+POST https://{endpoint}/documentintelligence/documentModels:build?api-version=2024-07-31-preview

+ "modelId": "string",

+ "description": "string",

+ "buildMode": "neural",

+> * This paid training feature enables you to train larger data sets for longer durations with flexibility in the training hours.

+For Document Intelligence versions `v3.1 (2023-07-31) and v3.0 (2022-08-31)`, you receive a maximum 30 minutes of training duration per model, and a maximum of 20 trainings for free per month. If you would like to train more than 20 model instances, you can create an [Azure support ticket](service-limits.md#create-and-submit-support-request) to increase in the training limit. For Azure support ticket, enter in the `summary` field: `Increase Document Intelligence custom neural training (TPS) limit`.

+> [!IMPORTANT]

+> * When increasing the training limit, note that 2 custom neural model training sessions will be considered as 1 training hour. For more details on the pricing for increasing the number of training sessions, refer to the [pricing page](https://azure.microsoft.com/pricing/details/ai-document-intelligence/).

+> * Azure support ticket for training limit increase can only apply at a **resource-level**, not a subscription level. You can request a training limit increase for a single Document Intelligence resource by specifying your resource ID and region in the support ticket.

+For Document Intelligence versions `v3.1 (2023-07-31) and v3.0 (2022-08-31)`, you receive a maximum 30 minutes of training duration per model, and a maximum of 20 trainings for free per month. If you would like to train more than 20 model instances, you can create an [Azure support ticket](service-limits.md#create-and-submit-support-request) to increase in the training limit. For Azure support ticket, enter in the `summary` field: `Increase Document Intelligence custom neural training (TPS) limit`.

+> [!IMPORTANT]

+> * When increasing the training limit, note that 2 custom neural model training sessions will be considered as 1 training hour. For more details on the pricing for increasing the number of training sessions, refer to the [pricing page](https://azure.microsoft.com/pricing/details/ai-document-intelligence/).

+> * Azure support ticket for training limit increase can only apply at a **resource-level**, not a subscription level. You can request a training limit increase for a single Document Intelligence resource by specifying your resource ID and region in the support ticket.

+You can find the utilization measure in the Azure-Monitor section for your resource. To access the monitoring dashboards sign-in to [https://portal.azure.com](https://portal.azure.com), go to your Azure OpenAI resource and select the Metrics page from the left nav. On the metrics page, select the 'Provisioned-managed utilization V2' metric. If you have more than one deployment in the resource, you should also split the values by each deployment by clicking the 'Apply Splitting' button.

+Along with Azure AI Studio, Azure OpenAI Studio, APIs, and SDKs, you can use the customizable standalone web app to interact with Azure OpenAI models by using a graphical user interface. Key features include:

+* Connectivity with multiple data sources to support rich querying and retrieval-augmented generation, including Azure AI Search, Prompt Flow, and more.

+* Conversation history and user feedback collection through Cosmos DB.

+* Authentication with role-based access control via Microsoft Entra ID.

+* Customization of the user interface, data sources, and features using environment variables (no-code via Azure portal).

+* Support for modifying the underlying web application source code as an open-source repository.

+You can deploy the app by using either [Azure AI Studio](/azure/ai-studio/tutorials/deploy-chat-web-app) or [Azure OpenAI Studio](/azure/ai-services/openai/use-your-data-quickstart), or through a manual deployment through the Azure portal or the Azure Developer CLI via your local machine [(instructions available at the repository here)](https://github.com/microsoft/sample-app-aoai-chatGPT). Depending on your deployment channel, you can preload a data source to chat with via the web application, but this can be changed after deployment.

+For Azure OpenAI beginners aspiring to chat with their data through the web application, [Azure AI Studio](/azure/ai-studio/tutorials/deploy-chat-web-app) is the recommended medium for initial deployment and data source configuration.

+- This web application and many of its features are in preview, meaning that bugs might occur and that not all features might be complete. If you find a bug or require assistance, raise an issue in the associated [GitHub repository](https://github.com/microsoft/sample-app-aoai-chatGPT).

+- Publishing a web app creates an Azure App Service instance in your subscription. It might incur costs depending on the [pricing plan](https://azure.microsoft.com/pricing/details/app-service/windows/) that you select. When you're done with your app, you can delete it and any associated resources from the Azure portal.

+- GPT-4 Turbo with Vision models are not currently supported.

+Now users will be asked to sign in with their Microsoft Entra account to access your app. You can follow a similar process to add another identity provider if you prefer. The app doesn't use the user's sign-in information in any way other than verifying that the user is a member of your tenant. For more information on managing authentication, view this [quickstart on authentication for web apps on Azure App Service.](/azure/app-service/scenario-secure-app-authentication-app-service)

+## Customizing the application using environment variables

+These environment variables can be modified through the Azure portal after deploying the web application.

+1. In the Azure portal, search for and select the App Services page.

+2. Select the web app that you have just deployed.

+3. In the left menu of the app, select Settings > Environment variables.

+4. To modify an existing environment variable, click on its name.

+5. To add a single new environment variable, click on Add in the panel's top menu bar.

+6. To use the JSON-based editor to manage environment variables, click Advanced edit.

+## Modifying the application user interface

+The environment variables relevant to user interface customization are:

+- `UI_CHAT_DESCRIPTION`: This is the smaller paragraph text shown below the `UI_CHAT_TITLE` in the center of the page upon loading.

+ - Data type: text

+- `UI_CHAT_LOGO`: This is the large image shown in the center of the page upon loading.

+ - Data type: URL to image

+- `UI_CHAT_TITLE`: This is the large text shown in the center of the page upon loading.

+ - Data type: text

+- `UI_FAVICON`: This is the favicon shown on the browser window/tab.

+ - Data type: URL to image

+- `UI_LOGO`: This is logo appears in the top left of the page and to the left of the title.

+ - Data type: URL to image

+- `UI_TITLE`: This is the title shown on the browser window/tab. It also appears in the top left of the page by the logo.

+ - Data type: text

+- `UI_SHOW_SHARE_BUTTON`: This button appears on the top right of the page, and allows users to share a URL linking to the web app.

+ - Data type: Boolean, must enter either True or False, defaults to True if left blank or unspecified.

+- `UI_SHOW_CHAT_HISTORY_BUTTON`: This appears on the top right of the page and to the left of the UI_SHOW_SHARE_BUTTON.

+ - Data type: Boolean, must enter either True or False, defaults to True if left blank or unspecified.

+To modify the application user interface, follow the instructions in the previous step to open the environment variables page for your web app. Then, use Advanced edit to open the JSON-based editor. At the top of the JSON (after the `[` character), paste the below code block and customize the values accordingly:

+```json

+ {

+ "name": "UI_CHAT_DESCRIPTION",

+ "value": "This is an example of a UI Chat Description. Chatbots can make mistakes. Check important info and sensitive info.",

+ "slotSetting": false

+ },

+ {

+ "name": "UI_CHAT_LOGO",

+ "value": "https://learn-bot.azurewebsites.net/assets/Contoso-ff70ad88.svg",

+ "slotSetting": false

+ },

+ {

+ "name": "UI_CHAT_TITLE",

+ "value": "This is an example of a UI Chat Title. Start chatting",

+ "slotSetting": false

+ },

+ {

+ "name": "UI_FAVICON",

+ "value": "https://learn-bot.azurewebsites.net/assets/Contoso-ff70ad88.svg",

+ "slotSetting": false

+ },

+ {

+ "name": "UI_LOGO",

+ "value": "https://learn-bot.azurewebsites.net/assets/Contoso-ff70ad88.svg",

+ "slotSetting": false

+ },

+ {

+ "name": "UI_TITLE",

+ "value": "This is an example of a UI Title",

+ "slotSetting": false

+ },

+```

+## Enabling chat history using Cosmos DB

+You can turn on chat history for your users of the web app. When you turn on the feature, users have access to their individual previous queries and responses.

+To turn on chat history, deploy or redeploy your model as a web app by using [Azure OpenAI Studio](https://oai.azure.com/portal) or [Azure AI Studio](https://ai.azure.com/) and select **Enable chat history and user feedback in the web app**.

+> [!IMPORTANT]

+> Turning on chat history creates an [Azure Cosmos DB](/azure/cosmos-db/introduction) instance in your resource group, and it incurs [additional charges](https://azure.microsoft.com/pricing/details/cosmos-db/autoscale-provisioned/) for the storage that you use beyond any free tiers.

+After you turn on chat history, your users can show and hide it in the upper-right corner of the app. When users show chat history, they can rename or delete conversations. You can modify whether users can access this function using the environment variable `UI_SHOW_CHAT_HISTORY_BUTTON` as specified in the previous section. Because the users are signed in to the app, conversations are automatically ordered from newest to oldest. Conversations are named based on the first query in the conversation.

+> [!NOTE]

+> Popular Azure regions such as East US can experience periods of high-demand where it might not be possible to deploy a new instance of Cosmos DB. In that case, opt to deploy to alternative region such as East US 2 or retry your deployment until it succeeds. Should the deployment of Cosmos DB fail, your app will be available at its specified URL, but chat history will not be available. Enabling conversation history will also enable the view conversation history button in the top-right.

+Deploying with the chat history option selected will automatically populate the following environment variables, so there is no need to modify them unless you wish to switch Cosmos DB instances. They are:

+- `AZURE_COSMOSDB_ACCOUNT`: This is the name of the Cosmos DB account that is deployed along with your web app.

+ - Data type: text

+- `AZURE_COSMOSDB_ACCOUNT_KEY`: This is an alternative environment variable that is used only when permissions are not granted via Microsoft Entra ID and key-based authentication is used instead.

+ - Data type: text. Is normally not present or populated.

+- `AZURE_COSMOSDB_DATABASE`: This is the name of the database object within Cosmos DB that is deployed along with your web app.

+ - Data type: text, should be `db_conversation_history`

+- `AZURE_COSMOSDB_CONTAINER`: This is the name of the database container object within Cosmos DB that is deployed along with your web app.

+ - Data type: text, should be `conversations`

+- `AZURE_COSMOSDB_ACCOUNT`: This is the name of the Cosmos DB account that is deployed along with your web app.

+ - Data type: text

+### Collecting user feedback

+To collect user feedback, you can enable a set of 'thumbs up' and 'thumbs down' icons that appear on each of the chatbot's responses. This will allow users to evaluate a response's quality, and indicate where errors occur using a 'provide negative feedback' modal window.

+To enable this feature, set the following environment variable to True:

+- `AZURE_COSMOSDB_ENABLE_FEEDBACK`: This is the name of the Cosmos DB account that is deployed along with your web app.

+ - Data type: Data type: Boolean, must enter either True or False

+This can be accomplished using the Advanced edit or simple Edit options as previously explained. The JSON to paste in the Advanced edit JSON editor is:

+```json

+ {

+ "name": "AZURE_COSMOSDB_ENABLE_FEEDBACK",

+ "value": "True",

+ "slotSetting": false

+ },

+```

+## Connecting to Azure AI Search and uploaded files as a data source

+### Using Azure AI Studio

+Follow [this tutorial on integrating Azure AI Search with AI Studio](/azure/ai-studio/tutorials/deploy-chat-web-app#add-your-data-and-try-the-chat-model-again) and redeploy your application.

+### Using Azure OpenAI Studio

+Follow [this tutorial on integrating Azure AI Search with OpenAI Studio](/azure/ai-services/openai/use-your-data-quickstart#add-your-data-using-azure-openai-studio) and redeploy your application.

+### Using environment variables

+To connect to Azure AI Search without redeploying your app, you can modify the following mandatory environment variables using any of the editing options as previously described.

+- `DATASOURCE_TYPE`: This determines which data source to use when answering a user's queries.

+ - Data type: text. Should be set to `AzureCognitiveSearch` (former name for Azure AI Search)

+- `AZURE_SEARCH_SERVICE`: This is the name of your Azure AI Search instance.

+ - Data type: text

+- `AZURE_SEARCH_INDEX`: This is the name of your Azure AI Search instance's index name.

+ - Data type: text

+- `AZURE_SEARCH_KEY`: This is the authentication key of your Azure AI Search instance. Optional if using Microsoft Entra ID for authentication.

+ - Data type: text

+### Further customization scenarios using environment variables

+- `AZURE_SEARCH_USE_SEMANTIC_SEARCH`: Indicates whether to use semantic search in Azure AI Search.

+ - Data type: boolean, should be set to `False` if not using semantic search.

+- `AZURE_SEARCH_SEMANTIC_SEARCH_CONFIG`: Specifies the name of the semantic search configuration to use if semantic search is enabled.

+ - Data type: text, defaults to `azureml-default`.

+- `AZURE_SEARCH_INDEX_TOP_K`: Defines the number of top documents to retrieve from Azure AI Search.

+ - Data type: integer, should be set to `5`.

+- `AZURE_SEARCH_ENABLE_IN_DOMAIN`: Limits responses to queries related only to your data.

+ - Data type: boolean, should be set to `True`.

+- `AZURE_SEARCH_CONTENT_COLUMNS`: Specifies the list of fields in your Azure AI Search index that contain the text content of your documents, used when formulating a bot response.

+ - Data type: text, defaults to `content` if deployed from Azure AI Studio or Azure OpenAI Studio,

+- `AZURE_SEARCH_FILENAME_COLUMN`: Specifies the field from your Azure AI Search index that provides a unique identifier of the source data to display in the UI.

+ - Data type: text, defaults to `filepath` if deployed from Azure AI Studio or Azure OpenAI Studio,

+- `AZURE_SEARCH_TITLE_COLUMN`: Specifies the field from your Azure AI Search index that provides a relevant title or header for your data content to display in the UI.

+ - Data type: text, defaults to `title` if deployed from Azure AI Studio or Azure OpenAI Studio,

+- `AZURE_SEARCH_URL_COLUMN`: Specifies the field from your Azure AI Search index that contains a URL for the document.

+ - Data type: text, defaults to `url` if deployed from Azure AI Studio or Azure OpenAI Studio,

+- `AZURE_SEARCH_VECTOR_COLUMNS`: Specifies the list of fields in your Azure AI Search index that contain vector embeddings of your documents, used when formulating a bot response.

+ - Data type: text, defaults to `contentVector` if deployed from Azure AI Studio or Azure OpenAI Studio,

+- `AZURE_SEARCH_QUERY_TYPE`: Specifies the query type to use: `simple`, `semantic`, `vector`, `vectorSimpleHybrid`, or `vectorSemanticHybrid`. This setting takes precedence over `AZURE_SEARCH_USE_SEMANTIC_SEARCH`.

+ - Data type: text, we recommend testing with `vectorSemanticHybrid`.

+- `AZURE_SEARCH_PERMITTED_GROUPS_COLUMN`: Specifies the field from your Azure AI Search index that contains Microsoft Entra group IDs, determining document-level access control.

+ - Data type: text

+- `AZURE_SEARCH_STRICTNESS`: Specifies the strictness level for the model limiting responses to your data.

+ - Data type: integer, should be set between `1` and `5`, with `3` being recommended.

+- `AZURE_OPENAI_EMBEDDING_NAME`: Specifies the name of your embedding model deployment if using vector search.

+ - Data type: text

+The JSON to paste in the Advanced edit JSON editor is:

+```json

+{

+ "name": "AZURE_SEARCH_CONTENT_COLUMNS",

+ "value": "",

+ "slotSetting": false

+ },

+ {

+ "name": "AZURE_SEARCH_ENABLE_IN_DOMAIN",

+ "value": "true",

+ "slotSetting": false

+ },

+ {

+ "name": "AZURE_SEARCH_FILENAME_COLUMN",

+ "value": "",

+ "slotSetting": false

+ },

+ {

+ "name": "AZURE_SEARCH_INDEX",

+ "value": "",

+ "slotSetting": false

+ },

+ {

+ "name": "AZURE_SEARCH_KEY",

+ "value": "",

+ "slotSetting": false

+ },

+ {

+ "name": "AZURE_SEARCH_PERMITTED_GROUPS_COLUMN",

+ "value": "",

+ "slotSetting": false

+ },

+ {

+ "name": "AZURE_SEARCH_QUERY_TYPE",

+ "value": "vectorSemanticHybrid",

+ "slotSetting": false

+ },

+ {

+ "name": "AZURE_SEARCH_SEMANTIC_SEARCH_CONFIG",

+ "value": "azureml-default",

+ "slotSetting": false

+ },

+ {

+ "name": "AZURE_SEARCH_SERVICE",

+ "value": "",

+ "slotSetting": false

+ },

+ {

+ "name": "AZURE_SEARCH_STRICTNESS",

+ "value": "3",

+ "slotSetting": false

+ },

+ {

+ "name": "AZURE_SEARCH_TITLE_COLUMN",

+ "value": "",

+ "slotSetting": false

+ },

+ {

+ "name": "AZURE_SEARCH_TOP_K",

+ "value": "5",

+ "slotSetting": false

+ },

+ {

+ "name": "AZURE_SEARCH_URL_COLUMN",

+ "value": "",

+ "slotSetting": false

+ },

+ {

+ "name": "AZURE_SEARCH_USE_SEMANTIC_SEARCH",

+ "value": "true",

+ "slotSetting": false

+ },

+ {

+ "name": "AZURE_SEARCH_VECTOR_COLUMNS",

+ "value": "contentVector",

+ "slotSetting": false

+ },

+```

+## Connecting to Prompt Flow as a data source

+[Prompt flows](/azure/ai-studio/how-to/flow-develop) allow you to define highly customizable RAG and processing logic on a user's queries.

+### Creating and deploying your prompt flow in Azure AI Studio

+Follow [this tutorial](/azure/ai-studio/tutorials/deploy-copilot-ai-studio) to create, test, and deploy an inferencing endpoint for your prompt flow in Azure AI Studio.

+### Enable underlying citations from your prompt flow

+When configuring your prompt flow to display citations when integrated this web application, it must return two key outputs: one called `documents` (your citations), and one called `reply` (your natural language answer).

+1. `documents` is a JSON object, which should contain the following elements. `citations` is a list that can contain multiple items following the same schema. the `documents` object should be generated and populated based on your selected RAG pattern.

+```json

+{

+ "citations": [

+ {

+ "content": "string",

+ "id": 12345,

+ "title": "string",

+ "filepath": "string",

+ "url": "string",

+ "metadata": "string",

+ "chunk_id": None,

+ "reindex_id": None,

+ "part_index": None

+ }

+ ],

+ "intent": "Your_string_here"

+}

+```

+2. `reply` consists of a returned string that represents the final natural language to a given user query. Your `reply` must contain references to each of the documents (sources) in the following format: `[doc1], [doc2]`, etc. The web application will parse `reply` and process the references, replacing all instances of `[doc1]` with small superscript numeric indicators that link directly to the ordered `documents` that are returned. Hence, you must prompt your LLM that generates the final natural language to include these references, which should also be passed in your LLM call to ensure that they align correctly. For example:

+```text

+system:

+You are a helpful chat assistant that answers a user's question based on the information retrieved from a data source.

+YOU MUST ALWAYS USE CITATIONS FOR ALL FACTUAL RESPONSES. YOU MUST INCLUDE CITATIONS IN YOUR ANSWER IN THE FORMAT [doc1], [doc2], ... AND SO FORTH WHEN YOU ARE USING INFORMATION RELATING TO SAID SOURCE. THIS MUST BE RETURNED IN YOUR ANSWER.

+Provide sort and concise answers with details directly related to the query.

+## Conversation history for context

+{% for item in chat_history %}

+user:

+{{item.inputs.query}}

+assistant:

+{{item.outputs.reply}}

+{% endfor %}

+## Current question

+user:

+### HERE ARE SOME CITED SOURCE INFORMATION FROM A MOCKED API TO ASSIST WITH ANSWERING THE QUESTION BELOW. ANSWER ONLY BASED ON THE TRUTHS PRESENTED HERE.

+{{your_input_name_for_documents}}

+FOR EACH OF THE CITATIONS ABOVE, YOU MUST INCLUDE IN YOUR ANSWER [doc1], [doc2], ... AND SO FORTH WHEN YOU ARE USING INFORMATION RELATING TO SAID SOURCE. THIS MUST BE RETURNED IN YOUR ANSWER.

+### HERE IS THE QUESTION TO ANSWER.

+{{question}}

+

+```

+### Configuring environment variables to integrate prompt flow

+The environment variables to modify are:

+- `AZURE_OPENAI_STREAM`: This determines whether the answer is loaded in a streaming (incremental load) format. This is not supported for prompt flow and thus must be set to `False` to use this feature.

+ - Data type: boolean, set to `True` if not using prompt flow, `False` if using prompt flow

+- `USE_PROMPTFLOW`: Indicates whether to use an existing Prompt flow deployed endpoint. If set to `True`, both `PROMPTFLOW_ENDPOINT` and `PROMPTFLOW_API_KEY` must be set.

+ - Data type: boolean, should be set to `False` if not using Prompt flow.

+- `PROMPTFLOW_ENDPOINT`: Specifies the URL of the deployed Prompt flow endpoint.

+ - Data type: text, for example `https://pf-deployment-name.region.inference.ml.azure.com/score`

+- `PROMPTFLOW_API_KEY`: The authentication key for the deployed Prompt flow endpoint. Note: only Key-based authentication is supported.

+ - Data type: text

+- `PROMPTFLOW_RESPONSE_TIMEOUT`: Defines the timeout value in seconds for the Prompt flow endpoint to respond.

+ - Data type: integer, should be set to `120`.

+- `PROMPTFLOW_REQUEST_FIELD_NAME`: The default field name to construct the Prompt flow request. Note: `chat_history` is automatically constructed based on the interaction. If your API expects other mandatory fields, you will need to change the request parameters under the `promptflow_request` function.

+ - Data type: text, should be set to `query`.

+- `PROMPTFLOW_RESPONSE_FIELD_NAME`: The default field name to process the response from the Prompt flow request.

+ - Data type: text, should be set to `reply`.

+- `PROMPTFLOW_CITATIONS_FIELD_NAME`: The default field name to process the citations output from the Prompt flow request.

+ - Data type: text, should be set to `documents`.

+## Connecting to other data sources

+Other data sources are supported, including:

+- Azure Cosmos DB

+- Elasticsearch

+- Azure SQL Server

+- Pinecone

+- Azure Machine Learning Index

+For further instructions on enabling these data sources, see the [GitHub repository](https://github.com/microsoft/sample-app-aoai-chatGPT).

+## Updating the web app to include the latest changes

+- [View your chat history in the deployed web app](./how-to/use-web-app.md#enabling-chat-history-using-cosmos-db)

+* The entire text included in the request can't exceed 50,000 characters including spaces.

+Each translate request is limited to 50,000 characters, across all the target languages you're translating to. For example, sending a translate request of 3,000 characters to translate to three different languages results in a request size of 3000x3 = 9,000 characters, which satisfy the request limit. You're charged per character, not by the number of requests. We recommended sending shorter requests.

+| translate | 10,000 | 100 | 50,000 |

+description: Learn about features including availability zones and multiregion deployments to make your Azure API Management instance resilient to cloud failures.

+This article is an overview of service capabilities to ensure that your API Management instance continues to serve API requests if Azure outages occur.

+API Management offers the following capabilities for [reliable and resilient](../reliability/overview.md) Azure solutions. Use them individually or together to enhance availability:

+* **Availability zones**: Resilience to datacenter-level outages

+* **Multi-region deployment**: Resilience to regional outages

+> * Availability zones and multi-region deployment are supported in the **Premium** tier.

+> * For configuration, see [Migrate API Management to availability zone support](/azure/reliability/migrate-api-mgt?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json) and [Deploy API Management in multiple regions](api-management-howto-deploy-multi-region.md).

+## Availability zones

+Azure availability zones are physically separate locations within an Azure region that are tolerant to datacenter-level failures. Each zone is composed of one or more datacenters equipped with independent power, cooling, and networking infrastructure. To ensure resiliency, a minimum of 3 separate availability zones are present in all availability zone-enabled regions. [Learn more](../reliability/availability-zones-overview.md)

+Enabling [zone redundancy](../reliability/migrate-api-mgt.md) for an API Management instance in a supported region provides redundancy for all [service components](api-management-key-concepts.md#api-management-components): gateway, management plane, and developer portal. Azure automatically replicates all service components across the zones that you select.

+> Use the [capacity](api-management-capacity.md) metric and your own testing to decide the number of scale units that will provide the gateway performance for your needs. Learn more about [scaling and upgrading](upgrade-and-scale.md) your service instance.

+With [multi-region deployment](api-management-howto-deploy-multi-region.md), you can add regional API gateways to an existing API Management instance in one or more supported Azure regions. Multi-region deployment helps reduce request latency perceived by geographically distributed API consumers and improves service availability if one region goes offline.

+> To validate a JWT that was provided by an identity provider other than Microsoft Entra, API Management also provides the generic [`validate-jwt`](validate-jwt-policy.md) policy.

+ tenant-id="tenant ID or URL (for example, "https://contoso.onmicrosoft.com") of the Microsoft Entra ID tenant"

+ <application-id>Client application ID from Microsoft Entra</application-id>

+ <application-id>Backend application ID from Microsoft Entra</application-id>

+| tenant-id | Tenant ID or URL of the Microsoft Entra ID tenant, or one of the following well-known tenants:<br/><br/> - `organizations` or `https://login.microsoftonline.com/organizations` - to allow tokens from accounts in any organizational directory (any Microsoft Entra directory)<br/>- `common` or `https://login.microsoftonline.com/common` - to allow tokens from accounts in any organizational directory (any Microsoft Entra directory) and from personal Microsoft accounts (for example, Skype, XBox)<br/><br/>Policy expressions are allowed.| Yes | N/A |

+The following policy checks that the audience is the hostname of the API Management instance and that the `ctry` claim is `US`. The Microsoft tenant ID is the well-known `organizations` tenant, which allows tokens from accounts in any organizational directory. The hostname is provided using a policy expression, and the client application ID is provided using a named value. The decoded JWT is provided in the `jwt` variable after validation.

+<validate-azure-ad-token tenant-id="organizations" output-token-variable-name="jwt">

+| Israel Central | ✅ | ✅ | |

+| Jio India Central | ✅** | | |

+| Jio India West | ✅** | | ✅ |

+| Korea South | ✅ | | ✅ |

+| Mexico Central | ✅ | ✅** | |

+| Spain Central | ✅ | ✅** | |

+| [Create an App Service environment v3](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/web-app-asp-app-on-asev3-create) | Creates an App Service environment v3, App Service plan, App Service, and all associated networking resources. |

+| [Monitor an app with web server logs](./scripts/powershell-monitor.md?toc=%2fpowershell%2fmodule%2ftoc.json) | Creates an App Service app, enables logging for it, and downloads the logs to your local machine. |

+| [Create an App Service environment v3](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.web/web-app-asp-app-on-asev3-create) | Creates an App Service environment v3, App Service plan, App Service, and all associated networking resources. |

+| [Create an Azure Windows web app with a backup](./scripts/terraform-backup.md)| Create an Azure Windows web app with a backup schedule. |

+> [!NOTE]

+> WebJobs for **Windows container**, **Linux code**, and **Linux container** is in preview. WebJobs for Windows code is generally available and not in preview.

+> Azure RBAC is not available for Red Hat OpenShift or managed Kubernetes offerings where user access to the API server is restricted (ex: Amazon Elastic Kubernetes Service (EKS), Google Kubernetes Engine (GKE)).

+>

+> Azure RBAC does not currently support Kubernetes clusters operating on ARM64 architecture. Please use [Kubernetes RBAC](identity-access-overview.md#kubernetes-rbac-authorization) to manage access control for ARM64-based Kubernetes clusters.

+>

+> For Azure Kubernetes Service (AKS) clusters, this [feature is available natively](/azure/aks/manage-azure-rbac) and doesn't require the AKS cluster to be connected to Azure Arc.

+description: Learn how to rotate Azure Fluid Relay access keys.

+ Title: Rotate Azure Fluid Relay access keys

+# How to rotate Fluid Relay Server access keys

+This article provides an overview of managing access keys (tenant keys) in Azure Fluid Relay Service. Microsoft recommends that you regularly rotate your keys for better security.

+## Primary / Secondary keys

+Customers use the access keys to sign the access tokens that are used to access Azure Fluid Relay Services. Azure Fluid Relay uses the keys to validate the tokens.

+Two keys are associated with each Azure Fluid Relay Service: a primary key and secondary key. The purpose of dual keys is to let you regenerate, or roll, keys, providing continuous access to your account and data.

+## View your access keys

+### [Azure portal](#tab/azure-portal)

+To see your access keys, search for your Azure Fluid Relay Service in the Azure portal. On the left menu of Azure Fluid Relay Service page, select **Settings**. Then, select **Access Keys**. Select the **Copy** button to copy the selected key.

+[](../images/rotate-tenant-keys.png#lightbox)

+### [PowerShell](#tab/azure-powershell)

+To retrieve your access keys with PowerShell, you need to install [Azure Fluid Relay module](/powershell/module/az.fluidrelay) first.

+```azurepowershell

+Install-Module Az.FluidRelay

+```

+Then call the [Get-AzFluidRelayServerKey](/powershell/module/az.fluidrelay/get-azfluidrelayserverkey) command.

+```azurepowershell

+Get-AzFluidRelayServerKey -FluidRelayServerName <Fluid Relay Service name> -ResourceGroup <resource group> -SubscriptionId <subscription id>

+```

+### [Azure CLI](#tab/azure-cli)

+To retrieve your access keys with Azure CLI, you need to install [fluid-relay](/cli/azure/fluid-relay) extension first. See [instructions](/cli/azure/azure-cli-extensions-overview).

+Then use [az fluid-relay server list-key](/cli/azure/fluid-relay/server?view=azure-cli-latest&preserve-view=true#az-fluid-relay-server-list-key) command to list access keys.

+```azurecli

+az fluid-relay server list-key --resource-group <resource group> --server-name <Fluid Relay Service name>

+```

+## Rotate your access keys

+Two access keys are assigned so that your Azure Fluid Relay Service does not have to be taken offline when you rotate a key. Having two keys ensures that your application maintains access to Azure Fluid Relay throughout the process. You should rotate one of two keys at one time to avoid service interruptions.

+The process of rotating primary and secondary keys is the same. The following steps are for primary keys.

+### [Azure portal](#tab/azure-portal)

+To rotate your Azure Fluid Relay primary key in the Azure portal:

+1. Update the access keys in your application code to use the secondary access key for the Azure Fluid Relay.

+2. Navigate to your Fluid Relay Service in the Azure portal.

+3. Under **Settings**, select **Access key**.

+4. To regenerate the primary access key for your Azure Fluid Relay Service, select the **Regenerate Primary Key** button above the Access Information.

+5. Update the primary key in your code to reference the new primary access key.

+### [PowerShell](#tab/azure-powershell)

+To rotate your Fluid Relay primary key with PowerShell, you need to install [Azure Fluid Relay module](/powershell/module/az.fluidrelay) first.

+```azurepowershell

+Install-Module Az.FluidRelay

+```

+Then follow steps below:

+1. Update the access keys in your application code to use the secondary access key for the Azure Fluid Relay.

+2. Call the [New-AzFluidRelayServerKey](/powershell/module/az.fluidrelay/new-azfluidrelayserverkey) command to regenerate the primary access key, as shown in the following example:

+```azurepowershell

+New-AzFluidRelayServerKey -FluidRelayServerName <Fluid Relay Service name> -ResourceGroup <resource group> -KeyName <key name>

+```

+3. Update the primary key in your code to reference the new primary access key.

+### [Azure CLI](#tab/azure-cli)

+To rotate your Fluid Relay primary key with Azure CLI, you need to install [fluid-relay](/cli/azure/fluid-relay) extension first. See [instructions](/cli/azure/azure-cli-extensions-overview).

+Then follow steps below:

+1. Update the access keys in your application code to use the secondary access key for the Azure Fluid Relay.

+2. Call the [az fluid-relay server regenerate-key](/cli/azure/fluid-relay/server?view=azure-cli-latest&preserve-view=true#az-fluid-relay-server-regenerate-key) command to regenerate the primary access key, as shown in the following example:

+```azurecli

+az fluid-relay server regenerate-key --resource-group <resource group>--server-name <Fluid Relay Service name>--key-name <key name>

+```

+3. Update the primary key in your code to reference the new primary access key.

+For an end-to-end example of how to configure an output binding to Queue storage, see one of these articles:

+For an end-to-end example of how to configure an output binding to Queue storage, see one of these articles:

+For an end-to-end example of how to configure an output binding to Queue storage, see one of these articles:

+For an end-to-end example of how to configure an output binding to Queue storage, see one of these articles:

+For an end-to-end example of how to configure an output binding to Queue storage, see one of these articles:

+

+| [Microsoft Entra ID (Free)](../../active-directory/fundamentals/active-directory-whatis.md#what-are-the-azure-ad-licenses) **&ast;**| &#x2705; | &#x2705; |

+| [Azure Stack Edge](../../databox-online/index.yml) (formerly Data Box Edge) **&ast;&ast;&ast;** | &#x2705; | &#x2705; |

+| [Virtual Machines](../../virtual-machines/index.yml) | &#x2705; | &#x2705; |

+**&ast;** FedRAMP High and DoD SRG Impact Level 2 authorization for Microsoft Entra ID applies to Microsoft Entra External ID. To learn more about Entra External ID, refer to the documentation [here](/entra/)

+**&ast;&ast;&ast;** FedRAMP High authorization for edge devices (such as Azure Data Box and Azure Stack Edge) applies only to Azure services that support on-premises, customer-managed devices. For example, FedRAMP High authorization for Azure Data Box covers datacenter infrastructure services and Data Box pod and disk service, which are the online software components supporting your Data Box hardware appliance. You are wholly responsible for the authorization package that covers the physical devices. For assistance with accelerating your onboarding and authorization of devices, contact your Microsoft account representative.

+| [Virtual Machines](../../virtual-machines/index.yml) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |

+- [Power Pages](https://powerapps.microsoft.com/portals/)

+| August 2024 | **Windows**<ul><li>Added columns to the SecurityEvent table: Keywords, Opcode, Correlation, ProcessId, ThreadId, EventRecordId.</li><li>AMA: Support AMA Client Installer for selected partners.</li></ul>**Linux Features**<ul><li>Enable Dynamic Linking of OpenSSL 1.1 in all regions</li><li>Add Computer field to Custom Logs</li><li>Add EventHub upload support for Custom Logs </li><li>Reliability improvement for upload task scheduling</li><li>Added support for SUSE15 SP5, and AWS 3 distributions</li></ul>**Linux Fixes**<ul><li>Fix Direct upload to storage for perf counters when no other destination is configured. You don't see perf counters If storage was the only configured destination for perf counters, they wouldn't see perf counters in their blob or table.</li><li>Fluent-Bit updated to version 3.0.7. This fixes the issue with Fluent-Bit creating junk files in the root directory on process shutdown.</li><li>Fix proxy for system-wide proxy using http(s)_proxy env var </li><li>Support for syslog hostnames that are up to 255characters</li><li>Stop sending rows longer than 1MB. This exceeds ingestion limits and destabilizes the agent. Now the row is gracefully dropped and a diagnostic message is written.</li><li>Set max disk space used for rsyslog spooling to 1GB. There was no limit before which could lead to high memory usage.</li><li>Use random available TCP port when there is a port conflict with AMA port 28230 and 28330 . This resolved issues where port 28230 and 28330 were already in uses by the customer which prevented data upload to Azure.</li></ul>| 1.29 | 1.32.5 |

+ }

+ }

+ }

+ }

+ }

+ "tableOutputStream": "[concat('Custom-', parameters('tableName'))]"

+> To provide a better experience, custom metrics sent to Azure Monitor from the Application Insights Classic API (SDKs) are always stored in both Log Analytics and the Metrics Store. Your cost to store these metrics is only based on the volume ingested by Log Analytics. There is no additional cost for data stored in the Metrics Store.

+ - Profiler on Linux is only supported on Windows-based web apps.

+Codeless installation of Application Insights Profiler:

+- Follows [the .NET Core support policy](https://dotnet.microsoft.com/platform/support/policy/dotnet-core).

+- Is only supported on *Windows-based* web apps.

+To enable Profiler on Linux, walk through the [ASP.NET Core Azure Linux web apps instructions](profiler-aspnetcore-linux.md).

+> If you're using a preview version of .NET Core, or your application references Application Insights SDK (directly or indirectly via a dependent assembly), follow the instructions for [Enable Snapshot Debugger for other environments](snapshot-debugger-vm.md) to include the [`Microsoft.ApplicationInsights.SnapshotCollector`](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) NuGet package with the application.

+Snapshot Debugger currently supports ASP.NET and ASP.NET Core apps running on Azure App Service on Windows service plans.

+We recommend that you run your application on the Basic or higher service tiers when using Snapshot Debugger. For most applications:

+- The Free and Shared service tiers don't have enough memory or disk space to save snapshots.

+- The Consumption tier isn't currently available for Snapshot Debugger.

+Although Snapshot Debugger is preinstalled as part of the App Services runtime, you need to turn it on to get snapshots for your App Service app. Codeless installation of Snapshot Debugger follows [the .NET Core support policy.](https://dotnet.microsoft.com/platform/support/policy/dotnet-core).

+# [Azure portal](#tab/portal)

+After you've deployed your .NET App Services web app:

+1. Navigate to your App Service in the Azure portal.

+1. In the left-side menu, select **Settings** > **Application Insights**.

+1. Click **Turn on Application Insights**.

+ - If you have an existing Application Insights resource you'd rather use, select that option under **Change your resource**.

+1. Under **Instrument your application**, select the **.NET** tab.

+1. Switch both Snapshot Debugger toggles to **On**.

+1. Snapshot Debugger is now enabled.

+To disable Snapshot Debugger for your App Services resource:

+1. Navigate to your App Service in the Azure portal.

+1. In the left-side menu, select **Settings** > **Application Insights**.

+1. Switch the Snapshot Debugger toggles to **Off**.

+# [Azure Resource Manager](#tab/arm)

+You can also set app settings within the Azure Resource Manager template to enable Snapshot Debugger and Profiler. For example:

+ "apiVersion": "2023-12-01",

+ // "Turn on" a Snapshot Debugger version

+Generate traffic to your application that can trigger an exception. Then, wait 10 to 15 minutes for snapshots to be sent to the Application Insights instance.

+## Enable Snapshot Debugger for other cloud regions

+Currently the only regions that require endpoint modifications are [Azure Government](../../azure-government/compare-azure-government-global-azure.md#application-insights) and [Microsoft Azure operated by 21Vianet](/azure/china/resources-developer-guide) through the Application Insights Connection String.

+|Connection String Property | US Government Cloud | China Cloud |

+|||-|

+|SnapshotEndpoint | `https://snapshot.monitor.azure.us` | `https://snapshot.monitor.azure.cn` |

+For more information about other connection overrides, see [Application Insights documentation](../app/sdk-connection-string.md?tabs=net#connection-string-with-explicit-endpoint-overrides).

+## Configure Snapshot Debugger

+### Enable Microsoft Entra authentication for snapshot ingestion

+Snapshot Debugger supports Microsoft Entra authentication for snapshot ingestion. For all snapshots of your application to be ingested, your application must be authenticated and provide the required application settings to the Snapshot Debugger agent.

+As of today, Snapshot Debugger only supports Microsoft Entra authentication when you reference and configure Microsoft Entra ID using the Application Insights SDK in your application.

+To turn on Microsoft Entra ID for snapshot ingestion in your App Services resource:

+1. Add the managed identity that authenticates against your Application Insights resource to your App Service. You can create either:

+ - [Add a System-Assigned Managed identity](../../app-service/overview-managed-identity.md?tabs=portal%2chttp#add-a-system-assigned-identity).

+ - [Add a User-Assigned Managed identity](../../app-service/overview-managed-identity.md?tabs=portal%2chttp#add-a-user-assigned-identity).

+1. Configure and turn on Microsoft Entra ID in your Application Insights resource. For more information, see the following [documentation](../app/azure-ad-authentication.md?tabs=net#configure-and-enable-azure-ad-based-authentication)

+1. Add the following application setting. This setting tells the Snapshot Debugger agent which managed identity to use:

+For System-Assigned Identity:

+|App Setting | Value |

+||-|

+|APPLICATIONINSIGHTS_AUTHENTICATION_STRING | Authorization=AD |

+For User-Assigned Identity:

+|App Setting | Value |

+||-|

+|APPLICATIONINSIGHTS_AUTHENTICATION_STRING | Authorization=AD;ClientID={Client ID of the User-Assigned Identity} |

+## Unsupported scenarios

+|You're using the Snapshot Collector SDK in your application directly (*.csproj*) and enabled the advanced option "Interop".| The local Application Insights SDK (including Snapshot Collector telemetry) are lost and no Snapshots are available. <br/> Your application could crash at startup with `System.ArgumentException: telemetryProcessorTypedoes not implement ITelemetryProcessor.` <br/> [Learn more about the Application Insights feature "Interop".](../app/azure-web-apps-net-core.md#troubleshooting) | If you're using the advanced option "Interop", use the codeless Snapshot Collector injection (enabled through the Azure portal). |

+- View [snapshots](snapshot-debugger-data.md?toc=/azure/azure-monitor/toc.json#access-debug-snapshots-in-the-portal) in the Azure portal.

+- [Troubleshoot Snapshot Debugger issues](snapshot-debugger-troubleshoot.md).

+Snapshots appear as [**Exceptions**](../app/asp-net-exceptions.md) in the Application Insights pane of the Azure portal. View debug snapshots in the portal to examine the call stack and inspect variables at each call stack frame.

+For a more powerful debugging experience with source code, open snapshots with Visual Studio Enterprise. You can also [set SnapPoints to interactively take snapshots](/visualstudio/debugger/debug-live-azure-applications) without waiting for an exception.

+## Prerequisites

+Snapshots might include sensitive information. You can only view snapshots if you are assigned the `Application Insights Snapshot Debugger` role.

+## Access debug snapshots in the portal

+After an exception has occurred in your application and a snapshot is created, you can view snapshots in the Azure portal within 5 to 10 minutes.

+1. In your Application Insights resource, select **Investigate** > **Failures** from the left-side menu.

+1. In the **Failures** pane, select either:

+ - The **Operations** tab, or

+ - The **Exceptions** tab.

+1. Select the **[x] Samples** in the center column of the page to generate a list of sample operations or exceptions to the right.

+ :::image type="content" source="./media/snapshot-debugger/failures-page.png" alt-text="Screenshot showing the Failures Page in Azure portal.":::

+1. From the list of samples, select an operation or exception to open the **End-to-End Transaction Details** page. From here, select the exception event you'd like to investigate.

+ - If a snapshot is available for the given exception, select the **Open debug snapshot** button in the right pane to view the **Debug Snapshot** page.

+ - [If you do not see this button, no snapshot may be available. See the troubleshooting guide.](./snapshot-debugger-troubleshoot.md#use-the-snapshot-health-check)

+ :::image type="content" source="./media/snapshot-debugger/e2e-transaction-page.png" alt-text="Screenshot showing the Open Debug Snapshot button on exception.":::

+1. In the **Debug Snapshot** page, you see a call stack with a local variables pane. Select a call stack frame to view local variables and parameters for that function call in the variables pane.

+ :::image type="content" source="./media/snapshot-debugger/open-snapshot-portal.png" alt-text="Screenshot showing the Open debug snapshot highlighted in the Azure portal.":::

+## Download snapshots to view in Visual Studio

+To view snapshots in Visual Studio 2017 Enterprise or greater:

+1. Click the **Download Snapshot** button in the **Debug Snapshot** page to download a `.diagsession` file, which can be opened by Visual Studio Enterprise.

+1. In Visual Studio, make sure you have the Snapshot Debugger Visual Studio component installed.

+ - **For Visual Studio 2017 Enterprise and greater:** The required Snapshot Debugger component can be selected from the **Individual Component** list in the Visual Studio installer.

+ - **For a version older than Visual Studio 2017 version 15.5:** Install the extension from the [Visual Studio Marketplace](https://aka.ms/snapshotdebugger).

+1. Open the `.diagsession` file. The Minidump Debugging page in Visual Studio appears.

+1. Click **Debug Managed Code** to start debugging the snapshot. The snapshot opens to the line of code where the exception was thrown.

+The downloaded snapshot includes any symbol files found on your web application server. These symbol files are required to associate snapshot data with source code. For App Service apps, make sure to enable symbol deployment when you publish your web apps.

+We recommend that you run your application on the Basic or higher service tiers when using Snapshot Debugger. For most applications:

+- The Free and Shared service tiers don't have enough memory or disk space to save snapshots.

+- The Consumption tier isn't currently available for Snapshot Debugger.

+Snapshot Debugger is preinstalled as part of the Azure Functions runtime, so you don't need to add extra NuGet packages or application settings.

+[Enable Application Insights monitoring in your Functions app](../../azure-functions/configure-monitoring.md#new-function-app-in-the-portal).

+Generate traffic to your application that can trigger an exception. Then wait 10 to 15 minutes for snapshots to be sent to the Application Insights instance.

+You can verify that Snapshot Debugger has been enabled by checking your .NET function app files. For example, in the following simple .NET function app, the `.csproj`, `{Your}Function.cs`, and `host.json` of your .NET application show Snapshot Debugger as enabled:

+- [View snapshots](snapshot-debugger-data.md?toc=/azure/azure-monitor/toc.json#access-debug-snapshots-in-the-portal) in the Azure portal.

+- Customize Snapshot Debugger configuration based on your use case on your Functions app. For more information, see [Snapshot configuration in host.json](../../azure-functions/functions-host-json.md#applicationinsightssnapshotconfiguration).

+- [Troubleshoot Snapshot Debugger issues](snapshot-debugger-troubleshoot.md).

+## Prerequisites

+- [Enable Application Insights in your .NET resource](../app/asp-net.md).

+- Understand that snapshots may take 10 to 15 minutes to be sent to the Application Insights instance after an exception has been triggered.

+When you add the [Microsoft.ApplicationInsights.SnapshotCollector](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) NuGet package to your application, the `SnapshotCollectorTelemetryProcessor` is added automatically to the `TelemetryProcessors` section of [`ApplicationInsights.config`](../app/configuration-with-applicationinsights-config.md).

+If you don't see `SnapshotCollectorTelemetryProcessor` in `ApplicationInsights.config`, or if you want to customize the Snapshot Debugger configuration, you can edit it manually.

+> [!NOTE]

+> Any manual configurations may get overwritten when upgrading to a newer version of the [Microsoft.ApplicationInsights.SnapshotCollector](https://www.nuget.org/packages/Microsoft.ApplicationInsights.SnapshotCollector) NuGet package.

+Snapshot Collector's default configuration looks similar to the following example:

+In your application's startup code, where services are configured, add a call to the `AddSnapshotCollector` extension method. We suggest adding this line immediately after the call to `AddApplicationInsightsTelemetry`. For example:

+### Customize the Snapshot Collector

+For most scenarios, Snapshot Collector's default settings are sufficient. However, you can customize the settings by adding the following code before the call to `AddSnapshotCollector()`:

+Next, add a `SnapshotCollector` section to _`appsettings.json`_ where you can override the defaults.

+Snapshot Collector's default `appsettings.json` configuration looks similar to the following example:

+Snapshots are collected only on exceptions that are reported to Application Insights.

+For ASP.NET and ASP.NET Core applications, the Application Insights SDK automatically reports unhandled exceptions that escape a controller method or endpoint route handler.

+For other applications, you might need to modify your code to report them. The exception handling code depends on the structure of your application. For example:

+By default, the Application Insights Logger (`ApplicationInsightsLoggerProvider`) forwards exceptions to the Snapshot Debugger via `TelemetryClient.TrackException`. This behavior is controlled via the `TrackExceptionsAsExceptionTelemetry` property on the `ApplicationInsightsLoggerOptions` class.

+If you set `TrackExceptionsAsExceptionTelemetry` to `false` when configuring the Application Insights Logger, the preceding example will not trigger the Snapshot Debugger. In this case, modify your code to call `TrackException` manually.

+- View [snapshots](snapshot-debugger-data.md?toc=/azure/azure-monitor/toc.json#access-debug-snapshots-in-the-portal) in the Azure portal.

+- [Troubleshoot Snapshot Debugger issues](snapshot-debugger-troubleshoot.md).

+When enabled, Snapshot Debugger automatically collects a debug snapshot of the source code and variables when an exception occurs in your live .NET application. The Snapshot Debugger in [Application Insights](../app/app-insights-overview.md):

+- [Azure App Service](snapshot-debugger-app-service.md?toc=/azure/azure-monitor/toc.json)

+- [Azure Functions](snapshot-debugger-function-app.md?toc=/azure/azure-monitor/toc.json)

+- [Azure Cloud Services](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json) running OS family 4 or later

+- [Azure Service Fabric](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json) running on Windows Server 2012 R2 or later

+- [Azure Virtual Machines and Azure Virtual Machine Scale Sets](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json) running Windows Server 2012 R2 or later

+- [On-premises virtual or physical machines](snapshot-debugger-vm.md?toc=/azure/azure-monitor/toc.json) running Windows Server 2012 R2 or later or Windows 8.1 or later

+The Snapshot Debugger process starts and ends with the `TrackException` method. A process snapshot is a suspended clone of the running process, so that your users experience little to no interruption. In a typical scenario:

+While the Snapshot Debugger process continues to run and serve traffic to users with little interruption, the snapshot is handed off to the Snapshot Uploader process. In a typical scenario, the Snapshot Uploader:

+## Upgrading Snapshot Debugger

+Snapshot Debugger auto-upgrades via the built-in, preinstalled Application Insights site extension.

+Manually adding an Application Insights site extension to keep Snapshot Debugger up-to-date is deprecated.

+Make sure that the index isn't already used and that it's in the range from 1 to 5.

+Remove all characters other than alphabetical letters, numbers, or hyphens ("-") from the file path you entered.

+This error occurs when you're trying to create a volume that has both the CIFS (SMB) and NFS protocol types in the volume properties.

+Make sure that the operation is entered correctly. The operation should be available for the resource and subscription that you're using.

+Most likely the pool wasn't fully created or was already deleted at the time of the volume creation.

+The mount target is defined when it's created, and it can't be changed subsequently.

+Check the request for spelling errors to make sure that it's correctly referenced.

+Make sure all property names are spelled correctly. Make sure the properties are available for the subscription and resource.

+This error occurs when you try to delete a volume when it's already being deleted.

+Review your Active Directory configuration. Make sure that the DNS server IP addresses are correct and reachable.

+ "level": "warning"

+output bar bool = length(numberArray) <= 3 || numberArray[3] == 4

+> [!NOTE]

+> * The replica count is currently limited to a maximum of 8 per primary resource.

+> [!NOTE]

+> * The replica count is currently limited to a maximum of 8 per primary resource.

+ Title: Migrate Azure CDN from Microsoft (classic) to Azure Front Door Standard or Premium tier

+# Migrate Azure CDN from Microsoft (classic) to Standard/Premium tier

+|Blocked anonymous join client types | per-organizer | If the property "BlockedAnonymousJoinClientTypes" is set to "Teams" or "Null", the Teams external users via Azure Communication Services can't join Teams meeting. | [CsTeamsMeetingPolicy](/powershell/module/skype/set-csteamsmeetingpolicy) | BlockedAnonymousJoinClientTypes |

+- Learn more about the [UI Library](../ui-library/ui-library-overview.md).

+- Learn more about the [UI Library](../../concepts//ui-library/ui-library-overview.md).

+ Title: Enable scenarios using closed captions and the UI Library

+description: Enable scenarios using closed captions and Azure Communication Services UI Library.

+zone_pivot_groups: acs-plat-ios-android

+#Customer intent: As a developer, I want setup closed captions into a call using the UI Library.

+# Closed captions

+Closed captions play a critical role in video voice calling apps, providing numerous benefits that enhance the accessibility, usability, and overall user experience of these platforms.

+In this article, you learn how to enable closed captions scenarios using the UI Library. There's two main scenarios to enable closed captions: Azure Communication Services video and voice calls and Interop calls.

+## Azure Communication Service based captions

+Supported for calls involving Azure Communication Service users only. Currently, Azure Communication Service captions **do not support language translation**.

+## Teams Interop closed captions

+Supported during calls with one or more Teams users.

+### Translation support

+Unlike Azure Communication Service closed captions, Teams Interop closed captions support translation. Users can opt to have closed captions translated into a different language through the captions settings.

+## How to use captions

+Captions are seamlessly integrated within the `CallingUILibrary`.

+1. **Activate captions**:

+ - During a connected call, navigate to the control bar and click the **more button**.

+ - In the menu pop-up, toggle to turn on captions.

+2. **Adjust spoken language**:

+ - If a different language is being used in the meeting, users can change the spoken language via the UI. This change applies to all users in the call.

+3. **Set caption language** (for Teams Interop Closed Captions):

+ - By default, live captions are displayed in the meeting or event spoken language. Live translated captions allow users to see captions translated into the language theyΓÇÖre most comfortable with.

+ - Change the caption language by clicking on the **Captions language** button after captions start, if translation to a different language is desired.

+> [!NOTE]

+> Live translated captions in meetings are only available as part of [**Teams Premium**](https://learn.microsoft.com/MicrosoftTeams/teams-add-on-licensing/licensing-enhance-teams#meetings), an add-on license that provides additional features to make Teams meetings more personalized, intelligent, and secure. To get access to Teams Premium, contact your IT admin. More details you can find it [here](../calling-sdk/closed-captions-teams-interop-how-to.md).

+## Supported languages

+Azure Communication Services supports various spoken languages for captions. The next table contains the list of supported language codes that you can use with the `setSpokenLanguage` method to set the desired language for captions.

+| Language | ACS Spoken Code | Teams Spoken Code | Teams Captions Code |

+|--|--|-|--|

+| Arabic | ar-ae, ar-sa | ar-ae, ar-sa | ar |

+| Danish | da-dk | da-dk | da |

+| German | de-de | de-de | de |

+| English | en-au, en-ca, en-gb, en-in, en-nz, en-us | en-au, en-ca, en-gb, en-in, en-nz, en-us | en |

+| Spanish | es-es, es-mx | es-es, es-mx | es |

+| Finnish | fi-fi | fi-fi | fi |

+| French | fr-ca, fr-fr | fr-ca, fr-fr | fr, fr-ca |

+| Hindi | hi-in | hi-in | hi |

+| Italian | it-it | it-it | it |

+| Japanese | ja-jp | ja-jp | ja |

+| Korean | ko-kr | ko-kr | ko |

+| Norwegian | nb-no | nb-no | nb |

+| Dutch | nl-be, nl-nl | nl-be, nl-nl | nl |

+| Polish | pl-pl | pl-pl | pl |

+| Portuguese | pt-br | pt-br, pt-pt | pt, pt-pt |

+| Russian | ru-ru | ru-ru | ru |

+| Swedish | sv-se | sv-se | sv |

+| Chinese | zh-cn, zh-hk | zh-cn, zh-hk | zh-Hans, zh-Hant |

+| Czech | ΓÇö | cs-cz | cs |

+| Slovak | ΓÇö | sk-sk | sk |

+| Turkish | ΓÇö | tr-tr | tr |

+| Vietnamese | ΓÇö | vi-vn | vi |

+| Thai | ΓÇö | th-th | th |

+| Hebrew | ΓÇö | he-il | he |

+| Welsh | ΓÇö | cy-gb | cy |

+| Ukrainian | ΓÇö | uk-ua | uk |

+| Greek | ΓÇö | el-gr | el |

+| Hungarian | ΓÇö | hu-hu | hu |

+| Romanian | ΓÇö | ro-ro | ro |

+Ensure the spoken language selected matches the language used in the call to accurately generate captions.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- A deployed Communication Services resource. [Create a Communication Services resource](../../quickstarts/create-communication-resource.md).

+- A user access token to enable the call client. [Get a user access token](../../quickstarts/access-tokens.md).

+- Optional: Completion of the [quickstart for getting started with the UI Library composites](../../quickstarts/ui-library/get-started-composites.md).

+## Set up the feature

+## Next steps

+- [Learn more about the UI Library](../../concepts/ui-library/ui-library-overview.md)

+ "id": "subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/providers/Microsoft.CostManagement/operationResults/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ "name": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ "requestScope": "subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ az costmanagement export create --name DemoExport --type Usage \--scope "subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e" --storage-account-id cmdemo \--storage-container democontainer --timeframe MonthToDate --storage-directory demodirectory

+Location: https://management.azure.com/providers/Microsoft.Billing/billingAccounts/0000000/providers/Microsoft.CostManagement/operationResults/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e?api-version=2023-09-01

+GET https://management.azure.com/providers/Microsoft.Billing/billingAccounts/0000000/providers/Microsoft.CostManagement/operationResults/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e?api-version=2023-09-01

+ "PurchasingsubscriptionGuid": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ "reservationOrderId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "reservationOrderId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "purchasingSubscriptionGuid": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ "meterId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "subscriptionId": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ "meterId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "id": "billingAccount/123456/providers/Microsoft.Consumption/reservationRecommendations/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ "name": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ "meterId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+Location: https://management.azure.com/providers/Microsoft.Billing/billingAccounts/9845612/providers/Microsoft.CostManagement/reservationDetailsOperationResults/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb?api-version=2023-11-01

+ "reportUrl": "https://storage.blob.core.windows.net/details/20200911/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb?sv=2016-05-31&sr=b&sig=jep8HT2aphfUkyERRZa5LRfd9RPzjXbzB%2F9TNiQ",

+ "reportUrl": "https://storage.blob.core.windows.net/details/20200911/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb?sv=2016-05-31&sr=b&sig=jep8HT2aphfUkyERRZa5LRfd9RPzjXbzB%2F9TNiQ",

+ "reservationOrderId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "reservationId": "bbbbbbbb-1111-2222-3333-cccccccccccc",

+ "instanceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/resourvegroup1/providers/microsoft.compute/virtualmachines/VM1",

+ "reservationOrderId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "reservationId": "bbbbbbbb-1111-2222-3333-cccccccccccc",

+ "reservationOrderId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "reservationId": "bbbbbbbb-1111-2222-3333-cccccccccccc",

+ "resourceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/MYDEVTESTRG/providers/Microsoft.Storage/storageAccounts/{yourStorageAccount} ",

+| POST | `https://management.azure.com/providers/Microsoft.Billing/billingAccounts/{billingAccountId}/billingProfiles/{billingProfileId}/invoices/{invoiceId}/pricesheet/default/download?api-version=2018-11-01-preview&format=csv` |

+| POST | `https://management.azure.com/providers/Microsoft.Billing/billingAccounts/{billingAccountId}/billingProfiles/{billingProfileId}/invoices/{invoiceId}/pricesheet/default/download?api-version=2018-11-01-preview&format=json` |

+| GET | `/providers/Microsoft.Billing/billingAccounts/{billing AccountId}/billingProfiles/{billingProfileId}/providers/Microsoft.Consumption/pricesheets/download?api-version=2019-01-01` |

+ az costmanagement export list --scope "subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"

+ --scope "subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e" \

+ --storage-account-id /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/TreyNetwork/providers/Microsoft.Storage/storageAccounts/cmdemo \

+ --scope "subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"

+ --scope "subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e" --storage-directory demodirectory02

+az costmanagement export delete --name DemoExport --scope "subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"

+ Get-AzCostManagementExport -Scope 'subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e'

+ Scope = 'subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e'

+ DestinationResourceId = '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/treynetwork/providers/Microsoft.Storage/storageAccounts/cmdemo'

+ Get-AzCostManagementExport -Scope 'subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e'

+ Update-AzCostManagementExport -Name DemoExport -Scope 'subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e' -DestinationRootFolderPath demodirectory02

+Remove-AzCostManagementExport -Name DemoExport -Scope 'subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e'

+ "subscriptionId": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ "subscriptionId": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ "subscriptionId": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"

+ "subscriptionId": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"

+az ad sp show --id aaaaaaaa-bbbb-cccc-1111-222222222222 --query 'id'

+Get-AzADServicePrincipal -ApplicationId aaaaaaaa-bbbb-cccc-1111-222222222222 | Select-Object -Property Id

+ "subscriptionId": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ "subscriptionId": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ "subscriptionId": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"

+ "subscriptionId": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"

+ "name": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ "subscriptionId": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ "subscriptionId": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"

+ "subscriptionId": "aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"

+ "instanceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/Default-Web-eastasia/providers/Microsoft.Web/sites/shared1",

+ "instanceId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/Default-Web-eastasia/providers/Microsoft.Web/sites/shared1",

+1. Navigate to `https://portal.azure.com/#blade/Microsoft_Azure_Billing/RemoveSpendingLimitBlade/subscriptionId/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e` and replace the example subscription ID with your subscription ID.

+ Get-AzReservation -ReservationOrderId aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb -ReservationId bbbbbbbb-1111-2222-3333-cccccccccccc

+ Split-AzReservation -ReservationOrderId aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb -ReservationId bbbbbbbb-1111-2222-3333-cccccccccccc -Quantity 3,2

+ Update-AzReservation -ReservationOrderId aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb -ReservationId bbbbbbbb-1111-2222-3333-cccccccccccc -AppliedScopeType Single -AppliedScope /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e

+ 'billingScopeId': '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e',

+ 'appliedScopes': ['/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e'],

+ "billingScopeId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+ "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"

+ "reservationOrderId": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+armclient put /providers/Microsoft.Capacity/reservationOrders/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb?api-version=2019-04-01 "{

+ 'billingScopeId': '/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e',

+ 'appliedScopes': ['/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/123'],

+ "id": "/providers/microsoft.capacity/reservationOrders/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb2",

+ "name": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "id": "/providers/microsoft.capacity/reservationOrdersaaaaaaaa-0000-1111-2222-bbbbbbbbbbbb/reservations/bbbbbbbb-1111-2222-3333-cccccccccccc",

+ "name": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb/bbbbbbbb-1111-2222-3333-cccccccccccc",

+ "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourcegroups/123"

+armclient get /providers/microsoft.capacity/reservationOrders/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb?api-version=2018-06-01

+ "id": "/providers/microsoft.capacity/reservationOrders/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",

+ "name": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb ",

+ "id": "/providers/microsoft.capacity/reservationOrders/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb/reservations/bbbbbbbb-1111-2222-3333-cccccccccccc"

+ "billingScopeId": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e",

+|ReservationId |aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb|

+|ReservationId |bbbbbbbb-1111-2222-3333-cccccccccccc|

+- The `billingScopeId` property in the request body must use the `/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e` format.

+The `billingScopeId` property in the request body must use the `/providers/Microsoft.Billing/billingAccounts/{accountId}/billingSubscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e` format.

+ --scope "subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e" --storage-account-id cmdemo \

+1. Create a JSON file named **AzureSQLDatabaseLinkedService.json** in **C:\ADFTutorials\IncCopyChangeTrackingTutorial** folder with the following content: Replace &lt;your-server-name&gt; and &lt;your-database-name&gt; with the name of your server and database before you save the file. You must also configure your Azure SQL Server to [grant access to your data factory's managed identity](connector-azure-sql-database.md#user-assigned-managed-identity-authentication).

+ "name": "AzureSqlDatabaseLinkedService",

+ "properties": {

+ "connectionString": "Server=tcp:<your-server-name>.database.windows.net,1433;Database=<your-database-name>;"

+ },

+ "authenticationType": "ManagedIdentity",

+ "annotations": []

+

+1. Create a JSON file named AzureSQLDatabaseLinkedService.json in the C:\ADF folder with the following content. (Create the folder ADF if it doesn't already exist.) Replace &lt;your-server-name&gt; and &lt;your-database-name&gt; with the name of your server and database before you save the file. You must also configure your Azure SQL Server to [grant access to your data factory's managed identity](connector-azure-sql-database.md#user-assigned-managed-identity-authentication).

+ "name": "AzureSqlDatabaseLinkedService",

+ "properties": {

+ "connectionString": "Server=tcp:<your-server-name>.database.windows.net,1433;Database=<your-database-name>;"

+ },

+ "authenticationType": "ManagedIdentity",

+ "annotations": []

+ Title: Azure Stack Edge 2407 release notes

+description: Describes critical open issues and resolutions for the Azure Stack Edge running 2407 release.

+

+# Azure Stack Edge 2407 release notes

+The following release notes identify critical open issues and resolved issues for the 2407 release for your Azure Stack Edge devices. Features and issues that correspond to a specific model of Azure Stack Edge are called out wherever applicable.

+The release notes are continuously updated, and as critical issues requiring a workaround are discovered, they're added. Before you deploy your device, carefully review the information contained in the release notes.

+This article applies to the **Azure Stack Edge 2407** release, which maps to software version **3.2.2754.1029**.

+> [!Warning]

+> In this release, you must update the packet core version to AP5GC 2308 before you update to Azure Stack Edge 2407. For detailed steps, see [Azure Private 5G Core 2308 release notes](../private-5g-core/azure-private-5g-core-release-notes-2308.md).

+> If you update to Azure Stack Edge 2407 before updating to Packet Core 2308.0.1, you will experience a total system outage. In this case, you must delete and re-create the Azure Kubernetes service cluster on your Azure Stack Edge device.

+> Each time you change the Kubernetes workload profile, you are prompted for the Kubernetes update. Go ahead and apply the update.

+## Supported update paths

+To apply the 2407 update, your device must be running version 2403 or later.

+ - If you aren't running the minimum required version, you see this error:

+ *Update package can't be installed as its dependencies aren't met.*

+ - You can update to 2403 from 2303 or later, and then update to 2407.

+You can update to the latest version using the following update paths:

+| Current version of Azure Stack Edge software and Kubernetes | Update to Azure Stack Edge software and Kubernetes | Desired update to 2407 |

+| --| --| --|

+|2303 |2403 |2407 |

+|2309 |2403 |2407 |

+|2312 |2403 |2407 |

+|2403 |Directly to |2407 |

+## What's new

+The 2407 release has the following new features and enhancements:

+- Base OS updates for Kubernetes nodes.

+- OpenSSH version update for Kubernetes nodes.

+- Azure Stack Edge Kubernetes v1.28.

+- Azure Arc for Kubernetes v1.16.10.

+- Deprecated support for Ubuntu 18.04 LTS GPU extension. The GPU extension is no longer supported on Ubuntu 18.04 GPU VMs running on Azure Stack Edge devices. If you plan to utilize the Ubuntu version 18.04 LTS distro, see steps for manual GPU driver installation at [CUDA Toolkit 12.1 Update 1 Downloads](https://developer.nvidia.com/cuda-12-1-1-download-archive?target_os=Linux&target_arch=x86_64&Distribution=Ubuntu&target_version=18.04&target_type=deb_local).

+ You may need to download the CUDA signing key before the installation.

+

+ For detailed steps to install the signing key, see [Troubleshoot GPU extension issues for GPU VMs on Azure Stack Edge Pro GPU](azure-stack-edge-gpu-troubleshoot-virtual-machine-gpu-extension-installation.md#in-versions-lower-than-2205-linux-gpu-extension-installs-old-signing-keys-signature-andor-required-key-missing).

+<!--!## Issues fixed in this release

+==previous==

+| No. | Feature | Issue |

+| | | |

+|**1.**| Clustering |-->

+## Known issues in this release

+| No. | Feature | Issue | Workaround/comments |

+| | | | |

+|**1.**|VM creation | Image directory is still the old location causing VM creation failure on Azure Stack Edge 2403. | |

+## Known issues from previous releases

+The following table provides a summary of known issues carried over from the previous releases.

+| No. | Feature | Issue | Workaround/comments |

+| | | | |

+| **1.** |Azure Stack Edge Pro + Azure SQL | Creating SQL database requires Administrator access. |Do the following steps instead of Steps 1-2 in [Create-the-sql-database](../iot-edge/tutorial-store-data-sql-server.md#create-the-sql-database). <br> 1. In the local UI of your device, enable compute interface. Select **Compute > Port # > Enable for compute > Apply.**<br> 2. Download `sqlcmd` on your client machine from [SQL command utility](/sql/tools/sqlcmd-utility). <br> 3. Connect to your compute interface IP address (the port that was enabled), adding a ",1401" to the end of the address.<br> 4. Final command looks like this: sqlcmd -S {Interface IP},1401 -U SA -P "Strong!Passw0rd". After this, steps 3-4 from the current documentation should be identical. |

+| **2.** |Refresh| Incremental changes to blobs restored via **Refresh** are NOT supported |For Blob endpoints, partial updates of blobs after a Refresh, might result in the updates not getting uploaded to the cloud. For example, sequence of actions such as:<br> 1. Create blob in cloud. Or delete a previously uploaded blob from the device.<br> 2. Refresh blob from the cloud into the appliance using the refresh functionality.<br> 3. Update only a portion of the blob using Azure SDK REST APIs. These actions can result in the updated sections of the blob to not get updated in the cloud. <br>**Workaround**: Use tools such as robocopy, or regular file copy through Explorer or command line, to replace entire blobs.|

+|**3.**|Throttling|During throttling, if new writes to the device aren't allowed, writes by the NFS client fail with a "Permission Denied" error.| The error shows as below:<br>`hcsuser@ubuntu-vm:~/nfstest$ mkdir test`<br>mkdir: can't create directory 'test': Permission deniedΓÇï|

+|**4.**|Blob Storage ingestion|When using AzCopy version 10 for Blob storage ingestion, run AzCopy with the following argument: `Azcopy <other arguments> --cap-mbps 2000`| If these limits aren't provided for AzCopy, it could potentially send a large number of requests to the device, resulting in issues with the service.|

+|**5.**|Tiered storage accounts|The following apply when using tiered storage accounts:<br> - Only block blobs are supported. Page blobs aren't supported.<br> - There's no snapshot or copy API support.<br> - Hadoop workload ingestion through `distcp` isn't supported as it uses the copy operation heavily.||

+|**6.**|NFS share connection|If multiple processes are copying to the same share, and the `nolock` attribute isn't used, you might see errors during the copy.ΓÇï|The `nolock` attribute must be passed to the mount command to copy files to the NFS share. For example: `C:\Users\aseuser mount -o anon \\10.1.1.211\mnt\vms Z:`.|

+|**7.**|Kubernetes cluster|When applying an update on your device that is running a Kubernetes cluster, the Kubernetes virtual machines will restart and reboot. In this instance, only pods that are deployed with replicas specified are automatically restored after an update. |If you have created individual pods outside a replication controller without specifying a replica set, these pods won't be restored automatically after the device update. You must restore these pods.<br>A replica set replaces pods that are deleted or terminated for any reason, such as node failure or disruptive node upgrade. For this reason, we recommend that you use a replica set even if your application requires only a single pod.|

+|**8.**|Kubernetes cluster|Kubernetes on Azure Stack Edge Pro is supported only with Helm v3 or later. For more information, go to [Frequently asked questions: Removal of Tiller](https://v3.helm.sh/docs/faq/).|

+|**9.**|Kubernetes |Port 31000 is reserved for Kubernetes Dashboard. Port 31001 is reserved for Edge container registry. Similarly, in the default configuration, the IP addresses 172.28.0.1 and 172.28.0.10, are reserved for Kubernetes service and Core DNS service respectively.|Don't use reserved IPs.|

+|**10.**|Kubernetes |Kubernetes doesn't currently allow multi-protocol LoadBalancer services. For example, a DNS service that would have to listen on both TCP and UDP. |To work around this limitation of Kubernetes with MetalLB, two services (one for TCP, one for UDP) can be created on the same pod selector. These services use the same sharing key and spec.loadBalancerIP to share the same IP address. IPs can also be shared if you have more services than available IP addresses. <br> For more information, see [IP address sharing](https://metallb.universe.tf/usage/#ip-address-sharing).|

+|**11.**|Kubernetes cluster|Existing Azure IoT Edge marketplace modules might require modifications to run on IoT Edge on Azure Stack Edge device.|For more information, see [Run existing IoT Edge modules from Azure Stack Edge Pro FPGA devices on Azure Stack Edge Pro GPU device](azure-stack-edge-gpu-modify-fpga-modules-gpu.md).|

+|**12.**|Kubernetes |File-based bind mounts aren't supported with Azure IoT Edge on Kubernetes on Azure Stack Edge device.|IoT Edge uses a translation layer to translate `ContainerCreate` options to Kubernetes constructs. Creating `Binds` maps to `hostpath` directory and thus file-based bind mounts can't be bound to paths in IoT Edge containers. If possible, map the parent directory.|

+|**13.**|Kubernetes |If you bring your own certificates for IoT Edge and add those certificates on your Azure Stack Edge device after the compute is configured on the device, the new certificates aren't picked up.|To work around this problem, you should upload the certificates before you configure compute on the device. If the compute is already configured, [Connect to the PowerShell interface of the device and run IoT Edge commands](azure-stack-edge-gpu-connect-powershell-interface.md#use-iotedge-commands). Restart `iotedged` and `edgehub` pods.|

+|**14.**|Certificates |In certain instances, certificate state in the local UI might take several seconds to update. |The following scenarios in the local UI might be affected. <br> - **Status** column in **Certificates** page. <br> - **Security** tile in **Get started** page. <br> - **Configuration** tile in **Overview** page.<br> |

+|**15.**|Certificates|Alerts related to signing chain certificates aren't removed from the portal even after uploading new signing chain certificates.| |

+|**16.**|Web proxy |NTLM authentication-based web proxy isn't supported. ||

+|**17.**|Internet Explorer|If enhanced security features are enabled, you might not be able to access local web UI pages. | Disable enhanced security, and restart your browser.|

+|**18.**|Kubernetes |Kubernetes doesn't support ":" in environment variable names that are used by .NET applications. This is also required for Event Grid IoT Edge module to function on Azure Stack Edge device and other applications. For more information, see [ASP.NET core documentation](/aspnet/core/fundamentals/configuration/?tabs=basicconfiguration#environment-variables).|Replace ":" by double underscore. For more information, see [Kubernetes issue](https://github.com/kubernetes/kubernetes/issues/53201)|

+|**19.** |Azure Arc + Kubernetes cluster |By default, when resource `yamls` are deleted from the Git repository, the corresponding resources aren't deleted from the Kubernetes cluster. |To allow the deletion of resources when they're deleted from the git repository, set `--sync-garbage-collection` in Arc OperatorParams. For more information, see [Delete a configuration](../azure-arc/kubernetes/tutorial-use-gitops-connected-cluster.md#additional-parameters). |

+|**20.**|NFS |Applications that use NFS share mounts on your device to write data should use Exclusive write. That ensures the writes are written to the disk.| |

+|**21.**|Compute configuration |Compute configuration fails in network configurations where gateways or switches or routers respond to Address Resolution Protocol (ARP) requests for systems that don't exist on the network.| |

+|**22.**|Compute and Kubernetes |If Kubernetes is set up first on your device, it claims all the available GPUs. Hence, it isn't possible to create Azure Resource Manager VMs using GPUs after setting up the Kubernetes. |If your device has 2 GPUs, then you can create one VM that uses the GPU and then configure Kubernetes. In this case, Kubernetes will use the remaining available one GPU. |

+|**23.**|Custom script VM extension |There's a known issue in the Windows VMs that were created in an earlier release and the device was updated to 2103. <br> If you add a custom script extension on these VMs, the Windows VM Guest Agent (Version 2.7.41491.901 only) gets stuck in the update causing the extension deployment to time out. | To work around this issue: <br> 1. Connect to the Windows VM using remote desktop protocol (RDP). <br> 2. Make sure that the `waappagent.exe` is running on the machine: `Get-Process WaAppAgent`. <br> 3. If the `waappagent.exe` isn't running, restart the `rdagent` service: `Get-Service RdAgent` \| `Restart-Service`. Wait for 5 minutes.<br> 4. While the `waappagent.exe` is running, kill the `WindowsAzureGuest.exe` process. <br> 5. After you kill the process, the process starts running again with the newer version. <br> 6. Verify that the Windows VM Guest Agent version is 2.7.41491.971 using this command: `Get-Process WindowsAzureGuestAgent` \| `fl ProductVersion`.<br> 7. [Set up custom script extension on Windows VM](azure-stack-edge-gpu-deploy-virtual-machine-custom-script-extension.md). |

+|**24.**|Multi-Process Service (MPS) |When the device software and the Kubernetes cluster are updated, the MPS setting isn't retained for the workloads. |[Re-enable MPS](azure-stack-edge-gpu-connect-powershell-interface.md#connect-to-the-powershell-interface) and redeploy the workloads that were using MPS. |

+|**25.**|Wi-Fi |Wi-Fi doesn't work on Azure Stack Edge Pro 2 in this release. |

+|**26.**|Azure IoT Edge |The managed Azure IoT Edge solution on Azure Stack Edge is running on an older, obsolete IoT Edge runtime that is at end of life. For more information, see [IoT Edge v1.1 EoL: What does that mean for me?](https://techcommunity.microsoft.com/t5/internet-of-things-blog/iot-edge-v1-1-eol-what-does-that-mean-for-me/ba-p/3662137). Although the solution doesn't stop working past end of life, there are no plans to update it. |To run the latest version of Azure IoT Edge [LTSs](../iot-edge/version-history.md#version-history) with the latest updates and features on their Azure Stack Edge, we **recommend** that you deploy a [customer self-managed IoT Edge solution](azure-stack-edge-gpu-deploy-iot-edge-linux-vm.md) that runs on a Linux VM. For more information, see [Move workloads from managed IoT Edge on Azure Stack Edge to an IoT Edge solution on a Linux VM](azure-stack-edge-move-to-self-service-iot-edge.md). |

+|**27.**|AKS on Azure Stack Edge |In this release, you can't modify the virtual networks once the AKS cluster is deployed on your Azure Stack Edge cluster.| To modify the virtual network, you must delete the AKS cluster, then modify virtual networks, and then recreate AKS cluster on your Azure Stack Edge. |

+|**28.**|AKS Update |The AKS Kubernetes update might fail if one of the AKS VMs isn't running. This issue might be seen in the two-node cluster. |If the AKS update has failed, [Connect to the PowerShell interface of the device](azure-stack-edge-gpu-connect-powershell-interface.md). Check the state of the Kubernetes VMs by running `Get-VM` cmdlet. If the VM is off, run the `Start-VM` cmdlet to restart the VM. Once the Kubernetes VM is running, reapply the update. |

+|**29.**|Wi-Fi |Wi-Fi functionality for Azure Stack Edge Mini R is deprecated. | |

+|**30.**| Azure Storage Explorer | The Blob storage endpoint certificate that's autogenerated by the Azure Stack Edge device might not work properly with Azure Storage Explorer. | Replace the Blob storage endpoint certificate. For detailed steps, see [Bring your own certificates](azure-stack-edge-gpu-deploy-configure-certificates.md#bring-your-own-certificates). |

+|**31.**| Network connectivity | On a two-node Azure Stack Edge Pro 2 cluster with a teamed virtual switch for Port 1 and Port 2, if a Port 1 or Port 2 link is down, it can take up to 5 seconds to resume network connectivity on the remaining active port. If a Kubernetes cluster uses this teamed virtual switch for management traffic, pod communication may be disrupted up to 5 seconds. | |

+|**32.**| Virtual machine | After the host or Kubernetes node pool VM is shut down, there's a chance that kubelet in node pool VM fails to start due to a CPU static policy error. Node pool VM shows **Not ready** status, and pods won't be scheduled on this VM. | Enter a support session and ssh into the node pool VM, then follow steps in [Changing the CPU Manager Policy](https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#changing-the-cpu-manager-policy) to remediate the kubelet service. |

+## Next steps

+- [Update your device](azure-stack-edge-gpu-install-update.md).

+# Update your Azure Stack Edge Pro GPU

+The current version is Update 2407. This update installs two updates, the device update followed by Kubernetes updates.

+- Device software version: Azure Stack Edge 2407 (3.2.2754.1029).

+- Device Kubernetes version: Azure Stack Kubernetes Edge 2407 (3.2.2754.1029).

+- Device Kubernetes workload profile: Other workloads.

+- Kubernetes server version: v1.28.5.

+- Azure Arc version: 1.16.10.

+- GPU driver version: 535.161.08.

+For information on what's new in this update, go to [Release notes](azure-stack-edge-gpu-2407-release-notes.md).

+**To apply the 2407 update, your device must be running version 2403 or later.**

+- You can update to 2403 from 2303 or later, and then install 2407.

+| Current version of Azure Stack Edge software and Kubernetes | Upgrade to Azure Stack Edge software and Kubernetes | Desired update to 2407 |

+| 2303 | 2403 | 2407 |

+| 2309 | 2403 | 2407 |

+| 2312 | 2403 | 2407 |

+| 2403 | Directly to | 2407 |

+If you have Azure Kubernetes service deployed and your Azure Stack Edge device and Kubernetes versions are either 2207 or 2209, you must update in multiple steps to apply 2407.

+Use the following steps to update your Azure Stack Edge version and Kubernetes version to 2407:

+1. Update your device version to 2403.

+1. Update your Kubernetes version to 2403.

+1. Update both device software and Kubernetes to 2407.

+If you're running 2210 or 2301, you can update both your device version and Kubernetes version directly to 2403 and then to 2407.

+If you're running 2403, you can update both your device version and Kubernetes version directly to 2407.

+In Azure portal, the process requires two clicks, the first update gets your device version to 2403 and your Kubernetes version to 2210, and the second update gets your Kubernetes version upgraded to 2407.

+From the local UI, you'll have to run each update separately: update the device version to 2403, update Kubernetes version to 2210, update Kubernetes version to 2403, and then the third update gets both the device version and Kubernetes version to 2407.

+ 

+|Storage| 512 GB Hard Drive |

+|**Hardware profile** | C5600 |

+|**Physical Specifications** | Mounting: 1U with rail kit<br>Ports: 6x RJ45 1 GbE |

+## Dell PowerEdge R660 - Bill of materials

+|4| 370-AGZP | Memory capacity | 8 * 16 GB RDIMM, 4,800 MT/s single rank |

+|**Performance** | Max bandwidth: 25 Mbps <br> Max devices: 1,000 |

+|**Physical specifications** | Mounting: Small Form Factor <br> Ports: 1x1Gbps (builtin) and optional expansion PCIe cards for copper and SFP connectors <br> 1x RJ45 monitoring port|

+|**Physical specifications** | Mounting: 1U<br>Ports: 15x RJ45 or 8x SFP (optional)|

+|**C5600** | [HPE ProLiant DL360](appliance-catalog/hpe-proliant-dl360.md) <br><br><br><br> [Dell PowerEdge R660](appliance-catalog/dell-poweredge-r660.md) | **Max bandwidth**: 3 Gbps <br>**Max devices**: 12K <br> 16 core CPU/ 32G RAM/ 6 TB storage <br><br> **Max bandwidth**: 3 Gbps <br>**Max devices**: 12K <br> 20 core CPU/ 128G RAM/ 7.2 TB storage | **Mounting**: 1U with rail kit<br>**Ports**: 16x RJ45 or 8x SFP (optional) <br><br><br>**Mounting**: 1U with rail kit<br>**Ports**: 6x RJ45 1 GbE or SFP28 (optional) |

+|**E1800** | [HPE ProLiant DL20 Gen11](appliance-catalog/hpe-proliant-dl20-gen-11.md) <br>(4SFF)<br><br><br> [Dell PowerEdge R360](appliance-catalog/dell-poweredge-r360-e1800.md) | **Max bandwidth**: 1 Gbps<br>**Max devices**: 10K <br> 8 core CPU/ 32G RAM/ 2.4TB storage <br><br>**Max bandwidth**: 1 Gbps<br>**Max devices**: 10K <br> 8 core CPU/ 32G RAM/ 2.4TB storage | **Mounting**: 1U <br>**Ports**: 8x RJ45 or 6x SFP (OPT)<br><br><br> **Mounting**: 1U with rail kit<br>**Ports**: 8x RJ45 1 GbE |

+|**E500** | [Dell Edge 5200](appliance-catalog/dell-edge-5200.md) <br> (Rugged MIL-STD-810G) | **Max bandwidth**: 1 Gbps<br>**Max devices**: 10K <br> 8 core CPU/ 32G RAM/ 500GB storage | **Mounting**: Wall Mount<br>**Ports**: 3x RJ45 1Gbe |

+|**L500** | [HPE ProLiant DL20 Gen11 Plus](appliance-catalog/hpe-proliant-dl20-gen-11-nhp-2lff.md)<br> (NHP 2LFF) <br><br> [DELL XE4 SFF](appliance-catalog/dell-xe4-sff.md)| **Max bandwidth**: 200 Mbps<br>**Max devices**: 1,000 <br> 4 core CPU/ 16G RAM/ 1 TB storage <br> <br> **Max bandwidth**: 200 Mbps<br>**Max devices**: 1k <br> 6 core CPU/ 8G RAM/ 512GB storage | **Mounting**: 1U<br>**Ports**: 4x RJ45 <br><br><br>**Mounting**: Small form factor<br>**Ports**: 1x RJ45 |

+|**L100** | [YS-Techsystems YS-FIT2 ](appliance-catalog/ys-techsystems-ys-fit2.md)<br>(Rugged MIL-STD-810G) <br><br><br> [Dell Edge Gateway 3200](appliance-catalog/dell-edge-3200.md) | **Max bandwidth**: 10 Mbps <br>**Max devices**: 100 <br> 4 core CPU/ 8G RAM/ 128GB storage <br><br> **Max bandwidth**: 10 Mbps <br>**Max devices**: 100 <br> 4 core CPU/ 16G RAM/ 512GB storage | **Mounting**: DIN/VESA<br>**Ports**: 2x RJ45 <br><br><br> **Mounting**: 1U with rail kit<br>**Ports**: 6x RJ45 |

+- A Microsoft Entra tenant, and a platform engineer who can provide Microsoft Entra ID help and guidance

+ Title: Create a lab and allocate credit in the Azure Education Hub

+# Create a lab and allocate credit in the Azure Education Hub

+After you set up a lab in the Azure Education Hub, you can add students and allocate credits to them to deploy resources.

+If you're a teaching assistant or a professor for a course, be sure to inform students of this requirement so that their subscription appears in the Azure portal as expected.

+## Create a lab and invite students

+1. Create a lab and fill in the required information such as lab name and method to invite students.

+2. After you create the lab, you can begin inviting students to the lab

+3. Optionally, you can remove existing students by selecting **Remove** next to each student's name.

+4. When you finish, the students added will receive an invitation to join the lab.

+> [!IMPORTANT]

+> We use connection string to authenticate to Azure Relay namespace to keep the tutorial simple. We recommend that you use Microsoft Entra ID authentication in production environments. When using an application, you can enable managed identity for the application and assign the identity an appropriate role (Azure Relay Owner, Azure Relay Listener, or Azure Relay Sender) on the Relay namespace. For more information, see [Authenticate a managed identity with Microsoft Entra ID to access Azure Relay resources](../azure-relay/authenticate-managed-identity.md).

+> [!IMPORTANT]

+> We use connection string to authenticate to Azure Event Hubs namespace to keep the tutorial simple. We recommend that you use Microsoft Entra ID authentication in production environments. When using an application, you can enable managed identity for the application and assign the identity an appropriate role (Azure Event Hubs Owner, Azure Event Hubs Data Sender, or Azure Event Hubs Data Receiver) on the Event Hubs namespace. For more information, see [Authorize access to Event Hubs using Microsoft Entra ID](../event-hubs/authorize-access-azure-active-directory.md).

+ "eTag": "0000000000-0000-0000-0000-0000000000000",

+ "id": "000000000-0000-0000-0000-0000000000000",

+ "eTag": "0000000-0000-0000-0000-000000000000",

+ "id": "0000000-0000-0000-0000-00000000000",

+ Title: Manage access to the de-identification service (preview) with Azure role-based access control (RBAC) in Azure Health Data Services

+description: Learn how to manage access to the de-identification service (preview) using Azure role-based access control.

+# Use Azure role-based access control with the de-identification service (preview)

+Microsoft Entra ID authorizes access rights to secured resources through Azure role-based access control (RBAC). The de-identification service (preview) defines a set of built-in roles that encompass common sets of permissions used to access de-identification functionality.

+Microsoft Entra ID uses the concept of a security principal, which can be a user, a group, an application service principal, or a [managed identity for Azure resources](/entra/identity/managed-identities-azure-resources/overview).

+When an Azure role is assigned to a Microsoft Entra ID security principal over a specific scope, Azure grants access to that scope for that security principal. For more information about scopes, see [Understand scope for Azure RBAC](/azure/role-based-access-control/scope-overview).

+## Prerequisites

+- A de-identification service (preview) in your Azure subscription. If you don't have a de-identification service, follow the steps in [Quickstart: Deploy the de-identification service](quickstart.md).

+## Available built-in roles

+The de-identification service (preview) has the following built-in roles available:

+|Role |Description |

+|--||

+|DeID Data Owner |Full access to de-identification functionality. |

+|DeID Real-time Data User |Execute requests against de-identification API endpoints. |

+|DeID Batch Owner |Create and manage de-identification batch jobs. |

+|DeID Batch Reader |Read-only access to de-identification batch jobs. |

+## Assign a built-in role

+Keep in mind the following points about Azure role assignments with the de-identification service (preview):

+- When you create a de-identification service, you aren't automatically assigned permissions to access data via Microsoft Entra ID. You need to explicitly assign yourself an applicable Azure role. You can assign it at the level of your subscription, resource group, or de-identification service.

+- When roles are assigned, it can take up to 10 minutes for changes to take effect.

+- When the de-identification service is locked with an [Azure Resource Manager read-only lock](/azure/azure-resource-manager/management/lock-resources), the lock prevents the assignment of Azure roles that are scoped to the de-identification service.

+- When Azure deny assignments have been applied, your access might be blocked even if you have a role assignment. For more information, see [Understand Azure deny assignments](/azure/role-based-access-control/deny-assignments).

+You can use different tools to assign built-in roles.

+# [Azure portal](#tab/azure-portal)

+To use the de-identification service (preview), with Microsoft Entra ID credentials, a security principal must be assigned one of the built-in roles. To learn how to assign these roles to a security principal, follow the steps in [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal).

+# [Azure PowerShell](#tab/azure-powershell)

+To assign an Azure role to a security principal with PowerShell, call the [New-AzRoleAssignment](/powershell/module/az.resources/new-azroleassignment) command. In order to run the command, you must have a role that includes **Microsoft.Authorization/roleAssignments/write** permissions assigned to you at the corresponding scope or higher.

+The format of the command can differ based on the scope of the assignment, but `ObjectId` and `RoleDefinitionName` are required parameters. While the `Scope` parameter is optional, you should set it to retain the principle of least privilege. By limiting roles and scopes, you limit the resources that are at risk if the security principal is ever compromised.

+The scope for a de-identification service (preview) is in the form `/subscriptions/<Subscription ID>/resourceGroups/<Resource Group Name>/providers/Microsoft.HealthDataAIServices/deidServices/<Deidentification Service Name>`

+The example assigns the **DeID Data Owner** built-in role to a user, scoped to a specific de-identification service. Make sure to replace the placeholder values

+in angle brackets `<>` with your own values:

+```azurepowershell

+New-AzRoleAssignment

+ -SignInName <Email> `

+ -RoleDefinitionName "DeID Data Owner" `

+ -Scope "/subscriptions/<Subscription ID>/resourceGroups/<Resource Group Name>/providers/Microsoft.HealthDataAIServices/deidServices/<Deidentification Service Name>"

+```

+A successful response should look like:

+```

+console

+RoleAssignmentId : /subscriptions/<Subscription ID>/resourceGroups/<Resource Group Name>/providers/Microsoft.HealthDataAIServices/deidServices/<Deidentification Service Name>/providers/Microsoft.Authorization/roleAssignments/<Role Assignment ID>

+Scope : /subscriptions/<Subscription ID>/resourceGroups/<Resource Group Name>/providers/Microsoft.HealthDataAIServices/deidServices/<Deidentification Service Name>

+DisplayName : Mark Patrick

+SignInName : markpdaniels@contoso.com

+RoleDefinitionName : DeID Data Owner

+RoleDefinitionId : <Role Definition ID>

+ObjectId : <Object ID>

+ObjectType : User

+CanDelegate : False

+```

+For more information, see [Assign Azure roles using Azure PowerShell](/azure/role-based-access-control/role-assignments-powershell).

+# [Azure CLI](#tab/azure-pcli)

+To assign an Azure role to a security principal with Azure CLI, use the [az role assignment create](/cli/azure/role/assignment) command. In order to run the command, you must have a role that includes **Microsoft.Authorization/roleAssignments/write** permissions assigned to you at the corresponding scope or higher.

+The format of the command can differ based on the type of security principal, but `role` and `scope` are required parameters.

+The scope for a de-identification service (preview) is in the form `/subscriptions/<Subscription ID>/resourceGroups/<Resource Group Name>/providers/Microsoft.HealthDataAIServices/deidServices/<Deidentification Service Name>`

+The following example assigns the **DeID Data Owner** built-in role to a user, scoped to a specific de-identification service. Make sure to replace the placeholder values in angle brackets `<>` with your own values:

+```azurecli

+az role assignment create \

+ --assignee <Email> \

+ --role "DeID Data Owner" \

+ --scope "/subscriptions/<Subscription ID>/resourceGroups/<Resource Group Name>/providers/Microsoft.HealthDataAIServices/deidServices/<Deidentification Service Name>"

+```

+For more information, see [Assign Azure roles using Azure PowerShell](/azure/role-based-access-control/role-assignments-cli).

+# [ARM template](#tab/azure-resource-manager)

+To learn how to use an Azure Resource Manager template to assign an Azure role, see [Assign Azure roles using Azure Resource Manager templates](/azure/role-based-access-control/role-assignments-template).

+## Related content

+- [What is Azure role-based access control (Azure RBAC)?](/azure/role-based-access-control/overview)

+- [Best practices for Azure RBAC](/azure/role-based-access-control/best-practices)

+ Title: Use managed identities with the de-identification service (preview) in Azure Health Data Services

+description: Learn how to use managed identities with the Azure Health Data Services de-identification service (preview) using the Azure portal and ARM template.

+# Use managed identities with the de-identification service (preview)

+Managed identities provide Azure services with a secure, automatically managed identity in Microsoft Entra ID. Using managed identities eliminates the need for developers having to manage credentials by providing an identity. There are two types of managed identities: system-assigned and user-assigned. The de-identification service supports both.

+Managed identities can be used to grant the de-identification service (preview) access to your storage account for batch processing. In this article, you learn how to assign a managed identity to your de-identification service.

+## Prerequisites

+- Understand the differences between **system-assigned** and **user-assigned** described in [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview)

+- A de-identification service (preview) in your Azure subscription. If you don't have a de-identification service, follow the steps in [Quickstart: Deploy the de-identification service](quickstart.md).

+## Create an instance of the de-identification service (preview) in Azure Health Data Services with a system-assigned managed identity

+# [Azure portal](#tab/portal)

+1. Access the de-identification service (preview) settings in the Azure portal under the **Security** group in the left navigation pane.

+1. Select **Identity**.

+1. Within the **System assigned** tab, switch **Status** to **On** and choose **Save**.

+# [ARM template](#tab/azure-resource-manager)

+Any resource of type ``Microsoft.HealthDataAIServices/deidServices`` can be created with a system-assigned identity by including the following block in

+the resource definition:

+```json

+"identity": {

+ "type": "SystemAssigned"

+}

+```

+## Assign a user-assigned managed identity to a service instance

+# [Azure portal](#tab/portal)

+1. Create a user-assigned managed identity resource according to [these instructions](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities).

+1. In the navigation pane of your de-identification service (preview), scroll to the **Security** group.

+1. Select **Identity**.

+1. Select the **User assigned** tab, and then choose **Add**.

+1. Search for the identity you created, select it, and then choose **Add**.

+# [ARM template](#tab/azure-resource-manager)

+Any resource of type ``Microsoft.HealthDataAIServices/deidServices`` can be created with a user-assigned identity by including the following block in

+the resource definition, replacing **resource-id** with the Azure Resource Manager (ARM) resource ID of the desired identity:

+```json

+"identity": {

+ "type": "UserAssigned",

+ "userAssignedIdentities": {

+ "<resource-id>": {}

+ }

+}

+```

+## Supported scenarios using managed identities

+Managed identities assigned to the de-identification service (preview) can be used to allow access to Azure Blob Storage for batch de-identification jobs. The service acquires a token as

+the managed identity to access Blob Storage and de-identify blobs that match a specified pattern. For more information, including how to grant access to your managed identity,

+see [Quickstart: Azure Health De-identification client library for .NET](quickstart-sdk-net.md).

+## Clean-up steps

+When you remove a system-assigned identity, you delete it from Microsoft Entra ID. System-assigned identities are also automatically removed from Microsoft Entra ID

+when you delete the de-identification service (preview).

+# [Azure portal](#tab/portal)

+1. In the navigation pane of your de-identification service (preview), scroll down to the **Security** group.

+1. Select **Identity**, then follow the steps based on the identity type:

+ - **System-assigned identity**: Within the **System assigned** tab, switch **Status** to **Off**, and then choose **Save**.

+ - **User-assigned identity**: Select the **User assigned** tab, select the checkbox for the identity, and select **Remove**. Select **Yes** to confirm.

+# [ARM template](#tab/azure-resource-manager)

+Any resource of type ``Microsoft.HealthDataAIServices/deidServices`` can have system-assigned identities deleted and user-assigned identities unassigned by

+including this block in the resource definition:

+```json

+"identity": {

+ "type": "None"

+}

+```

+## Related content

+- [What are managed identities for Azure resources?](/azure/active-directory/managed-identities-azure-resources/overview)

+ Title: Overview of the de-identification service (preview) in Azure Health Data Services

+description: Learn how the de-identification service (preview) in Azure Health Data Services anonymizes clinical data, ensuring HIPAA compliance while retaining data relevance for research and analytics.

+# What is the de-identification service (preview)?

+The de-identification service (preview) in Azure Health Data Services enables healthcare organizations to anonymize clinical data so that the resulting data retains its clinical relevance and distribution while also adhering to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The service uses state-of-the-art machine learning models to automatically extract, redact, or surrogate 28 entities, including the HIPAA 18 Protected Health Information (PHI) identifiers ΓÇô from unstructured text such as clinical notes, transcripts, messages, or clinical trial studies.

+## Use de-identified data in research, analytics, and machine learning

+The de-identification service (preview) unlocks data that was previously difficult to de-identify so organizations can conduct research and derive insights from analytics. The de-identification service supports three operations: **tag**, **redact**, or **surrogate PHI**. The de-identification service offers many benefits, including:

+- **Surrogation**: Surrogation, or replacement, is a best practice for PHI protection. The service can replace PHI elements with plausible replacement values, resulting in data that is most representative of the source data. Surrogation strengthens privacy protections as any false-negative PHI values are hidden within a document.

+- **Consistent replacement**: Consistent surrogation results enable organizations to retain relationships occurring in the underlying dataset, which is critical for research, analytics, and machine learning. By submitting data in the same batch, our service allows for consistent replacement across entities and preserves the relative temporal relationships between events.

+- **Expanded PHI coverage**: The service expands beyond the 18 HIPAA Identifiers to provide stronger privacy protections and more fine-grained distinctions between entity types, such as distinguishing between Doctor and Patient.

+## De-identify clinical data securely and efficiently

+The de-identification service (preview) offers many benefits, including:

+- **PHI compliance**: The de-identification service is designed for protected health information (PHI). The service uses machine learning to identify PHI entities, including HIPAAΓÇÖs 18 identifiers, using the ΓÇ£TAGΓÇ¥ operation. The redaction and surrogation operations replace these identified PHI values with a tag of the entity type or a surrogate, or pseudonym. The service also meets all regional compliance requirements including HIPAA, GDPR, and the California Consumer Privacy Act (CCPA).

+- **Security**: The de-identification service is a stateless service. Customer data stays within the customerΓÇÖs tenant.

+- **Role-based Access Control (RBAC)**: Azure role-based access control (RBAC) enables you to manage how your organization's data is processed, stored, and accessed. You determine who has access to de-identify datasets based on roles you define for your environment.

+## Synchronous or asynchronous endpoints

+The de-identification service (preview) offers two ways to interact with the REST API or Client library (Azure SDK).

+- Directly submit raw unstructured text for analysis. The API output is returned in your application.

+- Submit a job to asynchronously endpoint process files in bulk from Azure Blob Storage using tag, redact, or surrogation with consistency within a job.

+## Input requirements and service limits

+The de-identification service (preview) is designed to receive unstructured text. To de-identify data stored in the FHIR&reg; service, see [Export deidentified data](/azure/healthcare-apis/fhir/deidentified-export).

+The following service limits are applicable during preview:

+- Requests can't exceed 50 KB.

+- Jobs can process no more than 1,000 documents.

+- Each document processed by a job can't exceed 2 MB.

+## Pricing

+As with other Azure Health Data Services, you pay only for what you use. You have a monthly allotment that enables you to try the product for free.

+| Transformation Operation (per MB) | Up to 50 MB | Over 50 MB |

+| - | | - |

+| Unstructured text de-identification | $0 | $0.05 |

+When you choose to store documents in Azure Blob Storage, you are charged based on Azure Storage pricing.

+## Responsible use of AI

+An AI system includes the technology, the people who use it, the people affected by it, and the environment where you deploy it. Read the transparency note for the de-identification service (preview) to learn about responsible AI use and deployment in your systems.

+## Related content

+[De-identification quickstart](quickstart.md)

+[Integration and responsible use](/legal/cognitive-services/language-service/guidance-integration-responsible-use?context=%2Fazure%2Fai-services%2Flanguage-service%2Fcontext%2Fcontext)

+[Data, privacy, and security](/legal/cognitive-services/language-service/data-privacy?context=%2Fazure%2Fai-services%2Flanguage-service%2Fcontext%2Fcontext)

+ Title: "Quickstart: Azure Health De-identification client library for .NET"

+description: A quickstart guide to de-identify health data with the .NET client library

+# Quickstart: Azure Health De-identification client library for .NET

+Get started with the Azure Health De-identification client library for .NET to de-identify your health data. Follow these steps to install the package and try out example code for basic tasks.

+[API reference documentation](/dotnet/api/azure.health.deidentification) | [Library source code](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/healthdataaiservices) | [Package (NuGet)](https://www.nuget.org/packages/Azure.Health.Deidentification) | [More Samples on GitHub](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/healthdataaiservices/Azure.Health.Deidentification/samples/README.md)

+## Prerequisites

+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+* An Azure Storage Account (only for job workflow).

+## Setting up

+### Create a de-identification service (preview)

+A de-identification service (preview) provides you with an endpoint URL. This endpoint url can be utilized as a Rest API or with an SDK.

+1. Install [Azure CLI](/cli/azure/install-azure-cli)

+2. Create a de-identification service resource

+ ```bash

+ REGION="<Region>"

+ RESOURCE_GROUP_NAME="<ResourceGroupName>"

+ DEID_SERVICE_NAME="<NewDeidServiceName>"

+ az resource create -g $RESOURCE_GROUP_NAME -n $DEID_SERVICE_NAME --resource-type microsoft.healthdataaiservices/deidservices --is-full-object -p "{\"identity\":{\"type\":\"SystemAssigned\"},\"properties\":{},\"location\":\"$REGION\"}"

+ ```

+

+### Create an Azure Storage Account

+1. Install [Azure CLI](/cli/azure/install-azure-cli)

+1. Create an Azure Storage Account

+ ```bash

+ STORAGE_ACCOUNT_NAME="<NewStorageAccountName>"

+ az storage account create --name $STORAGE_ACCOUNT_NAME --resource-group $RESOURCE_GROUP_NAME --location $REGION

+ ```

+### Authorize de-identification service (preview) on storage account

+- Give the de-identification service (preview) access to your storage account

+

+ ```bash

+ STORAGE_ACCOUNT_ID=$(az storage account show --name $STORAGE_ACCOUNT_NAME --resource-group $RESOURCE_GROUP_NAME --query id --output tsv)

+ DEID_SERVICE_PRINCIPAL_ID=$(az resource show -n $DEID_SERVICE_NAME -g $RESOURCE_GROUP_NAME --resource-type microsoft.healthdataaiservices/deidservices --query identity.principalId --output tsv)

+ az role assignment create --assignee $DEID_SERVICE_PRINCIPAL_ID --role "Storage Blob Data Contributor" --scope $STORAGE_ACCOUNT_ID

+ ```

+### Install the package

+The client library is available through NuGet, as the `Azure.Health.Deidentification` package.

+1. Install package

+

+ ```bash

+ dotnet add package Azure.Health.Deidentification

+ ```

+1. Also, install the Azure Identity package if not already installed.

+ ```bash

+ dotnet add package Azure.Identity

+ ```

+## Object model

+- [DeidentificationClient](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/healthdataaiservices/Azure.Health.Deidentification/src/Generated/DeidentificationClient.cs) is responsible for the communication between the SDK and our De-identification Service Endpoint.

+- [DeidentificationContent](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/healthdataaiservices/Azure.Health.Deidentification/src/Generated/DeidentificationContent.cs) is used for string de-identification.

+- [DeidentificationJob](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/healthdataaiservices/Azure.Health.Deidentification/src/Generated/DeidentificationJob.cs) is used to create jobs to de-identify documents in an Azure Storage Account.

+- [PhiEntity](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/healthdataaiservices/Azure.Health.Deidentification/src/Generated/PhiEntity.cs) is the span and category of a single PHI entity detected via a Tag OperationType.

+## Code examples

+- [Create a Deidentification Client](#create-a-deidentification-client)

+- [De-identify a string](#de-identify-a-string)

+- [Tag a string](#tag-a-string)

+- [Create a Deidentification Job](#create-a-deidentification-job)

+- [Get the status of a Deidentification Job](#get-the-status-of-a-deidentification-job)

+### Create a Deidentification Client

+Before you can create the client, you need to find your **deidentification service (preview) endpoint URL**.

+You can find the endpoint URL with the Azure CLI:

+```bash

+az resource show -n $DEID_SERVICE_NAME -g $RESOURCE_GROUP_NAME --resource-type microsoft.healthdataaiservices/deidservices --query properties.serviceUrl --output tsv

+```

+Then you can create the client using that value.

+```csharp

+using Azure.Identity;

+using Azure.Health.Deidentification;

+string serviceEndpoint = "https://example123.api.deid.azure.com";

+DeidentificationClient client = new(

+ new Uri(serviceEndpoint),

+ new DefaultAzureCredential()

+);

+```

+### De-identify a string

+This function allows you to de-identify any string you have in memory.

+```csharp

+DeidentificationContent content = new("SSN: 123-04-5678");

+DeidentificationResult result = await client.DeidentifyAsync(content);

+```

+### Tag a string

+Tagging can be done the same way and de-identifying by changing the `OperationType`.

+```csharp

+DeidentificationContent content = new("SSN: 123-04-5678");

+content.Operation = OperationType.Tag;

+DeidentificationResult result = await client.DeidentifyAsync(content);

+```

+### Create a Deidentification Job

+This function allows you to de-identify all files, filtered via prefix, within an Azure Blob Storage Account.

+To create the job, we need the URL to the blob endpoint of the Azure Storage Account.

+```bash

+az resource show -n $STORAGE_ACCOUNT_NAME -g $RESOURCE_GROUP_NAME --resource-type Microsoft.Storage/storageAccounts --query properties.primaryEndpoints.blob --output tsv

+```

+Now we can create the job. This example uses `folder1/` as the prefix. The job will de-identify any document that matches this prefix and write the de-identified version with the `output_files/` prefix.

+```csharp

+using Azure;

+Uri storageAccountUri = new("");

+DeidentificationJob job = new(

+ new SourceStorageLocation(new Uri(storageAccountUrl), "folder1/"),

+ new TargetStorageLocation(new Uri(storageAccountUrl), "output_files/")

+);

+job = client.CreateJob(WaitUntil.Started, "my-job-1", job).Value;

+```

+### Get the status of a Deidentification Job

+Once a job is created, you can view the status and other details of the job.

+```csharp

+DeidentificationJob job = client.GetJob("my-job-1").Value;

+```

+## Run the code

+Once your code is updated in your project, you can run it using:

+```bash

+dotnet run

+```

+## Clean up resources

+### Delete Deidentification Service

+```bash

+az resource delete -n $DEID_SERVICE_NAME -g $RESOURCE_GROUP_NAME --resource-type microsoft.healthdataaiservices/deidservices

+```

+### Delete Azure Storage Account

+```bash

+az resource show -n $STORAGE_ACCOUNT_NAME -g $RESOURCE_GROUP_NAME --resource-type Microsoft.Storage/storageAccounts

+```

+### Delete Role Assignment

+```bash

+az role assignment delete --assignee $DEID_SERVICE_PRINCIPAL_ID --role "Storage Blob Data Contributor" --scope $STORAGE_ACCOUNT_ID

+```

+## Troubleshooting

+### Unable to access source or target storage

+Ensure the permissions are given and the Managed Identity for the de-identification service (preview) is set up properly.

+See [Authorize Deidentification Service on Storage Account](#authorize-de-identification-service-preview-on-storage-account)

+### Job failed with status PartialFailed

+You can utilize the `GetJobDocuments` function on the `DeidentificationClient` to view per file error messages.

+See [Sample](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/healthdataaiservices/Azure.Health.Deidentification/tests/samples/Sample4_ListCompletedFiles.cs)

+## Next steps

+In this quickstart, you learned:

+- How to create a de-identification service (preview) and assign a role on a storage account.

+- How to create a Deidentification Client

+- How to de-identify strings and create jobs on documents within a storage account.

+> [!div class="nextstepaction"]

+> [View source code and .NET Client Library README](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/healthdataaiservices/Azure.Health.Deidentification)

+ Title: Quickstart - Deploy the de-identification service (preview) in Azure Health Data Services

+description: Get up and running quickly with the de-identification service (preview) in Azure Health Data Services.

+# Quickstart: Deploy the de-identification service (preview)

+In this quickstart, you deploy an instance of the de-identification service (preview) in your Azure subscription.

+## Prerequisites

+- If you don't have an Azure account, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- Register the `Microsoft.HealthDataAIServices` resource provider.

+## Deploy the de-identification service (preview)

+To deploy an instance of the de-identification service (preview), start at the Azure portal home page.

+1. Search for **de-identification** in the top search bar.

+1. Select **De-identification Services** in the search results.

+1. Select the **Create** button.

+## Complete the Basics tab

+In the **Basics** tab, you provide basic information for your de-identification service (preview).

+1. Fill in the **Project Details** section:

+ | Setting | Action |

+ |-|-|

+ | Subscription | Select your Azure subscription. |

+ | Resource group | Select **Create new** and enter **my-deid**. |

+1. Fill in the **Instance details** section:

+ | Setting | Action |

+ |-|-|

+ | Name | Name your de-identification service. |

+ | Location | Select a supported Azure region. |

+## Complete the Tags tab (optional)

+Tags are name-value pairs. You can assign the same tag to multiple resources and resource groups to categorize resources and consolidate billing. In this quickstart, you don't need to add any tags.

+For more information, see [Use tags to organize your Azure resources](/azure/azure-resource-manager/management/tag-resources) and [Logging](../logging.md).

+## Complete the Managed Identity tab (optional)

+In the **Managed Identity** tab, you can assign a managed identity to your de-identification service (preview). For more information, see [managed identities](managed-identities.md).

+1. To create a system-assigned managed identity, select **On** under **Status**.

+1. To add a user-assigned managed identity, select **Add** to use the selection pane to choose an existing identity to assign.

+## Review and create

+After you complete the configuration, you can deploy the de-identification service (preview).

+1. Select **Next: Review + create** to review your choices.

+1. Select **Create** to start the deployment of your de-identification service. After the deployment is complete, select **Go to resource** to view your service.

+## Clean up resources

+If you no longer need them, delete the resource group and de-identification service (preview). To do so, select the resource group and select **Delete**.

+## Related content

+[De-identification service overview](overview.md)

+ Title: Upload files from your device to the cloud with Azure IoT Hub

+description: How to upload files from a device to the cloud using the Azure IoT SDKs for C#, Python, Java, and Node.js.

+zone_pivot_groups: iot-hub-howto-c2d-1

+# Upload files from a device to the cloud with Azure IoT Hub

+This article demonstrates how to:

+* Use file upload capabilities of IoT Hub to upload a file to Azure Blob Storage, using an Azure IoT device and service SDKs.

+* Notify IoT Hub that the file was successfully uploaded and create a backend service to receive file upload notifications from IoT Hub, using the Azure IoT service SDKs.

+In some scenarios, you can't easily map the data your devices send into the relatively small device-to-cloud messages that IoT Hub accepts. The file upload capabilities in IoT Hub enable you to move large or complex data to the cloud. For example:

+* Videos

+* Large files that contain images

+* Vibration data sampled at high frequency

+* Some form of preprocessed data

+These files are typically batch processed in the cloud, using tools such as [Azure Data Factory](../data-factory/introduction.md) or the [Hadoop](../hdinsight/index.yml) stack. When you need to upload files from a device, you can still use the security and reliability of IoT Hub. This article shows you how.

+This article is meant to complement runnable SDK samples that are referenced from within this article.

+For more information, see:

+* [Overview of file uploads with IoT Hub](iot-hub-devguide-file-upload.md)

+* [Introduction to Azure Blob Storage](../storage/blobs/storage-blobs-introduction.md)

+* [Azure IoT SDKs](iot-hub-devguide-sdks.md)

+## Prerequisites

+* **An IoT hub**. Some SDK calls require the IoT Hub primary connection string, so make a note of the connection string.

+* **A registered device**. Some SDK calls require the device primary connection string, so make a note of the connection string.

+* IoT Hub **Service Connect** permission - To receive file upload notification messages, your backend service needs the **Service Connect** permission. By default, every IoT Hub is created with a shared access policy named **service** that grants this permission. For more information, see [Connect to an IoT hub](/azure/iot-hub/create-hub?&tabs=portal#connect-to-an-iot-hub).

+* Configure file upload in your IoT hub by linking an **Azure Storage account** and **Azure Blob Storage container**. You can configure these using the [Azure portal](/azure/iot-hub/iot-hub-configure-file-upload), [Azure CLI](/azure/iot-hub/iot-hub-configure-file-upload-cli), or [Azure PowerShell](/azure/iot-hub/iot-hub-configure-file-upload-powershell).

+ Title: How to manage devices and modules using twins

+description: Use the Azure portal and Azure CLI to query and update device twins and module twins in your Azure IoT hub.

+# How to view and update devices based on device twin properties

+Use the Azure portal and Azure CLI to manage devices through device twins and module twins. This article focuses on device twins for simplicity, but all of the concepts and processes work in a similar way for module twins.

+This article describes device twin management tasks available in the Azure portal or Azure CLI to manage device twins remotely. For information about developing device applications to handle device twin changes, see [Get started with device twins](./device-twins-dotnet.md).

+In IoT Hub, a *device twin* is a JSON document that stores state information. Every *device identity* is automatically associated with a device twin when it's created. A backend app or user can update two elements of a device twin:

+* *Desired properties*: Desired properties are half of a linked set of state information. A backend app or user can update the desired properties on a twin to communicate a desired state change, while a device can update the *reported properties* to communicate its current state.

+* *Tags*: You can use device twin tags to organize and manage devices in your IoT solutions. You can set tags for any meaningful category, like device type, location, or function.

+For more information, see [Understand and use device twins in IoT Hub](./iot-hub-devguide-device-twins.md) or [Understand and use module twins in IoT Hub](./iot-hub-devguide-module-twins.md).

+## Prerequisites

+Prepare the following prerequisites before you begin.

+### [Azure portal](#tab/portal)

+* An IoT hub in your Azure subscription. If you don't have a hub yet, follow the steps in [Create an IoT hub](create-hub.md).

+* A device registered in your IoT hub. If you don't have a device in your IoT hub, follow the steps in [Register a device](create-connect-device.md#register-a-device).

+### [Azure CLI](#tab/cli)

+* The Azure CLI, version 2.36 or later. To find the version, run `az --version`. To install or upgrade the Azure CLI, see [Install Azure CLI](/cli/azure/install-azure-cli).

+ You can also run the commands in this article using the [Azure Cloud Shell](../cloud-shell/overview.md), an interactive CLI shell that runs in your browser or in an app such as Windows Terminal. If you use the Cloud Shell, you don't need to install anything.

+* An IoT hub in your Azure subscription. If you don't have a hub yet, follow the steps in [Create an IoT hub](create-hub.md).

+* A device registered in your IoT hub. If you don't have a device in your IoT hub, follow the steps in [Register a device](create-connect-device.md#register-a-device).

+## Understand tags for device organization

+Device twin tags can be used as a powerful tool to help you organize your devices. When you have multiple kinds of devices within your IoT solutions, you can use tags to set types, locations, etc. For example:

+```json

+{

+ "deviceId": "mydevice1",

+ "status": "enabled",

+ "connectionState": "Connected",

+ "cloudToDeviceMessageCount": 0,

+ "authenticationType": "sas",

+ "tags": {

+ "deploymentLocation": {

+ "building": "43",

+ "floor": "1"

+ },

+ "deviceType":"HDCamera"

+ },

+ "properties": {

+ ...

+ }

+}

+```

+## View and update device twins

+Once a device identity is created, a device twin is implicitly created in IoT Hub. You can use the Azure portal or Azure CLI to retrieve the device twin of a given device. You can also add, edit, or remove tags and desired properties.

+### [Azure portal](#tab/portal)

+1. In the [Azure portal](https://portal.azure.com), navigate to your IoT hub.

+1. In your IoT hub, select **Devices** from the **Device management** section of the navigation menu.

+ On the **Devices** page, you see a list of all devices registered in your IoT hub. If any of the devices already have tags in their device twins, those tags are shown in the **Tags** column.

+1. Select the name of the device that you want to manage.

+ >[!TIP]

+ >If you're updating tags, you can select multiple devices then select **Assign tags** to manage them as a group.

+ >

+ >:::image type="content" source="./media/manage-device-twins/multi-select-assign-tags.png" alt-text="A screenshot that shows selecting multiple devices in the Azure portal to assign tags as a group.":::

+1. The device details page displays any current tags for the selected device. Select **edit** next to the **Tags** parameter to add, update, or remove tags.

+ :::image type="content" source="./media/manage-device-twins/edit-tags.png" alt-text="A screenshot that shows opening the tags editing option in the Azure portal.":::

+ >[!TIP]

+ >To add or update nested tags, select the **Advanced** tab and provide the JSON.

+ >

+ >:::image type="content" source="./media/manage-device-twins/edit-tags-advanced.png" alt-text="A screenshot that shows using the advanced tags editor to provide JSON text.":::

+1. Select **Device twin** to view and update the device twin JSON.

+ You can type directly in the text box to update tags or desired properties. To remove a tag or desired property, set the value of the item to `null`.

+1. Select **Save** to save your changes.

+1. Back on the device details page, select **Refresh** to update the page to reflect your changes.

+If your device has any module identities associated with it, those modules are displayed on the device details page as well. Select a module name, then select **Module identity twin** to view and update the module twin JSON.

+### [Azure CLI](#tab/cli)

+Use the [az iot hub device-twin](/cli/azure/iot/hub/device-twin) or [az iot hub module-twin](/cli/azure/iot/hub/module-twin) sets of commands to view and update twins.

+The [az iot hub device-twin show](/cli/azure/iot/hub/device-twin#az-iot-hub-device-twin-show) command returns the device twin JSON. For example:

+```azurecli-interactive

+az iot hub device-twin show --device-id <DEVICE_ID> --hub-name <IOTHUB_NAME>

+```

+The [az iot hub device-twin update](/cli/azure/iot/hub/device-twin#az-iot-hub-device-twin-update) command patches tags or desired properties in a device twin. For example:

+```azurecli-interactive

+az iot hub device-twin update --device-id <DEVICE_ID> --hub-name <IOTHUB_NAME> --tags <INLINE_JSON_OR_PATH_TO_JSON_FILE>

+```

+The [az iot hub device-twin replace](/cli/azure/iot/hub/device-twin#az-iot-hub-device-twin-replace) command replaces an entire device twin. For example:

+```azurecli-interactive

+az iot hub device-twin replace --device-id <DEVICE_ID> --hub-name <IOTHUB_NAME> --json <INLINE_JSON_OR_PATH_TO_JSON_FILE>

+```

+>[!TIP]

+>If you're using PowerShell, add a backslash `\` to escape any double quotes. For example: `--tags '{\"country\":\"US\"}'`.

+## Query for device twins

+IoT Hub exposes the device twins for your IoT hub as a document collection called **devices**. You can query devices based on their device twin values.

+This section describes how to run twin queries in the Azure portal and Azure CLI. To learn how to write twin queries, see [Queries for IoT Hub device and module twins](./query-twins.md).

+### [Azure portal](#tab/portal)

+1. In the [Azure portal](https://portal.azure.com), navigate to your IoT hub.

+1. In your IoT hub, select **Devices** from the **Device management** section of the navigation menu.

+1. You can either use a filter or a query to find devices based on their device twin details:

+ * **Find devices using a filter**:

+ 1. Finding devices using a filter is the default view in the Azure portal. If you don't see these fields, select **Find devices using a filter**.

+ 1. Select **Add filter**, and then select **Device tag** as the filter type from the drop-down menu.

+ 1. Enter the desired tag name and value, select **Apply** to retrieve the list of devices that matches the criteria.

+ :::image type="content" source="./media/manage-device-twins/filter-device-twin-tags.png" alt-text="Screenshot of filtering devices with tags.":::

+ * **Find devices using a query**:

+ 1. Select **Find devices using a query**.

+ 1. Enter your query into the text box, then select **Run query**.

+ :::image type="content" source="./media/manage-device-twins/run-query.png" alt-text="Screenshot that shows using the device query filter in the Azure portal.":::

+### [Azure CLI](#tab/cli)

+Use the [az iot hub query](/cli/azure/iot/hub#az-iot-hub-query) command to return device information based on device twin or module twin queries.

+```azurecli

+az iot hub query --hub-name <IOTHUB_NAME> --query-command "SELECT * FROM devices WHERE <QUERY_TEXT>"

+```

+The same `query` command can query module twins by adjusting the query command.

+```azurecli

+az iot hub query --hub-name <IOTHUB_NAME> --query-command "SELECT * FROM devices.modules WHERE <QUERY_TEXT>"

+```

+## Update device twins using jobs

+The *jobs* capability can execute device twin updates against a set of devices at a scheduled time. For more information, see [Schedule jobs on multiple devices](./iot-hub-devguide-jobs.md).

+### [Azure portal](#tab/portal)

+Jobs aren't supported in the Azure portal. Instead, use the Azure CLI.

+### [Azure CLI](#tab/cli)

+Use the [az iot hub job](/cli/azure/iot/hub/job) set of commands to create, view, or cancel jobs.

+For example, the following command updates desired twin properties on a set of devices at a specific time:

+```azurecli

+az iot hub job create --job-id <JOB_NAME> --job-type scheduleUpdateTwin -n <IOTHUB_NAME> --twin-patch <INLINE_JSON_OR_PATH_TO_JSON_FILE> --start-time "<ISO_8601_DATETIME>" --query-condition "<QUERY_TEXT>"

+```

+>[!TIP]

+>If you're using PowerShell, add a backslash `\` to escape any double quotes. For example: `--tags '{\"country\":\"US\"}'`.

+ Title: Convert data by using dataflow conversions

+# Convert data by using dataflow conversions

+The dataflow conversion element is used to compute values for output fields:

+* **Reference to input fields:** How to reference values from input fields in the conversion formula.

+* **Available operations:** Operations that can be utilized in conversions. For example, addition, subtraction, multiplication, and division.

+* **Data types:** Types of data that a formula can process and manipulate. For example, integer, floating point, and string.

+* **Type conversions:** How data types are converted between the input field values, the formula evaluation, and the output fields.

+In this example, the conversion results in an array containing the values of `[Max, Min, Mid.Avg, Mid.Mean]`. The comments in the YAML file (`# - $1`, `# - $2`) are optional, but they help to clarify the connection between each field property and its role in the conversion formula.

+Different serialization formats support various data types. For instance, JSON offers a few primitive types: string, number, Boolean, and null. Also included are arrays of these primitive types. In contrast, other serialization formats like Avro have a more complex type system, including integers with multiple bit field lengths and timestamps with different resolutions. Examples are milliseconds and microseconds.

+| Type | Description |

+||-|

+| `bool` | Logical true/false. |

+| `integer` | Stored as 128-bit signed integer. |

+| `float` | Stored as 64-bit floating point number. |

+| `string` | A UTF-8 string. |

+| `bytes` | Binary data, a string of 8-bit unsigned values. |

+| `datetime` | UTC or local time with nanosecond resolution. |

+| `time` | Time of day with nanosecond resolution. |

+| `duration` | A duration with nanosecond resolution. |

+| `array` | An array of any types listed previously. |

+| `map` | A vector of (key, value) pairs of any types listed previously. |

+* **Avro** `UUID` **type**: It's converted to a `string` because there's no specific `UUID` type in the internal representation.

+* **Avro** `decimal` **type**: It isn't supported by the mapper, so fields of this type can't be included in mappings.

+* **Avro** `duration` **type**: Conversion can vary. If the `months` field is set, it's unsupported. If only `days` and `milliseconds` are set, it's converted to the internal `duration` representation.

+For some formats, surrogate types are used. For example, JSON doesn't have a `datetime` type and instead stores `datetime` values as strings formatted according to ISO8601. When the mapper reads such a field, the internal representation remains a string.

+The mapper is designed to be flexible by converting internal types into output types to accommodate scenarios where data comes from a serialization format with a limited type system. The following examples show how conversions are handled:

+* **Numeric types:** These types can be converted to other representations, even if it means losing precision. For example, a 64-bit floating-point number (`f64`) can be converted into a 32-bit integer (`i32`).

+* **Strings to numbers:** If the incoming record contains a string like `123` and the output field is a 32-bit integer, the mapper converts and writes the value as a number.

+* **Strings to other types:**

+ * If the output field is `datetime`, the mapper attempts to parse the string as an ISO8601 formatted `datetime`.

+ * If the output field is `binary/bytes`, the mapper tries to deserialize the string from a base64-encoded string.

+* **Boolean values:**

+ * Converted to `0`/`1` if the output field is numerical.

+ * Converted to `true`/`false` if the output field is string.

+Although the automatic conversions operate as you might expect based on common implementation practices, there are instances where the right conversion can't be determined automatically and results in an *unsupported* error. To address these situations, several conversion functions are available to explicitly define how data should be transformed. These functions provide more control over how data is converted and help maintain data integrity even when automatic methods fall short.

+### Use a conversion formula with types

+In mappings, an optional formula can specify how data from the input is processed before being written to the output field. If no formula is specified, the mapper copies the input field to the output by using the internal type and conversion rules.

+* Arrays of the preceding types

+`Map` and `byte` can't participate in formulas.

+Types related to time (`datetime`, `time`, and `duration`) are converted into integer values that represent time in seconds. After formula evaluation, results are stored in the internal representation and not converted back. For example, `datetime` converted to seconds remains an integer. If the value will be used in `datetime` fields, an explicit conversion method must be applied. An example is converting the value into an ISO8601 string that's automatically converted to the `datetime` type of the output serialization format.

+### Use irregular types

+Special considerations apply to types like arrays and *missing value*.

+Arrays can be processed by using aggregation functions to compute a single value from multiple elements. For example, by using the input record:

+This configuration selects the smallest value from the `Measurements` array for the output field.

+It's also possible to use functions that result in a new array:

+This mapping creates an array that contains the minimum, maximum, average, and mean.

+Missing value is a special type used in scenarios, such as:

+Example mapping that uses a missing value:

+The input record contains the `BaseSalary` field, but possibly that's optional. Let's say that if the field is missing, a value must be added from a contextualization dataset:

+A mapping can check if the field is present in the input record. If the field is found, the output receives that existing value. Otherwise, the output receives the value from the context dataset. For example:

+* The first parameter is a condition. In the example, it checks if the `BaseSalary` field of the input field (aliased as `$1`) is the missing value.

+Functions can be used in the conversion formula to perform various operations:

+* String manipulation (for example, `uppercase()`)

+* Explicit conversion (for example, `ISO8601_datetime`)

+* Aggregation (for example, `avg()`)

+Dataflows offer a wide range of out-of-the-box conversion functions that allow users to easily perform unit conversions without the need for complex calculations. These predefined functions cover common conversions such as temperature, pressure, length, weight, and volume. The following list shows the available conversion functions, along with their corresponding formulas and function names:

+| Conversion | Formula | Function name |

+| Celsius to Fahrenheit | F = (C * 9/5) + 32 | `cToF` |

+| PSI to bar | Bar = PSI * 0.0689476 | `psiToBar` |

+| Inch to cm | Cm = inch * 2.54 | `inToCm` |

+| Foot to meter | Meter = foot * 0.3048 | `ftToM` |

+| Lbs to kg | Kg = lbs * 0.453592 | `lbToKg` |

+| Gallons to liters | Liters = gallons * 3.78541 | `galToL` |

+| Conversion | Formula | Function name |

+| Fahrenheit to Celsius | C = (F - 32) * 5/9 | `fToC` |

+| Bar to PSI | PSI = bar / 0.0689476 | `barToPsi` |

+| Cm to inch | Inch = cm / 2.54 | `cmToIn` |

+| Meter to foot | Foot = meter / 0.3048 | `mToFt` |

+| Kg to lbs | Lbs = kg / 0.453592 | `kgToLb` |

+| Liters to gallons | Gallons = liters / 3.78541 | `lToGal` |

+These functions are designed to simplify the conversion process. They allow users to input values in one unit and receive the corresponding value in another unit effortlessly.

+We also provide a scaling function to scale the range of value to the user-defined range. For the example `scale($1,0,10,0,100)`, the input value is scaled from the range 0 to 10 to the range 0 to 100.

+Moreover, users have the flexibility to define their own conversion functions by using simple mathematical formulas. Our system supports basic operators such as addition (`+`), subtraction (`-`), multiplication (`*`), and division (`/`). These operators follow standard rules of precedence. For example, multiplication and division are performed before addition and subtraction. Precedence can be adjusted by using parentheses to ensure the correct order of operations. This capability empowers users to customize their unit conversions to meet specific needs or preferences, enhancing the overall utility and versatility of the system.

+### Available arithmetic, comparison, and Boolean operators grouped by precedence

+Because `Exponentiation` has the highest precedence, it's executed first unless parentheses override this order:

+* `-$1 * 2` negates `$1` first, and then multiplies.

+* `-($1 * 2)` multiplies, and then negates the result.

+`Addition` and `Subtraction` are considered weaker operations compared to the operations in the previous group:

+* `$1 + 2 * 3` results in `$1 + 6` because `2 * 3` is executed first because of the higher precedence of `multiplication`.

+* `($1 + 2) * 3` prioritizes `Addition` before `Multiplication`.

+`Comparisons` operate on numeric, Boolean, and string values. Because they have lower precedence than arithmetic operators, no parentheses are needed to compare results effectively:

+ Title: Enrich data by using dataflows

+# Enrich data by using dataflows

+You can enrich data by using the *contextualization datasets* function. When incoming records are processed, you can query these datasets based on conditions that relate to the fields of the incoming record. This capability allows for dynamic interactions. Data from these datasets can be used to supplement information in the output fields and participate in complex calculations during the mapping process.

+The mapper accesses the reference dataset stored in the Azure IoT Operations [distributed state store (DSS)](../create-edge-apps/concept-about-state-store-protocol.md) by using a key value based on a *condition* specified in the mapping configuration. Key names in the DSS correspond to a dataset in the dataflow configuration.

+* **Data request:** The mapper sends a request to the DSS to retrieve the dataset stored under the key `Position`.

+* **Record matching:** The mapper then queries this dataset to find the first record where the `Position` field in the dataset matches the `Position` field of the incoming record.

+In this example, the `WorkingHours` field is added to the output record, while the `BaseSalary` is used conditionally only when the incoming record doesn't contain the `BaseSalary` field (or the value is `null` if it's a nullable field). The request for the contextualization data doesn't happen with every incoming record. The mapper requests the dataset and then it receives notifications from DSS about the changes, while it uses a cached version of the dataset.

+The input references use the key of the dataset like `position` or `permission`. If the key in DSS is inconvenient to use, you can define an alias:

+The configuration renames the dataset with the key `datasets.parag10.rule42` to `position`.

+ Title: Map data by using dataflows

+# Map data by using dataflows

+* **Fields renamed**: The `Birth Date` field is now `Date of Birth`.

+* **Fields restructured**: Both `Name` and `Date of Birth` are grouped under the new `Employee` category.

+* **Field deleted**: The `Place of birth` field is removed because it isn't present in the output.

+* **Field added**: The `Base Salary` field is a new field in the `Employment` category.

+* **Field values changed or merged**: The `Position` field in the output combines the `Position` and `Office` fields from the input.

+The transformations are achieved through *mapping*, which typically involves:

+* **Conversion (optional)**: Modifying the input fields to fit into the output fields. Conversion is required when multiple input fields are combined into a single output field.

+The following mapping is an example:

+* **One-to-one mapping**: `BirthDate` is directly mapped to `Employee.DateOfBirth` without conversion.

+* **Contextual data**: `BaseSalary` is added from a contextual dataset named `position`.

+Field references show how to specify paths in the input and output by using dot notation like `Employee.DateOfBirth` or accessing data from a contextual dataset via `$context(position)`.

+These selectors allow mappings to integrate extra data from external databases, which are referred to as *contextualization datasets*.

+## Dot notation

+Dot notation is widely used in computer science to reference fields, even recursively. In programming, field names typically consist of letters and numbers. A standard dot-notation sample might look like this example:

+In a dataflow, a path described by dot notation might include strings and some special characters without needing escaping:

+In other cases, escaping is necessary:

+The previous example, among other special characters, contains dots within the field name. Without escaping, the field name would serve as a separator in the dot notation itself.

+* Dots (`.`) act as field separators.

+* Single quotation marks, when placed at the beginning or the end of a segment, start an escaped section where dots aren't treated as field separators.

+The path definition must also adhere to the rules of YAML. When a character with special meaning is included in the path, proper quoting is required in the configuration. Consult the YAML documentation for precise rules. Here are some examples that demonstrate the need for careful formatting:

+ - ':Person:.:name:' # ':' cannot be used as the first character without single quotation marks

+ - '100 celsius.hot' # numbers followed by text would not be interpreted as a string without single quotation marks

+In the previous example, the path consists of three segments: `Payload`, `Tag.10`, and `Value`. The outer single quotation marks (`'`) are necessary because of YAML syntax rules, which allow the inclusion of double quotation marks within the string.

+* **Escape each segment separately:** If multiple segments contain dots, those segments must be enclosed in double quotation marks. Other segments can also be quoted, but it doesn't affect the path interpretation:

+ ```yaml

+ - inputs:

+ - 'Payload."Tag.10".Measurements."Vibration.$12".Value'

+ ```

+

+* **Proper use of double quotation marks:** Double quotation marks must open and close an escaped segment. Any quotation marks in the middle of the segment are considered part of the field name:

+ ```yaml

+ - inputs:

+ - 'Payload.He said: "Hello", and waved'

+ ```

+ This example defines two fields in `dataDestination`: `Payload` and `He said: "Hello", and waved`. When a dot appears under these circumstances, it continues to serve as a separator:

+

+ ```yaml

+ - inputs:

+ - 'Payload.He said: "No. It's done"'

+ ```

+

+ In this case, the path is split into the segments `Payload`, `He said: "No`, and `It's done"` (starting with a space).

+

+* If the first character of a segment is a quotation mark, the parser searches for the next quotation mark. The string enclosed between these quotation marks is considered a single segment.

+* If the segment doesn't start with a quotation mark, the parser identifies segments by searching for the next dot or the end of the path.

+In many scenarios, the output record closely resembles the input record, with only minor modifications required. When you deal with records that contain numerous fields, manually specifying mappings for each field can become tedious. Wildcards simplify this process by allowing for generalized mappings that can automatically apply to multiple fields.

+* **Pattern matching**: The asterisk can match a single segment or multiple segments of a path. It serves as a placeholder for any segments in the path.

+* **Field matching**: During the mapping process, the algorithm evaluates each field in the input record against the pattern specified in the `inputs`. The asterisk in the previous example matches all possible paths, effectively fitting every individual field in the input.

+* **Captured segment**: The portion of the path that the asterisk matches is referred to as the `captured segment`.

+* **Output mapping**: In the output configuration, the `captured segment` is placed where the asterisk appears. This means that the structure of the input is preserved in the output, with the `captured segment` filling the placeholder provided by the asterisk.

+Mapping configuration that uses wildcards:

+When you place a wildcard, you must follow these rules:

+* **Single asterisk per dataDestination:** Only one asterisk (`*`) is allowed within a single path.

+* **Full segment matching:** The asterisk must always match an entire segment of the path. It can't be used to match only a part of a segment, such as `path1.partial*.path3`.

+* **Positioning:** The asterisk can be positioned in various parts of `dataDestination`:

+ * **At the beginning:** `*.path2.path3` - Here, the asterisk matches any segment that leads up to `path2.path3`.

+ * **In the middle:** `path1.*.path3` - In this configuration, the asterisk matches any segment between `path1` and `path3`.

+ * **At the end:** `path1.path2.*` - The asterisk at the end matches any segment that follows after `path1.path2`.

+Original JSON:

+Mapping configuration that uses wildcards:

+If you use multi-input wildcards, the asterisk (`*`) must consistently represent the same `Captured Segment` across every input. For example, when `*` captures `Saturation` in the pattern `*.Max`, the mapping algorithm expects the corresponding `Saturation.Min` to match with the pattern `*.Min`. Here, `*` is substituted by the `Captured Segment` from the first input, guiding the matching for subsequent inputs.

+Initial mapping configuration that uses wildcards:

+This initial mapping tries to build an array (for example, for `Opacity`: `[0.88, 0.91, 0.89, 0.89]`). This configuration fails because:

+Because `Avg` and `Mean` are nested within `Mid`, the asterisk in the initial mapping doesn't correctly capture these paths.

+This revised mapping accurately captures the necessary fields. It correctly specifies the paths to include the nested `Mid` object, which ensures that the asterisks work effectively across different levels of the JSON structure.

+### Second rule vs. specialization

+When you use the previous example from multi-input wildcards, consider the following mappings that generate two derived values for each property:

+This mapping is intended to create two separate calculations (`Avg` and `Diff`) for each property under `ColorProperties`. This example shows the result:

+- Include both mappings for `Opacity`. Because the output fields are different in this example, they wouldn't override each other.

+Consider a special case for the same fields to help decide the right action:

+* If a new mapping resolves to the same fields as a previous rule, the following conditions apply:

+ * A `Rank` is calculated for each resolved input based on the number of segments the wildcard captures. For instance, if the `Captured Segments` are `Properties.Opacity`, the `Rank` is 2. If it's only `Opacity`, the `Rank` is 1. A mapping without wildcards has a `Rank` of 0.

+ * Otherwise, the dataflow treats the configuration as a `Specialization`.

+For example, the mapping that directs `Opacity.Max` and `Opacity.Min` to an empty output has a `Rank` of 0. Because the second rule has a lower `Rank` than the previous one, it's considered a specialization and overrides the previous rule, which would calculate a value for `Opacity`.

+Now, let's see how contextualization datasets can be used with wildcards through an example. Consider a dataset named `position` that contains the following record:

+This mapping copies `BaseSalary` from the context dataset directly into the `Employment` section of the output record. If you want to automate the process and include all fields from the `position` dataset into the `Employment` section, you can use wildcards:

+Deep learning has numerous use cases in fields ranging from [language modeling](../ai-services/openai/concepts/models.md) to [protein folding](https://www.deepmind.com/research/highlighted-research/alphafold), among many others. Time series forecasting also benefits from recent advances in deep learning technology. For example, deep neural network (DNN) models feature prominently in the top performing models from the [fourth](https://www.uber.com/blog/m4-forecasting-competition/) and [fifth](https://www.sciencedirect.com/science/article/pii/S0169207021001874) iterations of the high-profile Makridakis forecasting competition.

+In this article, we describe the structure and operation of the TCNForecaster model in AutoML to help you best apply the model to your scenario.

+TCNForecaster is a [temporal convolutional network](https://arxiv.org/abs/1803.01271), or TCN, which has a DNN architecture designed for time series data. The model uses historical data for a target quantity, along with related features, to make probabilistic forecasts of the target up to a specified forecast horizon. The following image shows the major components of the TCNForecaster architecture:

+* A **pre-mix** layer that mixes the input time series and feature data into an array of signal **channels** that the convolutional stack processes.

+The dashed lines show paths through the network that end on the output at a time $t$. These paths cover the last eight points in the input, illustrating that each output point is a function of the eight most relatively recent points in the input. The length of history, or "look back," that a convolutional network uses to make predictions is called the **receptive field** and it's determined completely by the TCN architecture.

+Where $W_{e}$ is an [embedding](https://huggingface.co/blog/getting-started-with-embeddings) matrix for the categorical features, $n_{l} = n_{b}n_{c}$ is the total number of residual cells, the $H_{k}$ denote hidden layer outputs, and the $f_{q}$ are forecast outputs for given quantiles of the prediction distribution. To aid understanding, the dimensions of these variables are in the following table:

+In this section, we describe how AutoML builds TCNForecaster models with your data, including explanations of data preprocessing, training, and model search.

+These steps are included in AutoML's transform pipelines, so they're automatically applied when needed at inference time. In some cases, the inverse operation to a step is included in the inference pipeline. For example, if AutoML applied a $\log$ transform to the target during training, the raw forecasts are exponentiated in the inference pipeline.

+The search terminates when stopping criteria are met. The stopping criteria depend on the [forecast training job configuration](./how-to-auto-train-forecast.md#configure-experiment), but some examples include time limits, limits on number of search trials to perform, and early stopping logic when the validation metric isn't improving.

+The large language model (LLM) tool in prompt flow enables you to take advantage of widely used large language models like [OpenAI](https://platform.openai.com/), [Azure OpenAI Service](../../../cognitive-services/openai/overview.md), or any language model supported by the [Azure AI model inference API](https://aka.ms/azureai/modelinference) for natural language processing.

+- [Chat](https://platform.openai.com/docs/api-reference/chat): OpenAI's chat models and the [Azure AI](https://aka.ms/azureai/modelinference) chat models facilitate interactive conversations with text-based inputs and responses.

+- **Models deployed to Serverless API endpoints**

+ - Select the model from the catalog you are interested in [and deploy it with a serverless API endpoint](../../how-to-deploy-models-serverless.md).

+ - To use models deployed to serverless API endpoints supported by the [Azure AI model inference API](https://aka.ms/azureai/modelinference), like Mistral, Cohere, Meta Llama, or Microsoft family of models (among others), you need to [create a connection in your project to your endpoint](../../how-to-connect-models-serverless.md?#create-a-serverless-api-endpoint-connection).

+| Serverless model | Requred | Required | - | - |

+| model, deployment_name | string | Language model to use. This parameter is not required if the model is deployed to a serverless API endpoint. | Yes* |

+1. Set up and select the connections to OpenAI resources or to a serverless API endpoint.

+1. Select **+New automated ML job**.

+1. Select **Train automatically**

+1. Select **Start configuring job**

+1. In the **Experiment name** section, select the option **Create new** and enter this experiment name: `my-1st-automl-experiment`

+1. Select **Classfication** as your task type.

+1. Create a new data asset by selecting **Create**.

+ 1. Select **View additional configuration settings** and populate the fields as follows. These settings are to better control the training job. Otherwise, defaults are applied based on experiment selection and data.

+ Additional&nbsp;configurations|Description|Value&nbsp;for&nbsp;tutorial

+ ||

+ Primary metric| Evaluation metric that the machine learning algorithm will be measured by.|AUC_weighted

+ Explain best model| Automatically shows explainability on the best model created by automated ML.| Enable

+ Blocked algorithms | Algorithms you want to exclude from the training job| None

+ Additional&nbsp;classification settings | These settings help improve the accuracy of your model |Positive class label: None

+ Exit criterion| If a criteria is met, the training job is stopped. |Training&nbsp;job&nbsp;time (hours): 1 <br> Metric&nbsp;score&nbsp;threshold: None

+ Concurrency| The maximum number of parallel iterations executed per iteration| Max&nbsp;concurrent&nbsp;iterations: 5

+

+ 1. Select **Save**.

+1. On the **[Optional] Validate and test** form,

+ 1. Select k-fold cross-validation as your **Validation type**.

+ 1. Select 2 as your **Number of cross validations**.

+1. Select **Next**

+1. Select **compute cluster** as your compute type.

+1. A compute target is a local or cloud-based resource environment used to run your training script or host your service deployment. For this experiment, you can either try a cloud-based serverless compute (preview) or create your own cloud-based compute.

+ 1. To use serverless compute, [enable the preview feature](./how-to-use-serverless-compute.md#how-to-use-serverless-compute), select **Serverless**, and skip the rest of this step.

+ 1. To create your own compute target, select **+New** to configure your compute target.

+1. Select **Next**.

+1. Select **Submit training job** to run the experiment. The **Job overview** screen opens with the **Job status** at the top as the experiment preparation begins. This status updates as the experiment progresses. Notifications also appear in the top right corner of the studio to inform you of the status of your experiment.

+## Updates - August 2024

+You can now create up to 20 IP addresses per Azure Red Hat OpenShift cluster load balancer. This feature was previously in preview but is now generally available. See [Configure multiple IP addresses per cluster load balancer](howto-multiple-ips.md) for details. Azure Red Hat OpenShift 4.x has a 250 pod-per-node limit and a 250 compute node limit.

+There's a change in the order of actions performed by Site Reliability Engineers of Azure RedHat OpenShift. To maintain the health of a cluster, a timely action is necessary if control plane resources are over-utilized. Now the control plane is resized proactively to maintain cluster health. After the resize of the control plane, a notification is sent out to you with the details of the changes made to the control plane. Make sure you have the quota available in your subscription for Site Reliability Engineers to perform this action.

+CLUSTER=clustername

+Using these values, delete your cluster:

+az aro delete --resource-group $RESOURCEGROUP --name $CLUSTER

+You'll then be prompted to confirm if you are sure you want to perform this operation. After you confirm with `y`, it will take several minutes to delete the cluster. When the command finishes, the cluster will be deleted and all the managed objects.

+> [!NOTE]

+> User-created objects such as virtual network and subnets must be manually deleted accordingly.

+Learn more about using OpenShift with the official [Red Hat OpenShift documentation](https://docs.openshift.com/container-platform/4.14/welcome/https://docsupdatetracker.net/index.html).

+ Title: Configure multiple IP addresses for ARO cluster load balancers

+# Configure multiple IP addresses per ARO cluster load balancer

+ARO public clusters are created with a public load balancer that's used for outbound connectivity from inside the cluster. By default, one public IP address is configured on that public load balancer, and that limits the maximum node count of your cluster to 65. To be able to scale your cluster to the maximum supported number of 250 nodes, you need to assign multiple additional public IP addresses to the load balancer.

+> [!CAUTION]

+> Before deleting a large cluster, descale the cluster to 120 nodes or below.

+>

+> [!NOTE]

+> The [API](/rest/api/openshift/open-shift-clusters/update?view=rest-openshift-2023-11-22&tabs=HTTP) method for using this feature is generally available. General availability for using the CLI for this feature is coming soon. The [preview version](#download-aro-extension-wheel-file-preview-only) of this feature can still be used through the CLI.

+>

+* Don't create more than 250 worker nodes on a cluster. 250 is the maximum number of nodes that can be created on a cluster. See [Configure multiple IP addresses per ARO cluster load balancer](howto-multiple-ips.md) for more information.

+ Title: Understanding Kubernetes cluster features in Azure Operator Nexus Kubernetes service

+description: Working with Kubernetes cluster features in Azure Operator Nexus Kubernetes clusters

+# Work with Kubernetes cluster features in Nexus Kubernetes clusters

+In this article, you learn how to work with Nexus Kubernetes cluster features. Nexus Kubernetes Cluster Features is a functionality of the Nexus platform that allows customers to enhance their Nexus Kubernetes clusters by adding extra packages or features.

+## Prerequisites

+Before proceeding with this how-to guide, it's recommended that you:

+* Refer to the Nexus Kubernetes cluster [QuickStart guide](./quickstarts-kubernetes-cluster-deployment-cli.md) for a comprehensive overview and steps involved.

+* Ensure that you meet the outlined prerequisites to ensure smooth implementation of the guide.

+* Minimum required `networkcloud` az-cli extension version: `3.0.0b1`

+## Limitations

+* You can only create, delete, or update Kubernetes cluster features that have the `Required` field set to `False`.

+* When installing a Kubernetes cluster feature for the first time, the feature's name should be one of the feature names listed in the table. For subsequent actions such as updates or deletions, the feature's name should be obtained using the `az networkcloud kubernetescluster feature list` command.

+* The `metrics-server` feature can't be deleted if a Horizontal Pod Autoscaler (HPA) is in use within the cluster.

+* Storage-related Kubernetes cluster features, such as `csi-nfs` and `csi-volume`, can't be deleted if the respective StorageClass is in use within the cluster.

+## Default configuration

+When a Nexus Kubernetes cluster is deployed, the list of required Kubernetes cluster features will be installed automatically. After deployment, you can manage optional Kubernetes cluster features by either installing them or uninstalling them (deleting them from the cluster).

+You can't control the installation of Kubernetes cluster features marked as "Required." However, you can perform create, update, and delete operations on features that have the "Required" field set to "False." You also have the option to update any Kubernetes cluster features via the update command.

+The following Kubernetes cluster features are available to each Nexus Kubernetes cluster. Features with "Required" set to "True" are always installed by default and can't be deleted.

+| Name | Description | Required | Installed by default |

+|--|-|-|-|

+| azure-arc-k8sagents | Arc connects Nexus Kubernetes Cluster | True | True |

+| calico | Provides Container Network Interface (CNI) support | True | True |

+| cloud-provider-kubevirt | Supports the Cluster API (CAPI) KubeVirt provider for managing virtual machine-based workloads in Kubernetes | True | True |

+| ipam-cni-plugin | Allocates IP addresses for Layer 3 networks connected to workload containers when `ipamEnabled` is set to True | True | True |

+| metallb | Provides External IPs to LoadBalancer services for load balancing traffic within Kubernetes | True | True |

+| multus | Supports multiple network interfaces to be attached to Kubernetes pods | True | True |

+| node-local-dns | Deploys NodeLocal DNSCache to improve DNS performance and reliability within the Kubernetes cluster | True | True |

+| sriov-dp | Deploys an optional CNI plugin for Single Root I/O Virtualization (SR-IOV) to enhance network performance | True | True |

+| azure-arc-servers | Deploys Azure Arc-enabled servers on each control plane and agent pool node, allowing management of non-Azure resources alongside Azure resources | False | True |

+| csi-nfs | Provides a Container Storage Interface (CSI) driver for NFS (Network File System) to support NFS-based storage in Kubernetes | False| True |

+| csi-volume | Supports the csi-nexus-volume storage class for persistent volume claims within Kubernetes | False | True |

+| metrics-server | Deploys the Metrics Server, which provides resource usage metrics for Kubernetes clusters, such as CPU and memory usage | False| True |

+> [!NOTE]

+> * For each cluster, you can create only one feature of each Kubernetes cluster feature type.

+> * If you delete a Kubernetes cluster feature with the "Required" attribute set to "False," the related charts will be removed from the cluster.

+## How to manage Kubernetes cluster features

+The following interactions allow for the creation and management of the Kubernetes cluster feature configuration.

+### Install a Kubernetes cluster feature

+To install a Kubernetes cluster feature in the cluster, use the `az networkcloud kubernetescluster feature create` command. If you have multiple Azure subscriptions, you must specify the subscription ID either by using the `--subscription` flag in the CLI command or by selecting the appropriate subscription ID with the [az account set](/cli/azure/account#az-account-set) command.

+```azurecli

+az networkcloud kubernetescluster feature create \

+ --name "<FEATURE_NAME>" \

+ --kubernetes-cluster-name "<KUBERNETES_CLUSTER_NAME>" \

+ --resource-group "<RESOURCE_GROUP>" \

+ --location "<LOCATION>" \

+ --tags "<KEY1>=<VALUE1>" "<KEY2>=<VALUE2>"

+```

+* Replace the placeholders (`<FEATURE_NAME>`, `<KUBERNETES_CLUSTER_NAME>`, `<RESOURCE_GROUP>`, `<LOCATION>`, `<KEY1>=<VALUE1>`, and `<KEY2>=<VALUE2>`) with your specific information.

+

+To see all available parameters and their descriptions, run the command:

+```azurecli

+az networkcloud kubernetescluster feature create --help

+```

+#### Kubernetes cluster feature configuration parameters

+| Parameter name | Description |

+| --| -- |

+| FEATURE_NAME | Name of Kubernetes cluster `feature` |

+| KUBERNETES_CLUSTER_NAME | Name of Cluster |

+| LOCATION | The Azure Region where the Cluster is deployed |

+| RESOURCE_GROUP | The Cluster resource group name |

+| KEY1 | Optional tag1 to pass to Kubernetes cluster feature create |

+| VALUE1 | Optional tag1 value to pass to Kubernetes cluster feature create |

+| KEY2 | Optional tag2 to pass to Kubernetes cluster feature create |

+| VALUE2 | Optional tag2 value to pass to Kubernetes cluster feature create |

+Specifying `--no-wait --debug` options in az command results in the execution of this command asynchronously. For more information, see [how to track asynchronous operations](howto-track-async-operations-cli.md).

+### List the Kubernetes cluster feature

+You can check the Kubernetes cluster feature resources for a specific cluster by using the `az networkcloud kubernetescluster feature list` command. This command displays a list of all features associated with the specified Kubernetes cluster:

+```azurecli

+az networkcloud kubernetescluster feature list \

+ --kubernetes-cluster-name "<KUBERNETES_CLUSTER_NAME>" \

+ --resource-group "<RESOURCE_GROUP>"

+```

+### Retrieve a Kubernetes cluster feature

+After a Kubernetes cluster is created, you can check the details of a specific Kubernetes cluster feature using the `networkcloud kubernetescluster feature show` command. This provides detailed information about the feature:

+```azurecli

+az networkcloud kubernetescluster feature show \

+ --cluster-name "<KUBERNETES_CLUSTER_NAME>" \

+ --resource-group "<RESOURCE_GROUP>"

+```

+This command returns a JSON representation of the Kubernetes cluster feature configuration.

+### Update a Kubernetes cluster feature

+Much like the creation of a Kubernetes cluster feature, you can perform an update action to modify the tags assigned to the Kubernetes cluster feature. Use the following command to update the tags:

+> [!IMPORTANT]

+> * The `name` parameter should match the "Name" obtained from the output of the `az networkcloud kubernetescluster feature list` command. While the feature name provided during installation can be used initially, once the feature is installed, it is assigned a unique name. Therefore, always use the `list` command to get the actual resource name for update and delete operations, rather than relying on the initial feature name shown in the table.

+```azurecli

+az networkcloud kubernetescluster feature update \

+ --name "<FEATURE_NAME>" \

+ --kubernetes-cluster-name "<KUBERNETES_CLUSTER_NAME>" \

+ --resource-group "<RESOURCE_GROUP>" \

+ --tags <KEY1>="<VALUE1>" \

+ <KEy2>="<VALUE2>"

+```

+Specifying `--no-wait --debug` options in az command results in the execution of this command asynchronously. For more information, see [how to track asynchronous operations](howto-track-async-operations-cli.md).

+### Delete Kubernetes cluster feature

+Deleting a Kubernetes cluster feature removes the resource from the cluster. To delete a Kubernetes cluster feature, use the following command:

+> [!IMPORTANT]

+> * The `name` parameter should match the "Name" obtained from the output of the `az networkcloud kubernetescluster feature list` command. While the feature name provided during installation can be used initially, once the feature is installed, it is assigned a unique name. Therefore, always use the `list` command to get the actual resource name for update and delete operations, rather than relying on the initial feature name shown in the table.

+```azurecli

+az networkcloud kubernetescluster feature delete \

+ --name "<FEATURE_NAME>" \

+ --kubernetes-cluster-name "<KUBERNETES_CLUSTER_NAME>" \

+ --resource-group "<RESOURCE_GROUP>"

+```

+Specifying `--no-wait --debug` options in az command results in the execution of this command asynchronously. For more information, see [how to track asynchronous operations](howto-track-async-operations-cli.md).

+> [!NOTE]

+> * If you attempt to delete a Kubernetes cluster feature that has `Required=True`, the command will fail and produce an error message stating, "delete not allowed for ... feature as it is a required feature."

+> * In such cases, a subsequent show/list command will display the `provisioningState` as `Failed`. This is a known issue.

+> * To correct the `provisioningState`, you can run a no-op command, such as updating the tags on the affected Kubernetes cluster feature. Use the `--tags` parameter of the update command to do this. This action will reset the `provisioningState` to `Succeeded`.

+* Minimum required `networkcloud` az-cli extension version: `3.0.0b1`

+# Migrate Azure API Management to availability zone support

+- Experiences such as Event Streams don't support availability zones.

+- Data engineering supports availability zones if you use OneLake. If you use other data sources such as ADLS Gen2, then you need to ensure that Zone-redundant storage (ZRS) is enabled.

+- Zone availability may or may not be available for Fabric experiences and/or features/functionalities that are in preview.

+| **Americas** | **Power BI** | **Datamarts** | **Data Warehouses** | **Real-Time Analytics** | **Data Factory (pipelines)** | **Data Engineering** |

+|:|::|::|::|::|::|::|

+| Brazil South | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | |

+| Canada Central | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | |

+| Central US | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | | | | :::image type="icon" source="media/yes-icon.svg" border="false"::: |

+| East US | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: |

+| East US 2 | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: |

+| South Central US | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | | | :::image type="icon" source="media/yes-icon.svg" border="false"::: | |

+| West US 2 | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | | :::image type="icon" source="media/yes-icon.svg" border="false"::: | |

+| West US 3 | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | |

+| **Europe** | | | | | | |

+| France Central | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | |

+| Germany West Central | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | | | | |

+| North Europe | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: |

+| UK South | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: |

+| West Europe | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | | | |

+| Norway East | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | |

+| **Middle East** | | | | | | |

+| Qatar Central | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | | | | |

+| **Africa** | | | | | | |

+| South Africa North | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | | :::image type="icon" source="media/yes-icon.svg" border="false"::: | :::image type="icon" source="media/yes-icon.svg" border="false"::: | |

+| **Asia Pacific** | | | | | | |

+| Australia East | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | :::image type="icon" source="media/yes-icon.svg" border="false"::: | |

+| Japan East | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | | | :::image type="icon" source="media/yes-icon.svg" border="false"::: | |

+| Southeast Asia | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | | | :::image type="icon" source="media/yes-icon.svg" border="false"::: | | |

+During a zone-wide outage, no action is required during zone recovery. Fabric capabilities in regions listed in [supported regions](#supported-regions) self-heal and rebalance automatically to take advantage of the healthy zone. Running Spark Jobs may fail if the master node is in the failed zone. In such a case, the jobs will need to be resubmitted.

+| text | vectors ¹ | Text can be chunked and vectorized in an indexer pipeline, or handled externally and then [indexed as vector fields](vector-search-how-to-create-index.md) in your index. |

+| image | vectors ¹ | Images can be vectorized in an indexer pipeline, or handled externally for a mathematical representation of image content and then [indexed as vector fields](vector-search-how-to-create-index.md) in your index. You can use [Azure AI Vision multimodal](/azure/ai-services/computer-vision/how-to/image-retrieval) or an open source model like [OpenAI CLIP](https://github.com/openai/CLIP/blob/main/README.md) to vectorize text and images in the same embedding space.|

+ ¹ Azure AI Search provides [integrated data chunking and vectorization](vector-search-integrated-vectorization.md), but you must take a dependency on indexers and skillsets. If you can't use an indexer, Microsoft's [Semantic Kernel](/semantic-kernel/overview/) or other community offerings can help you with a full stack solution. For code samples showing both approaches, see [azure-search-vectors repo](https://github.com/Azure/azure-search-vector-samples).

+² [Skills](cognitive-search-working-with-skillsets.md) are built-in support for [applied AI](cognitive-search-concept-intro.md). For OCR and Image Analysis, the indexing pipeline makes an internal call to the Azure AI Vision APIs. These skills pass an extracted image to Azure AI for processing, and receive the output as text that's indexed by Azure AI Search. Skills are also used for integrated data chunking (Text Split skill) and integrated embedding (skills that call Azure AI Vision multimodal, Azure OpenAI, and models in the Azure AI Studio model catalog.)

+### Maximize relevance and recall

+Here are some tips for maximizing relevance and recall:

+ + [Scoring profiles](index-add-scoring-profiles.md) that boost the search score if matches are found in a specific search field or on other criteria.

+ + [Semantic ranking](semantic-ranking.md) that re-ranks an initial results set, using semantic models from Bing to reorder results for a better semantic fit to the original query.

+ + Query parameters for fine-tuning. You can [bump up the importance of vector queries](vector-search-how-to-query.md#vector-weighting) or [adjust the amount of BM25-ranked results](vector-search-how-to-query.md#maxtextsizerecall-for-hybrid-search-preview) in a hybrid query. You can also [set minimum thresholds to exclude low scoring results](vector-search-how-to-query.md#set-thresholds-to-exclude-low-scoring-results-preview) from a vector query.

+In comparison and benchmark testing, hybrid queries with text and vector fields, supplemented with semantic ranking, produce the most relevant results.

+The following Python code demonstrates the essential components of a RAG workflow in Azure AI Search. You need to set up the clients, define a system prompt, and provide a query. The prompt tells the LLM to use just the results from the query, and how to return the results. For more steps based on this example, see this [RAG quickstart](search-get-started-rag.md).

+# Set up the query for generating responses

+from azure.identity import DefaultAzureCredential

+from azure.identity import get_bearer_token_provider

+from azure.search.documents import SearchClient

+from openai import AzureOpenAI

+credential = DefaultAzureCredential()

+token_provider = get_bearer_token_provider(credential, "https://cognitiveservices.azure.com/.default")

+openai_client = AzureOpenAI(

+ api_version="2024-06-01",

+ azure_endpoint=AZURE_OPENAI_ACCOUNT,

+ azure_ad_token_provider=token_provider

+)

+search_client = SearchClient(

+ endpoint=AZURE_SEARCH_SERVICE,

+ index_name="hotels-sample-index",

+ credential=credential

+)

+# This prompt provides instructions to the model

+GROUNDED_PROMPT="""

+You are a friendly assistant that recommends hotels based on activities and amenities.

+Answer the query using only the sources provided below in a friendly and concise bulleted manner.

+Answer ONLY with the facts listed in the list of sources below.

+If there isn't enough information below, say you don't know.

+Do not generate answers that don't use the sources below.

+Query: {query}

+Sources:\n{sources}

+"""

+# Query is the question being asked

+query="Can you recommend a few hotels near the ocean with beach access and good views"

+# Retrieve the selected fields from the search index related to the question

+search_results = search_client.search(

+ search_text=query,

+ top=5,

+ select="Description,HotelName,Tags"

+)

+sources_formatted = "\n".join([f'{document["HotelName"]}:{document["Description"]}:{document["Tags"]}' for document in search_results])

+response = openai_client.chat.completions.create(

+ messages=[

+ {

+ "role": "user",

+ "content": GROUNDED_PROMPT.format(query=query, sources=sources_formatted)

+ }

+ ],

+ model="gpt-4o"

+)

+print(response.choices[0].message.content)

+A RAG solution that includes Azure AI Search can leverage [built-in data chunking and vectorization capabilities](vector-search-integrated-vectorization.md), or you can build your own using platforms like Semantic Kernel, LangChain, or LlamaIndex.

+[Notebooks in the demo repository](https://github.com/Azure/azure-search-vector-samples/tree/main/demo-python/code/community-integration) are a great starting point because they show patterns for LLM integration. Much of the code in a RAG solution consists of calls to the LLM so you need to develop an understanding of how those APIs work, which is outside the scope of this article.

+Depending on region and datacenter capacity, you can automatically request more quota to add services to your subscription. If the request fails, you should either decrease the number or file a support ticket. For an large increase in quota, such as more than 30 extra services, you should expect a one-month turnaround.

+## Custom logs from text files

+The following examples are for DCRs using the AMA to collect custom logs from text files.

+### Custom text logs DCR

+These examples are of the API request for creating a DCR.

+#### Custom text logs DCR creation request body

+The following is an example of a DCR creation request for a custom log text file. Replace *`{PLACEHOLDER_VALUES}`* with actual values.

+The `outputStream` parameter is required only if the transform changes the schema of the stream.

+```json

+{

+ "type": "Microsoft.Insights/dataCollectionRules",

+ "name": "{DCR_NAME}",

+ "location": "{WORKSPACE_LOCATION}",

+ "apiVersion": "2022-06-01",

+ "properties": {

+ "streamDeclarations": {

+ "Custom-Text-{TABLE_NAME}": {

+ "columns": [

+ {

+ "name": "TimeGenerated",

+ "type": "datetime"

+ },

+ {

+ "name": "RawData",

+ "type": "string"

+ },

+ ]

+ }

+ },

+ "dataSources": {

+ "logFiles": [

+ {

+ "streams": [

+ "Custom-Text-{TABLE_NAME}"

+ ],

+ "filePatterns": [

+ "{LOCAL_PATH_FILE_1}","{LOCAL_PATH_FILE_2}"

+ ],

+ "format": "text",

+ "name": "Custom-Text-{TABLE_NAME}"

+ }

+ ],

+ },

+ "destinations": {

+ "logAnalytics": [

+ {

+ "workspaceResourceId": "{WORKSPACE_RESOURCE_PATH}",

+ "workspaceId": "{WORKSPACE_ID}",

+ "name": "DataCollectionEvent"

+ }

+ ],

+ },

+ "dataFlows": [

+ {

+ "streams": [

+ "Custom-Text-{TABLE_NAME}"

+ ],

+ "destinations": [

+ "DataCollectionEvent"

+ ],

+ "transformKql": "source",

+ "outputStream": "Custom-{TABLE_NAME}"

+ }

+ ]

+ }

+}

+```

+#### Custom text logs DCR creation response

+```json

+{

+ "properties": {

+ "immutableId": "dcr-00112233445566778899aabbccddeeff",

+ "dataCollectionEndpointId": "/subscriptions/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb/resourceGroups/Contoso-RG-1/providers/Microsoft.Insights/dataCollectionEndpoints/Microsoft-Sentinel-aaaabbbbccccddddeeeefff",

+ "streamDeclarations": {

+ "Custom-Text-ApacheHTTPServer_CL": {

+ "columns": [

+ {

+ "name": "TimeGenerated",

+ "type": "datetime"

+ },

+ {

+ "name": "RawData",

+ "type": "string"

+ }

+ ]

+ }

+ },

+ "dataSources": {

+ "logFiles": [

+ {

+ "streams": [

+ "Custom-Text-ApacheHTTPServer_CL"

+ ],

+ "filePatterns": [

+ "C:\\Server\\bin\\log\\Apache24\\logs\\*.log"

+ ],

+ "format": "text",

+ "settings": {

+ "text": {

+ "recordStartTimestampFormat": "ISO 8601"

+ }

+ },

+ "name": "Custom-Text-ApacheHTTPServer_CL"

+ }

+ ]

+ },

+ "destinations": {

+ "logAnalytics": [

+ {

+ "workspaceResourceId": "/subscriptions/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb/resourceGroups/contoso-rg-1/providers/Microsoft.OperationalInsights/workspaces/CyberSOC",

+ "workspaceId": "cccccccc-3333-4444-5555-dddddddddddd",

+ "name": "DataCollectionEvent"

+ }

+ ]

+ },

+ "dataFlows": [

+ {

+ "streams": [

+ "Custom-Text-ApacheHTTPServer_CL"

+ ],

+ "destinations": [

+ "DataCollectionEvent"

+ ],

+ "transformKql": "source",

+ "outputStream": "Custom-ApacheHTTPServer_CL"

+ }

+ ],

+ "provisioningState": "Succeeded"

+ },

+ "location": "centralus",

+ "tags": {

+ "createdBy": "Sentinel"

+ },

+ "id": "/subscriptions/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb/resourceGroups/Contoso-RG-1/providers/Microsoft.Insights/dataCollectionRules/DCR-CustomLogs-01",

+ "name": "DCR-CustomLogs-01",

+ "type": "Microsoft.Insights/dataCollectionRules",

+ "etag": "\"00000000-1111-2222-3333-444444444444\"",

+ "systemData": {

+ "createdBy": "gbarnes@contoso.com",

+ "createdByType": "User",

+ "createdAt": "2024-08-12T09:29:15.1083961Z",

+ "lastModifiedBy": "gbarnes@contoso.com",

+ "lastModifiedByType": "User",

+ "lastModifiedAt": "2024-08-12T09:29:15.1083961Z"

+ }

+}

+```

+- Your user must have the [Security Administrator](../active-directory/roles/permissions-reference.md#security-administrator) role on the tenant you want to stream the logs from, or the equivalent permissions.

+ Title: Ingest syslog and CEF messages to Microsoft Sentinel - AMA

+description: Ingest syslog messages from linux machines and from network and security devices and appliances to Microsoft Sentinel, using data connectors based on the Azure Monitor Agent (AMA).

+Before you begin, you must have the resources configured and the appropriate permissions assigned, as described in this section.

+ - [Azure or Defender portal](?tabs=syslog%2Cportal#create-data-collection-rule-dcr)

+### Create data collection rule (DCR)

+To get started, open either the **Syslog via AMA** or **Common Event Format (CEF) via AMA** data connector in Microsoft Sentinel and create a data collection rule (DCR).

+ Title: Collect logs from text files with the Azure Monitor Agent and ingest to Microsoft Sentinel - AMA

+description: Collect text file-based logs from network or security applications installed on Windows- or Linux-based machines, using the Custom Logs via AMA data connector based on the Azure Monitor Agent (AMA).

+appliesto:

+ - Microsoft Sentinel in the Azure portal

+ - Microsoft Sentinel in the Microsoft Defender portal

+#Customer intent: As a security operator, I want to ingest and filter text file-based logs from network or security applications installed on Windows- or Linux-based machines to my Microsoft Sentinel workspace, so that security analysts can monitor activity on these systems and detect security threats.

+# Collect logs from text files with the Azure Monitor Agent and ingest to Microsoft Sentinel

+This article describes how to use the **Custom Logs via AMA** connector to quickly filter and ingest logs in text-file format from network or security applications installed on Windows or Linux machines.

+Many applications log data to text files instead of standard logging services like Windows Event log or Syslog. You can use the Azure Monitor Agent (AMA) to collect data in text files of nonstandard formats from both Windows and Linux computers. The AMA can also effect transformations on the data at the time of collection, to parse it into different fields.

+For more information about the applications for which Microsoft Sentinel has solutions to support log collection, see [Custom Logs via AMA data connector - Configure data ingestion to Microsoft Sentinel from specific applications](unified-connector-custom-device.md).

+For more general information about ingesting custom logs from text files, see [Collect logs from a text file with Azure Monitor Agent](../azure-monitor/agents/data-collection-log-text.md).

+> [!IMPORTANT]

+> - The **Custom Logs via AMA** data connector is currently in PREVIEW. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+>

+> - [!INCLUDE [unified-soc-preview-without-alert](includes/unified-soc-preview-without-alert.md)]

+## Prerequisites

+Before you begin, you must have the resources configured and the appropriate permissions assigned, as described in this section.

+### Microsoft Sentinel prerequisites

+- Install the Microsoft Sentinel solution that matches your application and make sure you have the permissions to complete the steps in this article. You can find these solutions in the **Content hub** in Microsoft Sentinel, and they all include the **Custom Logs via AMA** connector.

+ For the list of applications that have solutions in the content hub, see [Specific instructions per application](unified-connector-custom-device.md#specific-instructions-per-application-type). If there isn't a solution available for your application, install the **Custom Logs via AMA** solution.

+ For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md).

+- Have an Azure account with the following Azure role-based access control (Azure RBAC) roles:

+ | Built-in role | Scope | Reason |

+ | - | -- | |

+ | - [Virtual Machine Contributor](../role-based-access-control/built-in-roles/compute.md#virtual-machine-contributor)<br>- [Azure Connected Machine<br>&nbsp;&nbsp;&nbsp;Resource Administrator](../role-based-access-control/built-in-roles/management-and-governance.md#azure-connected-machine-resource-administrator) | <li>Virtual machines (VM)<li>Virtual Machine Scale Sets<li>Azure Arc-enabled servers | To deploy the agent |

+ | Any role that includes the action<br>*Microsoft.Resources/deployments/\** | <li>Subscription<li>Resource group<li>Existing data collection rule | To deploy Azure Resource Manager templates |

+ | [Monitoring Contributor](../role-based-access-control/built-in-roles/monitor.md#monitoring-contributor) | <li>Subscription<li>Resource group<li>Existing data collection rule | To create or edit data collection rules |

+### Log forwarder prerequisites

+Certain custom applications are hosted on closed appliances that necessitate sending their logs to an external log collector/forwarder. In such a scenario, the following prerequisites apply to the log forwarder:

+- You must have a designated Linux VM as a log forwarder to collect logs.

+ - [Create a Linux VM in the Azure portal](../virtual-machines/linux/quick-create-portal.md).

+ - [Supported Linux operating systems for Azure Monitor Agent](../azure-monitor/agents/agents-overview.md#linux).

+- If your log forwarder *isn't* an Azure virtual machine, it must have the Azure Arc [Connected Machine agent](../azure-arc/servers/overview.md) installed on it.

+- The Linux log forwarder VM must have Python 2.7 or 3 installed. Use the ``python --version`` or ``python3 --version`` command to check. If you're using Python 3, make sure it's set as the default command on the machine, or run scripts with the 'python3' command instead of 'python'.

+- The log forwarder must have either the `syslog-ng` or `rsyslog` daemon enabled.

+- For space requirements for your log forwarder, refer to the [Azure Monitor Agent Performance Benchmark](../azure-monitor/agents/azure-monitor-agent-performance.md). You can also review [this blog post](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/designs-for-accomplishing-microsoft-sentinel-scalable-ingestion/ba-p/3741516), which includes designs for scalable ingestion.

+- Your log sources, security devices, and appliances must be configured to send their log messages to the log forwarder's syslog daemon instead of to their local syslog daemon.

+#### Machine security prerequisites

+Configure the log forwarder machine's security according to your organization's security policy. For example, configure your network to align with your corporate network security policy and change the ports and protocols in the daemon to align with your requirements. To improve your machine security configuration, [secure your VM in Azure](../virtual-machines/security-policy.md), or review these [best practices for network security](../security/fundamentals/network-best-practices.md).

+If your devices are sending logs over TLS because, for example, your log forwarder is in the cloud, you need to configure the syslog daemon (`rsyslog` or `syslog-ng`) to communicate in TLS. For more information, see:

+- [Encrypt Syslog traffic with TLS ΓÇô rsyslog](https://www.rsyslog.com/doc/v8-stable/tutorials/tls_cert_summary.html)

+- [Encrypt log messages with TLS ΓÇô syslog-ng](https://support.oneidentity.com/technical-documents/syslog-ng-open-source-edition/3.22/administration-guide/60#TOPIC-1209298)

+## Configure the data connector

+The setup process for the Custom Logs via AMA data connector includes the following steps:

+1. Create the destination table in Log Analytics (or Advanced Hunting if you're in the Defender portal).

+ The table's name must end with `_CL` and it must consist of only the following two fields:

+ - **TimeGenerated** (of type *DateTime*): the timestamp of the creation of the log message.

+ - **RawData** (of type *String*): the log message in its entirety.

+ (If you're collecting logs from a log forwarder and not directly from the device hosting the application, name this field **Message** instead of **RawData**.)

+1. Install the Azure Monitor Agent and create a Data Collection Rule (DCR) by using either of the following methods:

+ - [Azure or Defender portal](?tabs=portal#create-data-collection-rule-dcr)

+ - [Azure Resource Manager template](?tabs=arm#install-the-azure-monitor-agent)

+1. If you're collecting logs using a log forwarder, configure the syslog daemon on that machine to listen for messages from other sources, and open the required local ports. For details, see [Configure the log forwarder to accept logs](#configure-the-log-forwarder-to-accept-logs).

+Select the appropriate tab for instructions.

+# [Azure or Defender portal](#tab/portal)

+### Create data collection rule (DCR)

+To get started, open either the **Custom Logs via AMA** data connector in Microsoft Sentinel and create a data collection rule (DCR).

+1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Configuration**, select **Data connectors**.<br> For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Microsoft Sentinel** > **Configuration** > **Data connectors**.

+1. Type *custom* in the **Search** box. From the results, select the **Custom Logs via AMA** connector.

+1. Select **Open connector page** on the details pane.

+ :::image type="content" source="media/connect-custom-logs-ama/custom-logs-connector-open.png" alt-text="Screenshot of custom logs AMA connector in gallery." lightbox="media/connect-custom-logs-ama/custom-logs-connector-open.png":::

+1. In the **Configuration** area, select **+Create data collection rule**.

+ :::image type="content" source="media/connect-custom-logs-ama/custom-logs-connector-page-create-dcr.png" alt-text="Screenshot showing the Custom Logs via AMA connector page." lightbox="media/connect-custom-logs-ama/custom-logs-connector-page-create-dcr.png":::

+1. In the **Basic** tab:

+ - Type a DCR name.

+ - Select your subscription.

+ - Select the resource group where you want to locate your DCR.

+ :::image type="content" source="media/connect-cef-ama/dcr-basics-tab.png" alt-text="Screenshot showing the DCR details in the Basic tab." lightbox="media/connect-cef-ama/dcr-basics-tab.png":::

+1. Select **Next: Resources >**.

+### Define VM resources

+In the **Resources** tab, select the machines from which you want to collect the logs. These are either the machines on which your application is installed, or your log forwarder machines. If the machine you're looking for doesn't appear in the list, it might not be an Azure VM with the Azure Connected Machine agent installed.

+1. Use the available filters or search box to find the machine you're looking for. Expand a subscription in the list to see its resource groups, and a resource group to see its VMs.

+1. Select the machine that you want to collect logs from. The check box appears next to the VM name when you hover over it.

+ :::image type="content" source="media/connect-cef-ama/dcr-select-resources.png" alt-text="Screenshot showing how to select resources when setting up the DCR." lightbox="media/connect-cef-ama/dcr-select-resources.png":::

+ If the machines you selected don't already have the Azure Monitor Agent installed on them, the agent is installed when the DCR is created and deployed.

+1. Review your changes and select **Next: Collect >**.

+### Configure the DCR for your application

+1. In the **Collect** tab, select your application or device type from the **Select device type (optional)** drop-down box, or leave it as **Custom new table** if your application or device isn't listed.

+1. If you chose one of the listed applications or devices, the **Table name** field is automatically populated with the right table name. If you chose **Custom new table**, enter a table name under **Table name**. The name must end with the `_CL` suffix.

+1. In the **File pattern** field, enter the path and file name of the text log files to be collected. To find the default file names and paths for each application or device type, see [Specific instructions per application type](unified-connector-custom-device.md#specific-instructions-per-application-type). You don't have to use the default file names or paths, and you can use wildcards in the file name.

+1. In the **Transform** field, if you chose a custom new table in step 1, enter a Kusto query that applies a transformation of your choice to the data.

+ If you chose one of the listed applications or devices in step 1, this field is automatically populated with the proper transformation. DO NOT edit the transformation that appears there. Depending on the chosen type, this value should be one of the following:

+ - `source` (the default&mdash;no transformation)

+ - `source | project-rename Message=RawData` (for devices that send logs to a forwarder)

+1. Review your selections and select **Next: Review + create**.

+### Review and create the rule

+After you complete all the tabs, review what you entered and create the data collection rule.

+1. In the **Review and create** tab, select **Create**.

+ :::image type="content" source="media/connect-cef-ama/dcr-review-create.png" alt-text="Screenshot showing how to review the configuration of the DCR and create it.":::

+ The connector installs the Azure Monitor Agent on the machines you selected when creating your DCR.

+1. Check the notifications in the Azure portal or Microsoft Defender portal to see when the DCR is created and the agent is installed.

+1. Select **Refresh** on the connector page to see the DCR displayed in the list.

+# [Resource Manager template](#tab/arm)

+### Install the Azure Monitor Agent

+Follow the appropriate instructions from the Azure Monitor documentation to install the Azure Monitor Agent on the machine hosting your application, or on your log forwarder. Use the instructions for Windows or for Linux, as appropriate.

+- [Install the AMA using PowerShell](../azure-monitor/agents/azure-monitor-agent-manage.md?tabs=azure-powershell)

+- [Install the AMA using the Azure CLI](../azure-monitor/agents/azure-monitor-agent-manage.md?tabs=azure-cli)

+- [Install the AMA using an Azure Resource Manager template](../azure-monitor/agents/azure-monitor-agent-manage.md?tabs=azure-resource-manager)

+Create Data Collection Rules (DCRs) using the [Azure Monitor Logs Ingestion API](/rest/api/monitor/data-collection-rules). For more information, see [Data collection rules in Azure Monitor](../azure-monitor/essentials/data-collection-rule-overview.md).

+### Create the data collection rule

+Use the following ARM template to create or modify a DCR for collecting text log files:

+```json

+{

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "resources": [

+ {

+ "type": "Microsoft.Insights/dataCollectionRules",

+ "name": "{DCR_NAME}",

+ "location": "{DCR_LOCATION}",

+ "apiVersion": "2022-06-01",

+ "properties": {

+ "streamDeclarations": {

+ "Custom-Text-{TABLE_NAME}": {

+ "columns": [

+ {

+ "name": "TimeGenerated",

+ "type": "datetime"

+ },

+ {

+ "name": "RawData",

+ "type": "string"

+ },

+ ]

+ }

+ },

+ "dataSources": {

+ "logFiles": [

+ {

+ "streams": [

+ "Custom-Text-{TABLE_NAME}"

+ ],

+ "filePatterns": [

+ "{LOCAL_PATH_FILE_1}","{LOCAL_PATH_FILE_2}"

+ ],

+ "format": "text",

+ "name": "Custom-Text-{TABLE_NAME}"

+ }

+ ]

+ },

+ "destinations": {

+ "logAnalytics": [

+ {

+ "workspaceResourceId": "{WORKSPACE_RESOURCE_PATH}",

+ "workspaceId": "{WORKSPACE_ID}",

+ "name": "workspace"

+ }

+ ]

+ },

+ "dataFlows": [

+ {

+ "streams": [

+ "Custom-Text-{TABLE_NAME}"

+ ],

+ "destinations": [

+ "DataCollectionEvent"

+ ],

+ "transformKql": "source",

+ "outputStream": "Custom-{TABLE_NAME}"

+ }

+ ]

+ }

+ }

+ ]

+}

+```

+Replace the {PLACE_HOLDER} values with the following values:

+| Placeholder | Value |

+| -- | -- |

+| {DCR_NAME} | The name you choose for your Data Collection Rule. It must be unique within your workspace. |

+| {DCR_LOCATION} | The region where the resource group containing the DCR is located. |

+| {TABLE_NAME} | The name of the destination table in Log Analytics. Must end with `_CL`. |

+| {LOCAL_PATH_FILE_1}&nbsp;*(required)*,<br>{LOCAL_PATH_FILE_2} *(optional)* | Paths and file names of the text files containing the logs you want to collect. These must be on the machine where the Azure Monitor Agent is installed. |

+| {WORKSPACE_RESOURCE_PATH} | The Azure resource path of your Microsoft Sentinel workspace. |

+| {WORKSPACE_ID} | The GUID of your Microsoft Sentinel workspace. |

+

+### Associate the DCR with the Azure Monitor Agent

+If you create the DCR using an ARM template, you still must associate the DCR with the agents that will use it. You can edit the DCR in the Azure portal and select the agents as described in [Define VM resources](#define-vm-resources).

+## Configure the log forwarder to accept logs

+If you're collecting logs from an appliance using a log forwarder, configure the syslog daemon on the log forwarder to listen for messages from other machines, and open the necessary local ports.

+1. Copy the following command line:

+ ```python

+ sudo wget -O Forwarder_AMA_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Forwarder_AMA_installer.py&&sudo python Forwarder_AMA_installer.py

+ ```

+1. Sign in to the log forwarder machine where you just installed the AMA.

+1. Paste the command you copied in the last step to launch the installation script.

+ The script configures the `rsyslog` or `syslog-ng` daemon to use the required protocol and restarts the daemon. The script opens port 514 to listen to incoming messages in both UDP and TCP protocols. To change this setting, refer to the syslog daemon configuration file according to the daemon type running on the machine:

+ - Rsyslog: `/etc/rsyslog.conf`

+ - Syslog-ng: `/etc/syslog-ng/syslog-ng.conf`

+ If you're using Python 3, and it's not set as the default command on the machine, substitute `python3` for `python` in the pasted command. See [Log forwarder prerequisites](#log-forwarder-prerequisites).

+ > [!NOTE]

+ > To avoid [Full Disk scenarios](../azure-monitor/agents/azure-monitor-agent-troubleshoot-linux-vm-rsyslog.md) where the agent can't function, we recommend that you set the `syslog-ng` or `rsyslog` configuration not to store unneeded logs. A Full Disk scenario disrupts the function of the installed AMA.

+ > For more information, see [RSyslog](https://www.rsyslog.com/doc/master/configuration/actions.html) or [Syslog-ng](https://syslog-ng.github.io/).

+## Configure the security device or appliance

+For specific instructions to configure your security application or appliance, see [Custom Logs via AMA data connector - Configure data ingestion to Microsoft Sentinel from specific applications](unified-connector-custom-device.md)

+Contact the solution provider for more information or where information is unavailable for the appliance or device.

+## Related content

+- [Data collection rules in Azure Monitor](../azure-monitor/essentials/data-collection-rule-overview.md)

+- [Collect logs from a text file with Azure Monitor Agent](../azure-monitor/agents/data-collection-log-text.md)

+This article describes how to collect data from devices that use custom log formats to Microsoft Sentinel using the **Log Analytics agent**. To learn how to ingest custom logs **using the Azure Monitor Agent (AMA)**, see [Collect logs from text files with the Azure Monitor Agent and ingest to Microsoft Sentinel](connect-custom-logs-ama.md).

+- Your user must have the [Security Administrator](../active-directory/roles/permissions-reference.md#security-administrator) role on the tenant you want to stream the logs from, or the equivalent permissions.

+- The Security Administrator role on the tenant, or the equivalent permissions.

+- You must have a Security administrator role on your Microsoft Sentinel workspace's tenant, or the equivalent permissions.

+- To grant permissions to your TIP product or any other custom application that uses direct integration with the Microsoft Graph TI Indicators API, you must have the **Security administrator** Microsoft Entra role, or the equivalent permissions.

+1. To grant consent, a privileged role is required. For more information, see [Grant tenant-wide admin consent to an application](/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal).

+- Your user must be assigned to the Microsoft Entra ID **Security Administrator** role in your tenant or the equivalent permissions.

+More roles might be required depending on the data you ingest or monitor. For example, Microsoft Entra roles might be required, such as the Security Administrator role, to set up data connectors for services in other Microsoft portals.

+Log collection from many security appliances and devices is supported by the **Common Event Format (CEF) via AMA** data connector in Microsoft Sentinel. This article lists provider-supplied installation instructions for specific security appliances and devices that use this data connector. Contact the provider for updates, more information, or where information is unavailable for your security appliance or device.

+To ingest data to your Log Analytics workspace for Microsoft Sentinel, complete the steps in [Ingest syslog and CEF messages to Microsoft Sentinel with the Azure Monitor Agent](connect-cef-syslog-ama.md). Those steps include the installation of the **Common Event Format (CEF) via AMA** data connector in Microsoft Sentinel. After the connector is installed, use the instructions appropriate to your device, shown later in this article, to complete the setup.

+ Title: Custom logs via AMA connector - Configure data ingestion to Microsoft Sentinel from specific applications

+description: Learn how to configure data ingestion into Microsoft Sentinel from specific or custom applications that produce logs as text files, using the Custom Logs via AMA data connector or manual configuration.

+# Custom Logs via AMA data connector - Configure data ingestion to Microsoft Sentinel from specific applications

+Microsoft Sentinel's **Custom Logs via AMA** data connector supports the collection of logs from text files from several different network and security applications and devices.

+This article supplies the configuration information, unique to each specific security application, that you need to supply when configuring this data connector. This information is provided by the application providers. Contact the provider for updates, for more information, or when information is unavailable for your security application. For the full instructions to install and configure the connector, see [Collect logs from text files with the Azure Monitor Agent and ingest to Microsoft Sentinel](connect-custom-logs-ama.md), but refer back to this article for the unique information to supply for each application.

+This article also shows you how to ingest data from these applications to your Microsoft Sentinel workspace without using the connector. These steps include installation of the Azure Monitor Agent. After the connector is installed, use the instructions appropriate to your application, shown later in this article, to complete the setup.

+The devices from which you collect custom text logs fall into two categories:

+- Applications installed on Windows or Linux machines

+ The application stores its log files on the machine where it's installed. To collect these logs, the Azure Monitor Agent is installed on this same machine.

+- Appliances that are self-contained on closed (usually Linux-based) devices

+ These appliances store their logs on an external syslog server. To collect these logs, the Azure Monitor Agentis installed on this external syslog server, often called a log forwarder.

+For more information about the related Microsoft Sentinel solution for each of these applications, search the [Azure Marketplace](https://azuremarketplace.microsoft.com/) for the **Product Type** > **Solution Templates** or review the solution from the **Content hub** in Microsoft Sentinel.

+> [!IMPORTANT]

+> - The **Custom Logs via AMA** data connector is currently in PREVIEW. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+>

+> - [!INCLUDE [unified-soc-preview-without-alert](includes/unified-soc-preview-without-alert.md)]

+## General instructions

+The steps for collecting logs from machines hosting applications and appliances follow a general pattern:

+1. Create the destination table in Log Analytics (or Advanced Hunting if you're in the Defender portal).

+1. Create the data collection rule (DCR) for your application or appliance.

+1. Deploy the Azure Monitor Agent to the machine hosting the application, or to the external server (log forwarder) that collects logs from appliances if it's not already deployed.

+1. Configure logging on your application. If an appliance, configure it to send its logs to the external server (log forwarder) where the Azure Monitor Agent is installed.

+These general steps (except for the last one) are automated when you use the **Custom Logs via AMA** data connector, and are described in detail in [Collect logs from text files with the Azure Monitor Agent and ingest to Microsoft Sentinel](connect-custom-logs-ama.md).

+## Specific instructions per application type

+The per-application information you need to complete these steps is presented in the rest of this article. Some of these applications are on self-contained appliances and require a different type of configuration, starting with the use of a log forwarder.

+Each application section contains the following information:

+- Unique parameters to supply to the configuration of the **Custom Logs via AMA** data connector, if you're using it.

+- The outline of the procedure required to ingest data manually, without using the connector. For the details of this procedure, see [Collect logs from text files with the Azure Monitor Agent and ingest to Microsoft Sentinel](connect-custom-logs-ama.md).

+- Specific instructions for configuring the originating applications or devices themselves, and/or links to the instructions on the providers' web sites. These steps must be taken whether using the connector or not.

+**The following devices' instructions are provided here:**

+- [Apache HTTP Server](#apache-http-server)

+- [Apache Tomcat](#apache-tomcat)

+- [Cisco Meraki](#cisco-meraki) (appliance)

+- [Jboss Enterprise Application Platform](#jboss-enterprise-application-platform)

+- [JuniperIDP](#juniperidp) (appliance)

+- [MarkLogic Audit](#marklogic-audit)

+- [MongoDB Audit](#mongodb-audit)

+- [NGINX HTTP Server](#nginx-http-server)

+- [Oracle WebLogic Server](#oracle-weblogic-server)

+- [PostgreSQL Events](#postgresql-events)

+- [SecurityBridge Threat Detection for SAP](#securitybridge-threat-detection-for-sap)

+- [SquidProxy](#squidproxy)

+- [Ubiquiti UniFi](#ubiquiti-unifi) (appliance)

+- [VMware vCenter](#vmware-vcenter) (appliance)

+- [Zscaler Private Access (ZPA)](#zscaler-private-access-zpa) (appliance)

+### Apache HTTP Server

+Follow these steps to ingest log messages from Apache HTTP Server:

+1. Table name: `ApacheHTTPServer_CL`

+1. Log storage location: Logs are stored as text files on the application's host machine. Install the AMA on the same machine to collect the files.

+ Default file locations ("filePatterns"):

+ - Windows: `"C:\Server\bin\log\Apache24\logs\*.log"`

+ - Linux: `"/var/log/httpd/*.log"`

+1. Create the DCR according to the directions in [Collect logs from text files with the Azure Monitor Agent and ingest to Microsoft Sentinel](connect-custom-logs-ama.md#configure-the-data-connector).

+ Replace the {TABLE_NAME} and {LOCAL_PATH_FILE} placeholders in the [DCR template](connect-custom-logs-ama.md?tabs=arm#create-the-data-collection-rule) with the values in steps 1 and 2. Replace the other placeholders as directed.

+[Back to list](#specific-instructions-per-application-type) | [Back to top](#custom-logs-via-ama-data-connectorconfigure-data-ingestion-to-microsoft-sentinel-from-specific-applications)

+### Apache Tomcat

+Follow these steps to ingest log messages from Apache Tomcat:

+1. Table name: `Tomcat_CL`

+1. Log storage location: Logs are stored as text files on the application's host machine. Install the AMA on the same machine to collect the files.

+ Default file locations ("filePatterns"):

+ - Linux: `"/var/log/tomcat/*.log"`

+1. Create the DCR according to the directions in [Collect logs from text files with the Azure Monitor Agent and ingest to Microsoft Sentinel](connect-custom-logs-ama.md#configure-the-data-connector).

+ Replace the {TABLE_NAME} and {LOCAL_PATH_FILE} placeholders in the [DCR template](connect-custom-logs-ama.md?tabs=arm#create-the-data-collection-rule) with the values in steps 1 and 2. Replace the other placeholders as directed.

+[Back to list](#specific-instructions-per-application-type) | [Back to top](#custom-logs-via-ama-data-connectorconfigure-data-ingestion-to-microsoft-sentinel-from-specific-applications)

+### Cisco Meraki

+Follow these steps to ingest log messages from Cisco Meraki:

+1. Table name: `meraki_CL`

+1. Log storage location: Create a log file on your external syslog server. Grant the syslog daemon write permissions to the file. Install the AMA on the external syslog server if it's not already installed. Enter this filename and path in the **File pattern** field in the connector, or in place of the `{LOCAL_PATH_FILE}` placeholder in the DCR.

+1. Configure the syslog daemon to export its Meraki log messages to a temporary text file so the AMA can collect them.

+ # [rsyslog](#tab/rsyslog)

+ 1. Create a custom configuration file for the rsyslog daemon and save it to `/etc/rsyslog.d/10-meraki.conf`. Add the following filtering conditions to this configuration file:

+ ```bash

+ if $rawmsg contains "flows" then {

+ action(type="omfile" file="<LOG_FILE_Name>")

+ stop

+ }

+ if $rawmsg contains "urls" then {

+ action(type="omfile" file="<LOG_FILE_Name>")

+ stop

+ }

+ if $rawmsg contains "ids-alerts" then {

+ action(type="omfile" file="<LOG_FILE_Name>")

+ stop

+ }

+ if $rawmsg contains "events" then {

+ action(type="omfile" file="<LOG_FILE_Name>")

+ stop

+ }

+ if $rawmsg contains "ip_flow_start" then {

+ action(type="omfile" file="<LOG_FILE_Name>")

+ stop

+ }

+ if $rawmsg contains "ip_flow_end" then {

+ action(type="omfile" file="<LOG_FILE_Name>")

+ stop

+ }

+ ```

+ (Replace `<LOG_FILE_Name>` with the name of the log file you created.)

+ To learn more about filtering conditions for rsyslog, see [rsyslog: Filter conditions](https://rsyslog.readthedocs.io/en/latest/configuration/filters.html). We recommend testing and modifying the configuration based on your specific installation.

+ 1. Restart rsyslog. The typical command syntax is `systemctl restart rsyslog`.

+ # [syslog-ng](#tab/syslog-ng)

+ 1. Edit the config file `/etc/syslog-ng/conf.d`, adding the following conditions:

+

+ ```bash

+ filter f_meraki {

+ message("flows") or message("urls") or message("ids-alerts") or message("events") or message("ip_flow_start") or message("ip_flow_end");

+ };

+

+ destination d_meraki {

+ file("<LOG_FILE_NAME>");

+ };

+ log {

+ source(s_src);

+ filter(f_meraki);

+ destination(d_meraki);

+ flags(final); #Ensures that once a message matches the filter and is written to the specified destination, it will not be processed by subsequent log statements

+ };

+ ```

+ (Replace `<LOG_FILE_NAME>` with the name of the log file you created.)

+ 1. Restart syslog-ng. The typical command syntax is `systemctl restart syslog-ng`.

+

+1. Create the DCR according to the directions in [Collect logs from text files with the Azure Monitor Agent and ingest to Microsoft Sentinel](connect-custom-logs-ama.md#configure-the-data-connector).

+ - Replace the column name `"RawData"` with the column name `"Message"`.

+ - Replace the transformKql value `"source"` with the value `"sourceΓÇ»| project-rename Message=RawData"`.

+ - Replace the `{TABLE_NAME}` and `{LOCAL_PATH_FILE}` placeholders in the [DCR template](connect-custom-logs-ama.md?tabs=arm#create-the-data-collection-rule) with the values in steps 1 and 2. Replace the other placeholders as directed.

+1. Configure the machine where the Azure Monitor Agent is installed to open the syslog ports, and configure the syslog daemon there to accept messages from external sources. For detailed instructions and a script to automate this configuration, see [Configure the log forwarder to accept logs](connect-custom-logs-ama.md#configure-the-log-forwarder-to-accept-logs).

+1. Configure and connect the Cisco Meraki device(s): follow the [instructions provided by Cisco](https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Meraki_Device_Reporting_-_Syslog%2C_SNMP%2C_and_API) for sending syslog messages. Use the IP address or hostname of the virtual machine where the Azure Monitor Agent is installed.

+[Back to list](#specific-instructions-per-application-type) | [Back to top](#custom-logs-via-ama-data-connectorconfigure-data-ingestion-to-microsoft-sentinel-from-specific-applications)

+### JBoss Enterprise Application Platform

+Follow these steps to ingest log messages from JBoss Enterprise Application Platform:

+1. Table name: `JBossLogs_CL`

+1. Log storage location: Logs are stored as text files on the application's host machine. Install the AMA on the same machine to collect the files.

+ Default file locations ("filePatterns") - Linux only:

+ - Standalone server: `"{EAP_HOME}/standalone/log/server.log"`

+ - Managed domain: `"{EAP_HOME}/domain/servers/{SERVER_NAME}/log/server.log"`

+1. Create the DCR according to the directions in [Collect logs from text files with the Azure Monitor Agent and ingest to Microsoft Sentinel](connect-custom-logs-ama.md#configure-the-data-connector).

+ Replace the {TABLE_NAME} and {LOCAL_PATH_FILE} placeholders in the [DCR template](connect-custom-logs-ama.md?tabs=arm#create-the-data-collection-rule) with the values in steps 1 and 2. Replace the other placeholders as directed.

+[Back to list](#specific-instructions-per-application-type) | [Back to top](#custom-logs-via-ama-data-connectorconfigure-data-ingestion-to-microsoft-sentinel-from-specific-applications)

+### JuniperIDP

+Follow these steps to ingest log messages from JuniperIDP:

+1. Table name: `JuniperIDP_CL`

+1. Log storage location: Create a log file on your external syslog server. Grant the syslog daemon write permissions to the file. Install the AMA on the external syslog server if it's not already installed. Enter this filename and path in the **File pattern** field in the connector, or in place of the `{LOCAL_PATH_FILE}` placeholder in the DCR.

+1. Configure the syslog daemon to export its JuniperIDP log messages to a temporary text file so the AMA can collect them.

+ # [rsyslog](#tab/rsyslog)

+ 1. Create custom configuration file for the rsyslog daemon, in the `/etc/rsyslog.d/` folder, with the following filtering conditions:

+ ```bash

+ # Define a new ruleset

+ ruleset(name="<RULESET_NAME>") {

+ action(type="omfile" file="<LOG_FILE_NAME>")

+ }

+

+ # Set the input on port and bind it to the new ruleset

+ input(type="imudp" port="<PORT>" ruleset="<RULESET_NAME>")

+ ```

+ (Replace `<parameters>` with the actual names of the objects represented. <LOG_FILE_NAME> is the file you created in step 2.)

+ 1. Restart rsyslog. The typical command syntax is `systemctl restart rsyslog`.

+ # [syslog-ng](#tab/syslog-ng)

+ 1. Edit the config file `/etc/syslog-ng/conf.d`, adding the following conditions:

+ ```bash

+ source s_network {

+ network (

+ ip(ΓÇ£0.0.0.0ΓÇ¥)

+ port(<PORT>)

+ );

+ };

+ destination d_file {

+ file(ΓÇ£<LOG_FILE_NAME>ΓÇ¥);

+ };

+ log {

+ source(s_network);

+ destination(d_file);

+ };

+ ```

+ (Replace `<LOG_FILE_NAME>` with the name of the log file you created.)

+ 1. Restart syslog-ng. The typical command syntax is `systemctl restart syslog-ng`.

+

+1. Create the DCR according to the directions in [Collect logs from text files with the Azure Monitor Agent and ingest to Microsoft Sentinel](connect-custom-logs-ama.md#configure-the-data-connector).

+ - Replace the column name `"RawData"` with the column name `"Message"`.

+ - Replace the `{TABLE_NAME}` and `{LOCAL_PATH_FILE}` placeholders in the [DCR template](connect-custom-logs-ama.md?tabs=arm#create-the-data-collection-rule) with the values in steps 1 and 2. Replace the other placeholders as directed.

+ - Replace the transformKql value `"source"` with the following Kusto query (enclosed in double quotes):

+ ```kusto

+ source | parse RawData with tmp_time " " host_s " " ident_s " " tmp_pid " " msgid_s " " extradata | extend dvc_os_s = extract("\\[(junos\\S+)", 1, extradata) | extend event_end_time_s = extract(".*epoch-time=\"(\\S+)\"", 1, extradata) | extend message_type_s = extract(".*message-type=\"(\\S+)\"", 1, extradata) | extend source_address_s = extract(".*source-address=\"(\\S+)\"", 1, extradata) | extend destination_address_s = extract(".*destination-address=\"(\\S+)\"", 1, extradata) | extend destination_port_s = extract(".*destination-port=\"(\\S+)\"", 1, extradata) | extend protocol_name_s = extract(".*protocol-name=\"(\\S+)\"", 1, extradata) | extend service_name_s = extract(".*service-name=\"(\\S+)\"", 1, extradata) | extend application_name_s = extract(".*application-name=\"(\\S+)\"", 1, extradata) | extend rule_name_s = extract(".*rule-name=\"(\\S+)\"", 1, extradata) | extend rulebase_name_s = extract(".*rulebase-name=\"(\\S+)\"", 1, extradata) | extend policy_name_s = extract(".*policy-name=\"(\\S+)\"", 1, extradata) | extend export_id_s = extract(".*export-id=\"(\\S+)\"", 1, extradata) | extend repeat_count_s = extract(".*repeat-count=\"(\\S+)\"", 1, extradata) | extend action_s = extract(".*action=\"(\\S+)\"", 1, extradata) | extend threat_severity_s = extract(".*threat-severity=\"(\\S+)\"", 1, extradata) | extend attack_name_s = extract(".*attack-name=\"(\\S+)\"", 1, extradata) | extend nat_source_address_s = extract(".*nat-source-address=\"(\\S+)\"", 1, extradata) | extend nat_source_port_s = extract(".*nat-source-port=\"(\\S+)\"", 1, extradata) | extend nat_destination_address_s = extract(".*nat-destination-address=\"(\\S+)\"", 1, extradata) | extend nat_destination_port_s = extract(".*nat-destination-port=\"(\\S+)\"", 1, extradata) | extend elapsed_time_s = extract(".*elapsed-time=\"(\\S+)\"", 1, extradata) | extend inbound_bytes_s = extract(".*inbound-bytes=\"(\\S+)\"", 1, extradata) | extend outbound_bytes_s = extract(".*outbound-bytes=\"(\\S+)\"", 1, extradata) | extend inbound_packets_s = extract(".*inbound-packets=\"(\\S+)\"", 1, extradata) | extend outbound_packets_s = extract(".*outbound-packets=\"(\\S+)\"", 1, extradata) | extend source_zone_name_s = extract(".*source-zone-name=\"(\\S+)\"", 1, extradata) | extend source_interface_name_s = extract(".*source-interface-name=\"(\\S+)\"", 1, extradata) | extend destination_zone_name_s = extract(".*destination-zone-name=\"(\\S+)\"", 1, extradata) | extend destination_interface_name_s = extract(".*destination-interface-name=\"(\\S+)\"", 1, extradata) | extend packet_log_id_s = extract(".*packet-log-id=\"(\\S+)\"", 1, extradata) | extend alert_s = extract(".*alert=\"(\\S+)\"", 1, extradata) | extend username_s = extract(".*username=\"(\\S+)\"", 1, extradata) | extend roles_s = extract(".*roles=\"(\\S+)\"", 1, extradata) | extend msg_s = extract(".*message=\"(\\S+)\"", 1, extradata) | project-away RawData

+ ```

+1. Configure the machine where the Azure Monitor Agent is installed to open the syslog ports, and configure the syslog daemon there to accept messages from external sources. For detailed instructions and a script to automate this configuration, see [Configure the log forwarder to accept logs](connect-custom-logs-ama.md#configure-the-log-forwarder-to-accept-logs).

+1. For the instructions to configure the Juniper IDP appliance to send syslog messages to an external server, see [SRX Getting Started - Configure System Logging.](https://supportportal.juniper.net/s/article/SRX-Getting-Started-Configure-System-Logging).

+[Back to list](#specific-instructions-per-application-type) | [Back to top](#custom-logs-via-ama-data-connectorconfigure-data-ingestion-to-microsoft-sentinel-from-specific-applications)

+### MarkLogic Audit

+Follow these steps to ingest log messages from MarkLogic Audit:

+1. Table name: `MarkLogicAudit_CL`

+1. Log storage location: Logs are stored as text files on the application's host machine. Install the AMA on the same machine to collect the files.

+ Default file locations ("filePatterns"):

+ - Windows: `"C:\Program Files\MarkLogic\Data\Logs\AuditLog.txt"`

+ - Linux: `"/var/opt/MarkLogic/Logs/AuditLog.txt"`

+1. Create the DCR according to the directions in [Collect logs from text files with the Azure Monitor Agent and ingest to Microsoft Sentinel](connect-custom-logs-ama.md#configure-the-data-connector).

+ Replace the {TABLE_NAME} and {LOCAL_PATH_FILE} placeholders in the [DCR template](connect-custom-logs-ama.md?tabs=arm#create-the-data-collection-rule) with the values in steps 1 and 2. Replace the other placeholders as directed.

+1. Configure MarkLogic Audit to enable it to write logs: (from MarkLogic documentation)

+ 1. Using your browser, navigate to MarkLogic Admin interface.

+ 1. Open the Audit Configuration screen under Groups > group_name > Auditing.

+ 1. Mark the Audit Enabled radio button. Make sure it is enabled.

+ 1. Configure audit event and/or restrictions desired.

+ 1. Validate by selecting OK.

+ 1. Refer to MarkLogic documentation for [more details and configuration options](https://docs.marklogic.com/guide/admin/auditing).

+[Back to list](#specific-instructions-per-application-type) | [Back to top](#custom-logs-via-ama-data-connectorconfigure-data-ingestion-to-microsoft-sentinel-from-specific-applications)

+### MongoDB Audit

+Follow these steps to ingest log messages from MongoDB Audit:

+1. Table name: `MongoDBAudit_CL`

+1. Log storage location: Logs are stored as text files on the application's host machine. Install the AMA on the same machine to collect the files.

+ Default file locations ("filePatterns"):

+ - Windows: `"C:\data\db\auditlog.json"`

+ - Linux: `"/data/db/auditlog.json"`

+1. Create the DCR according to the directions in [Collect logs from text files with the Azure Monitor Agent and ingest to Microsoft Sentinel](connect-custom-logs-ama.md#configure-the-data-connector).

+ Replace the {TABLE_NAME} and {LOCAL_PATH_FILE} placeholders in the [DCR template](connect-custom-logs-ama.md?tabs=arm#create-the-data-collection-rule) with the values in steps 1 and 2. Replace the other placeholders as directed.

+1. Configure MongoDB to write logs:

+ 1. For Windows, edit the configuration file `mongod.cfg`. For Linux, `mongod.conf`.

+ 1. Set the `dbpath` parameter to `data/db`.

+ 1. Set the `path` parameter to `/data/db/auditlog.json`.

+ 1. Refer to MongoDB documentation for [more parameters and details](https://www.mongodb.com/docs/manual/tutorial/configure-auditing/).

+[Back to list](#specific-instructions-per-application-type) | [Back to top](#custom-logs-via-ama-data-connectorconfigure-data-ingestion-to-microsoft-sentinel-from-specific-applications)

+### NGINX HTTP Server

+Follow these steps to ingest log messages from NGINX HTTP Server:

+1. Table name: `NGINX_CL`

+1. Log storage location: Logs are stored as text files on the application's host machine. Install the AMA on the same machine to collect the files.

+ Default file locations ("filePatterns"):

+ - Linux: `"/var/log/nginx.log"`

+1. Create the DCR according to the directions in [Collect logs from text files with the Azure Monitor Agent and ingest to Microsoft Sentinel](connect-custom-logs-ama.md#configure-the-data-connector).

+ Replace the {TABLE_NAME} and {LOCAL_PATH_FILE} placeholders in the [DCR template](connect-custom-logs-ama.md?tabs=arm#create-the-data-collection-rule) with the values in steps 1 and 2. Replace the other placeholders as directed.

+[Back to list](#specific-instructions-per-application-type) | [Back to top](#custom-logs-via-ama-data-connectorconfigure-data-ingestion-to-microsoft-sentinel-from-specific-applications)

+### Oracle WebLogic Server

+Follow these steps to ingest log messages from Oracle WebLogic Server:

+1. Table name: `OracleWebLogicServer_CL`

+1. Log storage location: Logs are stored as text files on the application's host machine. Install the AMA on the same machine to collect the files.

+ Default file locations ("filePatterns"):

+ - Windows: `"{DOMAIN_NAME}\Servers\{SERVER_NAME}\logs*.log"`

+ - Linux: `"{DOMAIN_HOME}/servers/{SERVER_NAME}/logs/*.log"`

+1. Create the DCR according to the directions in [Collect logs from text files with the Azure Monitor Agent and ingest to Microsoft Sentinel](connect-custom-logs-ama.md#configure-the-data-connector).

+ Replace the {TABLE_NAME} and {LOCAL_PATH_FILE} placeholders in the [DCR template](connect-custom-logs-ama.md?tabs=arm#create-the-data-collection-rule) with the values in steps 1 and 2. Replace the other placeholders as directed.

+[Back to list](#specific-instructions-per-application-type) | [Back to top](#custom-logs-via-ama-data-connectorconfigure-data-ingestion-to-microsoft-sentinel-from-specific-applications)

+### PostgreSQL Events

+Follow these steps to ingest log messages from PostgreSQL Events:

+1. Table name: `PostgreSQL_CL`

+1. Log storage location: Logs are stored as text files on the application's host machine. Install the AMA on the same machine to collect the files.

+ Default file locations ("filePatterns"):

+ - Windows: `"C:\*.log"`

+ - Linux: `"/var/log/*.log"`

+1. Create the DCR according to the directions in [Collect logs from text files with the Azure Monitor Agent and ingest to Microsoft Sentinel](connect-custom-logs-ama.md#configure-the-data-connector).

+ Replace the {TABLE_NAME} and {LOCAL_PATH_FILE} placeholders in the [DCR template](connect-custom-logs-ama.md?tabs=arm#create-the-data-collection-rule) with the values in steps 1 and 2. Replace the other placeholders as directed.

+1. Edit the PostgreSQL Events configuration file `postgresql.conf` to output logs to files.

+ 1. Set `log_destination='stderr'`

+ 1. Set `logging_collector=on`

+ 1. Refer to PostgreSQL documentation for [more parameters and details](https://www.postgresql.org/docs/current/runtime-config-logging.html).

+[Back to list](#specific-instructions-per-application-type) | [Back to top](#custom-logs-via-ama-data-connectorconfigure-data-ingestion-to-microsoft-sentinel-from-specific-applications)

+### SecurityBridge Threat Detection for SAP

+Follow these steps to ingest log messages from SecurityBridge Threat Detection for SAP:

+1. Table name: `SecurityBridgeLogs_CL`

+1. Log storage location: Logs are stored as text files on the application's host machine. Install the AMA on the same machine to collect the files.

+ Default file locations ("filePatterns"):

+ - Linux: `"/usr/sap/tmp/sb_events/*.cef"`

+1. Create the DCR according to the directions in [Collect logs from text files with the Azure Monitor Agent and ingest to Microsoft Sentinel](connect-custom-logs-ama.md#configure-the-data-connector).

+ Replace the {TABLE_NAME} and {LOCAL_PATH_FILE} placeholders in the [DCR template](connect-custom-logs-ama.md?tabs=arm#create-the-data-collection-rule) with the values in steps 1 and 2. Replace the other placeholders as directed.

+[Back to list](#specific-instructions-per-application-type) | [Back to top](#custom-logs-via-ama-data-connectorconfigure-data-ingestion-to-microsoft-sentinel-from-specific-applications)

+### SquidProxy

+Follow these steps to ingest log messages from SquidProxy:

+1. Table name: `SquidProxy_CL`

+1. Log storage location: Logs are stored as text files on the application's host machine. Install the AMA on the same machine to collect the files.

+ Default file locations ("filePatterns"):

+ - Windows: `"C:\Squid\var\log\squid\*.log"`

+ - Linux: `"/var/log/squid/*.log"`

+1. Create the DCR according to the directions in [Collect logs from text files with the Azure Monitor Agent and ingest to Microsoft Sentinel](connect-custom-logs-ama.md#configure-the-data-connector).

+ Replace the {TABLE_NAME} and {LOCAL_PATH_FILE} placeholders in the [DCR template](connect-custom-logs-ama.md?tabs=arm#create-the-data-collection-rule) with the values in steps 1 and 2. Replace the other placeholders as directed.

+[Back to list](#specific-instructions-per-application-type) | [Back to top](#custom-logs-via-ama-data-connectorconfigure-data-ingestion-to-microsoft-sentinel-from-specific-applications)

+### Ubiquiti UniFi

+Follow these steps to ingest log messages from Ubiquiti UniFi:

+1. Table name: `Ubiquiti_CL`

+1. Log storage location: Create a log file on your external syslog server. Grant the syslog daemon write permissions to the file. Install the AMA on the external syslog server if it's not already installed. Enter this filename and path in the **File pattern** field in the connector, or in place of the `{LOCAL_PATH_FILE}` placeholder in the DCR.

+1. Configure the syslog daemon to export its Ubiquiti log messages to a temporary text file so the AMA can collect them.

+ # [rsyslog](#tab/rsyslog)

+ 1. Create custom configuration file for the rsyslog daemon, in the `/etc/rsyslog.d/` folder, with the following filtering conditions:

+ ```bash

+ # Define a new ruleset

+ ruleset(name="<RULESET_NAME>") {

+ action(type="omfile" file="<LOG_FILE_NAME>")

+ }

+

+ # Set the input on port and bind it to the new ruleset

+ input(type="imudp" port="<PORT>" ruleset="<RULESET_NAME>")

+ ```

+ (Replace `<parameters>` with the actual names of the objects represented. <LOG_FILE_NAME> is the file you created in step 2.)

+ 1. Restart rsyslog. The typical command syntax is `systemctl restart rsyslog`.

+ # [syslog-ng](#tab/syslog-ng)

+ 1. Edit the config file `/etc/syslog-ng/conf.d`, adding the following conditions:

+ ```bash

+ source s_network {

+ network (

+ ip(ΓÇ£0.0.0.0ΓÇ¥)

+ port(<PORT>)

+ );

+ };

+ destination d_file {

+ file(ΓÇ£<LOG_FILE_NAME>ΓÇ¥);

+ };

+ log {

+ source(s_network);

+ destination(d_file);

+ };

+ ```

+ (Replace `<LOG_FILE_NAME>` with the name of the log file you created.)

+ 1. Restart syslog-ng. The typical command syntax is `systemctl restart syslog-ng`.

+

+1. Create the DCR according to the directions in [Collect logs from text files with the Azure Monitor Agent and ingest to Microsoft Sentinel](connect-custom-logs-ama.md#configure-the-data-connector).

+ - Replace the column name `"RawData"` with the column name `"Message"`.

+ - Replace the transformKql value `"source"` with the value `"sourceΓÇ»| project-rename Message=RawData"`.

+ - Replace the `{TABLE_NAME}` and `{LOCAL_PATH_FILE}` placeholders in the [DCR template](connect-custom-logs-ama.md?tabs=arm#create-the-data-collection-rule) with the values in steps 1 and 2. Replace the other placeholders as directed.

+1. Configure the machine where the Azure Monitor Agent is installed to open the syslog ports, and configure the syslog daemon there to accept messages from external sources. For detailed instructions and a script to automate this configuration, see [Configure the log forwarder to accept logs](connect-custom-logs-ama.md#configure-the-log-forwarder-to-accept-logs).

+1. Configure and connect the Ubiquiti controller.

+ 1. Follow the [instructions provided by Ubiquiti](https://help.ui.com/hc/en-us/categories/6583256751383) to enable syslog and optionally debugging logs.

+ 1. Select Settings > System Settings > Controller Configuration > Remote Logging and enable syslog.

+[Back to list](#specific-instructions-per-application-type) | [Back to top](#custom-logs-via-ama-data-connectorconfigure-data-ingestion-to-microsoft-sentinel-from-specific-applications)

+### VMware vCenter

+Follow these steps to ingest log messages from VMware vCenter:

+1. Table name: `vcenter_CL`

+1. Log storage location: Create a log file on your external syslog server. Grant the syslog daemon write permissions to the file. Install the AMA on the external syslog server if it's not already installed. Enter this filename and path in the **File pattern** field in the connector, or in place of the `{LOCAL_PATH_FILE}` placeholder in the DCR.

+1. Configure the syslog daemon to export its vCenter log messages to a temporary text file so the AMA can collect them.

+ # [rsyslog](#tab/rsyslog)

+ 1. Edit the configuration file `/etc/rsyslog.conf` to add the following template line before the *directive* section:

+ `$template vcenter,"%timestamp% %hostname% %msg%\ n"`

+ 1. Create custom configuration file for the rsyslog daemon, saved as `/etc/rsyslog.d/10-vcenter.conf` with the following filtering conditions:

+ ```bash

+ if $rawmsg contains "vpxd" then {

+ action(type="omfile" file="/<LOG_FILE_NAME>")

+ stop

+ }

+ if $rawmsg contains "vcenter-server" then {

+ action(type="omfile" file="/<LOG_FILE_NAME>")

+ stop

+ }

+ ```

+ (Replace `<LOG_FILE_NAME>` with the name of the log file you created.)

+ 1. Restart rsyslog. The typical command syntax is `sudo systemctl restart rsyslog`.

+ # [syslog-ng](#tab/syslog-ng)

+ 1. Edit the config file `/etc/syslog-ng/conf.d`, adding the following filtering conditions:

+

+ ```bash

+ filter f_vcenter {

+ message("vpxd") or message("vcenter-server");

+ };

+

+ destination d_vcenter {

+ file("<LOG_FILE_NAME>");

+ };

+ log {

+ source(s_src);

+ filter(f_vcenter);

+ destination(d_vcenter);

+ flags(final); #Ensures that once a message matches the filter and is written to the specified destination, it will not be processed by subsequent log statements

+ };

+ ```

+ (Replace `<LOG_FILE_NAME>` with the name of the log file you created.)

+ 1. Restart syslog-ng. The typical command syntax is `systemctl restart syslog-ng`.

+

+1. Create the DCR according to the directions in [Collect logs from text files with the Azure Monitor Agent and ingest to Microsoft Sentinel](connect-custom-logs-ama.md#configure-the-data-connector).

+ - Replace the column name `"RawData"` with the column name `"Message"`.

+ - Replace the transformKql value `"source"` with the value `"sourceΓÇ»| project-rename Message=RawData"`.

+ - Replace the `{TABLE_NAME}` and `{LOCAL_PATH_FILE}` placeholders in the [DCR template](connect-custom-logs-ama.md?tabs=arm#create-the-data-collection-rule) with the values in steps 1 and 2. Replace the other placeholders as directed.

+ - dataCollectionEndpointId should be populated with your DCE. If you don't have one, define a new one. See [Create a data collection endpoint](../azure-monitor/essentials/data-collection-endpoint-overview.md#create-a-data-collection-endpoint) for the instructions.

+1. Configure the machine where the Azure Monitor Agent is installed to open the syslog ports, and configure the syslog daemon there to accept messages from external sources. For detailed instructions and a script to automate this configuration, see [Configure the log forwarder to accept logs](connect-custom-logs-ama.md#configure-the-log-forwarder-to-accept-logs).

+1. Configure and connect the vCenter devices.

+ 1. Follow the [instructions provided by VMware](https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.monitoring.doc/GUID-9633A961-A5C3-4658-B099-B81E0512DC21.html) for sending syslog messages.

+ 1. Use the IP address or hostname of the machine where the Azure Monitor Agent is installed.

+[Back to list](#specific-instructions-per-application-type) | [Back to top](#custom-logs-via-ama-data-connectorconfigure-data-ingestion-to-microsoft-sentinel-from-specific-applications)

+### Zscaler Private Access (ZPA)

+Follow these steps to ingest log messages from Zscaler Private Access (ZPA):

+1. Table name: `ZPA_CL`

+1. Log storage location: Create a log file on your external syslog server. Grant the syslog daemon write permissions to the file. Install the AMA on the external syslog server if it's not already installed. Enter this filename and path in the **File pattern** field in the connector, or in place of the `{LOCAL_PATH_FILE}` placeholder in the DCR.

+1. Configure the syslog daemon to export its vCenter log messages to a temporary text file so the AMA can collect them.

+ # [rsyslog](#tab/rsyslog)

+ 1. Create custom configuration file for the rsyslog daemon, in the `/etc/rsyslog.d/` folder, with the following filtering conditions:

+ ```bash

+ # Define a new ruleset

+ ruleset(name="<RULESET_NAME>") {

+ action(type="omfile" file="<LOG_FILE_NAME>")

+ }

+

+ # Set the input on port and bind it to the new ruleset

+ input(type="imudp" port="<PORT>" ruleset="<RULESET_NAME>")

+ ```

+ (Replace `<parameters>` with the actual names of the objects represented.)

+ 1. Restart rsyslog. The typical command syntax is `systemctl restart rsyslog`.

+ # [syslog-ng](#tab/syslog-ng)

+ 1. Edit the config file `/etc/syslog-ng/conf.d`, adding the following conditions:

+ ```bash

+ source s_network {

+ network (

+ ip(ΓÇ£0.0.0.0ΓÇ¥)

+ port(<PORT>)

+ );

+ };

+ destination d_file {

+ file(ΓÇ£<LOG_FILE_NAME>ΓÇ¥);

+ };

+ log {

+ source(s_network);

+ destination(d_file);

+ };

+ ```

+ (Replace `<LOG_FILE_NAME>` with the name of the log file you created.)

+ 1. Restart syslog-ng. The typical command syntax is `systemctl restart syslog-ng`.

+

+1. Create the DCR according to the directions in [Collect logs from text files with the Azure Monitor Agent and ingest to Microsoft Sentinel](connect-custom-logs-ama.md#configure-the-data-connector).

+ - Replace the column name `"RawData"` with the column name `"Message"`.

+ - Replace the transformKql value `"source"` with the value `"sourceΓÇ»| project-rename Message=RawData"`.

+ - Replace the `{TABLE_NAME}` and `{LOCAL_PATH_FILE}` placeholders in the [DCR template](connect-custom-logs-ama.md?tabs=arm#create-the-data-collection-rule) with the values in steps 1 and 2. Replace the other placeholders as directed.

+1. Configure the machine where the Azure Monitor Agent is installed to open the syslog ports, and configure the syslog daemon there to accept messages from external sources. For detailed instructions and a script to automate this configuration, see [Configure the log forwarder to accept logs](connect-custom-logs-ama.md#configure-the-log-forwarder-to-accept-logs).

+1. Configure and connect the ZPA receiver.

+ 1. Follow the [instructions provided by ZPA](https://help.zscaler.com/zpa/configuring-log-receiver). Select JSON as the log template.

+ 1. Select Settings > System Settings > Controller Configuration > Remote Logging and enable syslog.

+[Back to list](#specific-instructions-per-application-type) | [Back to top](#custom-logs-via-ama-data-connectorconfigure-data-ingestion-to-microsoft-sentinel-from-specific-applications)

+## Related content

+- [Ingest syslog and CEF messages to Microsoft Sentinel with the Azure Monitor Agent](connect-cef-syslog-ama.md)

+- [Syslog via AMA and Common Event Format (CEF) via AMA connectors for Microsoft Sentinel](cef-syslog-ama-overview.md)

+- [Unified AMA-based connectors for syslog ingestion](#unified-ama-based-connectors-for-syslog-ingestion)

+- [Better visibility for Windows security events](#better-visibility-for-windows-security-events)

+### Unified AMA-based connectors for syslog ingestion

+With the impending retirement of the Log Analytics Agent, Microsoft Sentinel has consolidated the collection and ingestion of syslog, CEF, and custom-format log messages into three multi-purpose data connectors based on the Azure Monitor Agent (AMA):

+- **Syslog via AMA**, for any device whose logs are ingested into the *Syslog* table in Log Analytics.

+- **Common Event Format (CEF) via AMA**, for any device whose logs are ingested into the *CommonSecurityLog* table in Log Analytics.

+- **New! Custom Logs via AMA (Preview)**, for any of 15 device types, or any unlisted device, whose logs are ingested into custom tables with names ending in *_CL* in Log Analytics.

+These connectors replace nearly all the existing connectors for individual device and appliance types that have existed until now, that were based on either the legacy Log Analytics agent (also known as MMA or OMS) or the current Azure Monitor Agent. The solutions provided in the content hub for all of these devices and appliances now include whichever of these three connectors are appropriate to the solution.* The replaced connectors are now marked as "Deprecated" in the data connector gallery.

+The data ingestion graphs that were previously found in each device's connector page can now be found in device-specific workbooks packaged with each device's solution.

+\* When installing the solution for any of these applications, devices, or appliances, to ensure that the accompanying data connector is installed, you must select **Install with dependencies** on the solution page, and then mark the data connector on the following page.

+For the updated procedures for installing these solutions, see the following articles:

+- [CEF via AMA data connector - Configure specific appliance or device for Microsoft Sentinel data ingestion](unified-connector-cef-device.md)

+- [Syslog via AMA data connector - Configure specific appliance or device for Microsoft Sentinel data ingestion](unified-connector-syslog-device.md)

+- [Custom Logs via AMA data connector - Configure data ingestion to Microsoft Sentinel from specific applications](unified-connector-custom-device.md)

+### Better visibility for Windows security events

+We've enhanced the schema of the *SecurityEvent* table that hosts Windows Security events, and have added new columns to ensure compatibility with the Azure Monitor Agent (AMA) for Windows (version 1.28.2). These enhancements are designed to increase the visibility and transparency of collected Windows events. If you're not interested in receiving data in these fields, you can apply an ingestion-time transformation ("project-away" for example) to drop them.

+|[Install Service Fabric Runtime for Windows](https://download.microsoft.com/download/b/8/a/b8a2fb98-0ec1-41e5-be98-9d8b5abf7856/MicrosoftServiceFabric.10.1.2338.9590.exe) | 10.1.2338.9590 |

+|[Install Service Fabric SDK](https://download.microsoft.com/download/b/8/a/b8a2fb98-0ec1-41e5-be98-9d8b5abf7856/MicrosoftServiceFabricSDK.7.1.2338.msi) | 7.1.2338 |

+| 10.1 CU4<br>10.1.2338.9590 | 9.1 CU6<br>9.1.1851.9590 | 9.0 | Version 7.1 or earlier | .NET 8 **(.NET 8 runtime support is available starting with Cumulative Update 3.0 (CU3) of version 10.1)**, .NET 7, .NET 6 <br> .NET Framework >= 4.6.2 | [See supported OS version](#supported-windows-versions-and-support-end-date) | Current version | [Release notes](https://github.com/microsoft/service-fabric/blob/master/release_notes/Service_Fabric_ReleaseNotes_101CU3.md) |

+| 10.1 CU4<br>10.1.2306.1 | 9.1 CU6<br>9.1.1642.1 | 9.0 | Version 7.1 or earlier | .NET 8 **(.NET 8 runtime support is available starting with Cumulative Update 3.0 (CU3) of version 10.1)**, .NET 7, .NET 6 | [See supported OS version](#supported-linux-versions-and-support-end-date) | Current version | [Release notes](https://github.com/microsoft/service-fabric/blob/master/release_notes/Service_Fabric_ReleaseNotes_101CU3.md) |

+| 10.1 CU4 | 10.1.2338.9590 | 10.1.2306.1 |

+| 10.0 CU5 | 10.0.2604.9590 | 10.0.2497.1 |

+| 9.1 CU11 | 9.1.2718.9590 | 9.1.2498.1 |

+# As a JavaScript developer, I want to know how to upload files to blob storage within an application, so that I can adopt this functionality into my own solution.

+> This tutorial is meant for quick adoption and as such it doesn't follow secure-by-default requirements. To understand more about this scenario with a secure-by-default goal, go to [Security considerations](#security-considerations).

+## Security considerations

+This solution, as a beginner tutorial, doesn't demonstrate secure-by-default practices. This is intentional to allow you to be successful in deploying the solution. The next step after that successful deployment is to secure the resources. This solution uses three Azure services, each has its own security features and considerations for secure-by-default configuration:

+* Azure Functions - [Securing Azure Functions](/azure/azure-functions/security-concepts)

+* Azure Storage - [Security recommendations for Blob storage](security-recommendations.md)

+* Azure Cognitive services - [Azure AI services security features](/azure/ai-services/security-features)

+## Related content

+## Output data type mappings

+As the schema of the target table in your SQL database must exactly match the fields and their types in your job's output, you can refer to [Data Types (Azure Stream Analytics)](/stream-analytics-query/data-types-azure-stream-analytics) for detailed type mappings between ASA and SQL.

+> Deprecation and disablement notification for Azure Synapse Runtime for Apache Spark 3.1.

+>* **On August 29, 2024,** partial pools and jobs disablement will begin. We will continue with further, **full disablement by September 30, 2024.** **Immediately** migrate to higher runtime versions otherwise your jobs will stop executing.

+> * **All Spark jobs running on Azure Synapse Runtime for Apache Spark 3.1 will be fully disabled as of** **September 30, 2024.**

+* End of Support for Azure Synapse Runtime for Apache Spark 3.1 announced January 26, 2023.

+ Title: Use multiple Virtual Machine sizes with Instance Mix

+description: Use multiple Virtual Machine sizes in a scale set using Instance Mix. Optimize deployments using allocation strategies.

+# Use multiple Virtual Machine sizes with Instance Mix (Preview)

+> [!IMPORTANT]

+> Instance Mix for Virtual Machine Scale Sets with Flexible Orchestration Mode is currently in preview. Previews are made available to you on the condition that you agree to the [supplemental terms of use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). Some aspects of this feature may change prior to general availability (GA).

+Instance Mix enables you to specify multiple different Virtual Machine (VM) sizes in your Virtual Machine Scale Set with Flexible Orchestration Mode, and an allocation strategy to further optimize your deployments.

+Instance Mix is best suited for workloads that are flexible in compute requirements and can be run on various different sized VMs. Using Instance Mix you can:

+- Deploy a heterogeneous mix of VM sizes in a single scale set. You can view max scale set instance counts in the [documentation](./virtual-machine-scale-sets-orchestration-modes.md#what-has-changed-with-flexible-orchestration-mode).

+- Optimize your deployments for cost or capacity through allocation strategies.

+- Continue to make use of scale set features, like [Spot Priority Mix](./spot-priority-mix.md), [Autoscale](./virtual-machine-scale-sets-autoscale-overview.md), or [Upgrade Policies](./virtual-machine-scale-sets-set-upgrade-policy.md).

+- Spread a heterogeneous mix of VMs across Availability Zones and Fault Domains for high availability and reliability.

+## Enroll in the Preview

+Register for the `FlexVMScaleSetSkuProfileEnabled` feature flag using the [az feature register](/cli/azure/feature#az-feature-register) command:

+```azurecli-interactive

+az feature register --namespace "Microsoft.Compute" --name "FlexVMScaleSetSkuProfileEnabled"

+```

+It takes a few moments for the feature to register. Verify the registration status by using the [az feature show](/cli/azure/feature#az-feature-register) command:

+```azurecli-interactive

+az feature show --namespace "Microsoft.Compute" --name "FlexVMScaleSetSkuProfileEnabled"

+```

+## Changes to existing scale set properties

+### sku.tier

+The `sku.tier` property is currently an optional scale set property and should be set to `null` for Instance Mix scenarios.

+### sku.capacity

+The `sku.capacity` property continues to represent the overall size of the scale set in terms of the total number of VMs.

+### scaleInPolicy

+The optional scale-in property isn't needed for scale set deployments using Instance Mix. During scaling in events, the scale set utilizes the allocation strategy to inform the decision on which VMs should be scaled in. For example, when you use `LowestPrice`, the scale set scales in by removing the more expensive VMs first.

+## New scale set properties

+### skuProfile

+The `skuProfile` property represents the umbrella property for all properties related to Instance Mix, including VM sizes and allocation strategy.

+### vmSizes

+The `vmSizes` property is where you specify the specific VM sizes that you're using as part of your scale set deployment with Instance Mix.

+### allocationStrategy

+Instance Mix introduces the ability to set allocation strategies for your scale set. The `allocationStrategy` property is where you specify which allocation strategy you'd like to use for your Instance Flexible scale set deployments. There are two options for allocation strategies, `lowestPrice` and `capacityOptimized`. Allocation strategies apply to both Spot and Standard VMs.

+#### lowestPrice (default)

+This allocation strategy is focused on workloads where cost and cost-optimization are most important. When evaluating what VM split to use, Azure looks at the lowest priced VMs of the VM sizes specified. Azure also considers capacity as part of this allocation strategy. When using `lowestPrice` allocation strategy, the scale set deploys as many of the lowest priced VMs as it can, depending on available capacity, before moving on to the next lowest priced VM size specified.

+#### capacityOptimized

+This allocation strategy is focused on workloads where attaining capacity is the primary concern. When evaluating what VM size split to deploy in the scale set, Azure looks only at the underlying capacity available. It doesn't take price into account when determining what VMs to deploy. Using `capacityOptimized` can result in the scale set deploying the most expensive, but most readily available VMs.

+## Cost

+Following the scale set cost model, usage of Instance Mix is free. You continue to only pay for the underlying resources, like the VM, disk, and networking.

+## Limitations

+- Instance Mix is currently available in the following regions: West US, West US2, East US, and East US2.

+- Instance Mix is only available for scale sets using Flexible Orchestration Mode.

+- Instance Mix is currently only available through ARM template.

+- You must have quota for the VM sizes you're requesting with Instance Mix.

+- You can specify **up to** five VM sizes with Instance Mix at this time.

+- Existing scale sets can't be updated to use Instance Mix.

+- VM sizes can't be changed once the scale set is deployed.

+- For REST API deployments, you must have an existing virtual network inside of the resource group that you're deploying your scale set with Instance Mix in.

+## Deploy a scale set using Instance Mix

+The following example can be used to deploy a scale set using Instance Mix:

+### [REST API](#tab/arm-1)

+To deploy an Instance Flexible scale set through REST API, use a `PUT` call to and include the following sections in your request body:

+```json

+PUT https://management.azure.com/subscriptions/{YourSubscriptionId}/resourceGroups/{YourResourceGroupName}/providers/Microsoft.Compute/virtualMachineScaleSets/{youScaleSetName}?api-version=2023-09-01

+```

+In the request body, ensure `sku.name` is set to Mix:

+```json

+ "sku": {

+ "name": "Mix",

+ "capacity": {TotalNumberVms}

+ },

+```

+Ensure you reference your existing subnet:

+```json

+"subnet": {

+ "id": "/subscriptions/{YourSubscriptionId}/resourceGroups/{YourResourceGroupName}/providers/Microsoft.Network/virtualNetworks/{YourVnetName}/subnets/default"

+},

+```

+Lastly, be sure to specify the `skuProfile` with **up to five** VM sizes. This sample uses three:

+```json

+ "skuProfile": {

+ "vmSizes": [

+ {

+ "name": "Standard_D8s_v5"

+ },

+ {

+ "name": "Standard_E16s_v5"

+ },

+ {

+ "name": "Standard_D2s_v5"

+ }

+ ],

+ "allocationStrategy": "lowestPrice"

+ },

+```

+## Troubleshooting

+| Error Code | Error Message | Troubleshooting options |

+|--|-|-|

+| SkuProfileAllocationStrategyInvalid | Sku ProfileΓÇÖs Allocation Strategy is invalid. | Ensure that you're using either `CapacityOptimized` or `LowestPrice` as the `allocationStrategy` |

+| SkuProfileVMSizesCannotBeNullOrEmpty | Sku Profile VM Sizes cannot be null or empty. Please provide a valid list of VM Sizes and retry. | Provide at least one VM size in the `skuProfile`. |

+| SkuProfileHasTooManyVMSizesInRequest | Too many VM Sizes were specified in the request. Please provide no more than 5 VM Sizes. | At this time, you can specify up to five VM sizes with Instance Mix. |

+| SkuProfileVMSizesCannotHaveDuplicates | Sku Profile contains duplicate VM Size: {duplicateVmSize}. Please remove any duplicates and retry. | Check the VM SKUs listed in the `skuProfile` and remove the duplicate VM size. |

+| SkuProfileUpdateNotAllowed | Virtual Machine Scale Sets with Sku Profile property cannot be updated. | At this time, you can't update the `skuProfile` of a scale set using Instance Mix. |

+| SkuProfileScenarioNotSupported | {propertyName} is not supported on Virtual Machine Scale Sets with Sku Profile | Instance Mix doesnΓÇÖt support certain scenarios today, like Azure Dedicated Host (`properties.hostGroup`), Capacity Reservations (`properties.virtualMachineProfile.capacityReservation`), and StandbyPools (`properties.standbyPoolProfile`). Adjust the template to ensure youΓÇÖre not using unsupported properties. |

+| SkuNameMustBeMixIfSkuProfileIsSpecified | Sku name is {skuNameValue}. Virtual Machine Scale Sets with Sku Profile must have the Sku name property set to "Mix" | Ensure that the `sku.name property` is set to `"Mix"`. |

+| SkuTierMustNotBeSetIfSkuProfileIsSpecified | Sku tier is {skuTierValue}. Virtual Machine Scale Sets with Sku Profile must not have the Sku tier property set. | `sku.tier` is an optional property for scale sets. With Instance Mix, `sku.tier` must be set to `null` or not specified. |

+| InvalidParameter | The value of parameter skuProfile is invalid. | Your subscription isn't registered for the Instance Mix feature. Follow the enrollment instructions to register for the Preview. |

+| FleetRPInternalError | An unexpected error occurred while computing the desired sku split. | Instance Mix isn't supported in this region yet. Deploy only in supported regions. |

+## FAQs

+### Can I use Spot and Standard VMs with Instance Mix?

+Yes, you can use both Spot and Standard VMs in your scale set deployments using Instance Mix. To do so, use [Spot Priority Mix](./spot-priority-mix.md) to define a percentage split of Spot and Standard VMs.

+### My region doesn't support Instance Mix today. Will it support Instance Mix in the future?

+Instance Mix is rolling out to all Azure regions during Public Preview. Instance Mix is currently available in the following regions: West US, West US2, East US, and East US2.

+- In an Update Domain, no more than 20% of the VMs within an availability set will be updated at a time. For availability sets with less than 10 VMs, VMs update one at a time within an Update Domain.

+After you create a virtual machine (VM), you can scale the VM up or down by changing the VM size. In some cases, you must deallocate the VM first. Deallocation may be necessary if the new size isn't available on the same hardware cluster that is currently hosting the VM. It is important to understand that even when deallocation is not necessary, if the virtual machine is currently running, changing its size will cause it to restart. For this reason you should consider changing VM size as a disruptive procedure, especially for stateful workloads that are hosted on the VM.

+* Azure Load Balancers (public)

+>[!Important]

+>On September 30, 2025, Basic SKU public IPs will be retired. For more information, see the [official announcement](https://azure.microsoft.com/updates/upgrade-to-standard-sku-public-ip-addresses-in-azure-by-30-september-2025-basic-sku-will-be-retired/). If you are currently using Basic SKU public IPs, make sure to upgrade to Standard SKU public IPs prior to the retirement date. For guidance on upgrading, visit [Upgrading a basic public IP address to Standard SKU - Guidance](public-ip-basic-upgrade-guidance.md).

+Public IP addresses are created with a SKU of **Standard** or **Basic**. The SKU determines their functionality including allocation method, feature support, and resources they can be associated with.

+Full details are listed in the table below:

+Virtual machines attached to a backend pool do not need a public IP address to be attached to a public load balancer. But if they do, matching SKUs are required for load balancer and public IP resources. You can't have a mixture of basic SKU resources and standard SKU resources. You can't attach standalone virtual machines, virtual machines in an availability set resource, or a virtual machine scale set resources to both SKUs simultaneously. New designs should consider using Standard SKU resources. For more information about a standard load balancer, see [Standard Load Balancer](../../load-balancer/load-balancer-overview.md?toc=%2fazure%2fvirtual-network%2ftoc.json).

+- **Dynamic** - The IP address **isn't** given to the resource at the time of creation when selecting dynamic. The IP is assigned when you associate the public IP address with a resource. The IP address is released when you stop, or delete the resource. Dynamic public IP addresses are commonly used for when there's no dependency on the IP address. For example, a public IP resource is released from a VM upon stop and then start. Any associated IP address is released if the allocation method is **dynamic**. If you don't want the IP address to change, set the allocation method to **static** to ensure the IP address remains the same.

+

+- **Static** - The resource is assigned an IP address at the time it's created. The IP address is released when the resource is deleted. When you set the allocation method to **static**, you cannot specify the actual IP address assigned to the public IP address resource. Azure assigns the IP address from a pool of available IP addresses in the Azure location the resource is created in.

+Static public IP addresses are commonly used in the following scenarios:

+The fully qualified domain name (FQDN) **contoso.westus.cloudapp.azure.com** resolves to the public IP address of the resource. Each domain name label created must be unique within its Azure location.

+Public IPs also have an optional parameter for **Domain Name Label Scope**, which defines what domain label an object with the same name will use. This feature can help to prevent "dangling DNS names" which can be reused by malicious actors. When this option is chosen, the public IP address' DNS name will have an additional string in between the **domainnamelabel** and **location** fields, e.g. **contoso.fjdng2acavhkevd8.westus.cloudapp.Azure.com**. (This string is a hash generated from input specific to your subscription, resource group, domain name label, and other properties).

+The domain name label scope can only be specified at the creation of a public IP address.

+Standard SKU Public IPs can be created as non-zonal, zonal, or zone-redundant in [regions that support availability zones](../../availability-zones/az-region.md). Basic SKU Public IPs do not have any zones and are created as non-zonal.

+A public IP's availability zone can't be changed after the public IP's creation.

+| Value | Behavior |

+| | |

+| Non-zonal | A non-zonal public IP address is placed into a zone for you by Azure and doesn't give a guarantee of redundancy. |

+| Zonal | A zonal IP is tied to a specific availability zone, and shares fate with the health of the zone. |

+| Zone-redundant | A zone-redundant IP is created in all zones for a region and can survive any single zone failure. |

+In regions without availability zones, all public IP addresses are created as nonzonal. Public IP addresses created in a region that is later upgraded to have availability zones remain non-zonal.

+> [!IMPORTANT]

+> We are updating Standard non-zonal IPs to be zone-redundant by default on a region by region basis. This means that in the following 12 regions, all IPs created (except zonal) are zone-redundant.

+> Region availability: Central Canada, Central Poland, Central Israel, Central France, Central Qatar, East Norway, Italy North, Sweden Central, South Africa North, South Brazil, West Central Germany, West US 2.

+There are other attributes that can be used for a public IP address (Standard SKU only).

+| Metric| Routing | [New Virtual Hub Metrics](monitor-virtual-wan-reference.md#hub-router-metrics)| There are now two additional Virtual WAN hub metrics that display the virtual hub's capacity and spoke VM utilization: **Routing Infrastructure Units** and **Spoke VM Utilization**.| August 2024 | The **Spoke VM Utilization** metric represents an approximate number of deployed spoke VMs as a percentage of the total number of spoke VMs that the hub's routing infrastructure units can support.

+(\*\*) The Basic SKU has certain feature and performance limitations and shouldn't be used for production purposes. Verify that the feature that you need is supported before you use the Basic SKU. The Basic SKU doesn't support IPv6 and can only be configured using PowerShell or Azure CLI. Additionally, the Basic SKU doesn't support RADIUS authentication.

+| **Workload** | **SKUs** |

+| | |

+(\*\*) The Basic SKU has certain feature and performance limitations and shouldn't be used for production purposes. Verify that the feature that you need is supported before you use the Basic SKU. The Basic SKU doesn't support IPv6 and can only be configured using PowerShell or Azure CLI. Additionally, the Basic SKU doesn't support RADIUS authentication.

+For information about working with the legacy gateway SKUs (Standard and High Performance), including SKU deprecation, see [Managing legacy gateway SKUs](vpn-gateway-about-skus-legacy.md).

+> [!IMPORTANT]

+> The Basic SKU has certain feature and performance limitations and shouldn't be used for production purposes. For more information about SKUs, see [About gateway SKUs](about-gateway-skus.md).

+The Basic SKU has certain feature and performance limitations and shouldn't be used for production purposes. Some of the limitations of the Basic SKU are:

+Create a site-to-site VPN connection between your virtual network gateway and your on-premises VPN device. If you're using an active-active mode gateway (recommended), each gateway VM instance has a separate IP address. To properly configure [highly available connectivity](vpn-gateway-highlyavailable.md), you must establish a tunnel between each VM instance and your VPN device. Both tunnels are part of the same connection.

+The following table shows the gateway types and the estimated aggregate throughput by gateway SKU. This table applies to the Resource Manager and classic deployment models.

+Pricing differs between gateway SKUs. For more information, see [VPN Gateway Pricing](https://azure.microsoft.com/pricing/details/vpn-gateway).

+The UltraPerformance gateway SKU isn't represented in this table. For information about the UltraPerformance SKU, see the [ExpressRoute](../expressroute/expressroute-about-virtual-network-gateways.md) documentation.

+| | **VPN Gateway throughput (1)** | **VPN Gateway max IPsec tunnels (2)** | **ExpressRoute Gateway throughput** | **VPN Gateway and ExpressRoute coexist** |

+| | | | | |

+| **Standard SKU (3)(4)** |100 Mbps |10 |1000 Mbps |Yes |

+| **High Performance SKU (3)** |200 Mbps |30 |2000 Mbps |Yes |

+(1) The VPN throughput is a rough estimate based on the measurements between VNets in the same Azure region. It isn't a guaranteed throughput for cross-premises connections across the Internet. It's the maximum possible throughput measurement.

+(2) The number of tunnels refer to RouteBased VPNs. A PolicyBased VPN can only support one Site-to-Site VPN tunnel.

+(3) PolicyBased VPNs aren't supported for this SKU. They're supported for the Basic SKU.

+(4) Active-active S2S VPN Gateway connections aren't supported for this SKU. Active-active is supported on the HighPerformance SKU.

+## <a name="new"></a>What's new in VPN Gateway?

+We're taking action to ensure the continued operation of deployed VPN gateways that use Basic SKU public IP addresses until the retirement of Basic IP in September 2025. Before this retirement, we will provide customers with a migration path from Basic to Standard IP.