trying to create a new object.

+If your tenant usage is higher that 80%, you can remove inactive users or request for a quota size increase.

+## Increase directory quota size

+You can request to increase the quota size by [contacting support](find-help-open-support-ticket.md).

+## July 2024

+### Updated articles

+- [Developer notes for Azure Active Directory B2C](custom-policy-developer-notes.md) - Updated Twitter to X

+- [Custom email verification with SendGrid](custom-email-sendgrid.md) - Updated the localization script

+Prompt Shields have been specifically trained and tested on the following languages: Chinese, English, French, German, Italian, Japanese, Portuguese. However, the feature can work in many other languages, but the quality might vary. In all cases, you should do your own testing to ensure that it works for your application.

+description: Learn how to apply best practices when you use conversational language understanding.

+Use the following guidelines to create the best possible projects in conversational language understanding.

+Schema is the definition of your intents and entities. There are different approaches you could take when you define what you should create as an intent versus an entity. Ask yourself these questions:

+You can typically think of actions and queries as _intents_, while the information required to fulfill those queries are _entities_.

+For example, assume that you want your customers to cancel subscriptions for various products that you offer through your chatbot. You can create a _cancel_ intent with various examples like "Cancel the Contoso service" or "Stop charging me for the Fabrikam subscription." The user's intent here is to _cancel_, and the _Contoso service_ or _Fabrikam subscription_ are the subscriptions they want to cancel.

+To proceed, you create an entity for _subscriptions_. Then you can model your entire project to capture actions as intents and use entities to fill in those actions. This approach allows you to cancel anything you define as an entity, such as other products. You can then have intents for signing up, renewing, and upgrading that all make use of the _subscriptions_ and other entities.

+The preceding schema design makes it easy for you to extend existing capabilities (canceling, upgrading, or signing up) to new targets by creating a new entity.

+Another approach is to model the _information_ as intents and the _actions_ as entities. Let's take the same example of allowing your customers to cancel subscriptions through your chatbot.

+You can create an intent for each subscription available, such as _Contoso_, with utterances like "Cancel Contoso," "Stop charging me for Contoso services," and "Cancel the Contoso subscription." You then create an entity to capture the _cancel_ action. You can define different entities for each action or consolidate actions as one entity with a list component to differentiate between actions with different keys.

+Make sure to avoid trying to funnel all the concepts into intents. For example, don't try to create a _Cancel Contoso_ intent that only has the purpose of that one specific action. Intents and entities should work together to capture all the required information from the customer.

+You also want to avoid mixing different schema designs. Don't build half of your application with actions as intents and the other half with information as intents. To get the possible results, ensure that it's consistent.

+[Standard training](../how-to/train-model.md#training-modes) is free and faster than advanced training. It can help you quickly understand the effect of changing your training set or schema while you build the model. After you're satisfied with the schema, consider using advanced training to get the best AIQ out of your model.

+When you build an app, it's often helpful to catch errors early. It's usually a good practice to add a test set when you build the app. Training and evaluation results are useful in identifying errors or issues in your schema.

+## Machine-learning components and composition

+For more information, see [Component types](./entity-components.md#component-types).

+## Use the None score threshold

+If you see too many false positives, such as out-of-context utterances being marked as valid intents, see [Confidence threshold](./none-intent.md) for information on how it affects inference.

+* Non-machine-learned entity components, like lists and regex, are by definition not contextual. If you see list or regex entities in unintended places, try labeling the list synonyms as the machine-learned component.

+* For entities, you can use learned component as the Required component, to restrict when a composed entity should fire.

+For example, suppose you have an entity called **Ticket Quantity** that attempts to extract the number of tickets you want to reserve for booking flights, for utterances such as "Book two tickets tomorrow to Cairo."

+Typically, you add a prebuilt component for `Quantity.Number` that already extracts all numbers in utterances. However, if your entity was only defined with the prebuilt component, it also extracts other numbers as part of the **Ticket Quantity** entity, such as "Book two tickets tomorrow to Cairo at 3 PM."

+To resolve this issue, you label a learned component in your training data for all the numbers that are meant to be a ticket quantity. The entity now has two components:

+* The prebuilt component that can interpret all numbers.

+* The learned component that predicts where the ticket quantity is located in a sentence.

+If you require the learned component, make sure that **Ticket Quantity** is only returned when the learned component predicts it in the right context. If you also require the prebuilt component, you can then guarantee that the returned **Ticket Quantity** entity is both a number and in the correct position.

+## Address model inconsistencies

+If your model is overly sensitive to small grammatical changes, like casing or diacritics, you can systematically manipulate your dataset directly in Language Studio. To use these features, select the **Settings** tab on the left pane and locate the **Advanced project settings** section.

+First, you can enable the setting for **Enable data transformation for casing**, which normalizes the casing of utterances when training, testing, and implementing your model. If you migrated from LUIS, you might recognize that LUIS did this normalization by default. To access this feature via the API, set the `normalizeCasing` parameter to `true`. See the following example:

+Second, you can also enable the setting for **Enable data augmentation for diacritics** to generate variations of your training data for possible diacritic variations used in natural language. This feature is available for all languages. It's especially useful for Germanic and Slavic languages, where users often write words by using classic English characters instead of the correct characters. For example, the phrase "Navigate to the sports channel" in French is "Accédez à la chaîne sportive." When this feature is enabled, the phrase "Accedez a la chaine sportive" (without diacritic characters) is also included in the training dataset.

+If you enable this feature, the utterance count of your training set increases. For this reason, you might need to adjust your training data size accordingly. The current maximum utterance count after augmentation is 25,000. To access this feature via the API, set the `augmentDiacritics` parameter to `true`. See the following example:

+## Address model overconfidence

+Customers can use the LoraNorm recipe version if the model is being incorrectly overconfident. An example of this behavior can be like the following scenario where the model predicts the incorrect intent with 100% confidence. This score makes the confidence threshold project setting unusable.

+| "Who built the Eiffel Tower?" | `Sports` | 1.00 |

+| "Do I look good to you today?" | `QueryWeather` | 1.00 |

+| "I hope you have a good evening." | `Alarm` | 1.00 |

+To address this scenario, use the `2023-04-15` configuration version that normalizes confidence scores. The confidence threshold project setting can then be adjusted to achieve the desired result.

+After the request is sent, you can track the progress of the training job in Language Studio as usual.

+> You have to retrain your model after you update the `confidenceThreshold` project setting. Afterward, you need to republish the app for the new threshold to take effect.

+With model version 2023-04-15, conversational language understanding provides normalization in the inference layer that doesn't affect training.

+The normalization layer normalizes the classification confidence scores to a confined range. The range selected currently is from `[-a,a]` where "a" is the square root of the number of intents. As a result, the normalization depends on the number of intents in the app. If the number of intents is low, the normalization layer has a small range to work with. With a large number of intents, the normalization is more effective.

+If this normalization doesn't seem to help intents that are out of scope to the extent that the confidence threshold can be used to filter out-of-scope utterances, it might be related to the number of intents in the app. Consider adding more intents to the app. Or, if you're using an orchestrated architecture, consider merging apps that belong to the same domain together.

+## Debug composed entities

+Entities are functions that emit spans in your input with an associated type. One or more components define the function. You can mark components as needed, and you can decide whether to enable the **Combine components** setting. When you combine components, all spans that overlap are merged into a single span. If the setting isn't used, each individual component span is emitted.

+To better understand how individual components are performing, you can disable the setting and set each component to **Not required**. This setting lets you inspect the individual spans that are emitted and experiment with removing components so that only problematic components are generated.

+## Evaluate a model by using multiple test sets

+Data in a conversational language understanding project can have two datasets: a testing set and a training set. If you want to use multiple test sets to evaluate your model, you can:

+* Use the JSON to import a new project. Rename your second desired test set to "test."

+* Train the model to run the evaluation by using your second test set.

+If you're using [orchestrated apps](./app-architecture.md), you might want to send custom parameter overrides for various child apps. The `targetProjectParameters` field allows users to send a dictionary representing the parameters for each target project. For example, consider an orchestrator app named `Orchestrator` orchestrating between a conversational language understanding app named `CLU1` and a custom question answering app named `CQA1`. If you want to send a parameter named "top" to the question answering app, you can use the preceding parameter.

+Often you can copy conversational language understanding projects from one resource to another by using the **Copy** button in Language Studio. In some cases, it might be easier to copy projects by using the API.

+First, identify the:

+

+ * Source project name.

+ * Target project name.

+ * Source language resource.

+ * Target language resource, which is where you want to copy it to.

+Call the API to authorize the copy action and get `accessTokens` for the actual copy operation later.

+Call the API to complete the copy operation. Use the response you got earlier as the payload.

+## Address out-of-domain utterances

+Customers can use the new recipe version `2024-06-01-preview` if the model has poor AIQ on out-of-domain utterances. An example of this scenario with the default recipe can be like the following example where the model has three intents: `Sports`, `QueryWeather`, and `Alarm`. The test utterances are out-of-domain utterances and the model classifies them as `InDomain` with a relatively high confidence score.

+| "Who built the Eiffel Tower?" | `Sports` | 0.90 |

+| "Do I look good to you today?" | `QueryWeather` | 1.00 |

+| "I hope you have a good evening." | `Alarm` | 0.80 |

+To address this scenario, use the `2024-06-01-preview` configuration version that's built specifically to address this issue while also maintaining reasonably good quality on `InDomain` utterances.

+After the request is sent, you can track the progress of the training job in Language Studio as usual.

+- The None score threshold for the app (confidence threshold below which `topIntent` is marked as `None`) when you use this recipe should be set to 0. This setting is used because this new recipe attributes a certain portion of the in-domain probabilities to out of domain so that the model isn't incorrectly overconfident about in-domain utterances. As a result, users might see slightly reduced confidence scores for in-domain utterances as compared to the prod recipe.

+- We don't recommend this recipe for apps with only two intents, such as `IntentA` and `None`, for example.

+- We don't recommend this recipe for apps with a low number of utterances per intent. We highly recommend a minimum of 25 utterances per intent.

+ Title: Entity components in conversational language understanding

+description: Learn how conversational language understanding extracts entities from text.

+In conversational language understanding, entities are relevant pieces of information that are extracted from your utterances. An entity can be extracted by different methods. They can be learned through context, matched from a list, or detected by a prebuilt recognized entity. Every entity in your project is composed of one or more of these methods, which are defined as your entity's components.

+When an entity is defined by more than one component, their predictions can overlap. You can determine the behavior of an entity prediction when its components overlap by using a fixed set of options in the *entity options*.

+An entity component determines a way that you can extract the entity. An entity can contain one component, which determines the only method to be used to extract the entity. An entity can also contain multiple components to expand the ways in which the entity is defined and extracted.

+The learned component uses the entity tags you label your utterances with to train a machine-learned model. The model learns to predict where the entity is based on the context within the utterance. Your labels provide examples of where the entity is expected to be present in an utterance, based on the meaning of the words around it and as the words that were labeled.

+This component is only defined if you add labels by tagging utterances for the entity. If you don't tag any utterances with the entity, it doesn't have a learned component.

+### List component

+The list component represents a fixed, closed set of related words along with their synonyms. The component performs an exact text match against the list of values you provide as synonyms. Each synonym belongs to a *list key*, which can be used as the normalized, standard value for the synonym that returns in the output if the list component is matched. List keys *aren't* used for matching.

+In multilingual projects, you can specify a different set of synonyms for each language. When you use the prediction API, you can specify the language in the input request, which only matches the synonyms associated to that language.

+The prebuilt component allows you to select from a library of common types such as numbers, datetimes, and names. When added, a prebuilt component is automatically detected. You can have up to five prebuilt components per entity. For more information, see [the list of supported prebuilt components](../prebuilt-component-reference.md).

+The regex component matches regular expressions to capture consistent patterns. When added, any text that matches the regular expression is extracted. You can have multiple regular expressions within the same entity, each with a different key identifier. A matched expression returns the key as part of the prediction response.

+In multilingual projects, you can specify a different expression for each language. When you use the prediction API, you can specify the language in the input request, which only matches the regular expression associated to that language.

+When multiple components are defined for an entity, their predictions might overlap. When an overlap occurs, each entity's final prediction is determined by one of the following options.

+Use this option to combine all components when they overlap. When components are combined, you get all the extra information that's tied to a list or prebuilt component when they're present.

+Suppose you have an entity called **Software** that has a list component, which contains "Proseware OS" as an entry. In your utterance data, you have "I want to buy Proseware OS 9" with "Proseware OS 9" tagged as **Software**:

+By using combined components, the entity returns with the full context as "Proseware OS 9" along with the key from the list component:

+Suppose you had the same utterance, but only "OS 9" was predicted by the learned component:

+With combined components, the entity still returns as "Proseware OS 9" with the key from the list component:

+### Don't combine components

+Each overlapping component returns as a separate instance of the entity. Apply your own logic after prediction with this option.

+Suppose you have an entity called **Software** that has a list component, which contains "Proseware Desktop" as an entry. In your utterance data, you have "I want to buy Proseware Desktop Pro" with "Proseware Desktop Pro" tagged as **Software**:

+When you don't combine components, the entity returns twice:

+Sometimes an entity can be defined by multiple components but requires one or more of them to be present. Every component can be set as *required*, which means the entity *won't* be returned if that component wasn't present. For example, if you have an entity with a list component and a required learned component, it's guaranteed that any returned entity includes a learned component. If it doesn't, the entity isn't returned.

+Required components are most frequently used with learned components because they can restrict the other component types to a specific context, which is commonly associated to *roles*. You can also require all components to make sure that every component is present for an entity.

+In Language Studio, every component in an entity has a toggle next to it that allows you to set it as required.

+Suppose you have an entity called **Ticket Quantity** that attempts to extract the number of tickets you want to reserve for flights, for utterances such as "Book **two** tickets tomorrow to Cairo."

+Typically, you add a prebuilt component for `Quantity.Number` that already extracts all numbers. If your entity was only defined with the prebuilt component, it also extracts other numbers as part of the **Ticket Quantity** entity, such as "Book **two** tickets tomorrow to Cairo at **3** PM."

+To resolve this scenario, you label a learned component in your training data for all the numbers that are meant to be **Ticket Quantity**. The entity now has two components: the prebuilt component that knows all numbers, and the learned one that predicts where the ticket quantity is in a sentence. If you require the learned component, you make sure that **Ticket Quantity** only returns when the learned component predicts it in the right context. If you also require the prebuilt component, you can then guarantee that the returned **Ticket Quantity** entity is both a number and in the correct position.

+## Use components and options

+Components give you the flexibility to define your entity in more than one way. When you combine components, you make sure that each component is represented and you reduce the number of entities returned in your predictions.

+A common practice is to extend a prebuilt component with a list of values that the prebuilt might not support. For example, if you have an **Organization** entity, which has a `General.Organization` prebuilt component added to it, the entity might not predict all the organizations specific to your domain. You can use a list component to extend the values of the **Organization** entity and extend the prebuilt component with your own organizations.

+Other times, you might be interested in extracting an entity through context, such as a **Product** in a retail project. You label the learned component of the product to learn _where_ a product is based on its position within the sentence. You might also have a list of products that you already know beforehand that you want to always extract. Combining both components in one entity allows you to get both options for the entity.

+When you don't combine components, you allow every component to act as an independent entity extractor. One way of using this option is to separate the entities extracted from a list to the ones extracted through the learned or prebuilt components to handle and treat them differently.

+> Previously during the public preview of the service, there were four available options: **Longest overlap**, **Exact overlap**, **Union overlap**, and **Return all separately**. **Longest overlap** and **Exact overlap** are deprecated and are only supported for projects that previously had those options selected. **Union overlap** has been renamed to **Combine components**, while **Return all separately** has been renamed to **Do not combine components**.

+## Related content

+- [Supported prebuilt components](../prebuilt-component-reference.md)

+description: Learn about how to make use of multilingual projects in conversational language understanding.

+Conversational language understanding makes it easy for you to extend your project to several languages at once. When you enable multiple languages in projects, you can add language-specific utterances and synonyms to your project. You can get multilingual predictions for your intents and entities.

+When you enable multiple languages in a project, you can train the project primarily in one language and immediately get predictions in other languages.

+For example, you can train your project entirely with English utterances and query it in French, German, Mandarin, Japanese, Korean, and others. Conversational language understanding makes it easy for you to scale your projects to multiple languages by using multilingual technology to train your models.

+Whenever you identify that a particular language isn't performing as well as other languages, you can add utterances for that language in your project. In the [tag utterances](../how-to/tag-utterances.md) page in Language Studio, you can select the language of the utterance you're adding. When you introduce examples for that language to the model, it's introduced to more of the syntax of that language and learns to predict it better.

+You aren't expected to add the same number of utterances for every language. You should build most of your project in one language and only add a few utterances in languages that you observe aren't performing well. If you create a project that's primarily in English and start testing it in French, German, and Spanish, you might observe that German doesn't perform as well as the other two languages. In that case, consider adding 5% of your original English examples in German, train a new model, and test in German again. You should see better results for German queries. The more utterances you add, the more likely the results are going to get better.

+When you add data in another language, you shouldn't expect it to negatively affect other languages.

+Projects with multiple languages enabled allow you to specify synonyms *per language* for every list key. Depending on the language you query your project with, you only get matches for the list component with synonyms of that language. When you query your project, you can specify the language in the request body:

+If you don't provide a language, it falls back to the default language of your project. For a list of different language codes, see [Language support](../language-support.md).

+Prebuilt components are similar, where you should expect to get predictions for prebuilt components that are available in specific languages. The request's language again determines which components are attempting to be predicted. For information on the language support of each prebuilt component, see the [Supported prebuilt entity components](../prebuilt-component-reference.md).

+## Related content

+| `gpt-4` | 1106-preview | To be upgraded to `gpt-4` Version: `turbo-2024-04-09`, starting on November 15, 2024, or later **¹** |

+| `gpt-4` | 0125-preview |To be upgraded to `gpt-4` Version: `turbo-2024-04-09`, starting on November 15, 2024, or later **¹** |

+| `gpt-4` | vision-preview | To be upgraded to `gpt-4` Version: `turbo-2024-04-09`, starting on November 15, 2024, or later **¹** |

+### July 30, 2024

+* Updated `gpt-4` preview model upgrade date to November 15, 2024 or later for the following versions:

+ * 1106-preview

+ * 0125-preview

+ * vision-preview

+### July 18, 2024

+### June 19, 2024

+| [GPT-4o & GPT-4o mini & GPT-4 Turbo](#gpt-4o-and-gpt-4-turbo) | The latest most capable Azure OpenAI models with multimodal versions, which can accept both text and images as input. |

+### How do I access the GPT-4o and GPT-4o mini models?

+GPT-4o and GPT-4o mini are available for **standard** and **global-standard** model deployment.

+When your resource is created, you can [deploy](../how-to/create-resource.md#deploy-a-model) the GPT-4o models. If you are performing a programmatic deployment, the **model** names are:

+- `gpt-4o`, **Version** `2024-05-13`

+- `gpt-4o-mini` **Version** `2024-07-18`

+|`gpt-4o-mini` (2024-07-18) <br> **GPT-4o mini** | **Latest small GA model** <br> - Fast, inexpensive, capable model ideal for replacing GPT-3.5 Turbo series models. <br> - Text, image processing <br>- JSON Mode <br> - parallel function calling <br> - **Does not support enhancements** | Input: 128,000 <br> Output: 16,384 | Oct 2023 |

+|`gpt-4o` (2024-05-13) <br> **GPT-4o (Omni)** | **Latest large GA model** <br> - Text, image processing <br> - JSON Mode <br> - parallel function calling <br> - Enhanced accuracy and responsiveness <br> - Parity with English text and coding tasks compared to GPT-4 Turbo with Vision <br> - Superior performance in non-English languages and in vision tasks <br> - **Does not support enhancements** |Input: 128,000 <br> Output: 4,096| Oct 2023 |

+`gpt-4o` **Version:** `2024-05-13`

+`gpt-4o-mini` **Version:** `2024-07-18`

+**Supported regions:**

+- eastus

+| `gpt-4` (0613) ^**1** | North Central US <br> Sweden Central | 8192 | Sep 2021 |

+**¹** GPT-4 fine-tuning is currently in public preview. See our [GPT-4 fine-tuning safety evaluation guidance](/azure/ai-services/openai/how-to/fine-tuning?tabs=turbo%2Cpython-new&pivots=programming-language-python#safety-evaluation-gpt-4-fine-tuningpublic-preview) for more information.

+* `gpt-4o-mini` (2024-07-18)

+`gpt-4o` and `gpt-4o-mini` have rate limit tiers with higher limits for certain customer types.

+| Model|Tier| Quota Limit in tokens per minute (TPM) | Requests per minute |

+|||::|::|

+|`gpt-4o`|Enterprise agreement | 30 M | 180 K |

+|`gpt-4o-mini` | Enterprise agreement | 50 M | 300 K |

+|`gpt-4o` |Default | 450 K | 2.7 K |

+|`gpt-4o-mini` | Default | 2 M | 12 K |

+| Model|Tier| Quota Limit in tokens per minute (TPM) | Requests per minute |

+|||::|::|

+|`gpt-4o`|Enterprise agreement | 1 M | 6 K |

+|`gpt-4o-mini` | Enterprise agreement | 2 M | 12 K |

+|`gpt-4o`|Default | 150 K | 900 |

+|`gpt-4o-mini` | Default | 450 K | 2.7 K |

+### GPT-4o mini model available for deployment

+GPT-4o mini is the latest Azure OpenAI model first [announced on July 18, 2024](https://azure.microsoft.com/blog/openais-fastest-model-gpt-4o-mini-is-now-available-on-azure-ai/):

+*"GPT-4o mini allows customers to deliver stunning applications at a lower cost with blazing speed. GPT-4o mini is significantly smarter than GPT-3.5 TurboΓÇöscoring 82% on Measuring Massive Multitask Language Understanding (MMLU) compared to 70%ΓÇöand is more than 60% cheaper.1 The model delivers an expanded 128K context window and integrates the improved multilingual capabilities of GPT-4o, bringing greater quality to languages from around the world."*

+The model is currently available for both [standard and global standard deployment](./how-to/deployment-types.md) in the East US region.

+For information on model quota, consult the [quota and limits page](./quotas-limits.md) and for the latest info on model availability refer to the [models page](./concepts/models.md).

+> [!NOTE]

+> Pronunciation assessment uses a specific version of the speech-to-text model, different from the standard speech to text model, to ensure consistent and accurate pronunciation assessment.

+### Continuous recognition

+If your audio file exceeds 30 seconds, use continuous mode for processing. The sample code for continuous mode can be found on [GitHub](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/csharp/sharedcontent/console/speech_recognition_samples.cs) under the function `PronunciationAssessmentContinuousWithFile`.

+If your audio file exceeds 30 seconds, use continuous mode for processing.

+If your audio file exceeds 30 seconds, use continuous mode for processing. The sample code for continuous mode can be found on [GitHub](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/java/jre/console/src/com/microsoft/cognitiveservices/speech/samples/console/SpeechRecognitionSamples.java) under the function `pronunciationAssessmentContinuousWithFile`.

+If your audio file exceeds 30 seconds, use continuous mode for processing. The sample code for continuous mode can be found on [GitHub](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/261160e26dfcae4c3aee93308d58d74e36739b6f/samples/python/console/speech_sample.py) under the function `pronunciation_assessment_continuous_from_file`.

+If your audio file exceeds 30 seconds, use continuous mode for processing. The sample code for continuous mode can be found on [GitHub](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/261160e26dfcae4c3aee93308d58d74e36739b6f/samples/js/node/pronunciationAssessmentContinue.js).

+If your audio file exceeds 30 seconds, use continuous mode for processing. The sample code for continuous mode can be found on [GitHub](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/objective-c/ios/speech-samples/speech-samples/ViewController.m) under the function `pronunciationAssessFromFile`.

+If your audio file exceeds 30 seconds, use continuous mode for processing. The sample code for continuous mode can be found on [GitHub](https://github.com/Azure-Samples/cognitive-services-speech-sdk/blob/master/samples/swift/ios/speech-samples/speech-samples/ViewController.swift) under the function `continuousPronunciationAssessment`.

+>

+> There is no length limit for the topic parameter.

+## Supported features per locale

+### Assess spoken phonemes

+## Pronunciation score calculation

+Pronunciation scores are calculated by weighting accuracy, prosody, fluency, and completeness scores based on specific formulas for reading and speaking scenarios.

+

+When sorting the scores of accuracy, prosody, fluency, and completeness from low to high (if each score is available) and representing the lowest score to the highest score as s0 to s3, the pronunciation score is calculated as follows:

+For reading scenario:

+ - With prosody score: PronScore = 0.4 * s0 + 0.2 * s1 + 0.2 * s2 + 0.2 * s3

+ - Without prosody score: PronScore = 0.6 * s0 + 0.2 * s1 + 0.2 * s2

+For the speaking scenario (the completeness score isn't applicable):

+ - With prosody score: PronScore = 0.6 * s0 + 0.2 * s1 + 0.2 * s2

+ - Without prosody score: PronScore = 0.6 * s0 + 0.4 * s1

+This formula provides a weighted calculation based on the importance of each score, ensuring a comprehensive evaluation of pronunciation.

+ Title: Interactive language learning with pronunciation assessment

+description: Interactive language learning with pronunciation assessment gives you instant feedback on pronunciation, fluency, prosody, grammar, and vocabulary through interactive chats.

+# Interactive language learning with pronunciation assessment

+Learning a new language is an exciting journey. Interactive language learning can make your learning experience more engaging and effective. By using pronunciation assessment effectively, you get instant feedback on pronunciation accuracy, fluency, prosody, grammar, and vocabulary through your interactive language learning experience.

+

+> [!NOTE]

+> The language learning feature currently supports only `en-US`. For available regions, refer to [available regions for pronunciation assessment](regions.md#speech-service). If you turn on the **Avatar** button to interact with a text to speech avatar, refer to the available [regions](regions.md#speech-service) for text to speech avatar.

+>

+> If you have any feedback on the language learning feature, fill out [this form](https://aka.ms/speechpa/intake).

+## Common use cases

+Here are some common scenarios where you can make use of the language learning feature to improve your language skills:

+- **Assess pronunciations:** Practice your pronunciation and receive scores with detailed feedback to identify areas for improvement.

+- **Improve speaking skills:** Engage in conversations with a native speaker (or a simulated one) to enhance your speaking skills and build confidence.

+- **Learn new vocabulary:** Expand your vocabulary and work on advanced pronunciation by interacting with AI-driven language models.

+## Getting started

+In this section, you can learn how to immerse yourself in dynamic conversations with a GPT-powered voice assistant to enhance your speaking skills.

+To get started with language learning through chatting, follow these steps:

+1. Go to **Language learning** in the [Speech Studio](https://aka.ms/speechstudio).

+1. Decide on a scenario or context in which you'd like to interact with the voice assistant. This can be a casual conversation, a specific topic, or a language learning exercise.

+ :::image type="content" source="media/pronunciation-assessment/language-learning.png" alt-text="Screenshot of choosing chatting scenario to interact with the voice assistant." lightbox="media/pronunciation-assessment/language-learning.png":::

+ If you want to interact with an avatar, toggle the **Avatar** button in the upper right corner to **On**.

+1. Press the microphone icon to start speaking naturally, as if you were talking to a real person.

+

+ :::image type="content" source="media/pronunciation-assessment/language-learning-selecting-mic-icon.png" alt-text="Screenshot of selecting the microphone icon to interact with the voice assistant." lightbox="media/pronunciation-assessment/language-learning-selecting-mic-icon.png":::

+ For accurate vocabulary and grammar scores, speak at least 3 sentences before assessment.

+

+1. Press the stop button or **Assess my response** button to finish speaking. This action will trigger the assessment process.

+ :::image type="content" source="media/pronunciation-assessment/language-learning-assess-response.png" alt-text="Screenshot of selecting the stop button to assess your response." lightbox="media/pronunciation-assessment/language-learning-assess-response.png":::

+1. Wait for a moment, and you can get a detailed assessment report.

+ :::image type="content" source="media/pronunciation-assessment/language-learning-assess-report.png" alt-text="Screenshot of a detailed assessment report.":::

+ The assessment report may include feedback on:

+ - **Accuracy:** Accuracy indicates how closely the phonemes match a native speaker's pronunciation.

+ - **Fluency:** Fluency indicates how closely the speech matches a native speaker's use of silent breaks between words.

+ - **Prosody:** Prosody indicates the nature of the given speech, including stress, intonation, speaking speed, and rhythm.

+ - **Grammar:** Grammar considers lexical accuracy, grammatical accuracy, and diversity of sentence structures, providing a more comprehensive evaluation of language proficiency.

+ - **Vocabulary:** Vocabulary evaluates the speaker's effective usage of words and their appropriateness within the given context to express ideas accurately, as well as the level of lexical complexity.

+ When recording your speech for pronunciation assessment, ensure your recording time falls within the recommended range of 20 seconds (equivalent to more than 50 words) to 10 minutes per session. This time range is optimal for evaluating the content of your speech accurately. Whether you have a short and focused conversation or a more extended dialogue, as long as the total recorded time falls within this range, you'll receive comprehensive feedback on your pronunciation, fluency, and content.

+ To get feedback on how to improve for each aspect of the assessment, select **Get feedback on how to improve**.

+ :::image type="content" source="media/pronunciation-assessment/language-learning-feedback-improve.png" alt-text="Screenshot of selecting the button to get feedback on how to improve for each aspect of the assessment.":::

+ When you have completed the conversation, you can also download your chat audio. You can clear the current conversation by selecting **Clear chat**.

+## Next steps

+- Use [pronunciation assessment with the Speech SDK](how-to-pronunciation-assessment.md)

+- Try [pronunciation assessment in the studio](pronunciation-assessment-tool.md).

+ * When you use Speech SDK, don't set Endpoint ID, just like prebuild voice.

+## Supported and unsupported SSML elements for personal voice

+For detailed information on the supported and unsupported SSML elements for Phoenix and Dragon models, refer to the following table. For instructions on how to use SSML elements, refer to the [SSML document structure and events](speech-synthesis-markup-structure.md).

+| Element | Description | Supported in Phoenix | Supported in Dragon |

+|-|--|-||

+| `<voice>` | Specifies the voice and optional effects (`eq_car` and `eq_telecomhp8k`). | Yes | Yes |

+| `<mstts:express-as>` | Specifies speaking styles and roles. | No | No |

+| `<mstts:ttsembedding>` | Specifies the `speakerProfileId` property for a personal voice. | Yes | No |

+| `<lang xml:lang>` | Specifies the speaking language. | Yes | Yes |

+| `<prosody>` | Adjusts pitch, contour, range, rate, and volume. | | |

+|&nbsp;&nbsp;&nbsp;`pitch` | Indicates the baseline pitch for the text. | No | No |

+| &nbsp;&nbsp;&nbsp;`contour`| Represents changes in pitch. | No | No |

+| &nbsp;&nbsp;&nbsp;`range` | Represents the range of pitch for the text. | No | No |

+| &nbsp;&nbsp;&nbsp;`rate` | Indicates the speaking rate of the text. | Yes | Yes |

+| &nbsp;&nbsp;&nbsp;`volume`| Indicates the volume level of the speaking voice. | No | No |

+| `<emphasis>` | Adds or removes word-level stress for the text. | No | No |

+| `<audio>` | Embeds prerecorded audio into an SSML document. | Yes | No |

+| `<mstts:audioduration>` | Specifies the duration of the output audio. | No | No |

+| `<mstts:backgroundaudio>`| Adds background audio to your SSML documents or mixes an audio file with text to speech. | Yes | No |

+| `<phoneme>` | Specifies phonetic pronunciation in SSML documents. | | |

+| &nbsp;&nbsp;&nbsp;`ipa` | One of the phonetic alphabets. | Yes | No |

+| &nbsp;&nbsp;&nbsp;`sapi` | One of the phonetic alphabets. | No | No |

+| &nbsp;&nbsp;&nbsp;`ups` | One of the phonetic alphabets. | Yes | No |

+| &nbsp;&nbsp;&nbsp;`x-sampa`| One of the phonetic alphabets. | Yes | No |

+| `<lexicon>` | Defines how multiple entities are read in SSML. | Yes | Yes (only support alias) |

+| `<say-as>` | Indicates the content type, such as number or date, of the element's text. | Yes | Yes |

+| `<sub>` | Indicates that the alias attribute's text value should be pronounced instead of the element's enclosed text. | Yes | Yes |

+| `<math>` | Uses the MathML as input text to properly pronounce mathematical notations in the output audio. | Yes | No |

+| `<bookmark>` | Gets the offset of each marker in the audio stream. | Yes | No |

+| `<break>` | Overrides the default behavior of breaks or pauses between words. | Yes | Yes |

+| `<mstts:silence>` | Inserts pauses before or after text, or between two adjacent sentences. | Yes | No |

+| `<mstts:viseme>` | Defines the position of the face and mouth while a person is speaking. | Yes | No |

+| `<p>` | Denotes paragraphs in SSML documents. | Yes | Yes |

+| `<s>` | Denotes sentences in SSML documents. | Yes | Yes |

+| `pitch` | Indicates the baseline pitch for the text. Pitch changes can be applied at the sentence level. The pitch changes should be within 0.5 to 1.5 times the original audio. You can express the pitch as:<ul><li>An absolute value: Expressed as a number followed by "Hz" (Hertz). For example, `<prosody pitch="600Hz">some text</prosody>`.</li><li>A relative value:<ul><li>As a relative number: Expressed as a number preceded by "+" or "-" and followed by "Hz" or "st" that specifies an amount to change the pitch. For example: `<prosody pitch="+80Hz">some text</prosody>` or `<prosody pitch="-2st">some text</prosody>`. The "st" indicates the change unit is semitone, which is half of a tone (a half step) on the standard diatonic scale.<li>As a percentage: Expressed as a number preceded by "+" (optionally) or "-" and followed by "%", indicating the relative change. For example: `<prosody pitch="50%">some text</prosody>` or `<prosody pitch="-50%">some text</prosody>`.</li></ul></li><li>A constant value:<ul><li>`x-low` (equivalently 0.55,-45%)</li><li>`low` (equivalently 0.8, -20%)</li><li>`medium` (equivalently 1, default value)</li><li>`high` (equivalently 1.2, +20%)</li><li>`x-high` (equivalently 1.45, +45%)</li></ul></li></ul> | Optional |

+| `rate` | Indicates the speaking rate of the text. Speaking rate can be applied at the word or sentence level. The rate changes should be within `0.5` to `2` times the original audio. You can express `rate` as:<ul><li>A relative value: <ul><li>As a relative number: Expressed as a number that acts as a multiplier of the default. For example, a value of `1` results in no change in the original rate. A value of `0.5` results in a halving of the original rate. A value of `2` results in twice the original rate.</li><li>As a percentage: Expressed as a number preceded by "+" (optionally) or "-" and followed by "%", indicating the relative change. For example: `<prosody rate="50%">some text</prosody>` or `<prosody rate="-50%">some text</prosody>`.</li></ul><li>A constant value:<ul><li>`x-slow` (equivalently 0.5, -50%)</li><li>`slow` (equivalently 0.64, -46%)</li><li>`medium` (equivalently 1, default value)</li><li>`fast` (equivalently 1.55, +55%)</li><li>`x-fast` (equivalently 2, +100%)</li></ul></li></ul> | Optional |

+| `volume` | Indicates the volume level of the speaking voice. Volume changes can be applied at the sentence level. You can express the volume as:<ul><li>An absolute value: Expressed as a number in the range of `0.0` to `100.0`, from *quietest* to *loudest*, such as `75`. The default value is `100.0`.</li><li>A relative value: <ul><li>As a relative number: Expressed as a number preceded by "+" or "-" that specifies an amount to change the volume. Examples are `+10` or `-5.5`.</li><li>As a percentage: Expressed as a number preceded by "+" (optionally) or "-" and followed by "%", indicating the relative change. For example: `<prosody volume="50%">some text</prosody>` or `<prosody volume="+3%">some text</prosody>`.</li></ul><li>A constant value:<ul><li>`silent` (equivalently 0)</li><li>`x-soft` (equivalently 0.2)</li><li>`soft` (equivalently 0.4)</li><li>`medium` (equivalently 0.6)</li><li>`loud` (equivalently 0.8)</li><li>`x-loud` (equivalently 1, default value)</li></ul></li></ul> | Optional |

+| `level` | Indicates the strength of emphasis to be applied:<ul><li>`reduced`</li><li>`none`</li><li>`moderate`</li><li>`strong`</li></ul><br>When the `level` attribute isn't specified, the default level is `moderate`. For details on each attribute, see [emphasis element](https://www.w3.org/TR/speech-synthesis11/#S3.2.2). | Optional |

+> [!NOTE]

+> There might be additional considerations to take when using the NVIDIA GPU Operator and deploying on SPOT instances. Please refer to <https://github.com/NVIDIA/gpu-operator/issues/577>

+* A public virtual IP address is created in every region added with a virtual network. For virtual networks in either [external mode](api-management-using-with-vnet.md) or [internal mode](api-management-using-with-internal-vnet.md), this public IP address is used for management traffic on port `3443`.

+* **Internal VNet mode** - Private HTTP traffic isn't routed or load-balanced to the regional gateways by default. Users own the routing and are responsible for bringing their own solution to manage routing and private load balancing across multiple regions.

+## Support status

+App Service supports languages on both Linux and Windows operating systems. See the following resources for the list of OS support for each language:

+- [.NET](https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/dot_net_core.md#support-timeline)

+- [Java](#jdk-versions-and-maintenance)

+- [Node](https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/node_support.md#support-timeline)

+- [Python](https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/python_support.md#support-timeline)

+- [PHP](https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/php_support.md#support-timeline)

+- [Node](https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/node_support.md#node-on-linux-app-service)

+Your runbook is currently empty with only the required `workflow` keyword, the name of the runbook, and the braces that encase the entire workflow.

+workflow MyFirstRunbook-Workflow

+ parallel

+ {

+ Write-Output "Parallel"

+ Get-Date

+ Start-Sleep -Seconds 3

+ Get-Date

+ }

+

+ Write-Output " `r`n"

+ Write-Output "Non-Parallel"

+ Get-Date

+ Start-Sleep -Seconds 3

+ Get-Date

+ $resourceGroup = "resourceGroupName"

+

+ # Ensures you do not inherit an AzContext in your runbook

+ Disable-AzContextAutosave -Scope Process

+

+ # Connect to Azure with system-assigned managed identity

+ Connect-AzAccount -Identity

+

+ # set and store context

+ $AzureContext = Set-AzContext -SubscriptionId "<SubscriptionID>"

+ param

+ (

+ [string]$resourceGroup,

+ [string[]]$VMs,

+ [string]$action

+ )

+ # Ensures you do not inherit an AzContext in your runbook

+ Disable-AzContextAutosave -Scope Process

+ # Connect to Azure with system-assigned managed identity

+ Connect-AzAccount -Identity

+ # set and store context

+ $AzureContext = Set-AzContext -SubscriptionId "<SubscriptionID>"

+ # Start or stop VMs in parallel

+ if ($action -eq "Start")

+ {

+ ForEach -Parallel ($vm in $VMs)

+ {

+ Start-AzVM -Name $vm -ResourceGroupName $resourceGroup -DefaultProfile $AzureContext

+ }

+ }

+ elseif ($action -eq "Stop")

+ {

+ ForEach -Parallel ($vm in $VMs)

+ {

+ Stop-AzVM -Name $vm -ResourceGroupName $resourceGroup -DefaultProfile $AzureContext -Force

+ }

+ }

+ else

+ {

+ Write-Output "`r`n Action not allowed. Please enter 'stop' or 'start'."

+ }

+ }

+If the region or the tenant of an ESU license is changed, this is subject to back-billing charges.

+Note that estimates in the Azure Cost Management forecast may not accurately project monthly costs. Due to the episodic nature of back-billing charges, the projection of monthly costs may appear as overestimated during initial months.

+- **Core modification:** If cores are added to an existing ESU license, they're subject to back-billing (that is, charges for the time elapsed since EOS) and regularly billed from the calendar month in which they were added. If cores are reduced or decremented to an existing ESU license, the billing rate reflects the reduced number of cores within 5 days of the change.

+Purchase of Windows Server 2012/R2 ESUs enabled by Azure Arc provides you with the benefit of access to more Azure management services at no additional cost for enrolled servers. See [Access to Azure services](prepare-extended-security-updates.md#access-to-azure-services) to learn more.

+- You'll be billed if you connect an activated Azure Arc ESU license to environments like Azure Stack HCI or Azure VMware Solution. These environments are eligible for free Windows Server 2012 ESUs enabled by Azure Arc and shouldn't be activated through Azure Arc.

+- Plan your Arc-enabled SCVMM deployment by reviewing the [support matrix](support-matrix-for-system-center-virtual-machine-manager.md).

+- Once ready, [connect your SCVMM management server to Azure Arc using the onboarding script](quickstart-connect-system-center-virtual-machine-manager-to-arc.md).

+ npm install @azure/functions-opentelemetry-instrumentation

+ npm install @azure/functions-opentelemetry-instrumentation

+|[Pharicode LLC](https://glidefast.com/)|

+* Send data to Azure Storage for archiving or to analyze it with tools such as [Azure Storage Explorer](../../vs-azure-tools-storage-manage-with-storage-explorer.md).

+* Send data to [Azure Monitor Metrics](../essentials/data-platform-metrics.md) to analyze it with [metrics explorer](../essentials/metrics-getting-started.md) and to take advantage of features such as near-real-time [metric alerts](../alerts/alerts-metric-overview.md) and [autoscale](../autoscale/autoscale-overview.md) (Windows only).

+* Send data to third-party tools by using [Azure Event Hubs](./diagnostics-extension-stream-event-hubs.md).

+* Collect [boot diagnostics](/troubleshoot/azure/virtual-machines/boot-diagnostics) to investigate VM boot issues.

+* It can only be used with Azure resources.

+* It has limited ability to send data to Azure Monitor Logs.

+* Azure Diagnostics Extension can be used only with Azure virtual machines. The Log Analytics agent can be used with virtual machines in Azure, other clouds, and on-premises.

+* Azure Diagnostics extension sends data to Azure Storage, [Azure Monitor Metrics](../essentials/data-platform-metrics.md) (Windows only) and Azure Event Hubs. The Log Analytics agent collects data to [Azure Monitor Logs](../logs/data-platform-logs.md).

+* The Log Analytics agent is required for retired [solutions](/previous-versions/azure/azure-monitor/insights/solutions), [VM insights](../vm/vminsights-overview.md), and other services such as [Microsoft Defender for Cloud](../../security-center/index.yml).

+| Data source | Description |

+||-|

+| Windows event logs | Events from Windows event log. |

+| Performance counters | Numerical values measuring performance of different aspects of operating system and workloads. |

+| IIS logs | Usage information for IIS websites running on the guest operating system. |

+| Application logs | Trace messages written by your application. |

+| .NET EventSource logs | Code writing events using the .NET [EventSource](/dotnet/api/system.diagnostics.tracing.eventsource) class. |

+| [Manifest-based ETW logs](/windows/desktop/etw/about-event-tracing) | Event tracing for Windows events generated by any process. |

+| Crash dumps (logs) | Information about the state of the process if an application crashes. |

+| File-based logs | Logs created by your application or service. |

+| Agent diagnostic logs | Information about Azure Diagnostics itself. |

+| Data source | Description |

+|-|--|

+| Syslog | Events sent to the Linux event logging system |

+| Performance counters | Numerical values measuring performance of different aspects of operating system and workloads |

+| Log files | Entries sent to a file-based log |

+| Destination | Description |

+|:-|:--|

+| Azure Monitor Metrics | Collect performance data to Azure Monitor Metrics. See [Send Guest OS metrics to the Azure Monitor metric database](../essentials/collect-custom-metrics-guestos-resource-manager-vm.md). |

+| Event hubs | Use Azure Event Hubs to send data outside of Azure. See [Streaming Azure Diagnostics data to Azure Event Hubs](diagnostics-extension-stream-event-hubs.md). |

+| Azure Storage blobs | Write data to blobs in Azure Storage in addition to tables. |

+| Application Insights | Collect data from applications running in your VM to Application Insights to integrate with other application monitoring. See [Send diagnostic data to Application Insights](diagnostics-extension-to-application-insights.md). |

+You can also collect WAD data from storage into a Log Analytics workspace to analyze it with Azure Monitor Logs, although the Log Analytics agent is typically used for this functionality. It can send data directly to a Log Analytics workspace and supports solutions and insights that provide more functionality. See [Collect Azure diagnostic logs from Azure Storage](diagnostics-extension-logs.md).

+| Destination | Description |

+|:-|:|

+| Event hubs | Use Azure Event Hubs to send data outside of Azure. |

+| Azure Storage blobs | Write data to blobs in Azure Storage in addition to tables. |

+| Azure Monitor Metrics | Install the Telegraf agent in addition to LAD. See [Collect custom metrics for a Linux VM with the InfluxData Telegraf agent](../essentials/collect-custom-metrics-linux-telegraf.md). |

+* [Install and configure Azure Diagnostics extension for Windows](diagnostics-extension-windows-install.md)

+* [Use Linux diagnostics extension to monitor metrics and logs](../../virtual-machines/extensions/diagnostics-linux.md)

+## Supported operating systems

+The following tables list the operating systems that are supported by WAD and LAD. See the documentation for each agent for unique considerations and for the installation process. See Telegraf documentation for its supported operating systems. All operating systems are assumed to be x64. x86 is not supported for any operating system.

+### Windows

+| Operating system | Support |

+|:|:-:|

+| Windows Server 2022 | ❌ |

+| Windows Server 2022 Core | ❌ |

+| Windows Server 2019 | ✅ |

+| Windows Server 2019 Core | ❌ |

+| Windows Server 2016 | ✅ |

+| Windows Server 2016 Core | ✅ |

+| Windows Server 2012 R2 | ✅ |

+| Windows Server 2012 | ✅ |

+| Windows 11 Client & Pro | ❌ |

+| Windows 11 Enterprise (including multi-session) | ❌ |

+| Windows 10 1803 (RS4) and higher | ❌ |

+| Windows 10 Enterprise (including multi-session) and Pro (Server scenarios only) | ✅ |

+### Linux

+| Operating system | Support |

+|:-|:-:|

+| CentOS Linux 9 | ❌ |

+| CentOS Linux 8 | ❌ |

+| CentOS Linux 7 | ✅ |

+| Debian 12 | ❌ |

+| Debian 11 | ❌ |

+| Debian 10 | ❌ |

+| Debian 9 | ✅ |

+| Debian 8 | ❌ |

+| Oracle Linux 9 | ❌ |

+| Oracle Linux 8 | ❌ |

+| Oracle Linux 7 | ✅ |

+| Oracle Linux 6.4+ | ✅ |

+| Red Hat Enterprise Linux Server 9 | ❌ |

+| Red Hat Enterprise Linux Server 8\* | ✅ |

+| Red Hat Enterprise Linux Server 7 | ✅ |

+| SUSE Linux Enterprise Server 15 | ❌ |

+| SUSE Linux Enterprise Server 12 | ✅ |

+| Ubuntu 22.04 LTS | ❌ |

+| Ubuntu 20.04 LTS | ✅ |

+| Ubuntu 18.04 LTS | ✅ |

+| Ubuntu 16.04 LTS | ✅ |

+| Ubuntu 14.04 LTS | ✅ |

+\* Requires Python 2 to be installed on the machine and aliased to the python command.

+* [Introduction to Azure Cloud Services monitoring](../../cloud-services/cloud-services-how-to-monitor.md)

+* [Enabling Azure Diagnostics in Azure Cloud Services](../../cloud-services/cloud-services-dotnet-diagnostics.md)

+* [Application Insights for Azure Cloud Services](../app/azure-web-apps-net-core.md)

+* [Trace the flow of an Azure Cloud Services application with Azure Diagnostics](../../cloud-services/cloud-services-dotnet-diagnostics-trace-flow.md)

+Large organizations may also have a *fleet architect*, which is similar to the platform engineer but is responsible for multiple clusters. They need visibility across the entire environment and must perform administrative tasks at scale. At scale recommendations are included in the guidance below. See [What is Azure Kubernetes Fleet Manager?](../../kubernetes-fleet/overview.md) for details on creating a Fleet resource for multi-cluster and at-scale scenarios.

+| [Container Insights](container-insights-overview.md) | Azure service for AKS and Azure Arc-enabled Kubernetes clusters that use a containerized version of the [Azure Monitor agent](../agents/agents-overview.md) to collect stdout/stderr logs, performance metrics, and Kubernetes events from each node in your cluster. You can view the data in the Azure portal or query it using [Log Analytics](../logs/log-analytics-overview.md). Configure the [Prometheus experience](./container-insights-experience-v2.md) to use Container insights views with Prometheus data. |

+| [Azure Managed Grafana](../../managed-grafan) | Fully managed implementation of [Grafana](https://grafana.com/), which is an open-source data visualization platform commonly used to present Prometheus and other data. Multiple predefined Grafana dashboards are available for monitoring Kubernetes and full-stack troubleshooting. You may choose to use Grafana for performance monitoring of your cluster, or you can use Container insights by |

+Onboarding Container insights and Managed Prometheus can be part of the same experience as described in [Enable monitoring for Kubernetes clusters](../containers/kubernetes-monitoring-enable.md). The following sections described each separately so you can consider your all of your onboarding and configuration options for each.

+- Enable for an existing [AKS cluster](../containers/kubernetes-monitoring-enable.md#enable-prometheus-and-grafana) or [Arc-enabled Kubernetes cluster](../containers/kubernetes-monitoring-enable.md#enable-prometheus-and-grafana).

+> [!NOTE]

+> Use Grafana for your monitoring your Kubernetes environment if you have an existing investment in Grafana or if you prefer to use Grafana dashboards instead of Container insights to analyze your Prometheus data. If you don't want to use Grafana, then enable the [Prometheus experience in Container insights](./container-insights-experience-v2.md) so that you can use Container insights views with your Prometheus data.

+- Enable the [Prometheus experience in Container insights](./container-insights-experience-v2.md) so that you can use Container insights views with your Prometheus data.

+- Use cost presets described in [Enable cost optimization settings in Container insights](../containers/container-insights-cost-config.md#enable-cost-settings) to reduce your cost for Container insights data ingestion by reducing the amount of data that's collected. Disable collection of metrics by configuring Container insights to only collect **Logs and events** since many of the same metric values as [Prometheus](#enable-scraping-of-prometheus-metrics).

+The value for password1 is **base64encoded**.

+2. In the configmap for the custom scrape configuration use the following setting. The username field should contain the actual username string. The password_file field should contain the path to a file that contains the password.

+ username: <username string>

+> * Logs exported to a Log Analytics workspace can be [shown in Power BI](/power-bi/transform-model/log-analytics/desktop-log-analytics-overview)

+ >[!IMPORTANT]

+ > A volume with an active backup policy enabled can't be the destination volume in a reverse resync operation. You must suspend the backup policy on the volume prior to starting the reverse resync then resume when the reverse resync completes.

+| Microsoft.AzureData | [SQL Server enabled by Azure Arc](/sql/sql-server/azure-arc/overview) |

+| Microsoft.AzureArcData | [Azure Arc-enabled data services](/azure/azure-arc/data/overview) |

+- **SA password for the Azure SQL Edge instance**: This is the value specified for the `MSSQL_SA_PASSWORD` environment variable during deployment of Azure SQL Edge.

+To learn more about VMware Horizon on Azure VMware Solution, read the [VMware Horizon FAQ](https://www.vmware.com/docs/vmw-horizon-faqs).

+Disks with both public and private access disabled | Supported.

+Vaulted backup for blobs is available in all public regions.

+az role assignment create --role "Azure Kubernetes Service Cluster Admin Role" --assignee-principal-type "ServicePrincipal" --assignee-object-id $EXPERIMENT_PRINCIPAL_ID --scope subscriptions/$SUBSCRIPTION_ID/resourceGroups/$resourceGroupName/providers/Microsoft.ContainerService/managedClusters/$AKS_CLUSTER_NAME

+To save one of the "experiment.json" examples shown below, simply type *nano experiment.json* into your cloud shell, copy and paste any of the below experiment examples, save it (ctrl+o), exit nano (ctrl+x) and run the following command:

+ ```AzCLI

+az rest --method put --uri https://management.azure.com/subscriptions/6b052e15-03d3-4f17-b2e1-be7f07588291/resourceGroups/exampleRG/providers/Microsoft.Chaos/experiments/exampleExperiment?api-version=2024-01-01

+```

+> [!NOTE]

+> This is the generic command you would use to create any experiment from the Azure CLI

+> Make sure your experiment has permission to operate on **ALL** resources within the experiment. These examples exclusively use **System-assigned managed identity**, but we also support User-assigned managed identity. For more information, see [Experiment permissions](chaos-studio-permissions-security.md). These experiments will **NOT** run without granting the experiment permission to run on the target resources.

+Azure Kubernetes Service (AKS) - Network Delay

+**Experiment Description** This experiment delays network communication by 200ms

+### [Azure CLI Experiment.JSON](#tab/azure-CLI)

+```AzCLI

+Azure Kubernetes Service (AKS) - Pod Failure

+**Experiment Description** This experiment takes down all pods in the cluster for 10 minutes.

+### [Azure CLI Experiment.JSON](#tab/azure-CLI)

+Azure Kubernetes Service (AKS) - Memory Stress

+**Experiment Description** This experiment stresses the memory of 4 AKS pods to 95% for 10 minutes.

+Azure Kubernetes Service (AKS) - CPU Stress

+**Experiment Description** This experiment stresses the CPU of four pods in the AKS cluster to 95%.

+### [Azure CLI](#tab/azure-CLI)

+```AzCLI

+{

+ "identity": {

+ "type": "SystemAssigned"

+ },

+ "tags": {},

+ "location": "westus",

+ "properties": {

+ "selectors": [

+ {

+ "type": "List",

+ "targets": [

+ {

+ "id": "/subscriptions/123hdq8-123d-89d7-5670-123123/resourceGroups/aks_memory_stress_experiment/providers/Microsoft.ContainerService/managedClusters/nikhilAKScluster/providers/Microsoft.Chaos/targets/Microsoft-AzureKubernetesServiceChaosMesh",

+ "type": "ChaosTarget"

+ }

+ ],

+ "id": "Selector1"

+ }

+ ],

+ "steps": [

+ {

+ "name": "AKS CPU stress",

+ "branches": [

+ {

+ "name": "AKS CPU stress",

+ "actions": [

+ {

+ "type": "continuous",

+ "selectorId": "Selector1",

+ "duration": "PT10M",

+ "parameters": [

+ {

+ "key": "jsonSpec",

+ "value": "{\"mode\":\"all\",\"selector\":{\"namespaces\":[\"autoinstrumentationdemo\"]},\"stressors\":{\"cpu\":{\"workers\":4,\"load\":95}}}"

+ }

+ ],

+ "name": "urn:csci:microsoft:azureKubernetesServiceChaosMesh:stressChaos/2.1"

+ }

+ ]

+ }

+ ]

+ }

+ ]

+ }

+}

+```

+### [Azure portal parameters](#tab/azure-portal)

+```Azure portal

+{"mode":"all","selector":{"namespaces":["autoinstrumentationdemo"]},"stressors":{"cpu":{"workers":4,"load":95}}}

+```

+Azure Kubernetes Service (AKS) - Network Emulation

+**Experiment Description** This experiment applies a network emulation to all pods in the specified namespace, adding a latency of 100ms and a packet loss of 0.1% for 5 minutes.

+### [Azure CLI Experiment.JSON](#tab/azure-CLI)

+```AzCLI

+{

+ "identity": {

+ "type": "SystemAssigned"

+ },

+ "tags": {},

+ "location": "westus",

+ "properties": {

+ "selectors": [

+ {

+ "type": "List",

+ "targets": [

+ {

+ "id": "/subscriptions/123hdq8-123d-89d7-5670-123123/resourceGroups/aks_network_emulation_experiment/providers/Microsoft.ContainerService/managedClusters/nikhilAKScluster/providers/Microsoft.Chaos/targets/Microsoft-AzureKubernetesServiceChaosMesh",

+ "type": "ChaosTarget"

+ }

+ ],

+ "id": "Selector1"

+ }

+ ],

+ "steps": [

+ {

+ "name": "AKS network emulation",

+ "branches": [

+ {

+ "name": "AKS network emulation",

+ "actions": [

+ {

+ "type": "continuous",

+ "selectorId": "Selector1",

+ "duration": "PT5M",

+ "parameters": [

+ {

+ "key": "jsonSpec",

+ "value": "{\"action\":\"netem\",\"mode\":\"all\",\"selector\":{\"namespaces\":[\"default\"]},\"netem\":{\"latency\":\"100ms\",\"loss\":\"0.1\",\"correlation\":\"25\"}}"

+ }

+ ],

+ "name": "urn:csci:microsoft:azureKubernetesServiceChaosMesh:networkChaos/2.1"

+ }

+ ]

+ }

+ ]

+ }

+ ]

+ }

+}

+```

+### [Azure portal parameters](#tab/azure-portal)

+```Azure portal

+{"action":"netem","mode":"all","selector":{"namespaces":["default"]},"netem":{"latency":"100ms","loss":"0.1","correlation":"25"}}

+```

+Azure Kubernetes Service (AKS) - Network Partition

+**Experiment Description** This experiment partitions the network for all pods in the specified namespace, simulating a network split in the 'to' direction for 5 minutes.

+### [Azure CLI Experiment.JSON](#tab/azure-CLI)

+```AzCLI

+{

+ "identity": {

+ "type": "SystemAssigned"

+ },

+ "tags": {},

+ "location": "westus",

+ "properties": {

+ "selectors": [

+ {

+ "type": "List",

+ "targets": [

+ {

+ "id": "/subscriptions/123hdq8-123d-89d7-5670-123123/resourceGroups/aks_partition_experiment/providers/Microsoft.ContainerService/managedClusters/nikhilAKScluster/providers/Microsoft.Chaos/targets/Microsoft-AzureKubernetesServiceChaosMesh",

+ "type": "ChaosTarget"

+ }

+ ],

+ "id": "Selector1"

+ }

+ ],

+ "steps": [

+ {

+ "name": "AKS network partition",

+ "branches": [

+ {

+ "name": "AKS network partition",

+ "actions": [

+ {

+ "type": "continuous",

+ "selectorId": "Selector1",

+ "duration": "PT5M",

+ "parameters": [

+ {

+ "key": "jsonSpec",

+ "value": "{\"action\":\"partition\",\"mode\":\"all\",\"selector\":{\"namespaces\":[\"default\"]},\"partition\":{\"direction\":\"to\"}}"

+ }

+ ],

+ "name": "urn:csci:microsoft:azureKubernetesServiceChaosMesh:networkChaos/2.1"

+ }

+ ]

+ }

+ ]

+ }

+ ]

+ }

+}

+```

+### [Azure portal parameters](#tab/azure-portal)

+```Azure portal

+{"action":"partition","mode":"all","selector":{"namespaces":["default"]},"partition":{"direction":"to"}}

+```

+Azure Kubernetes Service (AKS) - Network Bandwidth Limitation

+**Experiment Description** This experiment limits the network bandwidth for all pods in the specified namespace to 1mbps, with additional parameters for limit, buffer, peak rate, and burst for 5 minutes.

+### [Azure CLI Experiment.JSON](#tab/azure-CLI)

+```AzCLI

+{

+ "identity": {

+ "type": "SystemAssigned"

+ },

+ "tags": {},

+ "location": "westus",

+ "properties": {

+ "selectors": [

+ {

+ "type": "List",

+ "targets": [

+ {

+ "id": "/subscriptions/123hdq8-123d-89d7-5670-123123/resourceGroups/aks_bandwidth_experiment/providers/Microsoft.ContainerService/managedClusters/nikhilAKScluster/providers/Microsoft.Chaos/targets/Microsoft-AzureKubernetesServiceChaosMesh",

+ "type": "ChaosTarget"

+ }

+ ],

+ "id": "Selector1"

+ }

+ ],

+ "steps": [

+ {

+ "name": "AKS network bandwidth",

+ "branches": [

+ {

+ "name": "AKS network bandwidth",

+ "actions": [

+ {

+ "type": "continuous",

+ "selectorId": "Selector1",

+ "duration": "PT5M",

+ "parameters": [

+ {

+ "key": "jsonSpec",

+ "value": "{\"action\":\"bandwidth\",\"mode\":\"all\",\"selector\":{\"namespaces\":[\"default\"]},\"bandwidth\":{\"rate\":\"1mbps\",\"limit\":\"50mb\",\"buffer\":\"10kb\",\"peakrate\":\"1mbps\",\"minburst\":\"0\"}}"

+ }

+ ],

+ "name": "urn:csci:microsoft:azureKubernetesServiceChaosMesh:networkChaos/2.1"

+ }

+ ]

+ }

+ ]

+ }

+ ]

+ }

+}

+```

+### [Azure portal parameters](#tab/azure-portal)

+```Azure portal

+{"action":"bandwidth","mode":"all","selector":{"namespaces":["default"]},"bandwidth":{"rate":"1mbps","limit":"50mb","buffer":"10kb","peakrate":"1mbps","minburst":"0"}}

+```

+Azure Kubernetes Service (AKS) - Network Packet Re-order

+**Experiment Description** This experiment reorders network packets for all pods in the specified namespace, with a gap of 5 packets and a reorder percentage of 25% for 5 minutes.

+### [Azure CLI Experiment.JSON](#tab/azure-CLI)

+```AzCLI

+{

+ "identity": {

+ "type": "SystemAssigned"

+ },

+ "tags": {},

+ "location": "westus",

+ "properties": {

+ "selectors": [

+ {

+ "type": "List",

+ "targets": [

+ {

+ "id": "/subscriptions/123hdq8-123d-89d7-5670-123123/resourceGroups/aks_reorder_experiment/providers/Microsoft.ContainerService/managedClusters/nikhilAKScluster/providers/Microsoft.Chaos/targets/Microsoft-AzureKubernetesServiceChaosMesh",

+ "type": "ChaosTarget"

+ }

+ ],

+ "id": "Selector1"

+ }

+ ],

+ "steps": [

+ {

+ "name": "AKS network reorder",

+ "branches": [

+ {

+ "name": "AKS network reorder",

+ "actions": [

+ {

+ "type": "continuous",

+ "selectorId": "Selector1",

+ "duration": "PT5M",

+ "parameters": [

+ {

+ "key": "jsonSpec",

+ "value": "{\"action\":\"reorder\",\"mode\":\"all\",\"selector\":{\"namespaces\":[\"default\"]},\"reorder\":{\"gap\":\"5\",\"reorder\":\"25\",\"correlation\":\"50\"}}"

+ }

+ ],

+ "name": "urn:csci:microsoft:azureKubernetesServiceChaosMesh:networkChaos/2.1"

+ }

+ ]

+ }

+ ]

+ }

+ ]

+ }

+}

+```

+### [Azure portal parameters](#tab/azure-portal)

+```Azure portal

+{"action":"reorder","mode":"all","selector":{"namespaces":["default"]},"reorder":{"gap":"5","reorder":"25","correlation":"50"}}

+```

+Azure Kubernetes Service (AKS) - Network Packet Loss

+**Experiment Description** This experiment simulates a packet loss of 10% for all pods in the specified namespace for 5 minutes.

+### [Azure CLI Experiment.JSON](#tab/azure-CLI)

+```AzCLI

+{

+ "identity": {

+ "type": "SystemAssigned"

+ },

+ "tags": {},

+ "location": "westus",

+ "properties": {

+ "selectors": [

+ {

+ "type": "List",

+ "targets": [

+ {

+ "id": "/subscriptions/123hdq8-123d-89d7-5670-123123/resourceGroups/aks_loss_experiment/providers/Microsoft.ContainerService/managedClusters/nikhilAKScluster/providers/Microsoft.Chaos/targets/Microsoft-AzureKubernetesServiceChaosMesh",

+ "type": "ChaosTarget"

+ }

+ ],

+ "id": "Selector1"

+ }

+ ],

+ "steps": [

+ {

+ "name": "AKS network loss",

+ "branches": [

+ {

+ "name": "AKS network loss",

+ "actions": [

+ {

+ "type": "continuous",

+ "selectorId": "Selector1",

+ "duration": "PT5M",

+ "parameters": [

+ {

+ "key": "jsonSpec",

+ "value": "{\"action\":\"loss\",\"mode\":\"all\",\"selector\":{\"namespaces\":[\"default\"]},\"loss\":{\"loss\":\"10\",\"correlation\":\"25\"}}"

+ }

+ ],

+ "name": "urn:csci:microsoft:azureKubernetesServiceChaosMesh:networkChaos/2.1"

+ }

+ ]

+ }

+ ]

+ }

+ ]

+ }

+}

+```

+### [Azure portal parameters](#tab/azure-portal)

+```Azure portal

+{"action":"loss","mode":"all","selector":{"namespaces":["default"]},"loss":{"loss":"10","correlation":"25"}}

+```

+Azure Kubernetes Service (AKS) - Network Packet Duplication

+**Experiment Description** This experiment duplicates 50% of the network packets for all pods in the specified namespace for 5 minutes.

+### [Azure CLI Experiment.JSON](#tab/azure-CLI)

+```AzCLI

+{

+ "identity": {

+ "type": "SystemAssigned"

+ },

+ "tags": {},

+ "location": "westus",

+ "properties": {

+ "selectors": [

+ {

+ "type": "List",

+ "targets": [

+ {

+ "id": "/subscriptions/123hdq8-123d-89d7-5670-123123/resourceGroups/aks_duplicate_experiment/providers/Microsoft.ContainerService/managedClusters/nikhilAKScluster/providers/Microsoft.Chaos/targets/Microsoft-AzureKubernetesServiceChaosMesh",

+ "type": "ChaosTarget"

+ }

+ ],

+ "id": "Selector1"

+ }

+ ],

+ "steps": [

+ {

+ "name": "AKS network duplicate",

+ "branches": [

+ {

+ "name": "AKS network duplicate",

+ "actions": [

+ {

+ "type": "continuous",

+ "selectorId": "Selector1",

+ "duration": "PT5M",

+ "parameters": [

+ {

+ "key": "jsonSpec",

+ "value": "{\"action\":\"duplicate\",\"mode\":\"all\",\"selector\":{\"namespaces\":[\"default\"]},\"duplicate\":{\"duplicate\":\"50\",\"correlation\":\"50\"}}"

+ }

+ ],

+ "name": "urn:csci:microsoft:azureKubernetesServiceChaosMesh:networkChaos/2.1"

+ }

+ ]

+ }

+ ]

+ }

+ ]

+ }

+}

+```

+### [Azure portal parameters](#tab/azure-portal)

+```Azure portal

+{"action":"duplicate","mode":"all","selector":{"namespaces":["default"]},"duplicate":{"duplicate":"50","correlation":"50"}}

+```

+Azure Kubernetes Service (AKS) - Network Packet Corruption

+**Experiment Description** This experiment corrupts 50% of the network packets for all pods in the specified namespace for 5 minutes.

+### [Azure CLI Experiment.JSON](#tab/azure-CLI)

+```AzCLI

+{

+ "identity": {

+ "type": "SystemAssigned"

+ },

+ "tags": {},

+ "location": "westus",

+ "properties": {

+ "selectors": [

+ {

+ "type": "List",

+ "targets": [

+ {

+ "id": "/subscriptions/123hdq8-123d-89d7-5670-123123/resourceGroups/aks_corrupt_experiment/providers/Microsoft.ContainerService/managedClusters/nikhilAKScluster/providers/Microsoft.Chaos/targets/Microsoft-AzureKubernetesServiceChaosMesh",

+ "type": "ChaosTarget"

+ }

+ ],

+ "id": "Selector1"

+ }

+ ],

+ "steps": [

+ {

+ "name": "AKS network corrupt",

+ "branches": [

+ {

+ "name": "AKS network corrupt",

+ "actions": [

+ {

+ "type": "continuous",

+ "selectorId": "Selector1",

+ "duration": "PT5M",

+ "parameters": [

+ {

+ "key": "jsonSpec",

+ "value": "{\"action\":\"corrupt\",\"mode\":\"all\",\"selector\":{\"namespaces\":[\"default\"]},\"corrupt\":{\"corrupt\":\"50\",\"correlation\":\"50\"}}"

+ }

+ ],

+ "name": "urn:csci:microsoft:azureKubernetesServiceChaosMesh:networkChaos/2.1"

+ }

+ ]

+ }

+ ]

+ }

+ ]

+ }

+}

+```

+### [Azure portal parameters](#tab/azure-portal)

+```Azure portal

+{"action":"corrupt","mode":"all","selector":{"namespaces":["default"]},"corrupt":{"corrupt":"50","correlation":"50"}}

+```

+Azure Load Test - Start/Stop Load Test (With Delay)

+**Experiment Description** This experiment starts an existing Azure load test, then waits for 10 minutes using the "delay" action before stopping the load test.

+### [Azure CLI Experiment.JSON](#tab/azure-CLI)

+```AzCLI

+{

+"identity": {

+ "type": "SystemAssigned",

+ },

+ "tags": {},

+ "location": "eastus",

+ "properties": {

+ "selectors": [

+ {

+ "type": "List",

+ "targets": [

+ {

+ "id": "/subscriptions/123hdq8-123d-89d7-5670-123123/resourceGroups/nikhilLoadTest/providers/microsoft.loadtestservice/loadtests/Nikhil-Demo-Load-Test/providers/Microsoft.Chaos/targets/microsoft-azureloadtest",

+ "type": "ChaosTarget"

+ }

+ ],

+ "id": "66e5124c-12db-4f7e-8549-7299c5828bff"

+ },

+ {

+ "type": "List",

+ "targets": [

+ {

+ "id": "/subscriptions/123hdq8-123d-89d7-5670-123123/resourceGroups/builddemo/providers/microsoft.loadtestservice/loadtests/Nikhil-Demo-Load-Test/providers/Microsoft.Chaos/targets/microsoft-azureloadtest",

+ "type": "ChaosTarget"

+ }

+ ],

+ "id": "9dc23b43-81ca-42c3-beae-3fe8ac80c30b"

+ }

+ ],

+ "steps": [

+ {

+ "name": "Step 1 - Start Load Test",

+ "branches": [

+ {

+ "name": "Branch 1",

+ "actions": [

+ {

+ "selectorId": "66e5124c-12db-4f7e-8549-7299c5828bff",

+ "type": "discrete",

+ "parameters": [

+ {

+ "key": "testId",

+ "value": "ae24e6z9-d88d-4752-8552-c73e8a9adebc"

+ }

+ ],

+ "name": "urn:csci:microsoft:azureLoadTest:start/1.0"

+ },

+ {

+ "type": "delay",

+ "duration": "PT10M",

+ "name": "urn:csci:microsoft:chaosStudio:TimedDelay/1.0"

+ }

+ ]

+ }

+ ]

+ },

+ {

+ "name": "Step 2 - End Load test",

+ "branches": [

+ {

+ "name": "Branch 1",

+ "actions": [

+ {

+ "selectorId": "9dc23b43-81ca-42c3-beae-3fe8ac80c30b",

+ "type": "discrete",

+ "parameters": [

+ {

+ "key": "testId",

+ "value": "ae24e6z9-d88d-4752-8552-c73e8a9adebc"

+ }

+ ],

+ "name": "urn:csci:microsoft:azureLoadTest:stop/1.0"

+ }

+ ]

+ }

+ ]

+ }

+ ]

+ }

+}

+}

+```

+### [Azure portal parameters](#tab/azure-portal)

+```Azure portal

+ae24e6z9-d88d-4752-8552-c73e8a9adebc

+```

+## July 2024 Guest OS

+| Product Category | Parent KB Article | Vulnerability Description | Guest OS | Date First Introduced |

+| | | | | |

+| Rel 24-07 | 5040430 | Latest Cumulative Update(LCU) | [6.73] | Jul 09, 2024 |

+| Rel 24-07 | 5040437 | Latest Cumulative Update(LCU) | [7.43] | Jul 09, 2024 |

+| Rel 24-07 | 5040434 | Latest Cumulative Update(LCU) | [5.97] | Jul 09, 2024 |

+| Rel 24-07 | 5039909 | .NET Framework 3.5 Security and Quality Rollup | [2.153] | Jul 09, 2024 |

+| Rel 24-07 | 5039882 | .NET Framework 4.7.2 Cumulative Update LKG | [2.153] | Jul 09, 2024 |

+| Rel 24-07 | 5039910 | .NET Framework 3.5 Security and Quality Rollup LKG |[4.133] | Jul 09, 2024 |

+| Rel 24-07 | 5039881 | .NET Framework 4.7.2 Cumulative Update LKG |[4.133] | Jul 09, 2024 |

+| Rel 24-07 | 5039908 | .NET Framework 3.5 Security and Quality Rollup LKG | [3.141] | Jul 09, 2024 |

+| Rel 24-07 | 5039880 | .NET Framework 4.7.2 Cumulative Update LKG | [3.141] | Jul 09, 2024 |

+| Rel 24-07 | 5039879 | . NET Framework Dot Net | [6.73] | Jul 09, 2024 |

+| Rel 24-07 | 5039889 | .NET Framework 4.8 Security and Quality Rollup LKG | [7.43] | Jul 09, 2024 |

+| Rel 24-07 | 5040497 | Monthly Rollup | [2.153] | Jul 09, 2024 |

+| Rel 24-07 | 5040485 | Monthly Rollup | [3.141] | Jul 09, 2024 |

+| Rel 24-07 | 5040456 | Monthly Rollup | [4.133] | Jul 09, 2024 |

+| Rel 24-07 | 5040570 | Servicing Stack Update | [3.141] | Jul 09, 2024 |

+| Rel 24-07 | 5040569 | Servicing Stack Update | [4.133] | Jul 09, 2024 |

+| Rel 24-07 | 5040562 | Servicing Stack Update | [5.97] | Jul 09, 2024 |

+| Rel 24-07 | 5039339 | Servicing Stack Update LKG | [2.153] | Jul 09, 2024 |

+| Rel 24-07 | 5040571 | Servicing Stack Update | [7.43] | Jul 09, 2024 |

+| Rel 24-07 | 5040563 | Servicing Stack Update | [6.73] | Jul 09, 2024 |

+| Rel 24-07 | 4494175 | January '20 Microcode | [5.97] | Sep 1, 2020 |

+| Rel 24-07 | 4494175 | January '20 Microcode | [6.73] | Sep 1, 2020 |

+[5040430]: https://support.microsoft.com/kb/5040430

+[5040437]: https://support.microsoft.com/kb/5040437

+[5040434]: https://support.microsoft.com/kb/5040434

+[5039909]: https://support.microsoft.com/kb/5039909

+[5039882]: https://support.microsoft.com/kb/5039882

+[5039910]: https://support.microsoft.com/kb/5039910

+[5039881]: https://support.microsoft.com/kb/5039881

+[5039908]: https://support.microsoft.com/kb/5039908

+[5039880]: https://support.microsoft.com/kb/5039880

+[5039879]: https://support.microsoft.com/kb/5039879

+[5039889]: https://support.microsoft.com/kb/5039889

+[5040497]: https://support.microsoft.com/kb/5040497

+[5040485]: https://support.microsoft.com/kb/5040485

+[5040456]: https://support.microsoft.com/kb/5040456

+[5040570]: https://support.microsoft.com/kb/5040570

+[5040569]: https://support.microsoft.com/kb/5040569

+[5040562]: https://support.microsoft.com/kb/5040562

+[5039339]: https://support.microsoft.com/kb/5039339

+[5040571]: https://support.microsoft.com/kb/5040571

+[5040563]: https://support.microsoft.com/kb/5040563

+[4494175]: https://support.microsoft.com/kb/4494175

+[2.153]: ./cloud-services-guestos-update-matrix.md#family-2-releases

+[3.141]: ./cloud-services-guestos-update-matrix.md#family-3-releases

+[4.133]: ./cloud-services-guestos-update-matrix.md#family-4-releases

+[5.97]: ./cloud-services-guestos-update-matrix.md#family-5-releases

+[6.73]: ./cloud-services-guestos-update-matrix.md#family-6-releases

+[7.43]: ./cloud-services-guestos-update-matrix.md#family-7-releases

+###### **July 31, 2024**

+The July Guest OS released.

+| WA-GUEST-OS-7.43_202407-01 | July 31, 2024 | Post 7.46 |

+|~~WA-GUEST-OS-7.40_202404-01~~| April 19, 2024 | July 31, 2024 |

+| WA-GUEST-OS-6.73_202407-01 | July 31, 2024 | Post 6.76 |

+|~~WA-GUEST-OS-6.70_202404-01~~| April 19, 2024 | July 31, 2024 |

+| WA-GUEST-OS-5.97_202407-01 | July 31, 2024 | Post 5.100 |

+|~~WA-GUEST-OS-5.94_202404-01~~| April 19, 2024 | July 31, 2024 |

+| WA-GUEST-OS-4.133_202407-01 | July 31, 2024 | Post 4.136 |

+|~~WA-GUEST-OS-4.130_202404-01~~| April 19, 2024 | July 31, 2024 |

+| WA-GUEST-OS-3.141_202407-01 | July 31, 2024 | Post 3.144 |

+|~~WA-GUEST-OS-3.138_202404-01~~| April 19, 2024 | Post 3.141 |

+| WA-GUEST-OS-2.153_202407-01 | July 31, 2024 | Post 2.156 |

+|~~WA-GUEST-OS-2.150_202404-01~~| April 19, 2024 | July 31, 2024 |

+| **Container Subnet Address Prefix** | The example in this article uses `10.0.1.0/24`, which provides 254 IP addresses for Cloud Shell instances. |

+ Title: AI in Azure Communication Services

+description: Learn about Communication Services AI concepts

+# Artificial intelligence (AI) overview

+Artificial intelligence (AI) technologies can be useful for a wide variety of communication experiences. This concept page summarizes availability of AI and AI-adjacent features in Azure Communication Services. AI features can be split into three categories:

+- **Accessors.** APIs that allow you to access Azure Communication data for the purposes of integrating your own separate transformations and bots.

+- **Transformers.** APIs that provide a built-in transformation of communication data using a machine learning or language model.

+- **Bots.** APIs that implement bots that directly communicate with end-users, typically blending structured programming with language models.

+Typical communication scenarios integrating these capabilities:

+- Transforming audio speech content into text transcriptions

+- Transforming a video feed to blur the user's background

+- Operating a chat or voice bot that responds to human conversation

+- Transforming a corpus of text chat and meeting transcriptions into summaries. This experience might involve a generative AI interface in which a user asks, "summarize all conversations between me and user Joe."

+## Messaging: SMS, Chat, Email, WhatsApp

+Azure Communication Services capabilities for asynchronous messaging share common patterns for integrating AI listed here.

+| Feature | Accessor | Transformer | Bot | Description |

+|--|--|--|--|--|

+| REST APIs and SDKs| ✅ | | | The messaging services center around REST APIs and server-oriented SDKs. You can use these SDKs to export content to an external datastore and attach a language model to summarize conversations. Or you can use the SDKs to integrate a bot that directly engages with human users. |

+| WhatsApp Message Analysis | | ✅ | | The Azure Communication Service messaging APIs for WhatsApp provide a built-in integration with Azure OpenAI that analyses and annotates messages. This integration can detect the user’s language, recognize their intent, and extract key phrases. |

+| [Azure Bot – Chat Channel Integration](../quickstarts/chat/quickstart-botframework-integration.md) | | | ✅ | The Azure Communication Service chat system is directly integrated with Azure Bot services. This integration simplifies creating chat bots that engage with human users.|

+## Voice, Video, and Telephony

+The patterns for integrating AI into the voice and video system are summarized here.

+| Feature | Accessor | Transformer | Bot | Description |

+|--|--|--|--|--|

+| [Call Automation REST APIs and SDKs](../concepts/call-automation/call-automation.md) | ✅ | ✅ | | Call Automation APIs include both accessors and transformers, with REST APIs for playing audio files and recognizing a user’s response. The `recognize` APIs integrate Azure Bot Services to transform users’ audio content into text for easier processing by your service. The most common scenario for these APIs is implementing voice bots, sometimes called interactive voice response (IVR). |

+| [Microsoft Copilot Studio](https://learn.microsoft.com/microsoft-copilot-studio/voice-overview) | | ✅ | ✅ | Copilot studio is directly integrated with Azure Communication Services telephony. This integration is designed for voice bots and IVR. |

+| [Azure Portal Copilot](https://learn.microsoft.com/microsoft-copilot-studio/voice-overview) | | ✅ | ✅ | Copilot studio is directly integrated with Azure Communication Services telephony. This integration is designed for voice bots and IVR. |

+| [Client Raw Audio and Video](../concepts/voice-video-calling/media-access.md) | ✅ | | | The Calling client SDK provides APIs for accessing and modifying the raw audio and video feed. An example scenario is taking the video feed, detecting the human speaker and their background, and customizing that background. |

+| [Client Background effects](../quickstarts/voice-video-calling/get-started-video-effects.md?pivots=platform-web)| | ✅ | | The Calling client SDKs provides APIs for blurring or replacing a user’s background. |

+| [Client Captions](../concepts/voice-video-calling/closed-captions.md) | | ✅ | | The Calling client SDK provides APIs for real-time closed captions. These internally integrate Azure Cognitive Services to transform audio content from the call into text in real-time. |

+| [Client Noise Enhancement and Effects](../tutorials/audio-quality-enhancements/add-noise-supression.md?pivots=platform-web) | | ✅ | | The Calling client SDK integrates a [DeepVQE](https://arxiv.org/abs/2306.03177) machine learning model to improve audio quality through echo cancellation, noise suppression, and dereverberation. This transformation is toggled on and off using the client SDK. |

+<tr><td rowspan="11">Geospatial Operators</td><td><code>$geoIntersects</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td></tr>

+<tr><td><code>$geoWithin</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td></tr>

+<tr><td><code>$box</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td></tr>

+<tr><td><code>$center</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td></tr>

+<tr><td><code>$centerSphere</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td></tr>

+<tr><td><code>$geometry</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td></tr>

+<tr><td><code>$maxDistance</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td></tr>

+<tr><td><code>$minDistance</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td></tr>

+<tr><td><code>$polygon</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td></tr>

+<tr><td><code>$near</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td></tr>

+<tr><td><code>$nearSphere</code></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td></tr>

+<tr><td>Geospatial Index</td><td><img src="media/compatibility/yes-icon.svg" alt="Yes"></td></tr>

+ Title: Support for Geospatial Queries

+description: Introducing support for geospatial queries on vCore based Azure Cosmos DB for MongoDB.

+# Support for Geospatial Queries

+Geospatial data can now be stored and queried using vCore-based Azure Cosmos DB for MongoDB. This enhancement provides powerful tools to manage and analyze spatial data, enabling a wide range of applications such as real-time location tracking, route optimization, and spatial analytics.

+HereΓÇÖs a quick overview of the geospatial commands and operators now supported:

+## Geospatial Query Operators

+### **$geoIntersects**

+Selects documents where a specified geometry intersects with the documents' geometry. Useful for finding documents that share any portion of space with a given geometry.

+ ```json

+ db.collection.find({

+ location: {

+ $geoIntersects: {

+ $geometry: {

+ type: "<GeoJSON object type>",

+ coordinates: [[[...], [...], [...], [...]]]

+ }

+ }

+ }

+ })

+ ```

+### **$geoWithin**

+Selects documents with geospatial data that exists entirely within a specified shape. This operator is used to find documents within a defined area.

+ ```json

+ db.collection.find({

+ location: {

+ $geoWithin: {

+ $geometry: {

+ type: "Polygon",

+ coordinates: [[[...], [...], [...], [...]]]

+ }

+ }

+ }

+ })

+ ```

+### **$box**

+Defines a rectangular area using two coordinate pairs (bottom-left and top-right corners). Used with the `$geoWithin` operator to find documents within this rectangle. For example, finding all locations within a rectangular region on a map.

+ ```json

+ db.collection.find({

+ location: {

+ $geoWithin: {

+ $box: [[lowerLeftLong, lowerLeftLat], [upperRightLong, upperRightLat]]

+ }

+ }

+ })

+ ```

+### **$center**

+Defines a circular area using a center point and a radius in radians. Used with the `$geoWithin` operator to find documents within this circle.

+ ```json

+ db.collection.find({

+ location: {

+ $geoWithin: {

+ $center: [[longitude, latitude], radius]

+ }

+ }

+ })

+ ```

+### **$centerSphere**

+Similar to `$center`, but defines a spherical area using a center point and a radius in radians. Useful for spherical geometry calculations.

+ ```json

+ db.collection.find({

+ location: {

+ $geoWithin: {

+ $centerSphere: [[longitude, latitude], radius]

+ }

+ }

+ })

+ ```

+### **$geometry**

+Specifies a GeoJSON object to define a geometry. Used with geospatial operators to perform queries based on complex shapes.

+ ```json

+ db.collection.find({

+ location: {

+ $geoIntersects: {

+ $geometry: {

+ type: "<GeoJSON object type>",

+ coordinates: [longitude, latitude]

+ }

+ }

+ }

+ })

+ ```

+### **$maxDistance**

+Specifies the maximum distance from a point for a geospatial query. Used with `$near` and `$nearSphere` operators. For example, finding all locations within 2 km of a given point.

+ ```json

+ db.collection.find({

+ location: {

+ $near: {

+ $geometry: {

+ type: "Point",

+ coordinates: [longitude, latitude]

+ },

+ $maxDistance: distance

+ }

+ }

+ })

+ ```

+### **$minDistance**

+Specifies the minimum distance from a point for a geospatial query. Used with `$near` and `$nearSphere` operators.

+ ```json

+ db.collection.find({

+ location: {

+ $near: {

+ $geometry: {

+ type: "Point",

+ coordinates: [longitude, latitude]

+ },

+ $minDistance: distance

+ }

+ }

+ })

+ ```

+### **$polygon**

+Defines a polygon using an array of coordinate pairs. Used with the `$geoWithin` operator to find documents within this polygon.

+ ```json

+ db.collection.find({

+ location: {

+ $geoWithin: {

+ $geometry: {

+ type: "Polygon",

+ coordinates: [[[...], [...], [...], [...]]]

+ }

+ }

+ }

+ })

+ ```

+### **$near**

+Finds documents that are near a specified point. Returns documents sorted by distance from the point. For example, finding the nearest restaurants to a user's location.

+ ```json

+ db.collection.find({

+ location: {

+ $near: {

+ $geometry: {

+ type: "Point",

+ coordinates: [longitude, latitude]

+ },

+ $maxDistance: distance

+ }

+ }

+ })

+ ```

+### **$nearSphere**

+Similar to `$near`, but performs calculations on a spherical surface. Useful for more accurate distance calculations on the Earth's surface.

+ ```json

+ db.collection.find({

+ location: {

+ $nearSphere: {

+ $geometry: {

+ type: "Point",

+ coordinates: [longitude, latitude]

+ },

+ $maxDistance: distance

+ }

+ }

+ })

+ ```

+## Geospatial Aggregation Stage

+### **$geoNear**

+Performs a geospatial query to return documents sorted by distance from a specified point. Can include additional query criteria and return distance information.

+ ```json

+ db.collection.aggregate([

+ {

+ $geoNear: {

+ near: {

+ type: "Point",

+ coordinates: [longitude, latitude]

+ },

+ distanceField: "distance",

+ spherical: true

+ }

+ }

+ ])

+ ```

+## Considerations and Unsupported Capabilities

+* Currently, querying with a single-ringed GeoJSON polygon whose area exceeds a single hemisphere isn't supported. In such cases, Mongo vCore returns the following error message:

+ ```json

+ Error: Custom CRS for big polygon is not supported yet.

+ ```

+* A composite index using a regular index and geospatial index isn't allowed. For example:

+ ```json

+ db.collection.createIndex({a: "2d", b: 1});

+ Error: Compound 2d indexes are not supported yet

+ ```

+* Polygons with holes are currently not supported for use with $geoWithin queries. Although inserting a polygon with holes is not restricted, it eventually fails with the following error message:

+ ```json

+ Error: $geoWithin currently doesn't support polygons with holes

+ ```

+* The key field is always required in the $geoNear aggregation stage. If the key field is missing, the following error occurs:

+ ```json

+ Error: $geoNear requires a 'key' option as a String

+ ```

+* The `$geoNear`, `$near`, and `$nearSphere` stages don't have strict index requirements, so these queries wouldn't fail if an index is missing.

+## Related content

+- Read more about [feature compatibility with MongoDB.](compatibility.md)

+- Review options for [migrating from MongoDB to Azure Cosmos DB for MongoDB vCore.](how-to-migrate-native-tools.md)

+- [Node.js Quickstart](quickstart-nodejs.md)

+- [Node.js Quickstart](quickstart-nodejs.md)

+- [Node.js Quickstart](quickstart-nodejs.md)

+- [Node.js Quickstart](quickstart-nodejs.md)

+> [!NOTE]

+> The `quantizedFlat` and `diskANN` indexes requires that at least 1,000 vectors to be inserted. This is to ensure accuracy of the quantization process. If there are fewer than 1,000 vectors, a full scan is executed instead and will lead to higher RU charges for a vector search query.

+ },

+ {

+ "path": "/vector1"

+ },

+ {

+ "path": "/vector1",

+ },

+ {

+ "path": "/vector2",

+>[!IMPORTANT]

+> The vector path added to the "excludedPaths" section of the indexing policy to ensure optimized performance for insertion. Not adding the vector path to "excludedPaths" will result in higher RU charge and latency for vector insertions.

+When all the conditions are fully satisfied, you can detach the payment method from the billing profile.

+#### Detach payment method errors

+There are several reasons why trying to detach a payment method might fail. If youΓÇÖre having problems trying to detach (remove) a payment method, it's most likely caused by one of the following reasons.

+##### Outstanding charges (past due charges)

+You can view your outstanding charges by navigating to **Cost Management + Billing** > select a billing account > under Billing, select **Invoices**, > then in the list of invoices you can view the **Status**. Invoices with **Past Due** status must be paid.

+HereΓÇÖs an example of past due charges.

+After you pay outstanding charges, you can detach your payment method.

+##### Recurring charges set to auto renew

+You can view recurring charges in the Recurring charges page. Navigate to **Cost Management + Billing** > select your billing account > under Billing, select **Recurring charges**. To stop charges from automatically renewing, on the Recurring charges page, select a charge and then one the right side of the row, select the ellipsis symbol (**…**) and then select **Cancel**.

+HereΓÇÖs an example of the Recurring charge page with items that must get canceled.

+Examples of recurring charges include:

+- Azure support agreements

+- Active Azure subscriptions

+- Reservations set to auto renew

+- Savings plans set to auto renew

+After all recurring charges are removed, you can detach your payment method.

+##### Pending charges

+You canΓÇÖt detach your payment method if there are any pending charges. In the Azure portal, pending charges appear with **Due on *date*** status on the Cost Management + Billing > Billing > Invoices page. LetΓÇÖs look at a typical pending charges example.

+1. Assume that a billing cycle begins on June 1.

+2. You use Azure services from June 1 to June 10.

+3. You cancel your subscription on June 10.

+4. You pay your invoice on June 12 for the month of May and are paid in full.

+5. However, you still have pending charges for June 1 to June 10.

+In this example, you arenΓÇÖt billed for your June usage until the following month (August). So, you canΓÇÖt detach your payment method until you pay the invoice for June, which isnΓÇÖt available until August.

+HereΓÇÖs an example of a pending charge.

+After you pay all pending charges, you can detach your payment method.

+1. When you select the corrective action link, you get redirected to the Azure page where you take action. Take whatever correction action is needed.

+1. When you select the corrective action link, you get redirected to the Azure page where you take action. Take whatever correction action is needed.

+If you already tried signing out and back in, yet you get the error message `Your login session has expired. Please click here to log back in`, try using a private browsing session.

+- Anomaly alerts are currently available only in the Azure public cloud. If you are using a government cloud or any of the sovereign clouds, this service is not yet available.

+### How can I automate the creation of an anomaly alert rule?

+You can automate the creation of anomaly alert rules using the [Scheduled Action API](/rest/api/cost-management/scheduled-actions/create-or-update-by-scope?view=rest-cost-management-2023-11-01&tabs=HTTP), specifying the scheduled action kind as **`InsightAlert.`**

+>Due to the sunset of Idf authentication type by **September 15, 2024**, please upgrade to Active Directory Authentication type before the date if you are currently using it.

+You can manually update the refresh token in Azure Key Vault based on QuickBooks Online's refresh token expiry policy. But another approach is to automate updates with a scheduled task or [Azure Function](https://github.com/Azure-Samples/serverless-keyvault-secret-rotation-handling) that checks for a new refresh token and updates it in Azure Key Vault.

+Once the upload to Azure is complete, the Data Box Disk service erases the data on its disks as per the [NIST SP 800-88](https://csrc.nist.gov/News/2014/Released-SP-800-88-Revision-1,-Guidelines-for-Medi) standard. After the erasure is complete, you can [Download the order history](data-box-portal-admin.md#download-order-history).

+description: Explore how Microsoft Defender for Cloud enhances data security posture management across multicloud environments, ensuring comprehensive protection.

+#customer intent: As a security professional, I want to understand how Defender for Cloud enhances data security in a multicloud environment so that I can effectively protect sensitive data.

+## Sensitive data discovery

+Sensitive data discovery identifies sensitive resources and their related risk and then helps to prioritize and remediate those risks.

+Defender for Cloud considers a resource sensitive if a Sensitive Information Type (SIT) is detected in it and the customer has configured the SIT to be considered sensitive. Defender for Cloud detects SITs that are considered sensitive by default.

+The sensitive data discovery process operates by taking samples of the resourceΓÇÖs data. The sample data is then used to identify sensitive resources with high confidence without performing a full scan of all assets in the resource.

+The sensitive data discovery process is powered by the Microsoft Purview classification engine that uses a common set of SITs and labels for all datastores, regardless of their type or hosting cloud vendor.

+Sensitive data discovery detects the existence of sensitive data at the cloud workload level. Sensitive data discovery aims to identify various types of sensitive information, but it might not detect all types.

+To get complete data cataloging scanning results with all SITs available in the cloud resource, we recommend you use the scanning features from Microsoft Purview.

+### For cloud storage

+Defender for Cloud's scanning algorithm selects containers that might contain sensitive information and samples up to 20MBs for each file scanned within the container.

+### For cloud Databases

+Defender for Cloud selects certain tables and samples between 300 to 1,024 rows using nonblocking queries.

+## Next step

+> [!div class="nextstepaction"]

+> [Prepare and review requirements for data security posture management.](concept-data-security-posture-prepare.md)

+Defender for Cloud includes Foundational CSPM capabilities and access to [Microsoft Defender XDR](/microsoft-365/security/defender/microsoft-365-defender) for free. You can add additional paid plans to secure all aspects of your cloud resources. You can try Defender for Cloud for free for the first 30 days. After 30 days, charges begin in accordance with the plans enabled in your environment. To learn more about these plans and their costs, see the Defender for Cloud [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).

+ Title: Explore and investigate Defender for SQL security alerts

+description: Learn how to explore and investigate Defender for SQL security alerts in Microsoft Defender for Cloud.

+# Explore and investigate Defender for SQL security alerts

+There are several ways to view Microsoft Defender for SQL alerts in Microsoft Defender for Cloud:

+- The **Alerts** page.

+- The machine's security page.

+- The [workload protections dashboard](workload-protections-dashboard.md).

+- Through the direct link provided in the alert's email.

+## How to view alerts

+1. Sign in to the [Azure portal](https://portal.azure.com).

+1. Search for and select **Microsoft Defender for Cloud**.

+1. Select **Security alerts**.

+1. Select an alert.

+Alerts are designed to be self-contained, with detailed remediation steps and investigation information in each one. You can investigate further by using other Microsoft Defender for Cloud and Microsoft Sentinel capabilities for a broader view:

+- Enable SQL Server's auditing feature for further investigations. If you're a Microsoft Sentinel user, you can upload the SQL auditing logs from the Windows Security Log events to Sentinel and enjoy a rich investigation experience. [Learn more about SQL Server Auditing](/sql/relational-databases/security/auditing/create-a-server-audit-and-server-audit-specification?preserve-view=true&view=sql-server-ver15).

+- To improve your security posture, use Defender for Cloud's recommendations for the host machine indicated in each alert to reduce the risks of future attacks.

+

+[Learn more about managing and responding to alerts](managing-and-responding-alerts.yml).

+## Related content

+For related information, see these resources:

+- [Security alerts for SQL Database and Azure Synapse Analytics](alerts-sql-database-and-azure-synapse-analytics.md)

+- [Set up email notifications for security alerts](configure-email-notifications.md)

+- [Learn more about Microsoft Sentinel](../sentinel/index.yml)

+ Title: Enable Microsoft Defender for SQL servers on machines

+## Enable Defender for SQL on non-Azure machines using the AMA agent

+### Prerequisites for enabling Defender for SQL on non-Azure machines

+- An active Azure subscription.

+- **Subscription owner** permissions on the subscription in which you wish to assign the policy.

+- SQL Server on machines prerequisites:

+ - **Permissions**: the Windows user operating the SQL server must have the **Sysadmin** role on the database.

+ - **Extensions**: The following extensions should be added to the allowlist:

+ - Defender for SQL (IaaS and Arc):

+ - Publisher: Microsoft.Azure.AzureDefenderForSQL

+ - Type: AdvancedThreatProtection.Windows

+ - SQL IaaS Extension (IaaS):

+ - Publisher: Microsoft.SqlServer.Management

+ - Type: SqlIaaSAgent

+ - SQL IaaS Extension (Arc):

+ - Publisher: Microsoft.AzureData

+ - Type: WindowsAgent.SqlServer

+ - AMA extension (IaaS and Arc):

+ - Publisher: Microsoft.Azure.Monitor

+ - Type: AzureMonitorWindowsAgent

+### Naming conventions in the Deny policy allowlist

+- Defender for SQL uses the following naming convention when creating our resources:

+ - DCR: `MicrosoftDefenderForSQL--dcr`

+ - DCRA: `/Microsoft.Insights/MicrosoftDefenderForSQL-RulesAssociation`

+ - Resource group: `DefaultResourceGroup-`

+ - Log analytics workspace: `D4SQL--`

+- Defender for SQL uses *MicrosoftDefenderForSQL* as a *createdBy* database tag.

+### Steps to enable Defender for SQL on non-Azure machines

+1. Connect SQL server to Azure Arc. For more information on the supported operating systems, connectivity configuration, and required permissions, see the following documentation:

+ - [Plan and deploy Azure Arc-enabled servers](/azure/azure-arc/servers/plan-at-scale-deployment)

+ - [Connected Machine agent prerequisites](/azure/azure-arc/servers/prerequisites)

+ - [Connected Machine agent network requirements](/azure/azure-arc/servers/network-requirements)

+ - [Roles specific to SQL Server enabled by Azure Arc](/sql/relational-databases/security/authentication-access/server-level-roles#roles-specific-to-sql-server-enabled-by-azure-arc)

+1. Once Azure Arc is installed, the Azure extension for SQL Server is installed automatically on the database server. For more information, see [Manage automatic connection for SQL Server enabled by Azure Arc](/sql/sql-server/azure-arc/manage-autodeploy).

+### Enable Defender for SQL

+1. Once enabled we use one of the following policy initiatives:

+ - Configure SQL VMs and Arc-enabled SQL servers to install Microsoft Defender for SQL and AMA with a Log analytics workspace (LAW) for a default LAW. This creates resources groups with data collection rules and a default Log analytics workspace. For more information about the Log analytics workspace, see [Log Analytics workspace overview](/azure/azure-monitor/logs/log-analytics-workspace-overview).

+ :::image type="content" source="media/defender-for-sql-usage/default-log-analytics-workspace.png" alt-text="Screenshot of how to configure default log analytics workspace." lightbox="media/defender-for-sql-usage/default-log-analytics-workspace.png":::

+ - Configure SQL VMs and Arc-enabled SQL servers to install Microsoft Defender for SQL and AMA with a user-defined LAW. This creates a resource group with data collection rules and a custom Log analytics workspace in the predefined region. During this process, we install the Azure monitoring agent. For more information about the options to install the AMA agent, see [Azure Monitor Agent prerequisites](/azure/azure-monitor/agents/azure-monitor-agent-manage#prerequisites).

+ :::image type="content" source="media/defender-for-sql-usage/user-defined-log-analytics-workspace.png" alt-text="Screenshot of how to configure user-defined log analytics workspace." lightbox="media/defender-for-sql-usage/user-defined-log-analytics-workspace.png":::

+1. To complete the installation process, a restart of the SQL server (instance) is necessary for versions 2017 and older.

+## Enable Defender for SQL on Azure virtual machines using the AMA agent

+### Prerequisites for enabling Defender for SQL on Azure virtual machines

+- An active Azure subscription.

+- **Subscription owner** permissions on the subscription in which you wish to assign the policy.

+- SQL Server on machines prerequisites:

+ - **Permissions**: the Windows user operating the SQL server must have the **Sysadmin** role on the database.

+ - **Extensions**: The following extensions should be added to the allowlist:

+ - Defender for SQL (IaaS and Arc):

+ - Publisher: Microsoft.Azure.AzureDefenderForSQL

+ - Type: AdvancedThreatProtection.Windows

+ - SQL IaaS Extension (IaaS):

+ - Publisher: Microsoft.SqlServer.Management

+ - Type: SqlIaaSAgent

+ - SQL IaaS Extension (Arc):

+ - Publisher: Microsoft.AzureData

+ - Type: WindowsAgent.SqlServer

+ - AMA extension (IaaS and Arc):

+ - Publisher: Microsoft.Azure.Monitor

+ - Type: AzureMonitorWindowsAgent

+- Since we're creating a resource group in *East US*, as part of the autoprovisioning enablement process, this region needs to be allowed or Defender for SQL can't complete the installation process successfully.

+### Steps to enable Defender for SQL on Azure virtual machines

+1. Search for and select **Microsoft Defender for Cloud**.

+1. In the Defender for Cloud menu, select **Environment settings**.

+1. Select the relevant subscription.

+1. On the Defender plans page, locate the Databases plan and select **Select types**.

+ :::image type="content" source="media/tutorial-enabledatabases-plan/select-types.png" alt-text="Screenshot that shows you where to select types on the Defender plans page." lightbox="media/tutorial-enabledatabases-plan/select-types.png":::

+1. In the Resource types selection window, toggle the **SQL servers on machines** plan to **On**.

+1. Select **Continue**.

+1. Select **Save**.

+1. Once enabled we use one of the following policy initiatives:

+ - Configure SQL VMs and Arc-enabled SQL servers to install Microsoft Defender for SQL and AMA with a Log analytics workspace (LAW) for a default LAW. This creates a resources group in *East US*, and managed identity. For more information about the use of the managed identity, see [Resource Manager template samples for agents in Azure Monitor](/azure/azure-monitor/agents/resource-manager-agent). It also creates a resource group that includes a Data Collection Rules (DCR) and a default LAW. All resources are consolidated under this single resource group. The DCR and LAW are created to align with the region of the virtual machine (VM).

+ :::image type="content" source="media/defender-for-sql-usage/default-log-analytics-workspace.png" alt-text="Screenshot of how to configure default log analytics workspace." lightbox="media/defender-for-sql-usage/default-log-analytics-workspace.png":::

+ - Configure SQL VMs and Arc-enabled SQL servers to install Microsoft Defender for SQL and AMA with a user-defined LAW. This creates a resources group in *East US*, and managed identity. For more information about the use of the managed identity, see [Resource Manager template samples for agents in Azure Monitor](/azure/azure-monitor/agents/resource-manager-agent). It also creates a resources group with a DCR and a custom LAW in the predefined region.

+ :::image type="content" source="media/defender-for-sql-usage/user-defined-log-analytics-workspace.png" alt-text="Screenshot of how to configure user-defined log analytics workspace." lightbox="media/defender-for-sql-usage/user-defined-log-analytics-workspace.png":::

+1. To complete the installation process, a restart of the SQL server (instance) is necessary for versions 2017 and older.

+## Common questions

+### Once the deployment is done, how long do we need to wait to see a successful deployment?

+It takes approximately 30 minutes to update the protection status by the SQL IaaS Extension, assuming all the prerequisites are fulfilled.

+### How do I verify that my deployment ended successfully and that my database is now protected?

+1. Locate the database on the upper search bar in the Azure portal.

+1. Under the **Security** tab, select **Defender for Cloud**.

+1. Check the **Protection status**. If the status is **Protected**, the deployment was successful.

+### What is the purpose of the managed identity created during the installation process on Azure SQL VMs?

+The managed identity is part of the Azure Policy, which pushes out the AMA. It's used by the AMA to access the database to collect the data and send it via the Log Analytics Workspace (LAW) to Defender for Cloud. For more information about the use of the managed identity, see [Resource Manager template samples for agents in Azure Monitor](/azure/azure-monitor/agents/resource-manager-agent).

+### Can I use my own DCR or managed-identity instead of Defender for Cloud creating a new one?

+Yes, we allow you to bring your own identity or DCR using the following script only. For more information, see [Enable Microsoft Defender for SQL servers on machines at scale](enable-defender-sql-at-scale.md).

+### How can I enable SQL servers on machines with AMA at scale?

+See [Enable Microsoft Defender for SQL servers on machines at scale](enable-defender-sql-at-scale.md) for the process of how to enable Microsoft Defender for SQLΓÇÖs autoprovisioning across multiple subscriptions simultaneously. It's applicable to SQL servers hosted on Azure Virtual Machines, on-premises environments, and Azure Arc-enabled SQL servers.

+### Which tables are used in LAW with AMA?

+Defender for SQL on SQL VMs and Arc-enabled SQL servers uses the Log Analytics Workspace (LAW) to transfer data from the database to the Defender for Cloud portal. This means that no data is saved locally at the LAW. The tables in the LAW named *SQLAtpStatus* and the *SqlVulnerabilityAssessmentScanStatus* will be retired [when MMA is deprecated](/azure/azure-monitor/agents/azure-monitor-agent-migration). ATP and VA status can be viewed in the Defender for Cloud portal.

+### How does Defender for SQL collect logs from the SQL server?

+Defender for SQL uses Xevent, beginning with SQL Server 2017. On previous versions of SQL Server, Defender for SQL collects the logs using the SQL server audit logs.

+### I see a parameter named enableCollectionOfSqlQueriesForSecurityResearch in the policy initiative. Does this mean that my data is collected for analysis?

+This parameter isn't in use today. Its default value is *false*, meaning that unless you proactively change the value, it remains false. There's no effect from this parameter.

+## Related content

+ Title: How to enable Microsoft Defender for SQL servers on machines at scale

+description: Learn how to protect your Microsoft SQL servers on Azure VMs, on-premises, and in hybrid and multicloud environments with Microsoft Defender for Cloud at scale.

+#customer intent: As a user, I want to learn how to enable Defender for SQL servers at scale so that I can protect my SQL servers efficiently.

+# Enable Microsoft Defender for SQL servers on machines at scale

+Microsoft Defender for Cloud's SQL servers on machines component of the Defender for Databases plan, protects SQL IaaS and Defender for SQL extensions. The SQL servers on machines component identifies and mitigates potential database vulnerabilities while detecting anomalous activity that could indicate threats to your databases.

+When [you enable the SQL Server on a machines](tutorial-enable-databases-plan.md#enable-specific-plans-database-protections) component of the Defender for Databases plan, the auto-provision process is it automatically initiated. The auto-provision process installs and configures all the necessary components for the plan to function. Such as the Azure Monitor Agent (AMA), SQL IaaS extension, and Defender for SQL extensions. The auto-provision process also sets up the workspace configuration, Data Collection Rules, identity (if needed), and the SQL IaaS extension.

+This page explains how you can enable the auto-provision process for Defender for SQL across multiple subscriptions simultaneously using a PowerShell script. This process applies to SQL servers hosted on Azure VMs, on-premises environments, and Azure Arc-enabled SQL servers. This article also discusses how to utilize extra functionalities that can accommodate various configurations such as:

+- Custom data collection rules

+- Custom identity management

+- Default workspace integration

+- Custom workspace configuration

+## Prerequisites

+- Gain knowledge on:

+ - [SQL server on VMs](https://azure.microsoft.com/products/virtual-machines/sql-server/)

+ - [SQL Server enabled by Azure Arc](/sql/sql-server/azure-arc/overview)

+ - [How to migrate to Azure Monitor Agent from Log Analytics agent](../azure-monitor/agents/azure-monitor-agent-migration.md)

+- [Connect AWS accounts to Microsoft Defender for Cloud](quickstart-onboard-aws.md)

+- [Connect your GCP project to Microsoft Defender for Cloud](quickstart-onboard-gcp.md)

+- Install PowerShell on [Windows](/powershell/scripting/install/installing-powershell-on-windows), [Linux](/powershell/scripting/install/installing-powershell-on-linux), [macOS](/powershell/scripting/install/installing-powershell-on-macos), or [Azure Resource Manager (ARM)](/powershell/scripting/install/powershell-on-arm).

+- [Install the following PowerShell modules](/powershell/module/powershellget/install-module):

+ - Az.Resources

+ - Az.OperationalInsights

+ - Az.Accounts

+ - Az

+ - Az.PolicyInsights

+ - Az.Security

+- Permissions: requires VM contributor, contributor, or owner rules.

+## PowerShell script parameters and samples

+The PowerShell script that enables Microsoft Defender for SQL on Machines on a given subscription has several parameters that you can customize to fit your needs. The following table lists the parameters and their descriptions:

+| Parameter name | Required | Description |

+|--|--|--|

+| SubscriptionId: | Required | The Azure subscription ID that you want to enable Defender for SQL servers on machines for. |

+| RegisterSqlVmAgnet | Required | A flag indicating whether to register the SQL VM Agent in bulk. <br><br> Learn more about [registering multiple SQL VMs in Azure with the SQL IaaS Agent extension](/azure/azure-sql/virtual-machines/windows/sql-agent-extension-manually-register-vms-bulk?view=azuresql). |

+| WorkspaceResourceId | Optional | The resource ID of the Log Analytics workspace, if you want to use a custom workspace instead of the default one. |

+| DataCollectionRuleResourceId | Optional | The resource ID of the data collection rule, if you want to use a custom DCR instead of the default one. |

+| UserAssignedIdentityResourceId | Optional | The resource ID of the user assigned identity, if you want to use a custom user assigned identity instead of the default one. |

+The following sample script is applicable when you use a default Log Analytics workspace, data collection rule, and managed identity.

+```powershell

+Write-Host " Enable Defender for SQL on Machines example "

+$SubscriptionId = "<SubscriptionID>"

+.\EnableDefenderForSqlOnMachines.ps1 -SubscriptionId $SubscriptionId -RegisterSqlVmAgnet $RegisterSqlVmAgnet

+```

+The following sample script is applicable when you use a custom Log Analytics workspace, data collection rule, and managed identity.

+```powershell

+Write-Host " Enable Defender for SQL on Machines example "

+$SubscriptionId = "<SubscriptionID>"

+$RegisterSqlVmAgnet = "false"

+$WorkspaceResourceId = "/subscriptions/<SubscriptionID>/resourceGroups/someResourceGroup/providers/Microsoft.OperationalInsights/workspaces/someWorkspace"

+$DataCollectionRuleResourceId = "/subscriptions/<SubscriptionID>/resourceGroups/someOtherResourceGroup/providers/Microsoft.Insights/dataCollectionRules/someDcr"

+$UserAssignedIdentityResourceId = "/subscriptions/<SubscriptionID>/resourceGroups/someElseResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/someManagedIdentity"

+.\EnableDefenderForSqlOnMachines.ps1 -SubscriptionId $SubscriptionId -RegisterSqlVmAgnet $RegisterSqlVmAgnet -WorkspaceResourceId $WorkspaceResourceId -DataCollectionRuleResourceId $DataCollectionRuleResourceId -UserAssignedIdentityResourceId $UserAssignedIdentityResourceId

+```

+## Enable Defender for SQL servers on machines at scale

+You can enable Defender for SQL servers on machines at scale by following these steps.

+1. Open a PowerShell window.

+1. Copy the [EnableDefenderForSqlOnMachines.ps1](https://github.com/Azure/Microsoft-Defender-for-Cloud/blob/fd04330a79a4bcd48424bf7a4058f44216bc40e4/Powershell%20scripts/Enable%20Defender%20for%20SQL%20servers%20on%20machines/EnableDefenderForSqlOnMachines.ps1) script.

+1. Paste the script into PowerShell.

+1. Enter parameter information as needed.

+1. Run the script.

+## Next step

+> [!div class="nextstepaction"]

+> [Scan your SQL servers for vulnerabilities](defender-for-sql-on-machines-vulnerability-assessment.md)

+### [Azure AI Services resources should use Azure Private Link](https://ms.portal.azure.com/#view/Microsoft_Azure_Security/GenericRecommendationDetailsBlade/assessmentKey/54f53ddf-6ebd-461e-a247-394c542bc5d1)

+**Description**: Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform reduces data leakage risks by handling the connectivity between the consumer and services over the Azure backbone network.

+Learn more about private links at: [https://aka.ms/AzurePrivateLink/Overview](https://aka.ms/AzurePrivateLink/Overview)

+This recommendation replaces the old recommendation *Cognitive Services should use private link*. It was formerly in category Data recommendations, and was updated to comply with the Azure AI Services naming format and align with the relevant resources.

+**Severity**: Medium

+### [Diagnostic logs in Azure AI services resources should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/dea5192e-1bb3-101b-b70c-4646546f5e1e)

+**Description**: Enable logs for Azure AI services resources. This enables you to recreate activity trails for investigation purposes, when a security incident occurs or your network is compromised.

+This recommendation replaces the old recommendation *Diagnostic logs in Search services should be enabled*. It was formerly in the category Cognitive Services and Cognitive Search, and was updated to comply with the Azure AI Services naming format and align with the relevant resources.

+**Severity**: Low

+|July 31|Recommendation|Update|[Azure AI Services resources should use Azure Private Link](/azure/defender-for-cloud/release-notes-recommendations-alerts)|

+|July 31|Recommendation|GA|[[EDR solution should be installed on Virtual Machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/06e3a6db-6c0c-4ad9-943f-31d9d73ecf6c)](recommendations-reference-compute.md#edr-solution-should-be-installed-on-virtual-machineshttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkey06e3a6db-6c0c-4ad9-943f-31d9d73ecf6c)|

+|July 31|Recommendation|GA|[[EDR solution should be installed on EC2s](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/77d09952-2bc2-4495-8795-cc8391452f85)](recommendations-reference-compute.md#edr-solution-should-be-installed-on-ec2shttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkey77d09952-2bc2-4495-8795-cc8391452f85)|

+|July 31|Recommendation|GA|[[EDR solution should be installed on GCP Virtual Machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/68e595c1-a031-4354-b37c-4bdf679732f1)](recommendations-reference-compute.md#edr-solution-should-be-installed-on-gcp-virtual-machineshttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkey68e595c1-a031-4354-b37c-4bdf679732f1)|

+|July 31|Recommendation|GA|[[EDR configuration issues should be resolved on virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/dc5357d0-3858-4d17-a1a3-072840bff5be)](recommendations-reference-compute.md#edr-configuration-issues-should-be-resolved-on-virtual-machineshttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkeydc5357d0-3858-4d17-a1a3-072840bff5be)|

+|July 31|Recommendation|GA|[[EDR configuration issues should be resolved on EC2s](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/695abd03-82bd-4d7f-a94c-140e8a17666c)](recommendations-reference-compute.md#edr-configuration-issues-should-be-resolved-on-ec2shttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkey695abd03-82bd-4d7f-a94c-140e8a17666c)|

+|July 31|Recommendation|GA|[[EDR configuration issues should be resolved on GCP virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Security/RecommendationsBlade/assessmentKey/f36a15fb-61a6-428c-b719-6319538ecfbc)](recommendations-reference-compute.md#edr-configuration-issues-should-be-resolved-on-gcp-virtual-machineshttpsportalazurecomblademicrosoft_azure_securityrecommendationsbladeassessmentkeyf36a15fb-61a6-428c-b719-6319538ecfbc)|

+| July 31 | Recommendation | Upcoming deprecation | [Adaptive network hardening recommendations should be applied on internet facing virtual machines](recommendations-reference-networking.md#adaptive-network-hardening-recommendations-should-be-applied-on-internet-facing-virtual-machines) |

+| July 31 | Alert | Upcoming deprecation | [Traffic detected from IP addresses recommended for blocking](alerts-azure-network-layer.md#traffic-detected-from-ip-addresses-recommended-for-blocking) |

+| July 30 |Recommendation | Preview | [AWS Bedrock should use AWS PrivateLink](recommendations-reference-ai.md#aws-bedrock-should-use-aws-privatelink) |

+| July 31 | GA | [General availability of enhanced discovery and configuration recommendations for endpoint protection](#general-availability-of-enhanced-discovery-and-configuration-recommendations-for-endpoint-protection) |

+| July 31 | Upcoming update | [Adaptive network hardening deprecation](#adaptive-network-hardening-deprecation) |

+### General availability of enhanced discovery and configuration recommendations for endpoint protection

+July 31, 2024

+Improved discovery features for endpoint protection solutions and enhanced identification of configuration issues are now GA and available for multicloud servers. These updates are included in the Defender for Servers Plan 2 and Defender Cloud Security Posture Management (CSPM).

+The enhanced recommendations feature uses [agentless machine scanning](/azure/defender-for-cloud/concept-agentless-data-collection), enabling comprehensive discovery and assessment of the configuration of [supported endpoint detection and response solutions](/azure/defender-for-cloud/endpoint-detection-response). When configuration issues are identified, remediation steps are provided.

+With this general availability release, the list of [supported solutions](/azure/defender-for-cloud/endpoint-detection-response) is expanded to include two more endpoint detection and response tools:

+- Singularity Platform by SentinelOne

+- Cortex XDR

+### Adaptive network hardening deprecation

+July 31, 2024

+**Estimated date for change: August 31, 2024**

+Defender for Server's adaptive network hardening is being deprecated.

+The feature deprecation includes the following experiences:

+- **Recommendation**: [Adaptive network hardening recommendations should be applied on internet facing virtual machines](recommendations-reference-networking.md#adaptive-network-hardening-recommendations-should-be-applied-on-internet-facing-virtual-machines) [assessment Key: f9f0eed0-f143-47bf-b856-671ea2eeed62]

+- **Alert**: [Traffic detected from IP addresses recommended for blocking](alerts-azure-network-layer.md#traffic-detected-from-ip-addresses-recommended-for-blocking)

+The following capabilities have updated timelines and plans, thus the support for them over MMA will be extended for Defender for Cloud customers to the end of November 2024:

+- **File Integrity Monitoring (FIM):** Public preview release for FIM new version over MDE is planned for **August 2024**. The GA version of FIM powered by Log Analytics agent will continue to be supported for existing customers until the end of **November 2024**.

+- **Security Baseline:** as an alternative to the version based on MMA, the current preview version based on Guest Configuration will be released to general availability in **September 2024.** OS Security Baselines powered by Log Analytics agent will continue to be supported for existing customers until the end of **November 2024.**

+ Title: Azure role-based access control

+description: Learn how Microsoft Dev Box provides protection with Azure role-based access control (Azure RBAC) integration.

+#Customer intent: As a platform engineer, I want to understand how to assign permissions in Dev Box so that I can give dev managers and developers only the permissions they need.

+# Azure role-based access control in Microsoft Dev Box

+This article describes the different built-in roles that Microsoft Dev

+Box supports, and how they map to organizational roles like platform

+engineer and dev manager.

+Azure role-based access control (RBAC) specifies built-in role

+definitions that outline the permissions to be applied. You assign a

+user or group this role definition via a role assignment for a

+particular scope. The scope can be an individual resource, a resource

+group, or across the subscription. In the next section, you learn which

+[built-in roles](#built-in-roles) Microsoft Dev Box supports.

+For more information, see [What is Azure role-based access control (Azure RBAC)](https://microsoft-my.sharepoint.com/azure/role-based-access-control/overview)?

+> [!Note]

+> When you make role assignment changes, it can take a few minutes for these updates to propagate.

+## Built-in roles

+In this article, the Azure built-in roles are logically grouped into

+three organizational role types, based on their scope of influence:

+- Platform engineer roles: influence permissions for dev centers,

+ catalogs, and projects

+- Dev

+- Developer roles: influence permissions for users

+The following are the built-in roles supported by Microsoft Dev Box:

+| Organizational role type | Built-in role | Description |

+|--|--||

+| Platform engineer | Owner | Grant full control to create/manage dev centers, catalogs, and projects, and grant permissions to other users. Learn more about the [Owner role](#owner-role). |

+| Platform engineer | Contributor | Grant full control to create/manage dev centers, catalogs, and projects, except for assigning roles to other users. Learn more about the [Contributor role](#contributor-role). |

+| Dev Manager | DevCenter Project Admin | Grant permission to manage certain aspects of projects and dev boxes. Learn more about the [DevCenter Project Admin role](#devcenter-project-admin-role). |

+| Developer | Dev Box User | Grant permission to create dev boxes and have full control over the dev boxes that they create. Learn more about the [Dev Box User role](#dev-box-user). |

+## Role assignment scope

+In Azure RBAC, *scope* is the set of resources that access applies to.

+When you assign a role, it\'s important to understand scope so that you

+grant just the access that is needed.

+In Azure, you can specify a scope at four levels: management group,

+subscription, resource group, and resource. Scopes are structured in a

+parent-child relationship. Each level of hierarchy makes the scope more

+specific. You can assign roles at any of these levels of scope. The

+level you select determines how widely the role is applied. Lower levels

+inherit role permissions from higher levels. Learn more about [scope for Azure RBAC](https://microsoft-my.sharepoint.com/azure/role-based-access-control/scope-overview).

+For Microsoft Dev Box, consider the following scopes:

+ | Scope | Description |

+ |--||

+ | Subscription | Used to manage billing and security for all Azure resources and services. Typically, only Platform engineers have subscription-level access because this role assignment grants access to all resources in the subscription. |

+ | Resource group | A logical container for grouping together resources. Role assignment for the resource group grants permission to the resource group and all resources within it, such as dev centers, dev box definitions, dev box pools, projects, and dev boxes. |

+ | Dev center (resource) | A collection of projects that require similar settings. Role assignment for the dev center grants permission to the dev center itself. Permissions assigned for the dev centers aren't inherited by other dev box resources. |

+ | Project (resource) | An Azure resource used to apply common configuration settings when you create a dev box. Role assignment for the project grants permission only to that specific project. |

+ | Dev box pool (resource) | A collection of dev boxes that you manage together and to which you apply similar settings. Role assignment for the dev box pool grants permission only to that specific dev box pool. |

+ | Dev box definition (resource) | An Azure resource that specifies a source image and size, including compute size and storage size. Role assignment for the dev box definition grants permission only to that specific dev box definition. |

+## Roles for common Dev Box activities

+The following table shows common Dev Box activities and the role needed for a user to perform that activity.

+| Activity | Role type | Role | Scope |

+|--||-|-|

+| Grant permission to create a resource group. | Platform engineer| Owner or Contributor | Subscription |

+| Grant permission to submit a Microsoft support ticket, including to request capacity. | Platform engineer| Owner, Contributor, Support Request Contributor | Subscription |

+| Grant permission to create virtual networks and subnets. | Platform engineer| Network Contributor | Resource group |

+| Grant permission to create a network connection. | Platform engineer| Owner or Contributor | Resource group |

+| Grant permission to assign roles to other users. | Platform engineer| Owner | Resource group |

+| Grant permission to: </br> - Create / manage dev centers. </br> - Add / remove network connections. </br> - Add / remove Azure compute galleries. </br> - Create / manage dev box definitions. </br> - Create / manage projects. </br> - Attach / manage catalog to a dev center or project (project-level catalogs must be enabled on the dev center). </br> - Configure dev box limits. | Platform engineer| Contributor | Resource group |

+| Grant permission to add or remove a network connection for a dev center. | Platform engineer| Contributor | Dev center |

+| Grant permission to enable / disable project catalogs. | Dev Manager | Contributor | Dev center |

+| Grant permission to: </br> - Add, sync, remove catalog (project-level catalogs must be enabled on the dev center). </br> - Create dev box pools. </br> - Stop, start, delete dev boxes in pools. | Dev Manager | DevCenter Project Admin | Project |

+| Create and manage your own dev boxes in a project. | User | Dev Box User | Project |

+| Create and manage catalogs in a GitHub or Azure Repos repository. | Dev Manager | Not governed by RBAC. </br> - The user must be assigned permissions through Azure DevOps or GitHub. | Repository |

+> [!Important]

+> An organization's subscription is used to manage billing and security for all Azure resources and services. You

+> can assign the Owner or Contributor role on the subscription.

+> Typically, only Platform engineers have subscription-level access because this includes full access to all resources in the subscription.

+## Platform engineer roles

+To grant users permission to manage Microsoft Dev Box within your

+organization's subscription, you should assign them the

+[Owner](#owner-role) or [Contributor](#contributor-role) role.

+Assign these roles to the *resource group*. The dev centers, network

+connections, dev box definitions, dev box pools, and projects within the

+resource group inherit these role assignments.

+### Owner role

+Assign the Owner role to give a user full control to create or manage

+Dev Box resources and grant permissions to other users. When a user has

+the Owner role in the resource group, they can do the following

+activities across all resources within the resource group:

+- Assign roles to platform engineers, so they can manage Dev Box

+ resources.

+- Create dev centers, network connections, dev box definitions, dev

+ box pools, and projects.

+- View, delete, and change settings for all dev centers, network

+ connections, dev box definitions, dev box pools, and projects.

+- Attach and detach catalogs.

+> [!Caution]

+> When you assign the Owner or Contributor role on the resource group, then these permissions also apply to non-Dev Box related resources that exist in the resource group.

+### Contributor role

+Assign the Contributor role to give a user full control to create or

+manage dev centers and projects within a resource group. The Contributor

+role has the same permissions as the Owner role, *except* for:

+- Performing role assignments.

+## Dev Manager role

+There's one dev manager role: DevCenter Project Admin. This role has

+more restricted permissions at lower-level scopes than the platform

+engineer roles. You can assign this role to dev managers to enable them

+to perform administrative tasks for their team.

+### DevCenter Project Admin role

+Assign the DevCenter Project Admin to enable:

+- Add, sync, remove catalog (project-level catalogs must be enabled on

+ the dev center).

+- Create dev box pools.

+- Stop, start, delete dev boxes in pools.

+## Developer role

+There's one developer role: Dev Box User. This role enables developers

+to create and manage their own dev boxes.

+### Dev Box User

+Assign the Dev Box User role to give users permission to create dev

+boxes and have full control over the dev boxes that they create.

+Developers can perform the following actions on any dev box they create:

+- Create

+- Start / stop

+- Restart

+- Delay scheduled shutdown

+- Delete

+## Identity and access management (IAM)

+The **Access control (IAM)** page in the Azure portal is used to

+configure Azure role-based access control on Microsoft Dev Box

+resources. You can use built-in roles for individuals and groups in

+Active Directory. The following screenshot shows Active Directory

+integration (Azure RBAC) using access control (IAM) in the Azure portal:

+For detailed steps, see [Assign Azure roles using the Azure portal](https://microsoft-my.sharepoint.com/azure/role-based-access-control/role-assignments-portal).

+## Dev center, resource group, and project structure

+Your organization should invest time up front to plan the placement of

+your dev centers, and the structure of resource groups and projects.

+**Dev centers:** Organize dev centers by the set of projects you would

+like to manage together, applying similar settings, and providing

+similar templates.

+Organizations can use one or more dev center. Typically, each sub-organization within the organization has its own dev center. You might consider creating multiple dev centers in the following cases:

+- If you want specific configurations to be available to a subset of

+ projects.

+- If different teams need to own and maintain the dev center resource

+ in Azure.

+**Projects:** Associated with each dev team or group of people working

+on one app or product.

+Planning is especially important when you assign roles to the resource

+group because it also applies permissions to all resources in the

+resource group, including dev centers, network connections, dev box

+definitions, dev box pools, and projects.

+To ensure that users are only granted permission to the appropriate

+resources:

+- Create resource groups that only contain Dev Box resources.

+- Organize projects according to the dev box definition and dev box

+ pools required and the developers who should have access. It\'s

+ important to note that dev box pools determine the location of dev

+ box creation. Developers should create dev boxes in a location close

+ to them for the least latency.

+For example, you might create separate projects for different developer

+teams to isolate each team's resources. Dev Managers in a project can

+then be assigned to the Project Admin role, which only grants them

+access to the resources of their team.

+> [!Important]

+> Plan the structure upfront because it's not possible to move Dev Box resources like projects to a different resource group after they\'re created.

+## Catalog structure

+Microsoft Dev Box uses catalogs to enable developers to deploy

+customizations for dev boxes by using a catalog of tasks and a

+configuration file to install software, add extensions, clone

+repositories, and more. 

+Microsoft Dev Box stores catalogs in either a [GitHub repository](https://docs.github.com/repositories/creating-and-managing-repositories/about-repositories) or an [Azure DevOps Services repository](/azure/devops/repos/get-started/what-is-repos). You can attach a catalog to a dev center or to a project.

+You can attach one or more catalogs to your dev center and manage all

+customizations at that level. To provide more granularity in how

+developers access customizations, you can attach catalogs at the project

+level. In planning where to attach catalogs, you should consider the

+needs of each development team.

+## Related content

+- [What is Azure role-based access control (Azure RBAC)](https://microsoft-my.sharepoint.com/azure/role-based-access-control/overview)

+- [Understand scope for Azure RBAC](https://microsoft-my.sharepoint.com/azure/role-based-access-control/scope-overview)

+ | Microsoft Remote Desktop | a4a365df-50f1-4397-bc59-1a1564b8bb9c | Used to authenticate users to the dev box. <br>Only needed when you configure single sign-on in a provisioning policy. </br> |

+ | Windows Cloud Login | 270efc09-cd0d-444b-a71f-39af4910ec45 | Used to authenticate users to the dev box. This app replaces the `Microsoft Remote Desktop` app. <br>Only needed when you configure single sign-on in a provisioning policy. </br> |

+You might see Dev Home in the Start menu. If you see it there, you can select it to open the app.

+## Sign in to Dev Home

+Dev Home allows you to work with many different services, like Microsoft Hyper-V, Windows Subsystem for Linux (WSL), and Microsoft Dev Box. To access your chosen service, you must sign in to your Microsoft account, or your Work or School account.

+To sign in:

+1. Open Dev Home.

+1. From the left menu, select **Settings**.

+ :::image type="content" source="media/how-to-use-dev-home-customize-dev-box/dev-home-settings.png" alt-text="Screenshot of Dev Home, showing the home page with Settings highlighted.":::

+1. Select **Accounts**.

+ :::image type="content" source="media/how-to-use-dev-home-customize-dev-box/dev-home-accounts.png" alt-text="Screenshot of Dev Home, showing the Settings page with Accounts highlighted.":::

+1. Select **Add account** and follow the prompts to sign in.

+ :::image type="content" source="media/how-to-use-dev-home-customize-dev-box/dev-home-sign-in.png" alt-text="Screenshot of Dev Home, showing the Accounts page with Add account highlighted.":::

+1. In Dev Home, from the left menu, select **Extensions**.

+

+ :::image type="content" source="media/how-to-use-dev-home-customize-dev-box/dev-home-extensions.png" alt-text="Screenshot of Dev Home, showing the Extensions page.":::

+

+1. In the list of extensions **Available in the Microsoft Store**, on the **Dev Home Azure Extension (Preview)**, select **Get**.

+

+ :::image type="content" source="media/how-to-use-dev-home-customize-dev-box/dev-home-get-extension.png" alt-text="Screenshot of Dev Home, showing the Extensions page with the Dev Home Azure Extension highlighted.":::

+1. In the Microsoft Store dialog, select **Get** to install the extension.

+ :::image type="content" source="media/how-to-use-dev-home-customize-dev-box/dev-home-get-extension-store.png" alt-text="Screenshot of the Microsoft Store dialog with the Get button highlighted.":::

+1. In **Dev Home**, from the left menu, select **Environments**.

+ :::image type="content" source="media/how-to-use-dev-home-customize-dev-box/dev-home-environments.png" alt-text="Screenshot of Dev Home, showing the Environments page.":::

+1. Select **Create Environment**.

+ :::image type="content" source="media/how-to-use-dev-home-customize-dev-box/dev-home-create-environment.png" alt-text="Screenshot of Dev Home, showing the Environments page with Create Environment highlighted.":::

+ :::image type="content" source="media/how-to-use-dev-home-customize-dev-box/dev-home-create-dev-box.png" alt-text="Screenshot of Dev Home, showing the Select environment page with Microsoft Dev Box highlighted.":::

+ :::image type="content" source="media/how-to-use-dev-home-customize-dev-box/dev-home-configure-environment.png" alt-text="Screenshot showing the Configure your environment page.":::

+

+ :::image type="content" source="media/how-to-use-dev-home-customize-dev-box/dev-home-review-environment.png" alt-text="Screenshot showing the Review your environment page.":::

+

+ :::image type="content" source="media/how-to-use-dev-home-customize-dev-box/dev-home-go-to-environments.png" alt-text="Screenshot showing the Go to Environments button.":::

+1. In **Dev Home**, from the left menu, select **Environments**.

+1. For the dev box you want to launch, select **Launch**.

+ :::image type="content" source="media/how-to-use-dev-home-customize-dev-box/dev-home-start-stop.png" alt-text="Screenshot of the Launch menu with Start and Stop options.":::

+### Manage your dev box

+Dev home enables you to pin your dev box to the start menu or task bar, and to delete your dev box.

+1. Select the dev box you want to manage.

+1. Select **Pin to start**, **Pin to taskbar**, or **Delete**.

+ :::image type="content" source="media/how-to-use-dev-home-customize-dev-box/dev-home-options-menu.png" alt-text="Screenshot showing a dev box with the Pin to start, Pin to taskbar, and Delete options highlighted.":::

+1. From the left menu, select **Machine configuration**.

+ :::image type="content" source="media/how-to-use-dev-home-customize-dev-box/dev-home-machine-configuration.png" alt-text="Screenshot showing Dev Home with Machine configuration highlighted.":::

+1. Select **Set up an environment**.

+

+ :::image type="content" source="media/how-to-use-dev-home-customize-dev-box/dev-home-set-up-environment.png" alt-text="Screenshot showing the Machine configuration page with Set up environment highlighted.":::

+

+ :::image type="content" source="media/how-to-use-dev-home-customize-dev-box/dev-home-select-environment.png" alt-text="Screenshot showing the Select environment page.":::

+

+ :::image type="content" source="media/how-to-use-dev-home-customize-dev-box/dev-home-add-repository.png" alt-text="Screenshot showing the Add repository button.":::

+ :::image type="content" source="media/how-to-use-dev-home-customize-dev-box/dev-home-clone-repository.png" alt-text="Screenshot showing the Add repository dialog box.":::

+ :::image type="content" source="media/how-to-use-dev-home-customize-dev-box/dev-home-repository-next.png" alt-text="Screenshot showing the repositories to add, with the Next button highlighted dialog box.":::

+1. Next, you can choose software to install. From the list of applications Winget provides, choose the software you want to install on your dev box. You can also search for software by name.

+ :::image type="content" source="media/how-to-use-dev-home-customize-dev-box/dev-home-software-select.png" alt-text="Screenshot showing the Add software page with Visual Studio Community and PowerShell highlighted.":::

+1. When you finish selecting software, select **Next**.

+ :::image type="content" source="media/how-to-use-dev-home-customize-dev-box/dev-home-software-install.png" alt-text="Screenshot showing the Add software page with Next highlighted.":::

+ 1. Select the **Repositories** tab to see the list of public GitHub repositories you're cloning.

+

+ :::image type="content" source="media/how-to-use-dev-home-customize-dev-box/dev-home-review-finish.png" alt-text="Screenshot showing the Review and finish page with the I agree and want to continue button highlighted.":::

+

+Notice that you can also generate a configuration file based on your selected repositories and software to use in the future to create dev boxes with the same customizations.

+Digital twins can use the [SendTelemetry API](/rest/api/digital-twins/dataplane/twins/digital-twins-send-telemetry) to emit *telemetry messages* and send them to egress endpoints.

+* [Query API reference documentation](/rest/api/digital-twins/dataplane/query/query-twins)

+To create an endpoint with dead-lettering enabled, you must use the [CLI commands](/cli/azure/dt) or [control plane APIs](/rest/api/digital-twins/controlplane/endpoints/digital-twins-endpoint-create-or-update) to create your endpoint, rather than the Azure portal.

+You can also create dead letter endpoints using the [Azure Digital Twins control plane APIs](concepts-apis-sdks.md#control-plane-apis) instead of the CLI. To do so, view the [DigitalTwinsEndpoint documentation](/rest/api/digital-twins/controlplane/endpoints/digital-twins-endpoint-create-or-update) to see how to structure the request and add the dead letter parameters.

+This article walks you through the process of creating *event routes* using the [Azure portal](https://portal.azure.com), [Azure CLI az dt route commands](/cli/azure/dt/route), [Event Routes data plane APIs](/rest/api/digital-twins/dataplane/event-routes), and the [.NET (C#) SDK](/dotnet/api/overview/azure/digitaltwins.core-readme).

+Event routes can be created with the [Azure portal](https://portal.azure.com), [EventRoutes data plane APIs](/rest/api/digital-twins/dataplane/event-routes), or [az dt route CLI commands](/cli/azure/dt/route). The rest of this section walks through the creation process.

+You can use the [Event Routes data plane APIs](/rest/api/digital-twins/dataplane/event-routes) to write custom filters. To add a filter, you can use a PUT request to `https://<Your-Azure-Digital-Twins-host-name>/eventRoutes/<event-route-name>?api-version=2020-10-31` with the following body:

+You can also decommission a model using the REST API call [DigitalTwinModels Update](/rest/api/digital-twins/dataplane/models/digital-twin-models-update). The `decommissioned` property is the only property that can be replaced with this API call. The JSON Patch document will look something like this:

+You can also delete a model with the [DigitalTwinModels Delete](/rest/api/digital-twins/dataplane/models/digital-twin-models-delete) REST API call.

+* `$etag`: A standard HTTP field assigned by the web server. This is updated to a new value every time the twin is updated, which can be useful to determine whether the twin's data has been updated on the server since a previous check. You can use `If-Match` to perform updates and deletes that only complete if the entity's etag matches the etag provided. For more information on these operations, see the documentation for [DigitalTwins Update](/rest/api/digital-twins/dataplane/twins/digital-twins-update) and [DigitalTwins Delete](/rest/api/digital-twins/dataplane/twins/digital-twins-delete).

+To proceed with an example query, this article will use the [Azure Digital Twins Query API](/rest/api/digital-twins/dataplane/query/query-twins) to query for all the digital twins in an instance.

+ Title: Integrate with Apache Kafka Connect

+description: This article provides a walkthrough that shows you how to use Kafka Connect with Azure Event Hubs for Kafka.

+# customer intent: As a developer, I want to know how to use Apache Kafka Connect with Azure Event Hubs for Kafka.

+[Apache Kafka Connect](https://kafka.apache.org/documentation/#connect) is a framework to connect and import/export data from/to any external system such as MySQL, HDFS, and file system through a Kafka cluster. This article walks you through using Kafka Connect framework with Event Hubs.

+This article walks you through integrating Kafka Connect with an event hub and deploying basic `FileStreamSource` and `FileStreamSink` connectors. While these connectors aren't meant for production use, they demonstrate an end-to-end Kafka Connect scenario where Azure Event Hubs acts as a Kafka broker.

+```bash

+Minimal reconfiguration is necessary when redirecting Kafka Connect throughput from Kafka to Event Hubs. The following `connect-distributed.properties` sample illustrates how to configure Connect to authenticate and communicate with the Kafka endpoint on Event Hubs:

+1. Save the `connect-distributed.properties` file locally. Be sure to replace all values in braces.

+4. Run `./bin/connect-distributed.sh /PATH/TO/connect-distributed.properties`. The Connect worker REST API is ready for interaction when you see `'INFO Finished starting connectors and tasks'`.

+This section walks you through spinning up `FileStreamSource` and `FileStreamSink` connectors.

+2. Create two files: one file with seed data from which the `FileStreamSource` connector reads, and another to which our `FileStreamSink` connector writes.

+3. Create a `FileStreamSource` connector. Be sure to replace the curly braces with your home directory path.

+ You should see the event hub `connect-quickstart` on your Event Hubs instance after running the command.

+ Optionally, you can use [Service Bus Explorer](https://github.com/paolosalvatori/ServiceBusExplorer/releases) to verify that events arrived in the `connect-quickstart` topic.

+5. Create a FileStreamSink Connector. Again, make sure you replace the curly braces with your home directory path.

+Kafka Connect creates Event Hubs topics to store configurations, offsets, and status that persist even after the Connect cluster has been taken down. Unless this persistence is desired, we recommend that you delete these topics. You might also want to delete the `connect-quickstart` Event Hubs that were created during this walkthrough.

+## Related content

+- [Explore samples on our GitHub](https://github.com/Azure/azure-event-hubs-for-kafka)

+ Title: Balance partition load across multiple instances

+#customer intent: As a developer, I want to know how to run multiple instances of my processing client to read data from an event hub.

+## Related content

+description: This article describes how to allow access to your Event Hubs namespace only via private endpoints by using the Azure Private Link Service.

+# customer intent: As an IT admin, I want to restrict access to an Event Hubs namespace to a private endpoint in a virtual network.

+A private endpoint is a network interface that connects you privately and securely to a service powered by Azure Private Link. The private endpoint uses a private IP address from your virtual network, effectively bringing the service into your virtual network. All traffic to the service is routed through the private endpoint, so no gateways, NAT devices, ExpressRoute or VPN connections, or public IP addresses are needed. Traffic between your virtual network and the service traverses over the Microsoft backbone network, eliminating exposure from the public Internet. You can connect to an instance of an Azure resource, giving you the highest level of granularity in access control.

+- Enabling private endpoints can prevent other Azure services from interacting with Event Hubs. Requests that are blocked include those from other Azure services, from the Azure portal, from logging and metrics services, and so on. As an exception, you can allow access to Event Hubs resources from certain **trusted services** even when private endpoints are enabled. For a list of trusted services, see [Trusted services](#trusted-microsoft-services).

+Your private endpoint and virtual network must be in the same region. When you select a region for the private endpoint using the portal, it automatically filters virtual networks that are in that region. Your namespace can be in a different region.

+ :::image type="content" source="./media/private-link-service/public-access-disabled.png" alt-text="Screenshot of the Networking page with public network access as Disabled." lightbox="./media/private-link-service/public-access-disabled.png":::

+ 

+12. Confirm that you see the private endpoint connection you created shows up in the list of endpoints. Refresh the page and switch to the **Private endpoint connections** tab. In this example, the private endpoint is auto-approved because you connected to an Azure resource in your directory and you have sufficient permissions.

+ 

+| Remove | Disconnected | Connection was removed by the private link resource owner. The private endpoint becomes informative and should be deleted for cleanup. |

+ :::image type="content" source="./media/private-link-service/approve-private-endpoint.png" alt-text="Screenshot that shows the Private endpoint connections tab with the Approve button highlighted.":::

+ :::image type="content" source="./media/private-link-service/private-endpoint-reject-button.png" alt-text="Screenshot that shows the Private endpoint connections tab with the Reject button highlighted.":::

+## Related content

+| **[Sejong Telecom](https://www.sejongtelecom.net/)** | Supported | Supported | Seoul |

+| **[sol-tec](https://www.advania.co.uk/our-services/azure-and-cloud/)** | Europe |

+Some services are not able to be accessed from your corporate edge. To enable connectivity to other Azure services and infrastructure services, you must use user-defined routing to allow internet connectivity for every subnet requiring Internet connectivity for these services.

+|[WANdisco Fusion HDI App](https://docs.wandisco.com/bigdata/wdfusion/adls/) |Hadoop, Spark, HBase, Kafka |Keeping data consistent in a distributed environment is a massive data operations challenge. WANdisco Fusion, an enterprise-class software platform, solves this problem by enabling unstructured data consistency across any environment. |

+|Fortanix|Manufacturer,<br/>HSM as a service|<ul><li>Self-Defending Key Management Service (SDKMS)</li><li>Equinix SmartKey</li></ul>|[Exporting SDKMS keys to Cloud Providers for BYOK - Azure Key Vault](https://support.fortanix.com/hc/articles/11620525047828-Fortanix-DSM-Azure-Key-Vault-BYOK-Bring-Your-Own-Key)|

+For Azure Load Balancer's health probe to mark up your instance, you **must** allow 168.63.129.16 IP address in any Azure [network security groups](../virtual-network/network-security-groups-overview.md) and local firewall policies. The **AzureLoadBalancer** service tag identifies this source IP address in your [network security groups](../virtual-network/network-security-groups-overview.md) and permits health probe traffic by default. You can learn more about this IP [here](../virtual-network/what-is-ip-address-168-63-129-16.md).

+If you don't allow the [source IP](#probe-source-ip-address) of the probe in your firewall policies, the health probe fails as it is unable to reach your instance. In turn, Azure Load Balancer marks your instance as *down* due to the health probe failure. This misconfiguration can cause your load balanced application scenario to fail. All IPv4 Load Balancer health probes originate from the IP address 168.63.129.16 as their source. IPv6 probes use a link-local address (fe80::1234:5678:9abc) as their source. For a dual-stack Azure Load Balancer, you must [configure a Network Security Group](./virtual-network-ipv4-ipv6-dual-stack-standard-load-balancer-cli.md#create-a-network-security-group-rule-for-inbound-and-outbound-connections) for the IPv6 health probe to function.

+description: With this article, learn about Azure Load Balancer with bidirectional TCP Reset packets on idle timeout.

+You can use [Standard Load Balancer](./load-balancer-overview.md) to create a more predictable application behavior for your scenarios by enabling TCP Reset on Idle for a given rule. Load Balancer's default behavior is to silently drop flows when the idle timeout of a flow is reached. Enabling TCP reset causes Load Balancer to send bidirectional TCP Resets (TCP reset packets) on idle timeout to inform your application endpoints that the connection timed out and is no longer usable. Endpoints can immediately establish a new connection if needed.

+You change this default behavior and enable sending TCP Resets on idle timeout on inbound NAT rules, load balancing rules, and [outbound rules](./load-balancer-outbound-connections.md#outboundrules). When enabled per rule, Load Balancer sends bidirectional TCP Resets (TCP RST packets) to both client and server endpoints at the time of idle timeout for all matching flows.

+Endpoints receiving TCP rest packets close the corresponding socket immediately. This provides an immediate notification to the endpoint's connection release and any future communication on the same TCP connection will fail. Applications can purge connections when the socket closes and reestablish connections as needed without waiting for the TCP connection to eventually time out.

+If your idle durations exceed configuration limits or your application shows an undesirable behavior with TCP Resets enabled, you can still need to use TCP keepalives, or application layer keepalives, to monitor the liveness of the TCP connections. Further, keepalives can also remain useful for when the connection is proxied somewhere in the path, particularly application layer keepalives.

+If TCP resets are enabled, and it's missed for any reason, resets for any subsequent packets. If the TCP reset option isn't enabled, then packets are silently dropped.

+- Because a NAT gateway will always take precedence over load balancer outbound rules (and over public IP addresses assigned directly to VMs), the idle timeout value assigned to the NAT gateway will be used. (Along the same lines, the locked public IP outbound idle timeouts of 4 minutes of any IPs assigned to the NAT GW aren't considered.)

+- TCP reset isn't supported for Internal Load Balancer HA ports when a network virtual appliance is in the path. A workaround could be to use outbound rule with TCP reset from Network Virtual Appliance.

+- [Configure TCP RST on Idle Timeout](load-balancer-tcp-idle-timeout.md)

+| IP-based Load Balancer outbound IP | IP-based Load Balancers are currently not secure-by-default and will use the backend instances' default outbound access IPs for outbound connections. If the Load Balancer is a public Load Balancer, either the default outbound access IPs or the Load Balancer's frontend IP may be used. | In order to prevent backend instances behind an IP-based Load Balancer from using default outbound access, use NAT Gateway for a predictable IP address and to prevent SNAT port exhaustion, or leverage the private subnet feature to secure your Load Balancer. |

+| numberOfProbes, "Unhealthy threshold" | Health probe configuration property numberOfProbes, otherwise known as "Unhealthy threshold" in Portal, isn't respected. Load Balancer health probes will probe up/down immediately after one probe regardless of the property's configured value. | To control the number of successful or failed consecutive probes necessary to mark backend instances as healthy or unhealthy, please leverage the property ["probeThreshold"](/azure/templates/microsoft.network/loadbalancers?pivots=deployment-language-arm-template#probepropertiesformat-1) instead. |

+Here are the code samples for the data operation action definitions in the article, [Perform data operations](logic-apps-perform-data-operations.md). You can use these samples for when you want to try the examples with your own logic app's underlying workflow definition, Azure subscription, and API connections. Just copy and paste these action definitions into the code view editor for your logic app's workflow definition, and then modify the definitions for your specific workflow.

+To try the [**Compose** action example](logic-apps-perform-data-operations.md#compose-action),

+ "value": "Sophia "

+ "value": "Owens"

+To try the [**Create CSV table** action example](logic-apps-perform-data-operations.md#create-csv-table-action), here are the action definitions you can use:

+To try the [**Create HTML table** action example](logic-apps-perform-data-operations.md#create-html-table-action),

+To try the [**Filter array** action example](logic-apps-perform-data-operations.md#filter-array-action), here are the action definitions you can use:

+To try the [**Join** action example](logic-apps-perform-data-operations.md#join-action), here are the action definitions you can use:

+To try the [**Parse JSON** action example](logic-apps-perform-data-operations.md#parse-json-action), here are the action definitions you can use:

+ "Email": "Sophia.Owens@fabrikam.com",

+ "FirstName": "Sophia",

+ "LastName": "Owens"

+To try the [**Select** action example](logic-apps-perform-data-operations.md#select-action), the following action definitions create a JSON object array from an integer array:

+The following example shows action definitions that create a string array from a JSON object array, but for this task, next to the **Map** box, switch to text mode (**T** icon) in the designer, or use the code view editor instead:

+* [Perform data operations](logic-apps-perform-data-operations.md)

+* The logic app workflow where you want to perform the data operation. Both Consumption and Standard logic app workflows support the data operations described in this guide.

+ All data operations are available only as actions. So, before you can use these actions, your workflow must already start with a [trigger](logic-apps-overview.md#logic-app-concepts) as the first step and include any other actions required to create the outputs that you want to use in the data operation.

+To create more complex JSON transformations, see [Perform advanced JSON transformations with Liquid templates](logic-apps-enterprise-integration-liquid-transform.md).

+And creates the following output:

+To try the **Compose** action, follow these steps by using the workflow designer. Or, if you prefer working in the code view editor, you can copy the example **Compose** and **Initialize variable** action definitions from this guide into your own logic app's underlying workflow definition: [Data operation code examples - Compose](logic-apps-data-operations-code-samples.md#compose-action-example). For more information about the **Compose** action in the underlying JSON workflow definition, see the [Compose action](logic-apps-workflow-actions-triggers.md#compose-action).

+ This example uses the Azure portal and a sample workflow with the **Recurrence** trigger followed by several **Variables** actions named **Initialize variable**. These actions are set up to create two string variables and an integer variable.

+ | Operation | Properties and values |

+ |--|--|

+ | **Initialize variable** | - **Name**: firstNameVar <br>- **Type**: String <br>- **Value**: Sophia |

+ | **Initialize variable** | - **Name**: lastNameVar <br>- **Type**: String <br>- **Value**: Owens |

+ | **Initialize variable** | - **Name**: ageVar <br>- **Type**: Integer <br>- **Value**: 35 |

+ :::image type="content" source="media/logic-apps-perform-data-operations/sample-start-compose-action-consumption.png" alt-text="Screenshot shows Azure portal, Consumption workflow designer, and example workflow for Compose action." lightbox="media/logic-apps-perform-data-operations/sample-start-compose-action-consumption.png":::

+1. [Follow these general steps to add the **Data Operations** action named **Compose**](create-workflow-with-trigger-or-action.md?tabs=consumption#add-action).

+1. On the designer, select the **Compose** action, if not already selected. In the **Inputs** box, enter the inputs to use for creating the output.

+ For this example, follow these steps:

+ 1. In the **Inputs** box, enter the following sample JSON object, including the spacing as shown:

+ ```json

+ {

+ "age": ,

+ "fullName": " , "

+ }

+ ```

+ 1. In the JSON object, put your cursor in the corresponding locations, select the dynamic content list (lightning icon), and then select the corresponding variable from the list:

+ | JSON property | Variable |

+ ||-|

+ | **`age`** | **ageVar** |

+ | **`fullName`** | "**lastNameVar**, **firstNameVar**" |

+ The following example shows both added and not yet added variables:

+ :::image type="content" source="media/logic-apps-perform-data-operations/configure-compose-action.png" alt-text="Screenshot shows Consumption workflow, Compose action, dynamic content list, and selected inputs to use." lightbox="media/logic-apps-perform-data-operations/configure-compose-action.png":::

+ The following example shows the finished sample **Compose** action:

+ :::image type="content" source="media/logic-apps-perform-data-operations/finished-compose-action.png" alt-text="Screenshot shows Consumption workflow and finished example Compose action." lightbox="media/logic-apps-perform-data-operations/finished-compose-action.png":::

+ This example uses the Azure portal and a sample workflow with the **Recurrence** trigger followed by several **Variables** actions named **Initialize variable**. These actions are set up to create two string variables and an integer variable.

+ | Operation | Properties and values |

+ |--|--|

+ | **Initialize variable** | - **Name**: firstNameVar <br>- **Type**: String <br>- **Value**: Sophia |

+ | **Initialize variable** | - **Name**: lastNameVar <br>- **Type**: String <br>- **Value**: Owens |

+ | **Initialize variable** | - **Name**: ageVar <br>- **Type**: Integer <br>- **Value**: 35 |

+ :::image type="content" source="media/logic-apps-perform-data-operations/sample-start-compose-action-standard.png" alt-text="Screenshot shows Azure portal, Standard workflow designer, and example workflow for Compose action." lightbox="media/logic-apps-perform-data-operations/sample-start-compose-action-standard.png":::

+1. [Follow these general steps to add the **Data Operations** action named **Compose**](create-workflow-with-trigger-or-action.md?tabs=standard#add-action).

+1. On the designer, select the **Compose** action, if not already selected. In the **Inputs** box, enter the inputs to use for creating the output.

+ For this example, follow these steps:

+ 1. In the **Inputs** box, enter the following sample JSON object, including the spacing as shown:

+ ```json

+ {

+ "age": ,

+ "fullName": " , "

+ }

+ ```

+ 1. In the JSON object, put your cursor in the corresponding locations, select the dynamic content list (lightning icon), and then select the corresponding variable from the list:

+ | JSON property | Variable |

+ ||-|

+ | **`age`** | **ageVar** |

+ | **`fullName`** | "**lastNameVar**, **firstNameVar**" |

+ The following example shows both added and not yet added variables:

+ :::image type="content" source="media/logic-apps-perform-data-operations/configure-compose-action.png" alt-text="Screenshot shows Standard workflow, Compose action, dynamic content list, and selected inputs to use." lightbox="media/logic-apps-perform-data-operations/configure-compose-action.png":::

+ The following example shows the finished sample **Compose** action:

+ :::image type="content" source="media/logic-apps-perform-data-operations/finished-compose-action.png" alt-text="Screenshot shows Standard workflow and finished example Compose action." lightbox="media/logic-apps-perform-data-operations/finished-compose-action.png":::

+1. In this action, for each box where you want the results to appear, select inside each box, and then select the dynamic content list. From that list, under the **Compose** action, select **Outputs**.

+ :::image type="content" source="media/logic-apps-perform-data-operations/send-email-compose-action.png" alt-text="Screenshot shows workflow designer, the action named Send an email, and output from the preceding Compose action." lightbox="media/logic-apps-perform-data-operations/send-email-compose-action.png":::

+1. Save your workflow, and then manually run your workflow.

+ - Consumption workflow: On the designer toolbar, select **Run** > **Run**.

+ - Standard workflow: On the workflow navigation menu, select **Overview**. On the **Overview** page toolbar, select **Run** > **Run**.

+If you used the Office 365 Outlook action, the following example shows the result:

+ | Operation | Properties and values |

+ |--|--|

+ | **Initialize variable** | - **Name**: myJSONArray <br>- **Type**: Array <br>- **Value**: `[ { "Description": "Apples", "Product_ID": 1 }, { "Description": "Oranges", "Product_ID": 2 }]` |

+ :::image type="content" source="media/logic-apps-perform-data-operations/sample-start-create-table-action-consumption.png" alt-text="Screenshot shows Consumption workflow designer, and example workflow for action named Create CSV table." lightbox="media/logic-apps-perform-data-operations/sample-start-create-table-action-consumption.png":::

+1. [Follow these general steps to add the **Data Operations** action named **Create CSV table**](create-workflow-with-trigger-or-action.md?tabs=consumption#add-action).

+1. On the designer, select the **Create CSV table** action, if not already selected. In the **From** box, enter the array or expression to use for creating the table.

+ For this example, select inside the **From** box, and select the dynamic content list (lightning icon). From that list, select the **myJSONArray** variable:

+ :::image type="content" source="media/logic-apps-perform-data-operations/configure-create-csv-table-action.png" alt-text="Screenshot shows Consumption workflow, action named Create CSV table, and the selected input to use." lightbox="media/logic-apps-perform-data-operations/configure-create-csv-table-action.png":::

+ > [!TIP]

+ > those properties as inputs, use the action named [**Parse JSON**](#parse-json-action)

+ :::image type="content" source="media/logic-apps-perform-data-operations/finished-create-csv-table-action.png" alt-text="Screenshot shows Consumption workflow and finished example action named Create CSV table." lightbox="media/logic-apps-perform-data-operations/finished-create-csv-table-action.png":::

+ | Operation | Properties and values |

+ |--|--|

+ | **Initialize variable** | - **Name**: myJSONArray <br>- **Type**: Array <br>- **Value**: `[ { "Description": "Apples", "Product_ID": 1 }, { "Description": "Oranges", "Product_ID": 2 }]` |

+ :::image type="content" source="media/logic-apps-perform-data-operations/sample-start-create-table-action-standard.png" alt-text="Screenshot shows Azure portal, Standard workflow designer, and example workflow for action named Create CSV table." lightbox="media/logic-apps-perform-data-operations/sample-start-create-table-action-standard.png":::

+1. [Follow these general steps to add the **Data Operations** action named **Create CSV table**](create-workflow-with-trigger-or-action.md?tabs=standard#add-action).

+1. On the designer, select the **Create CSV table** action, if not already selected. In the **From** box, enter the array or expression to use for creating the table.

+ For this example, select inside the **From** box, and select the dynamic content list (lightning icon). From that list, select the **myJSONArray** variable:

+ :::image type="content" source="media/logic-apps-perform-data-operations/configure-create-csv-table-action.png" alt-text="Screenshot shows Standard workflow, action named Create CSV table, and the selected input to use." lightbox="media/logic-apps-perform-data-operations/configure-create-csv-table-action.png":::

+ > [!TIP]

+ > those properties as inputs, use the action named [**Parse JSON**](#parse-json-action)

+ :::image type="content" source="media/logic-apps-perform-data-operations/finished-create-csv-table-action.png" alt-text="Screenshot shows Standard workflow and finished example action named Create CSV table." lightbox="media/logic-apps-perform-data-operations/finished-create-csv-table-action.png":::

+1. If the **Columns** property doesn't appear in the action information box, from the **Advanced parameters** list, select **Columns**.

+To return values from the array, you can use the [**`item()`** function](workflow-definition-language-functions-reference.md#item) with the **Create CSV table** action. In a **`For_each`** loop, you can use the [**`items()`** function](workflow-definition-language-functions-reference.md#items).

+1. In the expression editor, enter the following expression, but replace `<array-property-name>` with the array property name for the value that you want. When you're done with each expression, select **Add**.

+ :::image type="content" source="media/logic-apps-perform-data-operations/csv-table-expression.png" alt-text="Screenshot shows workflow designer, action named Create CSV table, and how to dereference array property named Description." lightbox="media/logic-apps-perform-data-operations/csv-table-expression.png":::

+ For more information, see [**item()** function](workflow-definition-language-functions-reference.md#item).

+1. Repeat the preceding steps for each array property. When you're done, your action looks similar to the following example:

+ :::image type="content" source="media/logic-apps-perform-data-operations/finished-csv-expression.png" alt-text="Screenshot shows action named Create CSV table and function named item()." lightbox="media/logic-apps-perform-data-operations/finished-csv-expression.png":::

+ :::image type="content" source="media/logic-apps-perform-data-operations/send-email-create-csv-table-action.png" alt-text="Screenshot shows workflow with action named Send an email. The Body property contains the field named Output from preceding action named Create CSV table." lightbox="media/logic-apps-perform-data-operations/send-email-create-csv-table-action.png":::

+1. Save your workflow, and then manually run your workflow.

+ - Consumption workflow: On the designer toolbar, select **Run** > **Run**.

+ - Standard workflow: On the workflow navigation menu, select **Overview**. On the **Overview** page toolbar, select **Run** > **Run**.

+If you used the Office 365 Outlook action, the following example shows the result:

+ | Operation | Properties and values |

+ |--|--|

+ | **Initialize variable** | - **Name**: myJSONArray <br>- **Type**: Array <br>- **Value**: `[ { "Description": "Apples", "Product_ID": 1 }, { "Description": "Oranges", "Product_ID": 2 }]` |

+ :::image type="content" source="media/logic-apps-perform-data-operations/sample-start-create-table-action-consumption.png" alt-text="Screenshot shows Azure portal, Consumption workflow designer, and sample workflow for action named Create HTML table." lightbox="media/logic-apps-perform-data-operations/sample-start-create-table-action-consumption.png":::

+1. [Follow these general steps to add the **Data Operations** action named **Create HTML table**](create-workflow-with-trigger-or-action.md?tabs=consumption#add-action).

+1. On the designer, select the **Create HTML table** action, if not already selected. In the **From** box, enter the array or expression to use for creating the table.

+ For this example, select inside the **From** box, and select the dynamic content list (lightning icon). From that list, select the **myJSONArray** variable:

+ :::image type="content" source="media/logic-apps-perform-data-operations/configure-create-html-table-action.png" alt-text="Screenshot shows Consumption workflow, action named Create HTML table, and the selected input to use." lightbox="media/logic-apps-perform-data-operations/configure-create-html-table-action.png":::

+ > [!TIP]

+ > those properties as inputs, use the action named [**Parse JSON**](#parse-json-action)

+ :::image type="content" source="media/logic-apps-perform-data-operations/finished-create-html-table-action.png" alt-text="Screenshot shows Consumption workflow and finished example action named Create HTML table." lightbox="media/logic-apps-perform-data-operations/finished-create-html-table-action.png":::

+ | Operation | Properties and values |

+ |--|--|

+ | **Initialize variable** | - **Name**: myJSONArray <br>- **Type**: Array <br>- **Value**: `[ { "Description": "Apples", "Product_ID": 1 }, { "Description": "Oranges", "Product_ID": 2 }]` |

+ :::image type="content" source="media/logic-apps-perform-data-operations/sample-start-create-table-action-standard.png" alt-text="Screenshot shows Azure portal, Standard workflow designer, and sample workflow for action named Create HTML table." lightbox="media/logic-apps-perform-data-operations/sample-start-create-table-action-standard.png":::

+1. [Follow these general steps to add the **Data Operations** action named **Create HTML table**](create-workflow-with-trigger-or-action.md?tabs=standard#add-action).

+1. On the designer, select the **Create HTML table** action, if not already selected. In the **From** box, enter the array or expression to use for creating the table.

+ For this example, select inside the **From** box, and select the dynamic content list (lightning icon). From that list, select the **myJSONArray** variable:

+ :::image type="content" source="media/logic-apps-perform-data-operations/configure-create-html-table-action.png" alt-text="Screenshot shows Standard workflow, action named Create HTML table, and the selected input to use." lightbox="media/logic-apps-perform-data-operations/configure-create-html-table-action.png":::

+ > [!TIP]

+ > those properties as inputs, use the action named [**Parse JSON**](#parse-json-action)

+ > before you use the **Create HTML table** action.

+ :::image type="content" source="media/logic-apps-perform-data-operations/finished-create-html-table-action.png" alt-text="Screenshot shows Standard workflow and finished example action named Create HTML table." lightbox="media/logic-apps-perform-data-operations/finished-create-html-table-action.png":::

+1. If the **Columns** property doesn't appear in the action information box, from the **Advanced parameters** list, select **Columns**.

+1. For each array property that you want, in the **Value** column, select inside the edit box, and then select the function icon, which opens the expression editor. Make sure that the **Function** list appears selected.

+1. In the expression editor, enter the following expression, but replace `<array-property-name>` with the array property name for the value that you want. When you're done with each expression, select **Add**.

+ :::image type="content" source="media/logic-apps-perform-data-operations/html-table-expression.png" alt-text="Screenshot shows workflow designer, action named Create HTML table, and how to dereference array property named Description." lightbox="media/logic-apps-perform-data-operations/html-table-expression.png":::

+ For more information, see [**item()** function](workflow-definition-language-functions-reference.md#item).

+ :::image type="content" source="media/logic-apps-perform-data-operations/finished-html-expression.png" alt-text="Screenshot shows action named Create HTML table and function named item()." lightbox="media/logic-apps-perform-data-operations/finished-html-expression.png":::

+ :::image type="content" source="media/logic-apps-perform-data-operations/send-email-create-html-table-action.png" alt-text="Screenshot shows workflow with action named Send an email. The Body property contains the Output field from preceding action named Create HTML table." lightbox="media/logic-apps-perform-data-operations/send-email-create-html-table-action.png":::

+1. Save your workflow, and then manually run your workflow.

+ - Consumption workflow: On the designer toolbar, select **Run** > **Run**.

+ - Standard workflow: On the workflow navigation menu, select **Overview**. On the **Overview** page toolbar, select **Run** > **Run**.

+If you used the Office 365 Outlook action, the following example shows the result:

+ | Operation | Properties and values |

+ |--|--|

+ | **Initialize variable** | - **Name**: myIntegerArray <br>- **Type**: Array <br>- **Value**: `[1,2,3,4]` |

+ :::image type="content" source="media/logic-apps-perform-data-operations/sample-start-filter-array-action-consumption.png" alt-text="Screenshot shows Azure portal, Consumption workflow designer, and example workflow for action named Filter array." lightbox="media/logic-apps-perform-data-operations/sample-start-filter-array-action-consumption.png":::

+1. [Follow these general steps to find the **Data Operations** action named **Filter array**](create-workflow-with-trigger-or-action.md?tabs=consumption#add-action).

+1. On the designer, select the **Filter array** action, if not already selected. In the **From** box, enter the array or expression to use as the filter.

+ For this example, select inside the **From** box, and then select the lightning icon, which opens the dynamic content list. From that list, select the previously created variable:

+ :::image type="content" source="media/logic-apps-perform-data-operations/configure-filter-array-action.png" alt-text="Screenshot shows Consumption workflow, action named Filter array, and selected input to use." lightbox="media/logic-apps-perform-data-operations/configure-filter-array-action.png":::

+ :::image type="content" source="media/logic-apps-perform-data-operations/finished-filter-array-action.png" alt-text="Screenshot shows Consumption workflow and finished example action named Filter array." lightbox="media/logic-apps-perform-data-operations/finished-filter-array-action.png":::

+ | Operation | Properties and values |

+ |--|--|

+ | **Initialize variable** | - **Name**: myIntegerArray <br>- **Type**: Array <br>- **Value**: `[1,2,3,4]` |

+ :::image type="content" source="media/logic-apps-perform-data-operations/sample-start-filter-array-action-standard.png" alt-text="Screenshot shows Azure portal, Standard workflow designer, and example workflow for action named Filter array." lightbox="media/logic-apps-perform-data-operations/sample-start-filter-array-action-standard.png":::

+1. [Follow these general steps to find the **Data Operations** action named **Filter array**](create-workflow-with-trigger-or-action.md?tabs=standard#add-action).

+1. On the designer, select the **Filter array** action, if not already selected. In the **From** box, enter the array or expression to use as the filter.

+ :::image type="content" source="media/logic-apps-perform-data-operations/configure-filter-array-action.png" alt-text="Screenshot shows Standard workflow, action named Filter array, and selected input to use." lightbox="media/logic-apps-perform-data-operations/configure-filter-array-action.png":::

+ :::image type="content" source="media/logic-apps-perform-data-operations/finished-filter-array-action.png" alt-text="Screenshot shows Standard workflow and finished example action named Filter array." lightbox="media/logic-apps-perform-data-operations/finished-filter-array-action.png":::

+ 1. For each box where you want the results to appear, select inside each box, and then select the function icon, which opens the expression editor. Make sure that the **Function** list appears selected.

+ 1. To get the array output from the **Filter array** action, enter the following expression, which uses the [**body()** function](workflow-definition-language-functions-reference.md#body) with the **Filter array** action name, and then select **Add**.

+ `body('Filter_array')`

+ :::image type="content" source="media/logic-apps-perform-data-operations/send-email-filter-array-action.png" alt-text="Screenshot shows workflow with action named Send an email. The Body property contains the body() function, which gets the body content from the preceding action named Filter array." lightbox="media/logic-apps-perform-data-operations/send-email-filter-array-action.png":::

+ :::image type="content" source="media/logic-apps-perform-data-operations/send-email-filter-array-action-complete.png" alt-text="Screenshot shows Standard workflow and finished example action for Send an email." lightbox="media/logic-apps-perform-data-operations/send-email-filter-array-action-complete.png":::

+1. Save your workflow, and then manually run your workflow.

+ - Consumption workflow: On the designer toolbar, select **Run** > **Run**.

+ - Standard workflow: On the workflow navigation menu, select **Overview**. On the **Overview** page toolbar, select **Run** > **Run**.

+If you used the Office 365 Outlook action, the following example shows the result:

+ | Operation | Properties and values |

+ |--|--|

+ | **Initialize variable** | - **Name**: myIntegerArray <br>- **Type**: Array <br>- **Value**: `[1,2,3,4]` |

+ :::image type="content" source="media/logic-apps-perform-data-operations/sample-start-join-action-consumption.png" alt-text="Screenshot shows Azure portal, Consumption workflow designer, and example workflow for the action named Join." lightbox="media/logic-apps-perform-data-operations/sample-start-join-action-consumption.png":::

+1. [Follow these general steps to find the **Data Operations** action named **Join**](create-workflow-with-trigger-or-action.md?tabs=consumption#add-action).

+1. On the designer, select the **Join** action, if not already selected. In the **From** box, enter the array that has the items that you want to join as a string.

+ For this example, select inside the **From** box, and then select the lightning icon, which opens the dynamic content list. From that list, select the previously created variable:

+ :::image type="content" source="media/logic-apps-perform-data-operations/configure-join-action.png" alt-text="Screenshot shows Consumption workflow, action named Join, and selected array output to join as a string." lightbox="media/logic-apps-perform-data-operations/configure-join-action.png":::

+1. In the **Join With** box, enter the character to use for separating each array item.

+ This example uses a colon (**:**) as the separator for the **Join With** property.

+ :::image type="content" source="media/logic-apps-perform-data-operations/finished-join-action.png" alt-text="Screenshot shows Consumption workflow and the finished example for the action named Join." lightbox="media/logic-apps-perform-data-operations/finished-join-action.png":::

+ | Operation | Properties and values |

+ |--|--|

+ | **Initialize variable** | - **Name**: myIntegerArray <br>- **Type**: Array <br>- **Value**: `[1,2,3,4]` |

+ :::image type="content" source="media/logic-apps-perform-data-operations/sample-start-join-action-standard.png" alt-text="Screenshot shows Azure portal, Standard workflow designer, and example workflow for the action named Join." lightbox="media/logic-apps-perform-data-operations/sample-start-join-action-standard.png":::

+1. [Follow these general steps to find the **Data Operations** action named **Join**](create-workflow-with-trigger-or-action.md?tabs=standard#add-action).

+1. On the designer, select the **Join** action, if not already selected. In the **From** box, enter the array that has the items that you want to join as a string.

+ :::image type="content" source="media/logic-apps-perform-data-operations/configure-join-action.png" alt-text="Screenshot shows Standard workflow, action named Join, and selected array output to join as a string." lightbox="media/logic-apps-perform-data-operations/configure-join-action.png":::

+1. In the **Join With** box, enter the character to use for separating each array item.

+ This example uses a colon (**:**) as the separator for the **Join With** property.

+ :::image type="content" source="media/logic-apps-perform-data-operations/finished-join-action.png" alt-text="Screenshot shows Standard workflow and the finished example for the action named Join." lightbox="media/logic-apps-perform-data-operations/finished-join-action.png":::

+1. In this action, for each box where you want the results to appear, select inside each box, and then select the lightning icon, which opens the dynamic content list. From that list, under the **Join** action, select **Output**.

+ :::image type="content" source="media/logic-apps-perform-data-operations/send-email-join-action-complete.png" alt-text="Screenshot shows a workflow with the finished action named Send an email for the Join action." lightbox="media/logic-apps-perform-data-operations/send-email-join-action-complete.png":::

+1. Save your workflow, and then manually run your workflow.

+ - Consumption workflow: On the designer toolbar, select **Run** > **Run**.

+ - Standard workflow: On the workflow navigation menu, select **Overview**. On the **Overview** page toolbar, select **Run** > **Run**.

+If you used the Office 365 Outlook action, the following example shows the result:

+ :::image type="content" source="media/logic-apps-perform-data-operations/sample-start-parse-json-action-consumption.png" alt-text="Screenshot shows Azure portal, Consumption workflow designer, and example workflow for action named Parse JSON." lightbox="media/logic-apps-perform-data-operations/sample-start-parse-json-action-consumption.png":::

+1. [Follow these general steps to find the **Data Operations** action named **Parse JSON**](create-workflow-with-trigger-or-action.md?tabs=consumption#add-action).

+1. On the designer, select the **Parse JSON** action, if not already selected. In the **Content** box, enter the JSON object that you want to parse.

+ For this example, select inside the **Content** box, and then select the lightning icon, which opens the dynamic content list. From that list, select the previously created variable:

+ :::image type="content" source="media/logic-apps-perform-data-operations/configure-parse-json-action.png" alt-text="Screenshot shows Consumption workflow, action named Parse JSON, and the selected JSON object variable to parse." lightbox="media/logic-apps-perform-data-operations/configure-parse-json-action.png":::

+ :::image type="content" source="media/logic-apps-perform-data-operations/provide-schema-parse-json-action.png" alt-text="Screenshot shows Consumption workflow, action named Parse JSON, and JSON schema for the JSON object that you want to parse." lightbox="media/logic-apps-perform-data-operations/provide-schema-parse-json-action.png":::

+ "Email": "Sophia.Owens@fabrikam.com",

+ "LastName": "Owens"

+ :::image type="content" source="media/logic-apps-perform-data-operations/generate-schema-parse-json-action.png" alt-text="Screenshot shows Consumption workflow, action named Parse JSON, and box named Enter or paste a sample JSON payload, which contains JSON sample to generate the schema." lightbox="media/logic-apps-perform-data-operations/generate-schema-parse-json-action.png":::

+ "Email": "Sophia.Owens@fabrikam.com",

+ "LastName": "Owens"

+ :::image type="content" source="media/logic-apps-perform-data-operations/sample-start-parse-json-action-standard.png" alt-text="Screenshot shows Azure portal, Standard workflow designer, and example workflow for action named Parse JSON." lightbox="media/logic-apps-perform-data-operations/sample-start-parse-json-action-standard.png":::

+1. [Follow these general steps to find the **Data Operations** action named **Parse JSON**](create-workflow-with-trigger-or-action.md?tabs=consumption#add-action).

+1. On the designer, select the **Parse JSON** action, if not already selected. In the **Content** box, enter the JSON object that you want to parse.

+ :::image type="content" source="media/logic-apps-perform-data-operations/configure-parse-json-action.png" alt-text="Screenshot shows Standard workflow, action named Parse JSON, and the selected JSON object variable to parse." lightbox="media/logic-apps-perform-data-operations/configure-parse-json-action.png":::

+ :::image type="content" source="media/logic-apps-perform-data-operations/provide-schema-parse-json-action.png" alt-text="Screenshot shows Standard workflow, action named Parse JSON, and JSON schema for the JSON object that you want to parse." lightbox="media/logic-apps-perform-data-operations/provide-schema-parse-json-action.png":::

+ "Email": "Sophia.Owens@fabrikam.com",

+ "LastName": "Owens"

+ :::image type="content" source="media/logic-apps-perform-data-operations/generate-schema-parse-json-action.png" alt-text="Screenshot shows Standard workflow, action named Parse JSON, and box named Enter or paste a sample JSON payload, which contains JSON sample to generate the schema." lightbox="media/logic-apps-perform-data-operations/generate-schema-parse-json-action.png":::

+1. In this action, for each box where you want the results to appear, select inside each edit box, and then select the lightning icon, which opens the dynamic content list. From that list, under the **Parse JSON** action, select the properties from the parsed JSON object.

+ This example selects the following properties: **Body FirstName**, **Body LastName**, and **Body Email**

+ :::image type="content" source="media/logic-apps-perform-data-operations/send-email-parse-json-action.png" alt-text="Screenshot shows Standard workflow with JSON properties in the action named Send an email." lightbox="media/logic-apps-perform-data-operations/send-email-parse-json-action.png":::

+ :::image type="content" source="media/logic-apps-perform-data-operations/send-email-parse-json-action-complete.png" alt-text="Screenshot shows workflow with finished action named Send an email for action named Parse JSON." lightbox="media/logic-apps-perform-data-operations/send-email-parse-json-action-complete.png":::

+1. Save your workflow, and then manually run your workflow.

+ - Consumption workflow: On the designer toolbar, select **Run** > **Run**.

+ - Standard workflow: On the workflow navigation menu, select **Overview**. On the **Overview** page toolbar, select **Run** > **Run**.

+If you used the Office 365 Outlook action, the following example shows the result:

+To try the **Select** action, follow these steps by using the workflow designer. Or, if you prefer working in the code view editor, you can copy the example **Select** and **Initialize variable** action definitions from this guide into your own logic app's underlying workflow definition: [Data operation code examples - Select](logic-apps-data-operations-code-samples.md#select-action-example). For more information about this action in your underlying workflow definition, see [Select action](logic-apps-workflow-actions-triggers.md#select-action).

+> [Data operation code examples - Select](logic-apps-data-operations-code-samples.md#select-action-example).

+ | Operation | Properties and values |

+ |--|--|

+ | **Initialize variable** | - **Name**: myIntegerArray <br>- **Type**: Array <br>- **Value**: `[1,2,3,4]` |

+ :::image type="content" source="media/logic-apps-perform-data-operations/sample-start-select-action-consumption.png" alt-text="Screenshot shows Azure portal, Consumption workflow designer, and example workflow for the action named Select." lightbox="media/logic-apps-perform-data-operations/sample-start-select-action-consumption.png":::

+1. [Follow these general steps to find the **Data Operations** action named **Select**](create-workflow-with-trigger-or-action.md?tabs=consumption#add-action).

+1. On the designer, select the **Select** action, if not already selected. In the **From** box, enter the source array that you want to use.

+ For this example, select inside the **From** box, and then select the lightning icon, which opens the dynamic content list. From that list, select the previously created variable:

+ :::image type="content" source="media/logic-apps-perform-data-operations/configure-select-action.png" alt-text="Screenshot shows Consumption workflow, action named Select, and the selected source array variable to use." lightbox="media/logic-apps-perform-data-operations/configure-select-action.png":::

+ 1. Select inside the right column, and then select the function icon, which opens the expression editor. Make sure that the **Function** list appears selected.

+ 1. In the expression editor, enter the function named **item()**, and then select **Add**.

+ :::image type="content" source="media/logic-apps-perform-data-operations/configure-select-action-expression.png" alt-text="Screenshot shows Consumption workflow, the action named Select, and the JSON object property and values to create the JSON object array." lightbox="media/logic-apps-perform-data-operations/configure-select-action-expression.png":::

+ :::image type="content" source="media/logic-apps-perform-data-operations/finished-select-action.png" alt-text="Screenshot shows Consumption workflow and the finished example action named Select." lightbox="media/logic-apps-perform-data-operations/finished-select-action.png":::

+ | Operation | Properties and values |

+ |--|--|

+ | **Initialize variable** | - **Name**: myIntegerArray <br>- **Type**: Array <br>- **Value**: `[1,2,3,4]` |

+ :::image type="content" source="media/logic-apps-perform-data-operations/sample-start-select-action-standard.png" alt-text="Screenshot shows Azure portal, Standard workflow designer, and example workflow for the action named Select." lightbox="media/logic-apps-perform-data-operations/sample-start-select-action-standard.png":::

+1. [Follow these general steps to find the **Data Operations** action named **Select**](create-workflow-with-trigger-or-action.md?tabs=standard#add-action).

+1. On the designer, select the **Select** action, if not already selected. In the **From** box, enter the source array that you want to use.

+ :::image type="content" source="media/logic-apps-perform-data-operations/configure-select-action.png" alt-text="Screenshot shows Standard workflow, action named Select, and the selected source array variable to use." lightbox="media/logic-apps-perform-data-operations/configure-select-action.png":::

+ :::image type="content" source="media/logic-apps-perform-data-operations/configure-select-action-expression.png" alt-text="Screenshot shows Standard workflow, the action named Select, and the JSON object property and values to create the JSON object array." lightbox="media/logic-apps-perform-data-operations/configure-select-action-expression.png":::

+ :::image type="content" source="media/logic-apps-perform-data-operations/finished-select-action.png" alt-text="Screenshot shows Standard workflow and the finished example action named Select." lightbox="media/logic-apps-perform-data-operations/finished-select-action.png":::

+ 1. To get the array output from the **Select** action, enter the following expression, which uses the [**body()** function](workflow-definition-language-functions-reference.md#body) with the **Select** action name, and select **Add**:

+ `body('Select')`

+ :::image type="content" source="media/logic-apps-perform-data-operations/send-email-select-action.png" alt-text="Screenshot shows workflow with action named Send an email, and action outputs from the Select action.":::

+ The resolved expression specifies to show the outputs from the **Select** action in the email body when sent:

+ :::image type="content" source="media/logic-apps-perform-data-operations/send-email-select-action-complete.png" alt-text="Screenshot shows workflow and finished action named Send an email for the Select action." lightbox="media/logic-apps-perform-data-operations/send-email-select-action-complete.png":::

+1. Save your workflow, and then manually run your workflow.

+ - Consumption workflow: On the designer toolbar, select **Run** > **Run**.

+ - Standard workflow: On the workflow navigation menu, select **Overview**. On the **Overview** page toolbar, select **Run** > **Run**.

+If you used the Office 365 Outlook action, the following example shows the result:

+## Related content

+| [body](#body) | Return an action's `body` output at runtime. |

+For shorthand versions, see [body()](#body). For the current action, see [action()](#action).

+Return an action's `body` output at runtime. Shorthand for `actions('<actionName>').outputs.body`. See [actions()](#actions).

+Return an action's outputs at runtime.

+In this article, you learn how to manage imported data assets from a life-cycle perspective. You'll learn how to modify or update auto delete settings on the data assets imported into a managed datastore (`workspacemanagedstore`) that Microsoft manages for the customer.

+1. As shown in the next screenshot, under **Assets** in the left navigation, select **Data**. At the **Data assets** tab, select an imported data asset located in the **workspacemanageddatastore**.

+1. To change the auto delete **Condition** setting, select **Created greater than**, and change **Value** to any numeric value. Then, select **Save** as shown in this screenshot:

+1. After a successful edit, you'll return to the data asset detail page. That page shows the updated values in **Auto delete settings** property box, as shown in the next screenshot:

+ > The auto delete setting is available only on imported data assets in a **workspacemanaged** datastore, as shown in the above screenshot.

+1. As shown in the next screenshot, the data asset details page has an **Auto delete setting** property. This property is currently active on the data asset. Verify that you have the correct **Version:** of the data asset selected in the drop-down, and select the pencil icon to edit the property.

+- [Access data from Azure cloud storage during interactive development](./how-to-access-data-interactive.md)

+- [Working with tables in Azure Machine Learning](./how-to-mltable.md)

+In this article, you'll learn how to programmatically schedule data imports, using the schedule UI to do it. You can create a schedule based on elapsed time. Time-based schedules can handle routine tasks - for example, regular data imports to keep them up-to-date. After learning how to create schedules, you'll learn how to retrieve, update and deactivate them via CLI, SDK, and studio UI resources.

+- You need an Azure subscription to use Azure Machine Learning. If you don't have an Azure subscription, create a free account before you begin. Try the [free or paid version of Azure Machine Learning](https://azure.microsoft.com/free/) today.

+To import data on a recurring basis, you must create a schedule. A `Schedule` associates a data import action with a trigger. The trigger can either be `cron`, which uses a cron expression to describe the delay between runs, or a `recurrence`, which specifies the frequency to trigger a job. In each case, you must first build an import data definition. An existing data import, or a data import that is defined inline, works for this. For more information, visit [Create a data import in CLI, SDK and UI](how-to-import-data-assets.md).

+A `trigger` contains these properties:

+- **(Required)** `type` specifies the schedule type, either `recurrence` or `cron`. The following section has more information.

+- **(Required)** For a better coding experience, use `RecurrenceTrigger` for the recurrence schedule.

+When your data import has satisfactory performance and outputs, you can set up a schedule to automatically trigger that import.

+ 1. Under **Assets** in the left navigation, select **Data**. At the **Data import** tab, select the imported data asset to which you want to attach a schedule. The **Import jobs history** page should appear, as shown in this screenshot:

+ 1. At the **Import jobs history** page, select the latest **Import job name** hyperlink URL, to open the pipelines job details page as shown in this screenshot:

+ - **Trigger**: the recurrence pattern of the schedule, which includes these properties:

+- **(Required)** `frequency` specifies the unit of time that describes how often the schedule fires. Can have values

+ - `minute`

+ - `hour`

+ - `day`

+ - `week`

+ - `month`

+ - If `schedule` is omitted, the job(s) triggers fire according to the logic of `start_time`, `frequency` and `interval`.

+- (Optional) `time_zone` specifies the time zone of the recurrence. If omitted, the default timezone is UTC. For more information about timezone values, visit [appendix for timezone values](reference-yaml-schedule.md#appendix).

+The `trigger` section defines the schedule details and contains these properties:

+- **(Required)** `type` specifies the `cron` schedule type.

+The `CronTrigger` section defines the schedule details and contains these properties:

+- **(Required)** For a better coding experience, use `CronTrigger` for the recurrence schedule.

+When your data import has satisfactory performance and outputs, you can set up a schedule to automatically trigger that import.

+ 1. At the **Import jobs history** page, select the latest **Import job name** hyperlink URL, to open the pipelines job details page as shown in this screenshot:

+ - **Trigger**: the recurrence pattern of the schedule, which includes these properties:

+ - **Recurrence** or **Cron expression**: select recurrence to specify the recurring pattern. With **Cron expression**, you can specify a more flexible and customized recurrence pattern.

+ - This table lists the valid values for each field:

+ - For more information about crontab expressions, visit the [Crontab Expression wiki resource on GitHub](https://github.com/atifaziz/NCrontab/wiki/Crontab-Expression).

+- (Optional) `time_zone`specifies the time zone of the expression. If `time_zone` is omitted, the timezone is UTC by default. For more information about timezone values, visit [appendix for timezone values](reference-yaml-schedule.md#appendix).

+ :::image type="content" source="./media/how-to-schedule-data-import/schedule-detail-overview.png" alt-text="Screenshot of the overview tab in the schedule details page.":::

+> To update more than just tags/description, we recommend use of `az ml schedule create --file update_schedule.yml`

+ 1. Under **Assets** in the left navigation, select **Data**. On the **Data import** tab, select the imported data asset to which you want to attach a schedule. The **Import jobs history** page should appear, as shown in this screenshot:

+ > Make sure you select the correct schedule to update. Once you finish the update, the schedule will trigger different data imports.

+At the schedule details page, you can enable the current schedule. You can also enable schedules at the **All schedules** tab.

+> A schedule must be disabled before deletion. Deletion is a permanent, unrecoverable action. After a schedule is deleted, you can never access or recover it.

+There are currently three action rules related to schedules, and you can configure them in the Azure portal. For more information, visit [how to manage access to an Azure Machine Learning workspace.](how-to-assign-roles.md#create-custom-role).

+* If needed, follow these [steps on building MPI](https://mpi4py.readthedocs.io/en/stable/develop.html#building)