+ <InputClaim ClaimTypeReferenceId="copiedEmail" TransformationClaimType="personalizations.0.dynamic_template_data.verify-email" />

+ - **copiedEmail**, transformation claim type **personalizations.0.dynamic_template_data.verify-email**: "someone@example.com"

+&scope=openid%20offline_access%20{application-id-uri}/{scope-name}

+|`extension_loyaltyId` | Custom policy|

+> [!NOTE]

+> When using a custom attribute in custom policies, you must prefix the claim type ID with `extension_` to allow the correct data mapping to take place within the Azure AD B2C directory.

+> [!WARNING]

+> When you define a claims mapping policy for a directory extension attribute, use the `ExtensionID` property instead of the `ID` property within the body of the `ClaimsSchema` array, as shown in the example above.

+The maximum number of redirect URIS can't be raised for [security reasons](#restrictions-on-wildcards-in-redirect-uris). If your scenario requires more redirect URIs than the maximum limit allowed, consider the following [state parameter approach](#use-a-state-parameter) as the solution.

+* [Add an on-premises application for remote access through Application Proxy in Azure Active Directory](../app-proxy/application-proxy-add-on-premises-application.md)

+* [Configure password-based SSO for on-premises applications with Application Proxy](../app-proxy/application-proxy-configure-single-sign-on-password-vaulting.md)

+* [Add an on-premises application for remote access through Application Proxy in Azure AD](../app-proxy/application-proxy-add-on-premises-application.md)

+This article provides guidance to monitor and alert on application events and helps enable you to:

+* [SCIM 2.0 protocol compliance of the Azure AD Provisioning Service](../app-provisioning/application-provisioning-config-problem-scim-compatibility.md)

+ Title: Configure an automatic assignment policy for an access package in Azure AD entitlement management - Azure Active Directory

+description: Learn how to configure automatic assignments based on rules for an access package in Azure Active Directory entitlement management.

+documentationCenter: ''

+editor:

+ na

+#Customer intent: As an administrator, I want detailed information about how I can edit an access package to include a policy for users to get and lose access package assignments automatically, without them or an administrator needing to request access.

+# Configure an automatic assignment policy for an access package in Azure AD entitlement management (Preview)

+You can use rules to determine access package assignment based on user properties in Azure Active Directory (Azure AD), part of Microsoft Entra. In Entitlement Management, an access package can have multiple policies, and each policy establishes how users get an assignment to the access package, and for how long. As an administrator, you can establish a policy for automatic assignments by supplying a membership rule, that Entitlement Management will follow to create and remove assignments automatically. Similar to a [dynamic group](../enterprise-users/groups-create-rule.md), when an automatic assignment policy is created, user attributes are evaluated for matches with the policy's membership rule. When an attribute changes for a user, these automatic assignment policy rules in the access packages are processed for membership changes. Assignments to users are then added or removed depending on whether they meet the rule criteria.

+During this preview, you can have at most one automatic assignment policy in an access package.

+This article describes how to create an access package automatic assignment policy for an existing access package.

+## Create an automatic assignment policy (Preview)

+To create a policy for an access package, you need to start from the access package's policy tab. Follow these steps to create a new policy for an access package.

+**Prerequisite role:** Global administrator, Identity Governance administrator, Catalog owner, or Access package manager

+1. In the Azure portal, click **Azure Active Directory** and then click **Identity Governance**.

+1. In the left menu, click **Access packages** and then open the access package.

+1. Click **Policies** and then **Add auto-assignment policy** to create a new policy.

+1. In the first tab, you'll specify the rule. Click **Edit**.

+1. Provide a dynamic membership rule, using the [membership rule builder](../enterprise-users/groups-dynamic-membership.md) or by clicking **Edit** on the rule syntax text box.

+ > [!NOTE]

+ > The rule builder might not be able to display some rules constructed in the text box. For more information, see [rule builder in the Azure portal](/enterprise-users/groups-create-rule.md#rule-builder-in-the-azure-portal).

+ 

+1. Click **Save** to close the dynamic membership rule editor, then click **Next** to open the **Custom Extensions** tab.

+1. If you have [custom extensions](entitlement-management-logic-apps-integration.md) in your catalog you wish to have run when the policy assigns or removes access, you can add them to this policy. Then click next to open the **Review** tab.

+1. Type a name and a description for the policy.

+ 

+1. Click **Create** to save the policy.

+ > [!NOTE]

+ > In this preview, Entitlement management will automatically create a dynamic security group corresponding to each policy, in order to evaluate the users in scope. This group should not be modified except by Entitlement Management itself. This group may also be modified or deleted automatically by Entitlement Management, so don't use this group for other applications or scenarios.

+1. Azure AD will evaluate the users in the organization that are in scope of this rule, and create assignments for those users who don't already have assignments to the access package. It may take several minutes for the evaluation to occur, or for subsequent updates to user's attributes to be reflected in the access package assignments.

+## Create an automatic assignment policy programmatically (Preview)

+You can also create a policy using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission, or an application in a catalog role or with the `EntitlementManagement.ReadWrite.All` permission, can call the [create an accessPackageAssignmentPolicy](/graph/api/entitlementmanagement-post-assignmentpolicies?tabs=http&view=graph-rest-1.0&preserve-view=true) API. In your [request payload](/graph/api/resources/accesspackageassignmentpolicy?view=graph-rest-1.0&preserve-view=true), include the `displayName`, `description`, `specificAllowedTargets`, [`automaticRequestSettings`](/graph/api/resources/accesspackageautomaticrequestsettings?view=graph-rest-1.0&preserve-view=true) and `accessPackage` properties of the policy.

+## Next steps

+- [View assignments for an access package](entitlement-management-access-package-assignments.md)

+For example, a single policy cannot be used to assign internal and external users to the same access package. However, you can create two policies in the same access package, one for internal users and one for external users. If there are multiple policies that apply to a user to request, they will be prompted at the time of their request to select the policy they would like to be assigned to. The following diagram shows an access package with two policies.

+

+In addition to policies for users to request access, you can also have policies for [automatic assignment](entitlement-management-access-package-auto-assignment-policy.md), and policies for direct assignment by administrators or catalog owners.

+| I want some users to request access and other users to be assigned access by an administrator | Two |

+| I want some users in my organization to receive access automatically, other users in my organization to be able to request, and other users to be assigned access by an administrator | Three |

+ **Users not in your directory** refers to users who are in another Azure AD directory or domain. These users may not have yet been invited into your directory. Azure AD directories must be configured to allow invitations in **Collaboration restrictions**. For more information, see [Configure external collaboration settings](../external-identities/external-collaboration-settings-configure.md).

+## Creating an access package assignment policy programmatically

+You can also create a policy using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.ReadWrite.All` permission, or an application in a catalog role or with the `EntitlementManagement.ReadWrite.All` permission, can call the [create an accessPackageAssignmentPolicy](/graph/api/entitlementmanagement-post-assignmentpolicies?tabs=http&view=graph-rest-1.0&preserve-view=true) API.

+- Give users access automatically to those resources, based on the user's properties like department or cost center, and remove a user's access when those properties change (preview).

+You can also have policies for users to be assigned access, either by an administrator or [automatically](entitlement-management-access-package-auto-assignment-policy.md).

+- Member users who *can* request an access package.

+- Member users who *request* an access package.

+- Member users who *approve requests* for an access package.

+- Member users who *review assignments* for an access package.

+- Member users who have a *direct assignment* or an *automatic assignment* to an access package.

+- Guest users who *request* an access package.

+- Guest users who *approve requests* for an access package.

+- Guest users who *review assignments* for an access package.

+- Guest users who have a *direct assignment* to an access package.

+### Administrator: Assign employees access automatically (preview)

+1. [Create a new access package](entitlement-management-access-package-create.md#start-new-access-package)

+1. [Add groups, Teams, applications, or SharePoint sites to access package](entitlement-management-access-package-create.md#resource-roles)

+1. [Add an automatic assignment policy](entitlement-management-access-package-auto-assignment-policy.md)

+You can also manage access packages, catalogs, policies, requests and assignments using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can call the [entitlement management API](/graph/tutorial-access-package-api). An application with those application permissions can also use many of those API functions, with the exception of managing resources in catalogs and access packages. And an application which only needs to operate within specific catalogs can be added to the **Catalog owner** or **Catalog reader** roles of a catalog to be authorized to update or read within that catalog.

+| Adding and removing a user's group memberships, application roles, and SharePoint site roles, based on changes to the user's attributes | [Configure an automatic assignment policy for an access package in entitlement management](entitlement-management-access-package-auto-assignment-policy.md) (preview)|

+| thumbnailphoto |X |X | |synced only once from Azure AD to Exchange Online after which Exchange Online becomes source of authority for this attribute and any later changes can't be synced from on-premises. See ([KB](https://support.microsoft.com/help/3062745/user-photos-aren-t-synced-from-the-on-premises-environment-to-exchange)) for more.|

+| thumbnailphoto |X |X | |synced only once from Azure AD to Exchange Online after which Exchange Online becomes source of authority for this attribute and any later changes can't be synced from on-premises. See ([KB](https://support.microsoft.com/help/3062745/user-photos-aren-t-synced-from-the-on-premises-environment-to-exchange)) for more.|

+ | Public Domain | For example: `https://jde-external.example.com`. <br>For testing, you can use localhost DNS. If you aren't deploying DAB behind a load balancer, use the **Public Domain** port. |

+> The on-premises Umbrella AD Connector should be turned off before importing the ObjectGUID attribute.

+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Meta Work Accounts | Microsoft Docs'

+description: Learn how to configure single sign-on between Azure Active Directory and Meta Work Accounts.

+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Meta Work Accounts

+In this tutorial, you'll learn how to integrate Meta Work Accounts with Azure Active Directory (Azure AD). When you integrate Meta Work Accounts with Azure AD, you can:

+* Control in Azure AD who has access to Meta Work Accounts.

+* Enable your users to be automatically signed-in to Meta Work Accounts with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Meta Work Accounts single sign-on (SSO) enabled subscription.

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Meta Work Accounts supports **SP and IDP** initiated SSO.

+## Add Meta Work Accounts from the gallery

+To configure the integration of Meta Work Accounts into Azure AD, you need to add Meta Work Accounts from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Meta Work Accounts** in the search box.

+1. Select **Meta Work Accounts** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Meta Work Accounts

+Configure and test Azure AD SSO with Meta Work Accounts using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Meta Work Accounts.

+To configure and test Azure AD SSO with Meta Work Accounts, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Meta Work Accounts SSO](#configure-meta-work-accounts-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Meta Work Accounts test user](#create-meta-work-accounts-test-user)** - to have a counterpart of B.Simon in Meta Work Accounts that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Meta Work Accounts** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:

+ a. In the **Identifier** text box, type a URL using the following pattern:

+ `https://work.facebook.com/company/<ID>`

+ b. In the **Reply URL** text box, type a URL using the following pattern:

+ ` https://work.facebook.com/work/saml.php?__cid=<ID>`

+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:

+ In the **Sign-on URL** text box, type the URL:

+ `https://work.facebook.com`

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier and Reply URL. Engage the [Work Accounts team](https://www.workplace.com/help/work) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Meta Work Accounts** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Meta Work Accounts.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Meta Work Accounts**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Meta Work Accounts SSO

+1. Log in to your Meta Work Accounts company site as an administrator.

+1. Go to **Security** > **Single Sign-On**.

+1. Enable **Single-sign on(SSO)** checkbox and click **+Add new SSO Provider**.

+ 

+1. On the **Single Sign-On (SSO) Setup** page, perform the following steps:

+ 

+ 1. Enter a valid **Name of the SSO Provider**.

+ 1. In the **SAML URL** textbox, paste the **Login URL** value which you have copied from the Azure portal.

+ 1. In the **SAML Issuer URL** textbox, paste the **Azure AD Identifier** value which you have copied from the Azure portal.

+ 1. **Enable SAML logout redirection** checkbox and in the **SAML Logout URL** textbox, paste the **Logout URL** value which you have copied from the Azure portal.

+ 1. Open the downloaded **Certificate (Base64)** from the Azure portal into Notepad and paste the content into the **SAML Certificate** textbox.

+ 1. Copy **Audience URL** value, paste this value into the **Identifier** textbox in the **Basic SAML Configuration** section in the Azure portal.

+ 1. Copy **ACS (Assertion Consumer Service) URL** value, paste this value into the **Reply URL** text box in the **Basic SAML Configuration** section in the Azure portal.

+ 1. In the **Test SSO Setup** section, enter a valid email in the textbox and click **Test SSO**.

+ 1. Click **Save Changes**.

+### Create Meta Work Accounts test user

+In this section, you create a user called Britta Simon in Meta Work Accounts. Work with the [Work Accounts team](https://www.workplace.com/help/work) to add the users in the Meta Work Accounts platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Meta Work Accounts Sign on URL where you can initiate the login flow.

+* Go to Meta Work Accounts Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Meta Work Accounts for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Meta Work Accounts tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Meta Work Accounts for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Meta Work Accounts you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).

+ `https://learn.tickitlms.com/sso/login`

+```json

+ "value":

+ "manifestUrl" : "https://...",

+ "manifestUrl" : "https://...",

+> Certificate auto-rotation will *only* be enabled by default for RBAC enabled AKS clusters.

+For AKS to automatically rotate non-CA certificates, the cluster must have [TLS Bootstrapping](https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/) which has been enabled by default in all Azure regions.

+> Do not disable bootstrap to keep your auto-rotation enabled.

+Certificate auto-rotation will only be enabled by default for RBAC enabled AKS clusters.

+### Exceptions

+Add-ons will be upgraded to a new major/minor version (or breaking change) within a Kubernetes minor version if either the cluster's Kubernetes version or the add-on version are in preview.

+### Available add-ons

+If the resource needs of your applications change, your cluster performance may be impacted due to low capacity on CPU, memory, PID space, or disk sizes. To address these changes, you can manually scale your AKS cluster to run a different number of nodes. When you scale down, nodes are carefully [cordoned and drained][kubernetes-drain] to minimize disruption to running applications. When you scale up, AKS waits until nodes are marked **Ready** by the Kubernetes cluster before pods are scheduled on them.

+[update-azaksnodepool]: /powershell/module/az.aks/update-azaksnodepool

+> Steps 1 -3 are not required for managed portals. If you have a managed portal, skip to step 4.

+1. In the `startup.publish.ts` file in the `src` folder, import and register the Application Insights module. Add the `AppInsightsPublishModule` after the existing modules in the dependency injection container:

+ const injector = new InversifyInjector();

+ injector.bindModule(new CoreModule());

+ ...

+ injector.resolve("autostart");

+1. Retrieve the portal's configuration using the [Content Item - Get](/rest/api/apimanagement/current-ga/content-item/get) REST API:

+ GET https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.ApiManagement/service/{api-management-service-name}/contentTypes/document/contentItems/configuration?api-version=2021-08-01

+

+ Output is similar to:

+ "id": "/contentTypes/document/contentItems/configuration",

+ "type": "Microsoft.ApiManagement/service/contentTypes/contentItems",

+ "name": "configuration",

+ "properties": {

+ "nodes": [

+ }

+1. Extend the site configuration from the previous step with Application Insights configuration. Update the configuration using the [Content Item - Create or Update](/rest/api/apimanagement/current-ga/content-item/create-or-update) REST API. Pass the Application Insights instrumentation key in an `integration` node in the request body.

+ PUT https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.ApiManagement/service/{api-management-service-name}/contentTypes/document/contentItems/configuration?api-version=2021-08-01

+ "id": "/contentTypes/document/contentItems/configuration",

+ "type": "Microsoft.ApiManagement/service/contentTypes/contentItems",

+ "name": "configuration",

+ "properties": {

+ }

+1. After you update the configuration, [republish the portal](api-management-howto-developer-portal-customize.md#publish) for the changes to take effect.

+> Steps 1 - 3 are not required for managed portals. If you have a managed portal, skip to step 4.

+Azure Monitor is a monitoring service that provides a complete set of features to monitor your Azure resources in addition to resources in other clouds and on-premises. The Azure Monitor data platform collects data into logs and metrics where they can be analyzed. App Service monitoring data can be shipped to Azure Monitor through Diagnostic Settings.

+| `WEBSITE_PULL_IMAGE_OVER_VNET` | Connect and pull from a registry inside a Virtual Network or on-premises. Your app will need to be connected to a Virtual Network using VNet integration feature. This setting is also needed for Azure Container Registry with Private Endpoint. ||

+* For apps deployed in Free, Shared, Basic, Standard, and Premium App Service plans - `https://<app-name>.scm.azurewebsites.net`

+- In the current implementation of Private Link, Automation account cloud jobs cannot access Azure resources that are secured using private endpoint. For example, Azure Key Vault, Azure SQL, Azure Storage account, etc. To workaround this, use a [Hybrid Runbook Worker](../automation-hybrid-runbook-worker.md) instead. Hence, on-premises VMs are supported to run Hybrid Runbook Workers against an Automation Account with Private Link enabled.

+| [Azure DNS: Azure DNS Private Resolver](../dns/dns-private-resolver-get-started-portal.md) |  |

+[`getContainerVersions(ID, options)`](https://fluidframework.com/docs/apis/azure-client/azureclient#getcontainerversions-Method)

+[`copyContainer(ID, containerSchema)`](https://fluidframework.com/docs/apis/azure-client/azureclient#copycontainer-Method)

+| documentId | string | Generated by Azure Fluid Relay (AFR) service. Identifies the document for which the token is being generated. |

+You can run tests using the local [@fluidframework/azure-local-service](https://www.npmjs.com/package/@fluidframework/azure-local-service) or using a test tenant in Azure Fluid Relay service. [AzureClient](https://fluidframework.com/docs/apis/azure-client/azureclient) can be configured to connect to both a remote service and a local service, which enables you to use a single client type between tests against live and local service instances. The only difference is the configuration used to create the client.

+When you create a document in Azure Fluid Relay, the JWT provided by the [ITokenProvider](https://fluidframework.com/docs/apis/azure-client/itokenprovider/) for the creation request can only be used once. After creating a document, the client must generate a new JWT that contains the document ID provided by the service at creation time. If an application has an authorization service that manages document access control, it will need to know who created a document with a given ID in order to authorize the generation of a new JWT for access to that document.

+An application can tie into the document creation lifecycle by implementing a public [documentPostCreateCallback()](https://fluidframework.com/docs/apis/azure-client/itokenprovider#documentpostcreatecallback-MethodSignature) method in its `TokenProvider`. This callback will be triggered directly after creating the document, before a client requests the new JWT it needs to gain read/write permissions to the document that was created.

+ Title: Azure Storage provider for Durable Functions

+description: Learn about the characteristics of the Durable Functions Azure Storage provider.

+# Azure Storage provider (Azure Functions)

+This document describes the characteristics of the Durable Functions Azure Storage provider, with a focus on performance and scalability aspects. The Azure Storage provider is the default provider. It stores instance states and queues in an Azure Storage (classic) account.

+> [!NOTE]

+> For more information on the supported storage providers for Durable Functions and how they compare, see the [Durable Functions storage providers](durable-functions-storage-providers.md) documentation.

+In the Azure Storage provider, all function execution is driven by Azure Storage queues. Orchestration and entity status and history are stored in Azure Tables. Azure Blobs and blob leases are used to distribute orchestration instances and entities across multiple app instances (also known as *workers* or simply *VMs*). This section goes into more detail on the various Azure Storage artifacts and how they impact performance and scalability.

+## Storage representation

+A [task hub](durable-functions-task-hubs.md) durably persists all instance states and all messages. For a quick overview of how these are used to track the progress of an orchestration, see the [task hub execution example](durable-functions-task-hubs.md#execution-example).

+The Azure Storage provider represents the task hub in storage using the following components:

+* Two Azure Tables store the instance states.

+* One Azure Queue stores the activity messages.

+* One or more Azure Queues store the instance messages. Each of these so-called *control queues* represents a [partition](durable-functions-perf-and-scale.md#partition-count) that is assigned a subset of all instance messages, based on the hash of the instance ID.

+* A few extra blob containers used for lease blobs and/or large messages.

+For example, a task hub named `xyz` with `PartitionCount = 4` contains the following queues and tables:

+

+Next, we describe these components and the role they play in more detail.

+### History table

+The **History** table is an Azure Storage table that contains the history events for all orchestration instances within a task hub. The name of this table is in the form *TaskHubName*History. As instances run, new rows are added to this table. The partition key of this table is derived from the instance ID of the orchestration. Instance IDs are random by default, ensuring optimal distribution of internal partitions in Azure Storage. The row key for this table is a sequence number used for ordering the history events.

+When an orchestration instance needs to run, the corresponding rows of the History table are loaded into memory using a range query within a single table partition. These *history events* are then replayed into the orchestrator function code to get it back into its previously checkpointed state. The use of execution history to rebuild state in this way is influenced by the [Event Sourcing pattern](/azure/architecture/patterns/event-sourcing).

+> [!TIP]

+> Orchestration data stored in the History table includes output payloads from activity and sub-orchestrator functions. Payloads from external events are also stored in the History table. Because the full history is loaded into memory every time an orchestrator needs to execute, a large enough history can result in significant memory pressure on a given VM. The length and size of the orchestration history can be reduced by splitting large orchestrations into multiple sub-orchestrations or by reducing the size of outputs returned by the activity and sub-orchestrator functions it calls. Alternatively, you can reduce memory usage by lowering per-VM [concurrency throttles](durable-functions-perf-and-scale.md#concurrency-throttles) to limit how many orchestrations are loaded into memory concurrently.

+### Instances table

+The **Instances** table contains the statuses of all orchestration and entity instances within a task hub. As instances are created, new rows are added to this table. The partition key of this table is the orchestration instance ID or entity key and the row key is an empty string. There is one row per orchestration or entity instance.

+This table is used to satisfy [instance query requests from code](durable-functions-instance-management.md#query-instances) as well as [status query HTTP API](durable-functions-http-api.md#get-instance-status) calls. It is kept eventually consistent with the contents of the **History** table mentioned previously. The use of a separate Azure Storage table to efficiently satisfy instance query operations in this way is influenced by the [Command and Query Responsibility Segregation (CQRS) pattern](/azure/architecture/patterns/cqrs).

+> [!TIP]

+> The partitioning of the *Instances* table allows it to store millions of orchestration instances without any noticeable impact on runtime performance or scale. However, the number of instances can have a significant impact on [multi-instance query](durable-functions-instance-management.md#query-all-instances) performance. To control the amount of data stored in these tables, consider periodically [purging old instance data](durable-functions-instance-management.md#purge-instance-history).

+### Queues

+Orchestrator, entity, and activity functions are all triggered by internal queues in the function app's task hub. Using queues in this way provides reliable "at-least-once" message delivery guarantees. There are two types of queues in Durable Functions: the **control queue** and the **work-item queue**.

+#### The work-item queue

+There is one work-item queue per task hub in Durable Functions. It's a basic queue and behaves similarly to any other `queueTrigger` queue in Azure Functions. This queue is used to trigger stateless *activity functions* by dequeueing a single message at a time. Each of these messages contains activity function inputs and additional metadata, such as which function to execute. When a Durable Functions application scales out to multiple VMs, these VMs all compete to acquire tasks from the work-item queue.

+#### Control queue(s)

+There are multiple *control queues* per task hub in Durable Functions. A *control queue* is more sophisticated than the simpler work-item queue. Control queues are used to trigger the stateful orchestrator and entity functions. Because the orchestrator and entity function instances are stateful singletons, it's important that each orchestration or entity is only processed by one worker at a time. To achieve this constraint, each orchestration instance or entity is assigned to a single control queue. These control queues are load balanced across workers to ensure that each queue is only processed by one worker at a time. More details on this behavior can be found in subsequent sections.

+Control queues contain a variety of orchestration lifecycle message types. Examples include [orchestrator control messages](durable-functions-instance-management.md), activity function *response* messages, and timer messages. As many as 32 messages will be dequeued from a control queue in a single poll. These messages contain payload data as well as metadata including which orchestration instance it is intended for. If multiple dequeued messages are intended for the same orchestration instance, they will be processed as a batch.

+Control queue messages are constantly polled using a background thread. The batch size of each queue poll is controlled by the `controlQueueBatchSize` setting in host.json and has a default of 32 (the maximum value supported by Azure Queues). The maximum number of prefetched control-queue messages that are buffered in memory is controlled by the `controlQueueBufferThreshold` setting in host.json. The default value for `controlQueueBufferThreshold` varies depending on a variety of factors, including the type of hosting plan. For more information on these settings, see the [host.json schema](../functions-host-json.md#durabletask) documentation.

+> [!TIP]

+> Increasing the value for `controlQueueBufferThreshold` allows a single orchestration or entity to process events faster. However, increasing this value can also result in higher memory usage. The higher memory usage is partly due to pulling more messages off the queue and partly due to fetching more orchestration histories into memory. Reducing the value for `controlQueueBufferThreshold` can therefore be an effective way to reduce memory usage.

+#### Queue polling

+The durable task extension implements a random exponential back-off algorithm to reduce the effect of idle-queue polling on storage transaction costs. When a message is found, the runtime immediately checks for another message. When no message is found, it waits for a period of time before trying again. After subsequent failed attempts to get a queue message, the wait time continues to increase until it reaches the maximum wait time, which defaults to 30 seconds.

+The maximum polling delay is configurable via the `maxQueuePollingInterval` property in the [host.json file](../functions-host-json.md#durabletask). Setting this property to a higher value could result in higher message processing latencies. Higher latencies would be expected only after periods of inactivity. Setting this property to a lower value could result in [higher storage costs](durable-functions-billing.md#azure-storage-transactions) due to increased storage transactions.

+> [!NOTE]

+> When running in the Azure Functions Consumption and Premium plans, the [Azure Functions Scale Controller](../event-driven-scaling.md) will poll each control and work-item queue once every 10 seconds. This additional polling is necessary to determine when to activate function app instances and to make scale decisions. At the time of writing, this 10 second interval is constant and cannot be configured.

+#### Orchestration start delays

+Orchestrations instances are started by putting an `ExecutionStarted` message in one of the task hub's control queues. Under certain conditions, you may observe multi-second delays between when an orchestration is scheduled to run and when it actually starts running. During this time interval, the orchestration instance remains in the `Pending` state. There are two potential causes of this delay:

+* **Backlogged control queues**: If the control queue for this instance contains a large number of messages, it may take time before the `ExecutionStarted` message is received and processed by the runtime. Message backlogs can happen when orchestrations are processing lots of events concurrently. Events that go into the control queue include orchestration start events, activity completions, durable timers, termination, and external events. If this delay happens under normal circumstances, consider creating a new task hub with a larger number of partitions. Configuring more partitions will cause the runtime to create more control queues for load distribution. Each partition corresponds to 1:1 with a control queue, with a maximum of 16 partitions.

+* **Back off polling delays**: Another common cause of orchestration delays is the [previously described back-off polling behavior for control queues](#queue-polling). However, this delay is only expected when an app is scaled out to two or more instances. If there is only one app instance or if the app instance that starts the orchestration is also the same instance that is polling the target control queue, then there will not be a queue polling delay. Back off polling delays can be reduced by updating the **host.json** settings, as described previously.

+### Blobs

+In most cases, Durable Functions doesn't use Azure Storage Blobs to persist data. However, queues and tables have [size limits](../../azure-resource-manager/management/azure-subscription-service-limits.md#azure-queue-storage-limits) that can prevent Durable Functions from persisting all of the required data into a storage row or queue message. For example, when a piece of data that needs to be persisted to a queue is greater than 45 KB when serialized, Durable Functions will compress the data and store it in a blob instead. When persisting data to blob storage in this way, Durable Function stores a reference to that blob in the table row or queue message. When Durable Functions needs to retrieve the data it will automatically fetch it from the blob. These blobs are stored in the blob container `<taskhub>-largemessages`.

+#### Performance considerations

+The extra compression and blob operation steps for large messages can be expensive in terms of CPU and I/O latency costs. Additionally, Durable Functions needs to load persisted data in memory, and may do so for many different function executions at the same time. As a result, persisting large data payloads can cause high memory usage as well. To minimize memory overhead, consider persisting large data payloads manually (for example, in blob storage) and instead pass around references to this data. This way your code can load the data only when needed to avoid redundant loads during [orchestrator function replays](durable-functions-orchestrations.md#reliability). However, storing payloads to local disks is *not* recommended since on-disk state is not guaranteed to be available since functions may execute on different VMs throughout their lifetimes.

+### Storage account selection

+The queues, tables, and blobs used by Durable Functions are created in a configured Azure Storage account. The account to use can be specified using the `durableTask/storageProvider/connectionStringName` setting (or `durableTask/azureStorageConnectionStringName` setting in Durable Functions 1.x) in the **host.json** file.

+#### Durable Functions 2.x

+```json

+{

+ "extensions": {

+ "durableTask": {

+ "storageProvider": {

+ "connectionStringName": "MyStorageAccountAppSetting"

+ }

+ }

+ }

+}

+```

+#### Durable Functions 1.x

+```json

+{

+ "extensions": {

+ "durableTask": {

+ "azureStorageConnectionStringName": "MyStorageAccountAppSetting"

+ }

+ }

+}

+```

+If not specified, the default `AzureWebJobsStorage` storage account is used. For performance-sensitive workloads, however, configuring a non-default storage account is recommended. Durable Functions uses Azure Storage heavily, and using a dedicated storage account isolates Durable Functions storage usage from the internal usage by the Azure Functions host.

+> [!NOTE]

+> Standard general purpose Azure Storage accounts are required when using the Azure Storage provider. All other storage account types are not supported. We highly recommend using legacy v1 general purpose storage accounts for Durable Functions. The newer v2 storage accounts can be significantly more expensive for Durable Functions workloads. For more information on Azure Storage account types, see the [Storage account overview](../../storage/common/storage-account-overview.md) documentation.

+### Orchestrator scale-out

+While activity functions can be scaled out infinitely by adding more VMs elastically, individual orchestrator instances and entities are constrained to inhabit a single partition and the maximum number of partitions is bounded by the `partitionCount` setting in your `host.json`.

+> [!NOTE]

+> Generally speaking, orchestrator functions are intended to be lightweight and should not require large amounts of computing power. It is therefore not necessary to create a large number of control-queue partitions to get great throughput for orchestrations. Most of the heavy work should be done in stateless activity functions, which can be scaled out infinitely.

+The number of control queues is defined in the **host.json** file. The following example host.json snippet sets the `durableTask/storageProvider/partitionCount` property (or `durableTask/partitionCount` in Durable Functions 1.x) to `3`. Note that there are as many control queues as there are partitions.

+#### Durable Functions 2.x

+```json

+{

+ "extensions": {

+ "durableTask": {

+ "storageProvider": {

+ "partitionCount": 3

+ }

+ }

+ }

+}

+```

+#### Durable Functions 1.x

+```json

+{

+ "extensions": {

+ "durableTask": {

+ "partitionCount": 3

+ }

+ }

+}

+```

+A task hub can be configured with between 1 and 16 partitions. If not specified, the default partition count is **4**.

+During low traffic scenarios, your application will be scaled-in, so partitions will be managed by a small number of workers. As an example, consider the diagram below.

+

+In the previous diagram, we see that orchestrators 1 through 6 are load balanced across partitions. Similarly, partitions, like activities, are load balanced across workers. Partitions are load-balanced across workers regardless of the number of orchestrators that get started.

+If you're running on the Azure Functions Consumption or Elastic Premium plans, or if you have load-based auto-scaling configured, more workers will get allocated as traffic increases and partitions will eventually load balance across all workers. If we continue to scale out, eventually each partition will eventually be managed by a single worker. Activities, on the other hand, will continue to be load-balanced across all workers. This is shown in the image below.

+

+The upper-bound of the maximum number of concurrent _active_ orchestrations at *any given time* is equal to the number of workers allocated to your application _times_ your value for `maxConcurrentOrchestratorFunctions`. This upper-bound can be made more precise when your partitions are fully scaled-out across workers. When fully scaled-out, and since each worker will have only a single Functions host instance, the maximum number of _active_ concurrent orchestrator instances will be equal to your number of partitions _times_ your value for `maxConcurrentOrchestratorFunctions`.

+> [!NOTE]

+> In this context, *active* means that an orchestration or entity is loaded into memory and processing *new events*. If the orchestration or entity is waiting for more events, such as the return value of an activity function, it gets unloaded from memory and is no longer considered *active*. Orchestrations and entities will be subsequently reloaded into memory only when there are new events to process. There's no practical maximum number of *total* orchestrations or entities that can run on a single VM, even if they're all in the "Running" state. The only limitation is the number of *concurrently active* orchestration or entity instances.

+The image below illustrates a fully scaled-out scenario where more orchestrators are added but some are inactive, shown in grey.

+

+During scale-out, control queue leases may be redistributed across Functions host instances to ensure that partitions are evenly distributed. These leases are internally implemented as Azure Blob storage leases and ensure that any individual orchestration instance or entity only runs on a single host instance at a time. If a task hub is configured with three partitions (and therefore three control queues), orchestration instances and entities can be load-balanced across all three lease-holding host instances. Additional VMs can be added to increase capacity for activity function execution.

+The following diagram illustrates how the Azure Functions host interacts with the storage entities in a scaled out environment.

+

+As shown in the previous diagram, all VMs compete for messages on the work-item queue. However, only three VMs can acquire messages from control queues, and each VM locks a single control queue.

+Orchestration instances and entities are distributed across all control queue instances. The distribution is done by hashing the instance ID of the orchestration or the entity name and key pair. Orchestration instance IDs by default are random GUIDs, ensuring that instances are equally distributed across all control queues.

+Generally speaking, orchestrator functions are intended to be lightweight and should not require large amounts of computing power. It is therefore not necessary to create a large number of control queue partitions to get great throughput for orchestrations. Most of the heavy work should be done in stateless activity functions, which can be scaled out infinitely.

+## Extended sessions

+Extended sessions is a [caching mechanism](durable-functions-perf-and-scale.md#instance-caching) that keeps orchestrations and entities in memory even after they finish processing messages. The typical effect of enabling extended sessions is reduced I/O against the underlying durable store and overall improved throughput.

+You can enable extended sessions by setting `durableTask/extendedSessionsEnabled` to `true` in the **host.json** file. The `durableTask/extendedSessionIdleTimeoutInSeconds` setting can be used to control how long an idle session will be held in memory:

+**Functions 2.0**

+```json

+{

+ "extensions": {

+ "durableTask": {

+ "extendedSessionsEnabled": true,

+ "extendedSessionIdleTimeoutInSeconds": 30

+ }

+ }

+}

+```

+**Functions 1.0**

+```json

+{

+ "durableTask": {

+ "extendedSessionsEnabled": true,

+ "extendedSessionIdleTimeoutInSeconds": 30

+ }

+}

+```

+There are two potential downsides of this setting to be aware of:

+1. There's an overall increase in function app memory usage because idle instances are not unloaded from memory as quickly.

+2. There can be an overall decrease in throughput if there are many concurrent, distinct, short-lived orchestrator or entity function executions.

+As an example, if `durableTask/extendedSessionIdleTimeoutInSeconds` is set to 30 seconds, then a short-lived orchestrator or entity function episode that executes in less than 1 second still occupies memory for 30 seconds. It also counts against the `durableTask/maxConcurrentOrchestratorFunctions` quota mentioned previously, potentially preventing other orchestrator or entity functions from running.

+The specific effects of extended sessions on orchestrator and entity functions are described in the next sections.

+> [!NOTE]

+> Extended sessions are currently only supported in .NET languages, like C# or F#. Setting `extendedSessionsEnabled` to `true` for other platforms can lead to runtime issues, such as silently failing to execute activity and orchestration-triggered functions.

+### Orchestrator function replay

+As mentioned previously, orchestrator functions are replayed using the contents of the **History** table. By default, the orchestrator function code is replayed every time a batch of messages are dequeued from a control queue. Even if you are using the fan-out, fan-in pattern and are awaiting for all tasks to complete (for example, using `Task.WhenAll()` in .NET, `context.df.Task.all()` in JavaScript, or `context.task_all()` in Python), there will be replays that occur as batches of task responses are processed over time. When extended sessions are enabled, orchestrator function instances are held in memory longer and new messages can be processed without a full history replay.

+The performance improvement of extended sessions is most often observed in the following situations:

+* When there are a limited number of orchestration instances running concurrently.

+* When orchestrations have large number of sequential actions (for example, hundreds of activity function calls) that complete quickly.

+* When orchestrations fan-out and fan-in a large number of actions that complete around the same time.

+* When orchestrator functions need to process large messages or do any CPU-intensive data processing.

+In all other situations, there is typically no observable performance improvement for orchestrator functions.

+> [!NOTE]

+> These settings should only be used after an orchestrator function has been fully developed and tested. The default aggressive replay behavior can useful for detecting [orchestrator function code constraints](durable-functions-code-constraints.md) violations at development time, and is therefore disabled by default.

+### Performance targets

+The following table shows the expected *maximum* throughput numbers for the scenarios described in the [Performance Targets](durable-functions-perf-and-scale.md#performance-targets) section of the [Performance and Scale](durable-functions-perf-and-scale.md) article.

+"Instance" refers to a single instance of an orchestrator function running on a single small ([A1](../../virtual-machines/sizes-previous-gen.md)) VM in Azure App Service. In all cases, it is assumed that [extended sessions](#orchestrator-function-replay) are enabled. Actual results may vary depending on the CPU or I/O work performed by the function code.

+| Scenario | Maximum throughput |

+|-|-|

+| Sequential activity execution | 5 activities per second, per instance |

+| Parallel activity execution (fan-out) | 100 activities per second, per instance |

+| Parallel response processing (fan-in) | 150 responses per second, per instance |

+| External event processing | 50 events per second, per instance |

+| Entity operation processing | 64 operations per second |

+If you are not seeing the throughput numbers you expect and your CPU and memory usage appears healthy, check to see whether the cause is related to [the health of your storage account](../../storage/common/storage-monitoring-diagnosing-troubleshooting.md#troubleshooting-guidance). The Durable Functions extension can put significant load on an Azure Storage account and sufficiently high loads may result in storage account throttling.

+> [!TIP]

+> In some cases you can significantly increase the throughput of external events, activity fan-in, and entity operations by increasing the value of the `controlQueueBufferThreshold` setting in **host.json**. Increasing this value beyond its default causes the Durable Task Framework storage provider to use more memory to prefetch these events more aggressively, reducing delays associated with dequeueing messages from the Azure Storage control queues. For more information, see the [host.json](durable-functions-bindings.md#host-json) reference documentation.

+### High throughput processing

+The architecture of the Azure Storage backend puts certain limitations on the maximum theoretical performance and scalability of Durable Functions. If your testing shows that Durable Functions on Azure Storage won't meet your throughput requirements, you should consider instead using the [Netherite storage provider for Durable Functions](durable-functions-storage-providers.md#netherite).

+To compare the achievable throughput for various basic scenarios, see the section [Basic Scenarios](https://microsoft.github.io/durabletask-netherite/#/scenarios) of the Netherite storage provider documentation.

+The Netherite storage backend was designed and developed by [Microsoft Research](https://www.microsoft.com/research). It uses [Azure Event Hubs](../../event-hubs/event-hubs-about.md) and the [FASTER](https://www.microsoft.com/research/project/faster/) database technology on top of [Azure Page Blobs](../../storage/blobs/storage-blob-pageblob-overview.md). The design of Netherite enables significantly higher-throughput processing of orchestrations and entities compared to other providers. In some benchmark scenarios, throughput was shown to increase by more than an order of magnitude when compared to the default Azure Storage provider.

+For more information on the supported storage providers for Durable Functions and how they compare, see the [Durable Functions storage providers](durable-functions-storage-providers.md) documentation.

+## Next steps

+> [!div class="nextstepaction"]

+> [Learn about disaster recovery and geo-distribution](durable-functions-disaster-recovery-geo-distribution.md)

+* Each function app instance internally polls multiple queues in the storage account by using an exponential-backoff polling algorithm. An idle app instance polls the queues less often than does an active app, which results in fewer transaction costs. For more information about Durable Functions queue-polling behavior when using the Azure Storage provider, see the [queue-polling section](durable-functions-azure-storage-provider.md#queue-polling) of the Azure Storage provider documentation.

+* **Stopping and starting**: Messages in Durable functions persist between debug sessions. If you stop debugging and terminate the local host process while a durable function is executing, that function may re-execute automatically in a future debug session. This behavior can be confusing when not expected. Using a [fresh task hub](durable-functions-task-hubs.md#task-hub-management) or clearing the task hub contents between debug sessions is one technique to avoid this behavior.

+| **`instanceIdPrefix`** | Query string | Optional parameter. When specified, filters the list of returned instances to include only instances whose instance ID starts with the specified prefix string. Available starting with [version 2.7.2](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.DurableTask/2.7.2) of the extension. |

+> This operation can be very expensive in terms of Azure Storage I/O if you are using the [default Azure Storage provider](durable-functions-storage-providers.md#azure-storage) and if there are a lot of rows in the Instances table. More details on Instance table can be found in the [Azure Storage provider](durable-functions-azure-storage-provider.md#instances-table) documentation.

+> [!CAUTION]

+> The query result may return fewer items than the limit specified by `top`. When receiving results, you should therefore *always* check to see if there is a continuation token.

+> This operation can be very expensive in terms of Azure Storage I/O if you are using the [default Azure Storage provider](durable-functions-storage-providers.md#azure-storage) and if there are many rows in the Instances and/or History tables. More details on these tables can be found in the [Performance and scale in Durable Functions (Azure Functions)](durable-functions-azure-storage-provider.md#instances-table) documentation.

+To optimize performance and scalability, it's important to understand the unique scaling characteristics of [Durable Functions](durable-functions-overview.md). In this article, we explain how workers are scaled based on load, and how one can tune the various parameters.

+## Worker scaling

+A fundamental benefit of the [task hub concept](durable-functions-task-hubs.md) is that the number of workers that process task hub work items can be continuously adjusted. In particular, applications can add more workers (*scale out*) if the work needs to be processed more quickly, and can remove workers (*scale in*) if there is not enough work to keep the workers busy.

+It is even possible to *scale to zero* if the task hub is completely idle. When scaled to zero, there are no workers at all; only the scale controller and the storage need to remain active.

+The following diagram illustrates this concept:

+

+### Automatic scaling

+As with all Azure Functions running in the Consumption and Elastic Premium plans, Durable Functions supports auto-scale via the [Azure Functions scale controller](../event-driven-scaling.md#runtime-scaling). The Scale Controller monitors how long messages and tasks have to wait before they are processed. Based on these latencies it can decide whether to add or remove workers.

+> Starting with Durable Functions 2.0, function apps can be configured to run within VNET-protected service endpoints in the Elastic Premium plan. In this configuration, the Durable Functions triggers initiate scale requests instead of the Scale Controller. For more information, see [Runtime scale monitoring](../functions-networking-options.md#premium-plan-with-virtual-network-triggers).

+On a premium plan, automatic scaling can help to keep the number of workers (and therefore the operating cost) roughly proportional to the load that the application is experiencing.

+### CPU usage

+**Orchestrator functions** are executed on a single thread to ensure that execution can be deterministic across many replays. Because of this single-threaded execution, it's important that orchestrator function threads do not perform CPU-intensive tasks, do I/O, or block for any reason. Any work that may require I/O, blocking, or multiple threads should be moved into activity functions.

+**Activity functions** have all the same behaviors as regular queue-triggered functions. They can safely do I/O, execute CPU intensive operations, and use multiple threads. Because activity triggers are stateless, they can freely scale out to an unbounded number of VMs.

+**Entity functions** are also executed on a single thread and operations are processed one-at-a-time. However, entity functions do not have any restrictions on the type of code that can be executed.

+### Function timeouts

+Activity, orchestrator, and entity functions are subject to the same [function timeouts](../functions-scale.md#timeout) as all Azure Functions. As a general rule, Durable Functions treats function timeouts the same way as unhandled exceptions thrown by the application code.

+For example, if an activity times out, the function execution is recorded as a failure, and the orchestrator is notified and handles the timeout just like any other exception: retries take place if specified by the call, or an exception handler may be executed.

+### Entity operation batching

+To improve performance and reduce cost, a single work item may execute an entire batch of entity operations. On consumption plans, each batch is then billed as a single function execution.

+By default, the maximum batch size is 50 for consumption plans and 5000 for all other plans. The maximum batch size can also be configured in the [host.json](durable-functions-bindings.md#host-json) file. If the maximum batch size is 1, batching is effectively disabled.

+> If individual entity operations take a long time to execute, it may be beneficial to limit the maximum batch size to reduce the risk of [function timeouts](#function-timeouts), in particular on consumption plans.

+## Instance caching

+Generally, to process an [orchestration work item](durable-functions-task-hubs.md#work-items), a worker has to both

+1. Fetch the orchestration history.

+1. Replay the orchestrator code using the history.

+If the same worker is processing multiple work items for the same orchestration, the storage provider can optimize this process by caching the history in the worker's memory, which eliminates the first step. Moreover, it can cache the mid-execution orchestrator, which eliminates the second step, the history replay, as well.

+The typical effect of caching is reduced I/O against the underlying storage service, and overall improved throughput and latency. On the other hand, caching increases the memory consumption on the worker.

+Instance caching is currently supported by the Azure Storage provider and by the Netherite storage provider. The table below provides a comparison.

+|| Azure Storage provider | Netherite storage provider | MSSQL storage provider |

+|-|-|-|-|

+| **Instance caching** | Supported<br/>(.NET in-process worker only) | Supported | Not supported |

+| **Default setting** | Disabled | Enabled | n/a |

+| **Mechanism** | Extended Sessions | Instance Cache | n/a |

+| **Documentation** | See [Extended sessions](durable-functions-azure-storage-provider.md#extended-sessions) | See [Instance cache](https://microsoft.github.io/durabletask-netherite/#/caching) | n/a |

+> [!TIP]

+> Caching can reduce how often histories are replayed, but it cannot eliminate replay altogether. When developing orchestrators, we highly recommend testing them on a configuration that disables caching. This forced-replay behavior can useful for detecting [orchestrator function code constraints](durable-functions-code-constraints.md) violations at development time.

+### Comparison of caching mechanisms

+The providers use different mechanisms to implement caching, and offer different parameters to configure the caching behavior.

+* **Extended sessions**, as used by the Azure Storage provider, keep mid-execution orchestrators in memory until they are idle for some time. The parameters to control this mechanism are `extendedSessionsEnabled` and `extendedSessionIdleTimeoutInSeconds`. For more details, see the section [Extended sessions](durable-functions-azure-storage-provider.md#extended-sessions) of the Azure Storage provider documentation.

+> Extended sessions are supported only in the .NET in-process worker.

+* The **Instance cache**, as used by the Netherite storage provider, keeps the state of all instances, including their histories, in the worker's memory, while keeping track of the total memory used. If the cache size exceeds the limit configured by `InstanceCacheSizeMB`, the least recently used instance data is evicted. If `CacheOrchestrationCursors` is set to true, the cache also stores the mid-execution orchestrators along with the instance state.

+ For more details, see the section [Instance cache](https://microsoft.github.io/durabletask-netherite/#/caching) of the Netherite storage provider documentation.

+> Instance caches work for all language SDKs, but the `CacheOrchestrationCursors` option is available only for the .NET in-process worker.

+## Concurrency throttles

+A single worker instance can execute multiple [work items](durable-functions-task-hubs.md#work-items) concurrently. This helps to increase parallelism and more efficiently utilize the workers.

+However, if a worker attempts to process too many work items at the same time, it may exhaust its available resources, such as the CPU load, the number of network connections, or the available memory.

+To ensure that an individual worker does not overcommit, it may be necessary to throttle the per-instance concurrency. By limiting the number of functions that are concurrently running on each worker, we can avoid exhausting the resource limits on that worker.

+> [!NOTE]

+> The concurrency throttles only apply locally, to limit what is currently being processed **per worker**. Thus, these throttles do not limit the total throughput of the system.

+> [!TIP]

+> In some cases, throttling the per-worker concurrency can actually *increase* the total throughput of the system. This can occur when each worker takes less work, causing the scale controller to add more workers to keep up with the queues, which then increases the total throughput.

+### Configuration of throttles

+Activity, orchestrator, and entity function concurrency limits can be configured in the **host.json** file. The relevant settings are `durableTask/maxConcurrentActivityFunctions` for activity functions and `durableTask/maxConcurrentOrchestratorFunctions` for both orchestrator and entity functions. These settings control the maximum number of orchestrator, entity, or activity functions that are loaded into memory on a single worker.

+> Orchestrations and entities are only loaded into memory when they are actively processing events or operations, or if [instance caching](durable-functions-perf-and-scale.md#instance-caching) is enabled. After executing their logic and awaiting (i.e. hitting an `await` (C#) or `yield` (JavaScript, Python) statement in the orchestrator function code), they may be unloaded from memory. Orchestrations and entities that are unloaded from memory don't count towards the `maxConcurrentOrchestratorFunctions` throttle. Even if millions of orchestrations or entities are in the "Running" state, they only count towards the throttle limit when they are loaded into active memory. An orchestration that schedules an activity function similarly doesn't count towards the throttle if the orchestration is waiting for the activity to finish executing.

+#### Functions 2.0

+#### Functions 1.x

+### Language runtime considerations

+The language runtime you select may impose strict concurrency restrictions or your functions. For example, Durable Function apps written in Python or PowerShell may only support running a single function at a time on a single VM. This can result in significant performance problems if not carefully accounted for. For example, if an orchestrator fans-out to 10 activities but the language runtime restricts concurrency to just one function, then 9 of the 10 activity functions will be stuck waiting for a chance to run. Furthermore, these 9 stuck activities will not be able to be load balanced to any other workers because the Durable Functions runtime will have already loaded them into memory. This becomes especially problematic if the activity functions are long-running.

+If the language runtime you are using places a restriction on concurrency, you should update the Durable Functions concurrency settings to match the concurrency settings of your language runtime. This ensures that the Durable Functions runtime will not attempt to run more functions concurrently than is allowed by the language runtime, allowing any pending activities to be load balanced to other VMs. For example, if you have a Python app that restricts concurrency to 4 functions (perhaps it's only configured with 4 threads on a single language worker process or 1 thread on 4 language worker processes) then you should configure both `maxConcurrentOrchestratorFunctions` and `maxConcurrentActivityFunctions` to 4.

+For more information and performance recommendations for Python, see [Improve throughput performance of Python apps in Azure Functions](../python-scale-performance-reference.md). The techniques mentioned in this Python developer reference documentation can have a substantial impact on Durable Functions performance and scalability.

+## Partition count

+Some of the storage providers use a *partitioning* mechanism and allow specifying a `partitionCount` parameter.

+When using partitioning, workers do not directly compete for individual work items. Instead, the work items are first grouped into `partitionCount` partitions. These partitions are then assigned to workers. This partitioned approach to load distribution can help to reduce the total number of storage accesses required. Also, it can enable [instance caching](durable-functions-perf-and-scale.md#instance-caching) and improve locality because it creates *affinity*: all work items for the same instance are processed by the same worker.

+> [!NOTE]

+> Partitioning limits scale out because at most `partitionCount` workers can process work items from a partitioned queue.

+The following table shows, for each storage provider, which queues are partitioned, and the allowable range and default values for the `partitionCount` parameter.

+|| Azure Storage provider | Netherite storage provider | MSSQL storage provider |

+|-|-|-|-|

+| **Instance messages**| Partitioned | Partitioned | Not partitioned |

+| **Activity messages** | Not partitioned | Partitioned | Not partitioned |

+| **Default `partitionCount`** | 4 | 12 | n/a |

+| **Maximum `partitionCount`** | 16 | 32 | n/a |

+| **Documentation** | See [Orchestrator scale-out](durable-functions-azure-storage-provider.md#orchestrator-scale-out) | See [Partition count considerations](https://microsoft.github.io/durabletask-netherite/#/settings?id=partition-count-considerations) | n/a |

+> [!WARNING]

+> The partition count can no longer be changed after a task hub has been created. Thus, it is advisable to set it to a large enough value to accommodate future scale out requirements for the task hub instance.

+### Configuration of partition count

+The `partitionCount` parameter can be specified in the **host.json** file. The following example host.json snippet sets the `durableTask/storageProvider/partitionCount` property (or `durableTask/partitionCount` in Durable Functions 1.x) to `3`.

+#### Durable Functions 2.x

+ "storageProvider": {

+ "partitionCount": 3

+ }

+#### Durable Functions 1.x

+ "extensions": {

+ "durableTask": {

+ "partitionCount": 3

+ }

+When planning to use Durable Functions for a production application, it is important to consider the performance requirements early in the planning process. Some basic usage scenarios include:

+We provide throughput numbers for these scenarios in the respective documentation for the storage providers. In particular:

+* for the Azure Storage provider, see [Performance Targets](durable-functions-azure-storage-provider.md#performance-targets).

+* for the Netherite storage provider, see [Basic Scenarios](https://microsoft.github.io/durabletask-netherite/#/scenarios).

+* for the MSSQL storage provider, see [Orchestration Throughput Benchmarks](https://microsoft.github.io/durabletask-mssql/#/scaling?id=orchestration-throughput-benchmarks).

+> Unlike fan-out, fan-in operations are limited to a single VM. If your application uses the fan-out, fan-in pattern and you are concerned about fan-in performance, consider sub-dividing the activity function fan-out across multiple [sub-orchestrations](durable-functions-sub-orchestrations.md).

+> [Learn about the Azure Storage provider](durable-functions-azure-storage-provider.md)

+The Durable Functions runtime automatically persists function parameters, return values, and other state to the [task hub](durable-functions-task-hubs.md) in order to provide reliable execution. However, the amount and frequency of data persisted to durable storage can impact application performance and storage transaction costs. Depending on the type of data your application stores, data retention and privacy policies may also need to be considered.

+## Task Hub Contents

+Task hubs store the current state of instances, and any pending messages:

+* *Instance states* store the current status and history of an instance. For orchestration instances, this includes the runtime state, the orchestration history, inputs, outputs, and custom status. For entity instances, it includes the entity state.

+* *Messages* store function inputs or outputs, event payloads, and metadata that Durable Functions uses for internal purposes, like routing and end-to-end correlation.

+Messages are deleted after being processed, but instance states persist unless they're explicitly deleted by the application or an operator. In particular, an orchestration history remains in storage even after the orchestration completes.

+For an example of how states and messages represent the progress of an orchestration, see the [task hub execution example](durable-functions-task-hubs.md#execution-example).

+Where and how states and messages are represented in storage [depends on the storage provider](durable-functions-task-hubs.md#representation-in-storage). By default, Durable Functions uses the [Azure Storage provider](durable-functions-azure-storage-provider.md) which persists data to queues, tables, and blobs in an [Azure Storage](https://azure.microsoft.com/services/storage/) account that you specify.

+> For many function apps, the default Azure Storage provider for Durable Functions is likely to suffice, and is the easiest to use since it requires no extra configuration. However, there are cost, scalability, and data management tradeoffs that may favor the use of an alternate storage provider.

+Two alternate storage providers were developed for use with Durable Functions and the Durable Task Framework, namely the _Netherite_ storage provider and the _Microsoft SQL Server (MSSQL)_ storage provider. This article describes all three supported providers, compares them against each other, and provides basic information about how to get started using them.

+> [!NOTE]

+> It's not currently possible to migrate data from one storage provider to another. If you want to use a new storage provider, you should create a new app configured with the new storage provider.

+| Local development and emulation options | [Azurite v3.12+](../../storage/common/storage-use-azurite.md) (cross platform)<br/>[Azure Storage Emulator](../../storage/common/storage-use-emulator.md) (Windows only) | Supports in-memory emulation of task hubs ([more information](https://microsoft.github.io/durabletask-netherite/#/emulation)) | SQL Server Developer Edition (supports [Windows](/sql/database-engine/install-windows/install-sql-server), [Linux](/sql/linux/sql-server-linux-setup), and [Docker containers](/sql/linux/sql-server-linux-docker-container-deployment)) |

+| Elastic Premium plan support | ✅ Fully supported | ⚠ Requires [runtime scale monitoring](../functions-networking-options.md#premium-plan-with-virtual-network-triggers) | ⚠ Requires [runtime scale monitoring](../functions-networking-options.md#premium-plan-with-virtual-network-triggers) |

+| Managed Identity Support | ✅ Fully supported | ❌ Not supported | ⚠️ Requires runtime-driven scaling |

+A *task hub* in [Durable Functions](durable-functions-overview.md) is a representation of the current state of the application in storage, including all the pending work. While a function app is running, the progress of orchestration, activity, and entity functions is continually stored in the task hub. This ensures that the application can resume processing where it left off, should it require to be restarted after being temporarily stopped or interrupted for some reason. Also, it allows the function app to scale the compute workers dynamically.

+

+Conceptually, a task hub stores the following information:

+* The **instance states** of all orchestration and entity instances.

+* The messages to be processed, including

+ * any **activity messages** that represent activities waiting to be run.

+ * any **instance messages** that are waiting to be delivered to instances.

+The difference between activity and instance messages is that activity messages are stateless, and can thus be processed anywhere, while instance messages need to be delivered to a particular stateful instance (orchestration or entity), identified by its instance ID.

+Internally, each storage provider may use a different organization to represent instance states and messages. For example, messages are stored in Azure Storage Queues by the Azure Storage provider, but in relational tables by the MSSQL provider. These differences don't matter as far as the design of the application is concerned, but some of them may influence the performance characteristics. We discuss them in the section [Representation in storage](durable-functions-task-hubs.md#representation-in-storage) below.

+## Work items

+The activity messages and instance messages in the task hub represent the work that the function app needs to process. While the function app is running, it continuously fetches *work items* from the task hub. Each work item is processing one or more messages. We distinguish two types of work items:

+* **Activity work items**: Run an activity function to process an activity message.

+* **Orchestrator work item**: Run an orchestrator or entity function to process one or more instance messages.

+Workers can process multiple work items at the same time, subject to the [configured per-worker concurrency limits](durable-functions-perf-and-scale.md#concurrency-throttles).

+Once a worker completes a work item, it commits the effects back to the task hub. These effects vary by the type of function that was executed:

+* A completed activity function creates an instance message containing the result, addressed to the parent orchestrator instance.

+* A completed orchestrator function updates the orchestration state and history, and may create new messages.

+* A completed entity function updates the entity state, and may also create new instance messages.

+For orchestrations, each work item represents one **episode** of that orchestration's execution. An episode starts when there are new messages for the orchestrator to process. Such a message may indicate that the orchestration should start; or it may indicate that an activity, entity call, timer, or suborchestration has completed; or it can represent an external event. The message triggers a work item that allows the orchestrator to process the result and to continue with the next episode. That episode ends when the orchestrator either completes, or reaches a point where it must wait for new messages.

+### Execution example

+Consider a fan-out-fan-in orchestration that starts two activities in parallel, and waits for both of them to complete:

+# [C#](#tab/csharp)

+```csharp

+[FunctionName("Example")]

+public static async Task Run([OrchestrationTrigger] IDurableOrchestrationContext context)

+{

+ Task t1 = context.CallActivityAsync<int>("MyActivity", 1);

+ Task t2 = context.CallActivityAsync<int>("MyActivity", 2);

+ await Task.WhenAll(t1, t2);

+}

+```

+# [JavaScript](#tab/javascript)

+```JavaScript

+module.exports = df.orchestrator(function*(context){

+ const tasks = [];

+ tasks.push(context.df.callActivity("MyActivity", 1));

+ tasks.push(context.df.callActivity("MyActivity", 2));

+ yield context.df.Task.all(tasks);

+});

+```

+# [Python](#tab/python)

+```python

+def orchestrator_function(context: df.DurableOrchestrationContext):

+ tasks = []

+ tasks.append(context.call_activity("MyActivity", 1))

+ tasks.append(context.call_activity("MyActivity", 2))

+ yield context.task_all(tasks)

+```

+# [Java](#tab/java)

+```java

+@FunctionName("Example")

+public String exampleOrchestrator(

+ @DurableOrchestrationTrigger(name = "runtimeState") String runtimeState) {

+ return OrchestrationRunner.loadAndRun(runtimeState, ctx -> {

+ Task<Void> t1 = ctx.callActivity("MyActivity", 1);

+ Task<Void> t2 = ctx.callActivity("MyActivity", 2);

+ ctx.allOf(List.of(t1, t2)).await();

+ });

+}

+```

+After this orchestration is initiated by a client it's processed by the function app as a sequence of work items. Each completed work item updates the task hub state when it commits. These are the steps:

+1. A client requests to start a new orchestration with instance-id "123". After the client completes this request, the task hub contains a placeholder for the orchestration state and an instance message:

+ 

+ The label `ExecutionStarted` is one of many [history event types](https://github.com/Azure/durabletask/tree/main/src/DurableTask.Core/History#readme) that identify the various types of messages and events participating in an orchestration's history.

+2. A worker executes an *orchestrator work item* to process the `ExecutionStarted` message. It calls the orchestrator function which starts executing the orchestration code. This code schedules two activities and then stops executing when it is waiting for the results. After the worker commits this work item, the task hub contains

+ 

+ The runtime state is now `Running`, two new `TaskScheduled` messages were added, and the history now contains the five events `OrchestratorStarted`, `ExecutionStarted`, `TaskScheduled`, `TaskScheduled`, `OrchestratorCompleted`. These events represent the first episode of this orchestration's execution.

+3. A worker executes an *activity work item* to process one of the `TaskScheduled` messages. It calls the activity function with input "2". When the activity function completes, it creates a `TaskCompleted` message containing the result. After the worker commits this work item, the task hub contains

+ 

+4. A worker executes an *orchestrator work item* to process the `TaskCompleted` message. If the orchestration is still cached in memory, it can just resume execution. Otherwise, the worker first [replays the history to recover the current state of the orchestration](durable-functions-orchestrations.md#reliability). Then it continues the orchestration, delivering the result of the activity. After receiving this result, the orchestration is still waiting for the result of the other activity, so it once more stops executing. After the worker commits this work item, the task hub contains

+ 

+ The orchestration history now contains three more events `OrchestratorStarted`, `TaskCompleted`, `OrchestratorCompleted`. These events represent the second episode of this orchestration's execution.

+5. A worker executes an *activity work item* to process the remaining `TaskScheduled` message. It calls the activity function with input "1". After the worker commits this work item, the task hub contains

+ 

+6. A worker executes another *orchestrator work item* to process the `TaskCompleted` message. After receiving this second result, the orchestration completes. After the worker commits this work item, the task hub contains

+ 

+ The runtime state is now `Completed`, and the orchestration history now contains four more events `OrchestratorStarted`, `TaskCompleted`, `ExecutionCompleted`, `OrchestratorCompleted`. These events represent the third and final episode of this orchestration's execution.

+The final history for this orchestration's execution then contains the 12 events `OrchestratorStarted`, `ExecutionStarted`, `TaskScheduled`, `TaskScheduled`, `OrchestratorCompleted`, `OrchestratorStarted`, `TaskCompleted`, `OrchestratorCompleted`, `OrchestratorStarted`, `TaskCompleted`, `ExecutionCompleted`, `OrchestratorCompleted`.

+> The schedule shown isn't the only one: there are many slightly different possible schedules. For example, if the second activity completes earlier, both `TaskCompleted` instance messages may be processed by a single work item. In that case, the execution history is a bit shorter, because there are only two episodes, and it contains the following 10 events: `OrchestratorStarted`, `ExecutionStarted`, `TaskScheduled`, `TaskScheduled`, `OrchestratorCompleted`, `OrchestratorStarted`, `TaskCompleted`, `TaskCompleted`, `ExecutionCompleted`, `OrchestratorCompleted`.

+## Task hub management

+Next, let's take a closer look at how task hubs are created or deleted, how to use task hubs correctly when running multiple function apps, and how the content of task hubs can be inspected.

+### Creation and deletion

+An empty task hub with all the required resources is automatically created in storage when a function app is started the first time.

+If using the default Azure Storage provider, no extra configuration is required. Otherwise, follow the [instructions for configuring storage providers](durable-functions-storage-providers.md#configuring-alternate-storage-providers) to ensure that the storage provider can properly provision and access the storage resources required for the task hub.

+> The task hub is *not* automatically deleted when you stop or delete the function app. You must delete the task hub, its contents, or the containing storage account manually if you no longer want to keep that data.

+> [!TIP]

+> In a development scenario, you may need to restart from a clean state often. To do so quickly, you can just [change the configured task hub name](durable-functions-task-hubs.md#task-hub-names). This will force the creation of a new, empty task hub when you restart the application. Be aware that the old data is not deleted in this case.

+### Multiple function apps

+If multiple function apps share a storage account, each function app *must* be configured with a separate [task hub name](durable-functions-task-hubs.md#task-hub-names). This requirement also applies to staging slots: each staging slot must be configured with a unique task hub name. A single storage account can contain multiple task hubs. This restriction generally applies to other storage providers as well.

+

+> [!NOTE]

+> The exception to the task hub sharing rule is if you are configuring your app for regional disaster recovery. See the [disaster recovery and geo-distribution](durable-functions-disaster-recovery-geo-distribution.md) article for more information.

+### Content inspection

+There are several common ways to inspect the contents of a task hub:

+1. Within a function app, the client object provides methods to query the instance store. To learn more about what types of queries are supported, see the [Instance Management](durable-functions-instance-management.md) article.

+2. Similarly, The [HTTP API](durable-functions-http-features.md) offers REST requests to query the state of orchestrations and entities. See the [HTTP API Reference](durable-functions-http-api.md) for more details.

+3. The [Durable Functions Monitor](https://github.com/microsoft/DurableFunctionsMonitor) tool can inspect task hubs and offers various options for visual display.

+For some of the storage providers, it is also possible to inspect the task hub by going directly to the underlying storage:

+* If using the Azure Storage provider, the instance states are stored in the [Instance Table](durable-functions-azure-storage-provider.md#instances-table) and the [History Table](durable-functions-azure-storage-provider.md#history-table) that can be inspected using tools such as Azure Storage Explorer.

+* If using the MSSQL storage provider, SQL queries and tools can be used to inspect the task hub contents inside the database.

+## Representation in storage

+Each storage provider uses a different internal organization to represent task hubs in storage. Understanding this organization, while not required, can be helpful when troubleshooting a function app or when trying to ensure performance, scalability, or cost targets. We thus briefly explain, for each storage provider, how the data is organized in storage. For more information on the various storage provider options and how they compare, see the [Durable Functions storage providers](durable-functions-storage-providers.md).

+### Azure Storage provider

+The Azure Storage provider represents the task hub in storage using the following components:

+* Two Azure Tables store the instance states.

+* One Azure Queue stores the activity messages.

+* One or more Azure Queues store the instance messages. Each of these so-called *control queues* represents a [partition](durable-functions-perf-and-scale.md#partition-count) that is assigned a subset of all instance messages, based on the hash of the instance ID.

+* A few extra blob containers used for lease blobs and/or large messages.

+For example, a task hub named `xyz` with `PartitionCount = 4` contains the following queues and tables:

+

+Next, we describe these components and the role they play in more detail.

+For more information how task hubs are represented by the Azure Storage provider, see the [Azure Storage provider](durable-functions-azure-storage-provider.md) documentation.

+### Netherite storage provider

+Netherite partitions all of the task hub state into a specified number of partitions.

+In storage, the following resources are used:

+* One Azure Storage blob container that contains all the blobs, grouped by partition.

+* One Azure Table that contains published metrics about the partitions.

+* An Azure Event Hubs namespace for delivering messages between partitions.

+For example, a task hub named `mytaskhub` with `PartitionCount = 32` is represented in storage as follows:

+

+> [!NOTE]

+> All of the task hub state is stored inside the `x-storage` blob container. The `DurableTaskPartitions` table and the EventHubs namespace contain redundant data: if their contents are lost, they can be automatically recovered. Therefore it is not necessary to configure the Azure Event Hubs namespace to retain messages past the default expiration time.

+Netherite uses an event-sourcing mechanism, based on a log and checkpoints, to represent the current state of a partition. Both block blobs and page blobs are used. It is not possible to read this format from storage directly, so the function app has to be running when querying the instance store.

+For more information on task hubs for the Netherite storage provider, see [Task Hub information for the Netherite storage provider](https://microsoft.github.io/durabletask-netherite/#/storage).

+### MSSQL storage provider

+All task hub data is stored in a single relational database, using several tables:

+* The `dt.Instances` and `dt.History` tables store the instance states.

+* The `dt.NewEvents` table stores the instance messages.

+* The `dt.NewTasks` table stores the activity messages.

+

+To enable multiple task hubs to coexist independently in the same database, each table includes a `TaskHub` column as part of its primary key. Unlike the other two providers, the MSSQL provider doesn't have a concept of partitions.

+For more information on task hubs for the MSSQL storage provider, see [Task Hub information for the Microsoft SQL (MSSQL) storage provider](https://microsoft.github.io/durabletask-mssql/#/taskhubs).

+Task hubs are identified by a name that must conform to these rules:

+Task hub names must start with a letter and consist of only letters and numbers. If not specified, a default task hub name will be used as shown in the following table:

+| 2.x | When deployed in Azure, the task hub name is derived from the name of the *function app*. When running outside of Azure, the default task hub name is `TestHubName`. |

+> [Learn about using and choosing storage providers](durable-functions-storage-providers.md)

+When all customer data must remain within a single region, the storage account associated with the function app must be one with [in-region redundancy](../storage/common/storage-redundancy.md). An in-region redundant storage account also must be used with [Azure Durable Functions](./durable/durable-functions-azure-storage-provider.md#storage-account-selection).

+ //The attribute should track exceptions only when CustomErrors setting is On

+ //if CustomErrors is Off, exceptions will be caught by AI HTTP Module

+> Although these addresses are static, it's possible that we'll need to change them from time to time. All Application Insights traffic represents outbound traffic with the exception of availability monitoring and webhook action groups, which also require inbound firewall rules.

+> [!WARNING]

+>

+> JRE is not supported.

+> [!WARNING]

+>

+> Read-only file system is not supported.

+> [!WARNING]

+>

+> The invocation must be requested at the beginning of the `main` method.

+* Or you can use an environmental variable or a system property, more in the _Configuration file path_ part on [this page](../app/java-standalone-config.md). Spring properties defined in a Spring _.properties_ file are not supported.

+You can find a Django sample application that uses dependencies in the Azure Monitor OpenCensus Python samples repository located [here](https://github.com/Azure-Samples/azure-monitor-opencensus-python/tree/master/azure_monitor/django_sample).

+You can find a Django sample application in the sample Azure Monitor OpenCensus Python samples repository located [here](https://github.com/givenscj/azure-monitor-opencensus-python/tree/master/azure_monitor/django_sample).

+You can find a Flask sample application that tracks requests in the Azure Monitor OpenCensus Python samples repository located [here](https://github.com/Azure-Samples/azure-monitor-opencensus-python/tree/master/azure_monitor/flask_sample).

+The SDK uses three Azure Monitor exporters to send different types of telemetry to Azure Monitor. They are `trace`, `metrics`, and `logs`. For more information on these telemetry types, see [the data platform overview](../data-platform.md). Use the following instructions to send these telemetry types via the three exporters.

+1. The exporter sends log data to Azure Monitor. You can find the data under `traces`.

+* [Azure Monitor Sample Applications](https://github.com/Azure-Samples/azure-monitor-opencensus-python/tree/master/azure_monitor)

+be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at https://go.microsoft.com/fwlink/?LinkID=135170.

+## Public preview support and limitations

+### Why is CPU percentage over 100 percent on predictive charts?

+The predictive chart shows the cumulative load for all machines in the scale set. If you have 5 VMs in a scale set, the maximum cumulative load for all VMs will be 500%, that is, five times the 100% maximum CPU load of each VM.

+### Which rule will take effect if both predictive and standard autoscale rules are set?

+Standard autoscale rules are used if there is an unexpected spike in the CPU load, or an error occurs when retrieving predictive data```

+We use the threshold set in the standard autoscale rules to understand when youΓÇÖd like to scale out and by how many instances. If you want your VM scale set to scale out when the CPU usage exceeds 70%, and actual or predicted data shows that CPU usage is or will be over 70%, then a scale out will occur.

+- [Autoscale REST API](/rest/api/monitor/autoscalesettings)

+With Container insights, you can use the performance charts and health status to monitor the workload of Kubernetes clusters hosted on Azure Kubernetes Service (AKS), Azure Stack, or another environment from two perspectives. You can monitor directly from the cluster. You can also view all clusters in a subscription from Azure Monitor. Viewing Azure Container Instances is also possible when you're monitoring a specific AKS cluster.

+This article helps you understand the two perspectives and how Azure Monitor helps you quickly assess, investigate, and resolve detected issues.

+Azure Monitor provides a multi-cluster view that shows the health status of all monitored Kubernetes clusters running Linux and Windows Server 2019 deployed across resource groups in your subscriptions. It shows clusters discovered across all environments that aren't monitored by the solution.

+With this view, you can immediately understand cluster health. From here, you can drill down to the node and controller performance page or navigate to see performance charts for the cluster. For AKS clusters that were discovered and identified as unmonitored, you can enable monitoring for them at any time.

+The main differences in monitoring a Windows Server cluster with Container insights compared to a Linux cluster are described in [Features of Container insights](container-insights-overview.md#features-of-container-insights) in the overview article.

+

+* **Azure**: AKS and AKS Engine clusters hosted in Azure Kubernetes Service.

+* **Azure Stack (Preview)**: AKS Engine clusters hosted on Azure Stack.

+* **Non-Azure (Preview)**: Kubernetes clusters hosted on-premises.

+* **All**: View all the Kubernetes clusters hosted in Azure, Azure Stack, and on-premises environments that are onboarded to Container insights.

+To view clusters from a specific environment, select it from **Environment** in the upper-left corner.

+

+- How many clusters are in a critical or unhealthy state versus how many are healthy or not reporting (referred to as an Unknown state).

+- Whether all of the [Azure Kubernetes Engine (AKS Engine)](https://github.com/Azure/aks-engine) deployments are healthy.

+Health state calculates the overall cluster status as the *worst of* the three states with one exception. If any of the three states is Unknown, the overall cluster state shows **Unknown**.

+>The experiences described in the remainder of this article are also applicable for viewing performance and health status of your Kubernetes clusters hosted on Azure Stack or another environment when selected from the multi-cluster view.

+

+- **Node count**: A node count and status from Kubernetes. Statuses of the cluster nodes represented are **Total**, **Ready**, and **Not Ready**. They can be filtered individually or combined in the selector above the chart.

+- **Active pod count**: A pod count and status from Kubernetes. Statuses of the pods represented are **Total**, **Pending**, **Running**, **Unknown**, **Succeeded**, or **Failed**. They can be filtered individually or combined in the selector above the chart.

+Container insights also supports Azure Monitor [Metrics Explorer](../essentials/metrics-getting-started.md), where you can create your own plot charts, correlate and investigate trends, and pin to dashboards. From Metrics Explorer, you also can use the criteria that you set to visualize your metrics as the basis of a [metric-based alert rule](../alerts/alerts-metric.md).

+## View container metrics in Metrics Explorer

+In Metrics Explorer, you can view aggregated node and pod utilization metrics from Container insights. The following table summarizes the details to help you understand how to use the metric charts to visualize container metrics.

+| | cpuUsageMillicores | Aggregated measurement of CPU utilization across the cluster. It's a CPU core split into 1,000 units (milli = 1000). Used to determine the usage of cores in a container where many applications might be using one core.|

+As you expand the objects in the hierarchy, the properties pane updates based on the object selected. From the pane, you also can view Kubernetes container logs (stdout/stderror), events, and pod metrics by selecting the **View live data (preview)** link at the top of the pane. For more information about the configuration required to grant and control access to view this data, see [Set up the Live Data (preview)](container-insights-livedata-setup.md).

+While you review cluster resources, you can see this data from the container in real time. For more information about this feature, see [How to view Kubernetes logs, events, and pod metrics in real time](container-insights-livedata-overview.md).

+To view Kubernetes log data stored in your workspace based on predefined log searches, select **View container logs** from the **View in analytics** dropdown list. For more information, see [How to query logs from Container insights](container-insights-log-query.md).

+Use the **+ Add Filter** option at the top of the page to filter the results for the view by **Service**, **Node**, **Namespace**, or **Node Pool**. After you select the filter scope, select one of the values shown in the **Select value(s)** field. After the filter is configured, it's applied globally while viewing any perspective of the AKS cluster. The formula only supports the equal sign. You can add more filters on top of the first one to further narrow your results. For example, if you specify a filter by **Node**, you can only select **Service** or **Namespace** for the second filter.

+

+Windows Server containers that run the Windows Server 2019 OS are shown after all the Linux-based nodes in the list. When you expand a Windows Server node, you can view one or more pods and containers that run on the node. After a node is selected, the properties pane shows version information.

+

+

+

+Select controllers or containers at the top of the page to review the status and resource utilization for those objects. To review memory utilization, in the **Metric** dropdown list, select **Memory RSS** or **Memory working set**. **Memory RSS** is supported only for Kubernetes version 1.8 and later. Otherwise, you view values for **Min&nbsp;%** as *NaN&nbsp;%*, which is a numeric data type value that represents an undefined or unrepresentable value.

+

+**Memory working set** shows both the resident memory and virtual memory (cache) included and is a total of what the application is using. **Memory RSS** shows only main memory, which is nothing but the resident memory. This metric shows the actual capacity of available memory. What's the difference between resident memory and virtual memory?

+- **Resident memory**, or main memory, is the actual amount of machine memory available to the nodes of the cluster.

+- **Virtual memory** is reserved hard disk space (cache) used by the operating system to swap data from memory to disk when under memory pressure, and then fetch it back to memory when needed.

+

+

+

+You might notice a workload after expanding a node named **Other process**. It represents non-containerized processes that run on your node, and includes:

+* Self-managed or managed Kubernetes non-containerized processes.

+* Container run-time processes.

+* Kubelet.

+* System processes running on your node.

+* Other non-Kubernetes workloads running on node hardware or a VM.

+It's calculated by *Total usage from CAdvisor* - *Usage from containerized process*.

+

+

+

+

+| Status | The rollup status of the containers after it's finished running with status such as **OK**, **Terminated**, **Failed**, **Stopped**, or **Paused**. If the container is running but the status either wasn't properly displayed or wasn't picked up by the agent and hasn't responded for more than 30 minutes, the status is **Unknown**. More details of the status icon are provided in the following table.|

+|  | Running (Ready)|

+|  | Waiting or Paused|

+|  | Last reported running but hasn't responded for more than 30 minutes|

+|  | Successfully stopped or failed to stop|

+The status icon displays a count based on what the pod provides. It shows the worst two states. When you hover over the status, it displays a rollup status from all pods in the container. If there isn't a ready state, the status value displays **(0)**.

+

+Here you can view the performance health of your AKS and Container Instances containers.

+

+

+| Status | Status of the containers, if any. More details of the status icon are provided in the next table.|

+|  | Running (Ready)|

+|  | Waiting or Paused|

+|  | Last reported running but hasn't responded in more than 30 minutes|

+|  | Successfully stopped or failed to stop|

+|  | Failed state |

+Azure Network Policy Manager includes informative Prometheus metrics that you can use to monitor and better understand your network configurations. It provides built-in visualizations in either the Azure portal or Grafana Labs. For more information, see [Monitor and visualize network configurations with Azure NPM](../../virtual-network/kubernetes-network-policies.md#monitor-and-visualize-network-configurations-with-azure-npm).

+Workbooks combine text, log queries, metrics, and parameters into rich interactive reports that you can use to analyze cluster performance. For a description of the workbooks available for Container insights, see [Workbooks in Container insights](container-insights-reports.md).

+- See [Create performance alerts with Container insights](./container-insights-log-alerts.md) to learn how to create alerts for high CPU and memory utilization to support your DevOps or operational processes and procedures.

+- See [Log query examples](container-insights-log-query.md) to see predefined queries and examples to evaluate or customize to alert, visualize, or analyze your clusters.

+- See [Monitor cluster health](./container-insights-overview.md) to learn about viewing the health status of your Kubernetes cluster.

+After applying one or more of these changes to your ConfigMaps, see [Apply updated ConfigMap](container-insights-prometheus-integration.md#apply-updated-configmap) to apply it to your cluster.

+ Title: Query logs from Container insights

+description: Container insights collects metrics and log data, and this article describes the records and includes sample queries.

+# Query logs from Container insights

+Container insights collects performance metrics, inventory data, and health state information from container hosts and containers. The data is collected every three minutes and forwarded to the Log Analytics workspace in Azure Monitor where it's available for [log queries](../logs/log-query-overview.md) using [Log Analytics](../logs/log-analytics-overview.md) in Azure Monitor.

+You can apply this data to scenarios that include migration planning, capacity analysis, discovery, and on-demand performance troubleshooting. Azure Monitor Logs can help you look for trends, diagnose bottlenecks, forecast, or correlate data that can help you determine whether the current cluster configuration is performing optimally.

+For information on using these queries, see [Using queries in Azure Monitor Log Analytics](../logs/queries.md). For a complete tutorial on using Log Analytics to run queries and work with their results, see [Log Analytics tutorial](../logs/log-analytics-tutorial.md).

+There are multiple options for starting Log Analytics. Each option starts with a different [scope](../logs/scope.md). For access to all data in the workspace, on the **Monitoring** menu, select **Logs**. To limit the data to a single Kubernetes cluster, select **Logs** from that cluster's menu.

+You don't necessarily need to understand how to write a log query to use Log Analytics. You can select from multiple prebuilt queries. You can either run the queries without modification or use them as a start to a custom query. Select **Queries** at the top of the Log Analytics screen, and view queries with a **Resource type** of **Kubernetes Services**.

+For a list of tables and their detailed descriptions used by Container insights, see the [Azure Monitor table reference](/azure/azure-monitor/reference/tables/tables-resourcetype#kubernetes-services). All these tables are available for log queries.

+It's often useful to build queries that start with an example or two and then modify them to fit your requirements. To help build more advanced queries, you can experiment with the following sample queries.

+### Requests per minute with custom metrics

+This query returns the number of scaled-out replicas in each deployment. It calculates the scale-out percentage with the maximum number of replicas configured in HPA.

+### Nodepool scale-outs

+This query returns the number of active nodes in each node pool. It calculates the number of available active nodes and the max node configuration in the autoscaler settings to determine the scale-out percentage. See commented lines in the query to use it for a **number of results** alert rule.

+//(Uncomment the below two lines to set this as a log search alert)

+This query returns the system containers (replicasets) and reports the unavailable percentage. See commented lines in the query to use it for a **number of results** alert rule.

+This query returns the system containers (daemonsets) and reports the unavailable percentage. See commented lines in the query to use it for a **number of results** alert rule.

+Resource logs for AKS are stored in the [AzureDiagnostics](/azure/azure-monitor/reference/tables/azurediagnostics) table. You can distinguish different logs with the **Category** column. For a description of each category, see [AKS reference resource logs](../../aks/monitor-aks-reference.md). The following examples require a diagnostic extension to send resource logs for an AKS cluster to a Log Analytics workspace. For more information, see [Configure monitoring](../../aks/monitor-aks.md#configure-monitoring).

+To view Prometheus metrics scraped by Azure Monitor and filtered by namespace, specify "prometheus". Here's a sample query to view Prometheus metrics from the `default` Kubernetes namespace.

+### Query configuration or scraping errors

+

+Container insights doesn't include a predefined set of alerts. To learn how to create recommended alerts for high CPU and memory utilization to support your DevOps or operational processes and procedures, see [Create performance alerts with Container insights](./container-insights-log-alerts.md).

+description: This article describes Container insights, which monitors the AKS Container insights solution, and the value it delivers by monitoring the health of your AKS clusters and Container Instances in Azure.

+- Managed Kubernetes clusters hosted on [Azure Kubernetes Service (AKS)](../../aks/intro-kubernetes.md).

+- Self-managed Kubernetes clusters hosted on Azure using [AKS Engine](https://github.com/Azure/aks-engine).

+- [Azure Container Instances](../../container-instances/container-instances-overview.md).

+- Self-managed Kubernetes clusters hosted on [Azure Stack](/azure-stack/user/azure-stack-kubernetes-aks-engine-overview) or on-premises.

+- [Azure Arc-enabled Kubernetes](../../azure-arc/kubernetes/overview.md).

+Container insights supports clusters running the Linux and Windows Server 2019 operating system. The container runtimes it supports are Moby and any CRI-compatible runtime such as CRI-O and ContainerD. Docker is no longer supported as a container runtime as of September 2022. For more information about this deprecation, see the [AKS release notes][aks-release-notes].

+> Container insights support for Windows Server 2022 operating system is in public preview.

+Container insights gives you performance visibility by collecting memory and processor metrics from controllers, nodes, and containers that are available in Kubernetes through the Metrics API. After you enable monitoring from Kubernetes clusters, metrics and Container logs are automatically collected for you through a containerized version of the Log Analytics agent for Linux. Metrics are sent to the [metrics database in Azure Monitor](../essentials/data-platform-metrics.md). Log data is sent to your [Log Analytics workspace](../logs/log-analytics-workspace-overview.md).

+Container insights deliver a comprehensive monitoring experience to understand the performance and health of your Kubernetes cluster and container workloads. You can:

+- Configure alerts to proactively notify you or record when CPU and memory utilization on nodes or containers exceed your thresholds, or when a health state change occurs in the cluster at the infrastructure or nodes health rollup.

+- Integrate with [Prometheus](https://prometheus.io/docs/introduction/overview/) to view application and workload metrics it collects from nodes and Kubernetes by using [queries](container-insights-log-query.md) to create custom alerts and dashboards and perform detailed analysis.

+The following video provides an intermediate-level deep dive to help you learn about monitoring your AKS cluster with Container insights. The video refers to *Azure Monitor for Containers*, which is the previous name for *Container insights*.

+## Access Container insights

+You can access Container insights in the Azure portal from Azure Monitor or directly from the selected AKS cluster. The Azure Monitor menu gives you the global perspective of all the containers that are deployed and monitored. This information allows you to search and filter across your subscriptions and resource groups. You can then drill into Container insights from the selected container. Access Container insights for a particular AKS container directly from the AKS page.

+

+The main differences in monitoring a Windows Server cluster compared to a Linux cluster include:

+- Windows doesn't have a Memory RSS metric, and as a result it isn't available for Windows nodes and containers. The [Working Set](/windows/win32/memory/working-set) metric is available.

+To begin monitoring your Kubernetes cluster, review [Enable Container insights](container-insights-onboard.md) to understand the requirements and available methods to enable monitoring.

+ Title: Configure Container insights Prometheus integration | Microsoft Docs

+[Prometheus](https://prometheus.io/) is a popular open-source metric monitoring solution and is a part of the [Cloud Native Compute Foundation](https://www.cncf.io/). Container insights provides a seamless onboarding experience to collect Prometheus metrics.

+Typically, to use Prometheus, you need to set up and manage a Prometheus server with a store. If you integrate with Azure Monitor, a Prometheus server isn't required. You only need to expose the Prometheus metrics endpoint through your exporters or pods (application). Then the containerized agent for Container insights can scrape the metrics for you.

+

+>The minimum agent version supported for scraping Prometheus metrics is ciprod07092019. The agent version supported for writing configuration and agent errors in the `KubeMonAgentEvents` table is ciprod10112019. For Azure Red Hat OpenShift and Red Hat OpenShift v4, the agent version is ciprod04162020 or later.

+>For more information about the agent versions and what's included in each release, see [Agent release notes](https://github.com/microsoft/Docker-Provider/tree/ci_feature_prod).

+>To verify your agent version, select the **Insights** tab of the resource. From the **Nodes** tab, select a node. In the properties pane, note the value of the **Agent Image Tag** property.

+- Azure Kubernetes Service (AKS).

+- Azure Stack or on-premises.

+- Azure Arc enabled Kubernetes.

+- Azure Red Hat OpenShift and Red Hat OpenShift version 4.x through cluster connect to Azure Arc.

+* **Cluster-wide**: HTTP URL and discover targets from listed endpoints of a service, for example, Kubernetes services such as kube-dns and kube-state-metrics, and pod annotations specific to an application. Metrics collected in this context will be defined in the ConfigMap section *[Prometheus data_collection_settings.cluster]*.

+* **Node-wide**: HTTP URL and discover targets from listed endpoints of a service. Metrics collected in this context will be defined in the ConfigMap section *[Prometheus_data_collection_settings.node]*.

+| Pod annotation | Cluster-wide | Annotations: <br>`prometheus.io/scrape: "true"` <br>`prometheus.io/path: "/mymetrics"` <br>`prometheus.io/port: "8000"` <br>`prometheus.io/scheme: "http"` |

+| URL/endpoint | Per-node and/or cluster-wide | `http://myurl:9101/metrics` |

+When a URL is specified, Container insights only scrapes the endpoint. When Kubernetes service is specified, the service name is resolved with the cluster DNS server to get the IP address. Then the resolved service is scraped.

+| | `urls` | String | Comma-separated array | HTTP endpoint (either IP address or valid URL path specified). For example: `urls=[$NODE_IP/metrics]`. ($NODE_IP is a specific Container insights parameter and can be used instead of a node IP address. Must be all uppercase.) |

+| | `kubernetes_services` | String | Comma-separated array | An array of Kubernetes services to scrape metrics from kube-state-metrics. Fully qualified domain names must be used here. For example,`kubernetes_services = ["https://metrics-server.kube-system.svc.cluster.local/metrics",http://my-service-dns.my-namespace.svc.cluster.local:9100/metrics]`|

+| | `monitor_kubernetes_pods` | Boolean | true or false | When set to `true` in the cluster-wide settings, the Container insights agent will scrape Kubernetes pods across the entire cluster for the following Prometheus annotations:<br> `prometheus.io/scrape:`<br> `prometheus.io/scheme:`<br> `prometheus.io/path:`<br> `prometheus.io/port:` |

+| | `prometheus.io/scrape` | Boolean | true or false | Enables scraping of the pod, and `monitor_kubernetes_pods` must be set to `true`. |

+| | `prometheus.io/scheme` | String | http or https | Defaults to scraping over HTTP. If necessary, set to `https`. |

+| | `prometheus.io/path` | String | Comma-separated array | The HTTP resource path from which to fetch metrics. If the metrics path isn't `/metrics`, define it with this annotation. |

+| | `prometheus.io/port` | String | 9102 | Specify a port to scrape from. If the port isn't set, it will default to 9102. |

+| Node-wide | `urls` | String | Comma-separated array | HTTP endpoint (either IP address or valid URL path specified). For example: `urls=[$NODE_IP/metrics]`. ($NODE_IP is a specific Container insights parameter and can be used instead of a node IP address. Must be all uppercase.) |

+| Node-wide or cluster-wide | `interval` | String | 60s | The collection interval default is one minute (60 seconds). You can modify the collection for either the *[prometheus_data_collection_settings.node]* and/or *[prometheus_data_collection_settings.cluster]* to time units such as s, m, and h. |

+| Node-wide or cluster-wide | `fieldpass`<br> `fielddrop`| String | Comma-separated array | You can specify certain metrics to be collected or not from the endpoint by setting the allow (`fieldpass`) and disallow (`fielddrop`) listing. You must set the allowlist first. |

+ConfigMaps is a global list and there can be only one ConfigMap applied to the agent. You can't have another ConfigMaps overruling the collections.

+1. [Download](https://aka.ms/container-azm-ms-agentconfig) the template ConfigMap YAML file and save it as container-azm-ms-agentconfig.yaml.

+ >This step isn't required when you're working with Azure Red Hat OpenShift because the ConfigMap template already exists on the cluster.

+1. Edit the ConfigMap YAML file with your customizations to scrape Prometheus metrics.

+ If you're editing the ConfigMap YAML file for Azure Red Hat OpenShift, first run the command `oc edit configmaps container-azm-ms-agentconfig -n openshift-azure-logging` to open the file in a text editor.

+ >The following annotation `openshift.io/reconcile-protect: "true"` must be added under the metadata of *container-azm-ms-agentconfig* ConfigMap to prevent reconciliation.

+ - To collect Kubernetes services cluster-wide, configure the ConfigMap file by using the following example:

+ - To configure scraping of Prometheus metrics from a specific URL across the cluster, configure the ConfigMap file by using the following example:

+ - To configure scraping of Prometheus metrics from an agent's DaemonSet for every individual node in the cluster, configure the following example in the ConfigMap:

+ >$NODE_IP is a specific Container insights parameter and can be used instead of a node IP address. It must be all uppercase.

+ - To configure scraping of Prometheus metrics by specifying a pod annotation:

+ 1. In the ConfigMap, specify the following configuration:

+ 1. Specify the following configuration for pod annotations:

+ If you want to restrict monitoring to specific namespaces for pods that have annotations, for example, only include pods dedicated for production workloads, set the `monitor_kubernetes_pod` to `true` in ConfigMap. Then add the namespace filter `monitor_kubernetes_pods_namespaces` to specify the namespaces to scrape from. An example is `monitor_kubernetes_pods_namespaces = ["default1", "default2", "default3"]`.

+1. Run the following kubectl command: `kubectl apply -f <configmap_yaml_file.yaml>`.

+ Example: `kubectl apply -f container-azm-ms-agentconfig.yaml`.

+The configuration change can take a few minutes to finish before taking effect. You must restart all omsagent pods manually. When the restarts are finished, a message appears that's similar to the following and includes the result `configmap "container-azm-ms-agentconfig" created`.

+## Configure and deploy ConfigMaps for Azure Red Hat OpenShift v3

+>For Azure Red Hat OpenShift v3.x, a template ConfigMap file is created in the *openshift-azure-logging* namespace. It isn't configured to actively scrape metrics or data collection from the agent.

+Before you start, confirm you're a member of the Customer Cluster Admin role of your Azure Red Hat OpenShift cluster to configure the containerized agent and Prometheus scraping settings. To verify you're a member of the *osa-customer-admins* group, run the following command:

+The output will resemble the following example:

+If you're a member of *osa-customer-admins* group, you should be able to list the `container-azm-ms-agentconfig` ConfigMap by using the following command:

+The output will resemble the following example:

+To configure your ConfigMap configuration file for your Azure Red Hat OpenShift v3.x cluster:

+1. Edit the ConfigMap YAML file with your customizations to scrape Prometheus metrics. The ConfigMap template already exists on the Red Hat OpenShift v3 cluster. Run the command `oc edit configmaps container-azm-ms-agentconfig -n openshift-azure-logging` to open the file in a text editor.

+ >The following annotation `openshift.io/reconcile-protect: "true"` must be added under the metadata of *container-azm-ms-agentconfig* ConfigMap to prevent reconciliation.

+ - To collect Kubernetes services cluster-wide, configure the ConfigMap file by using the following example:

+ - To configure scraping of Prometheus metrics from a specific URL across the cluster, configure the ConfigMap file by using the following example:

+ - To configure scraping of Prometheus metrics from an agent's DaemonSet for every individual node in the cluster, configure the following example in the ConfigMap:

+ >$NODE_IP is a specific Container insights parameter and can be used instead of a node IP address. It must be all uppercase.

+ - To configure scraping of Prometheus metrics by specifying a pod annotation:

+ 1. In the ConfigMap, specify the following configuration:

+ 1. Specify the following configuration for pod annotations:

+ If you want to restrict monitoring to specific namespaces for pods that have annotations, for example, only include pods dedicated for production workloads, set `monitor_kubernetes_pod` to `true` in ConfigMap. Then add the namespace filter `monitor_kubernetes_pods_namespaces` to specify the namespaces to scrape from. An example is `monitor_kubernetes_pods_namespaces = ["default1", "default2", "default3"]`.

+1. Save your changes in the editor.

+The configuration change can take a few minutes to finish before taking effect. Then all omsagent pods in the cluster will restart. The restart is a rolling restart for all omsagent pods. Not all pods restart at the same time. When the restarts are finished, a message appears that's similar to the following and includes the result `configmap "container-azm-ms-agentconfig" created`.

+You can view the updated ConfigMap by running the command `oc describe configmaps container-azm-ms-agentconfig -n openshift-azure-logging`.

+## Apply updated ConfigMap

+If you've already deployed a ConfigMap to your cluster and you want to update it with a newer configuration, you can edit the ConfigMap file you've previously used. Then apply it by using the same commands as before.

+run the command `kubectl apply -f <config3. map_yaml_file.yaml>`.

+For an example, run the command `Example: kubectl apply -f container-azm-ms-agentconfig.yaml` to open the file in your default editor to modify and then save it.

+The configuration change can take a few minutes to finish before taking effect. Then all omsagent pods in the cluster will restart. The restart is a rolling restart for all omsagent pods. Not all pods restart at the same time. When the restarts are finished, a message appears that's similar to the following and includes the result "configmap 'container-azm-ms-agentconfig' created" to indicate the configmap resource was created.

+To verify the configuration was successfully applied to a cluster, use the following command to review the logs from an agent pod: `kubectl logs omsagent-fdf58 -n=kube-system`.

+>This command isn't applicable to Azure Red Hat OpenShift v3.x cluster.

+>

+If there are configuration errors from the omsagent pods, the output will show errors similar to the following example:

+- From an agent pod logs using the same `kubectl logs` command.

+ >This command isn't applicable to Azure Red Hat OpenShift cluster.

+- From Live Data (preview). Live Data (preview) logs show errors similar to the following example:

+Errors prevent omsagent from parsing the file, causing it to restart and use the default configuration. After you correct the errors in ConfigMap on clusters other than Azure Red Hat OpenShift v3.x, save the YAML file and apply the updated ConfigMaps by running the command `kubectl apply -f <configmap_yaml_file.yaml`.

+For Azure Red Hat OpenShift v3.x, edit and save the updated ConfigMaps by running the command `oc edit configmaps container-azm-ms-agentconfig -n openshift-azure-logging`.

+To view Prometheus metrics scraped by Azure Monitor and any configuration/scraping errors reported by the agent, review [Query Prometheus metrics data](container-insights-log-query.md#query-prometheus-metrics-data) and [Query configuration or scraping errors](container-insights-log-query.md#query-configuration-or-scraping-errors).

+Container insights supports viewing metrics stored in your Log Analytics workspace in Grafana dashboards. We've provided a template that you can download from Grafana's [dashboard repository](https://grafana.com/grafana/dashboards?dataSource=grafana-azure-monitor-datasource&category=docker). Use the template to get started and reference it to help you learn how to query other data from your monitored clusters to visualize in custom Grafana dashboards.

+To identify the ingestion volume of each metrics size in GB per day to understand if it's high, the following query is provided.

+The output will show results similar to the following example.

+

+The output will show results similar to the following example.

+

+For more information on how to analyze usage, see [Analyze usage in Log Analytics workspace](../logs/analyze-usage.md).

+To learn more about configuring the agent collection settings for stdout, stderr, and environmental variables from container workloads, see [Configure agent data collection for Container insights](container-insights-agent-config.md).

+@description('The name of the event hub.')

+ "description": "The name of the event hub."

+> [!WARNING]

+> Table names are used for billing purposes so they should not contain sensitive information.

+ about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).

+When you add an *SAP HANA database* to the configuration, the following values are required:

+backups block other methods of backup, such as using a files-based backup or a storage snapshot-based backup (for example, AzAcSnap). Guidance is provided on the Azure Backup site on how to [Run SAP HANA Studio backup on a database with Azure Backup enabled](../backup/backup-azure-sap-hana-database.md#run-sap-hana-studio-backup-on-a-database-with-azure-backup-enabled).

+When you add an *Oracle database* to the configuration, the following values are required:

+When you add *HLI Storage* to a database section, the following values are required:

+When you add *ANF Storage* to a database section, the following values are required:

+- **Service Principal Authentication filename** = the `authfile.json` file generated in the Cloud Shell when configuring

+- **Full ANF Storage Volume Resource ID** = the full Resource ID of the Volume being snapshot. This string can be retrieved from:

+The following output is an example configuration file only and is the content of the file as generated by the configuration session above, update all the values accordingly.

+Since AzAcSnap v5.0 was released as GA in April 2021, there have been 8 releases of AzAcSnap across two branches. Our goal with the new release model is to align with how Azure components are released. This allows moving features from Preview to GA (without having to move an entire branch), and introduce new Preview features (without having to create a new branch). From AzAcSnap 6 we will have a single branch with fully supported GA features and Preview features (which are subject to Microsoft's Preview Ts&Cs). ItΓÇÖs important to note customers cannot accidentally use Preview features, and must enable them with the `--preview` command line option. This means the next release will be AzAcSnap 7, which could include; patches (if necessary) for GA features, current Preview features moving to GA, or new Preview features.

+ Title: Mount NFS volumes for virtual machines | Microsoft Docs

+description: Learn how to mount an NFS volume for Windows or Linux virtual machines.

+# Mount NFS volumes for Linux or Windows VMs

+You can mount an NFS file for Windows or Linux virtual machines (VMs).

+## Mount NFS volumes on Linux clients

+1. Review the [Linux NFS mount options best practices](performance-linux-mount-options.md).

+2. Select the **Volumes** pane and then the NFS volume that you want to mount.

+3. To mount the NFS volume using a Linux client, select **Mount instructions** from the selected volume. Follow the displayed instructions to mount the volume.

+ :::image type="content" source="../media/azure-netapp-files/azure-netapp-files-mount-instructions-nfs.png" alt-text="Screenshot of Mount instructions." lightbox="../media/azure-netapp-files/azure-netapp-files-mount-instructions-nfs.png":::

+ * Ensure that you use the `vers` option in the `mount` command to specify the NFS protocol version that corresponds to the volume you want to mount.

+ For example, if the NFS version is NFSv4.1:

+ `sudo mount -t nfs -o rw,hard,rsize=65536,wsize=65536,vers=4.1,tcp,sec=sys $MOUNTTARGETIPADDRESS:/$VOLUMENAME $MOUNTPOINT`

+ * If you use NFSv4.1 and your configuration requires using VMs with the same host names (for example, in a DR test), refer to [Configure two VMs with the same hostname to access NFSv4.1 volumes](configure-nfs-clients.md#configure-two-vms-with-the-same-hostname-to-access-nfsv41-volumes).

+4. If you want the volume mounted automatically when an Azure VM is started or rebooted, add an entry to the `/etc/fstab` file on the host.

+ For example: `$ANFIP:/$FILEPATH /$MOUNTPOINT nfs bg,rw,hard,noatime,nolock,rsize=65536,wsize=65536,vers=3,tcp,_netdev 0 0`

+ * `$ANFIP` is the IP address of the Azure NetApp Files volume found in the volume properties menu

+ * `$FILEPATH` is the export path of the Azure NetApp Files volume

+ * `$MOUNTPOINT` is the directory created on the Linux host used to mount the NFS export

+5. If you want to mount an NFS Kerberos volume, refer to [Configure NFSv4.1 Kerberos encryption](configure-kerberos-encryption.md) for additional details.

+6. You can also access SMB volumes from Unix and Linux clients via NFS by setting the protocol access for the volume to ΓÇ£dual-protocolΓÇ¥. This allows for accessing the volume via NFS (NFSv3 or NFSv4.1) and SMB. See [Create a dual-protocol volume](create-volumes-dual-protocol.md) for details. Take note of the security style mappings table. Mounting a dual-protocol volume from Unix and Linux clients relies on the same procedure as regular NFS volumes.

+## Mount NFS volumes on Windows clients

+Mounting NFSv4.1 volumes on Windows clients is supported. For more information, see [Network File System overview](/windows-server/storage/nfs/nfs-overview).

+If you want to mount NFSv3 volumes on a Windows client using NFS:

+1. [Mount the volume onto a Unix or Linux VM first](#mount-nfs-volumes-on-linux-clients).

+1. Run a `chmod 777` or `chmod 775` command against the volume.

+1. Mount the volume via the NFS client on Windows using the mount option `mtype=hard` to reduce connection issues.

+ See [Windows command line utility for mounting NFS volumes](/windows-server/administration/windows-commands/mount) for more detail.

+ For example: `Mount -o rsize=256 -o wsize=256 -o mtype=hard \\10.x.x.x\testvol X:* `

+1. You can also access NFS volumes from Windows clients via SMB by setting the protocol access for the volume to ΓÇ£dual-protocolΓÇ¥. This setting allows access to the volume via SMB and NFS (NFSv3 or NFSv4.1) and will result in better performance than using the NFS client on Windows with an NFS volume. See [Create a dual-protocol volume](create-volumes-dual-protocol.md) for details, and take note of the security style mappings table. Mounting a dual-protocol volume from Windows clients using the same procedure as regular SMB volumes.

+* [Mount SMB volumes for Windows or Linux virtual machines](mount-volumes-vms-smb.md)

+* [Linux NFS mount options best practices](performance-linux-mount-options.md)

+* [Refactor mainframe applications with Astadia ΓÇô Azure Example Scenarios](/azure/architecture/example-scenario/mainframe/refactor-mainframe-applications-astadia)

+* [Refactor mainframe computer systems that run Adabas & Natural - Azure Example Scenarios](/azure/architecture/example-scenario/mainframe/refactor-adabas-aks)

+* [Refactor IBM z/OS mainframe coupling facility (CF) to Azure - Azure Example Scenarios](/azure/architecture/reference-architectures/zos/refactor-zos-coupling-facility)

+* [Refactor mainframe applications to Azure with Raincode compilers - Azure Example Scenarios](/azure/architecture/reference-architectures/app-modernization/raincode-reference-architecture)

+* [Multiple forests with AD DS and Azure AD ΓÇô Azure Example Scenarios](/azure/architecture/example-scenario/wvd/multi-forest)

+* [Multiregion Business Continuity and Disaster Recovery (BCDR) for Azure Virtual Desktop ΓÇô Azure Example Scenarios](/azure/architecture/example-scenario/wvd/azure-virtual-desktop-multi-region-bcdr)

+* [Deploy Esri ArcGIS Pro in Azure Virtual Desktop ΓÇô Azure Example Scenarios](/azure/architecture/example-scenario/data/esri-arcgis-azure-virtual-desktop)

+* [Deploy IBM Maximo Application Suite on Azure ΓÇô Azure Example Scenarios](/azure/architecture/example-scenario/apps/deploy-ibm-maximo-application-suite)

+## What's the performance impact of using `nconnect` with Kerberos?

+ Title: Mount SMB volumes for Windows VMs | Microsoft Docs

+description: Learn how to mount SMB volumes for Windows virtual machines.

+# Mount SMB volumes for Windows VMs

+You can mount an SMB file for Windows virtual machines (VMs).

+## Mount SMB volumes on a Windows client

+1. Select the **Volumes** menu and then the SMB volume that you want to mount.

+1. To mount the SMB volume using a Windows client, select **Mount instructions** from the selected volume. Follow the displayed instructions to mount the volume.

+ :::image type="content" source="../media/azure-netapp-files/azure-netapp-files-mount-instructions-smb.png" alt-text="Screenshot of Mount instructions." lightbox="../media/azure-netapp-files/azure-netapp-files-mount-instructions-smb.png":::

+## Next steps

+* [Mount NFS volumes for Windows or Linux VMs](azure-netapp-files-mount-unmount-volumes-for-virtual-machines.md)

+* [SMB FAQs](faq-smb.md)

+* [Network File System overview](/windows-server/storage/nfs/nfs-overview)

+### `Nconnect` considerations

+For example, SAS Viya recommends a 256-KiB read and write sizes, and [SAS GRID](https://communities.sas.com/t5/Administration-and-Deployment/Azure-NetApp-Files-A-shared-file-system-to-use-with-SAS-Grid-on/m-p/606973/highlight/true#M17740) limits the `r/wsize` to 64 KiB while augmenting read performance with increased read-ahead for the NFS mounts. See [NFS read-ahead best practices for Azure NetApp Files](performance-linux-nfs-read-ahead.md) for details.

+There are other cases that can benefit from a similar set of mount options, even when there's no complete ownership by the clients, for example, if the clients use the data as read only and data update is managed through another path. For applications that use grids of clients like EDA, web hosting and movie rendering and have relatively static data sets (EDA tools or libraries, web content, texture data), the typical behavior is that the data set is largely cached on the clients. There are few reads and no writes. There will be many `getattr`/access calls coming back to storage. These data sets are typically updated through another client mounting the file systems and periodically pushing content updates.

+In these cases, there's a known lag in picking up new content and the application still works with potentially out-of-date data. In these cases, `nocto` and `actimeo` can be used to control the period where out-of-data date can be managed. For example, in EDA tools and libraries, `actimeo=600` works well because this data is typically updated infrequently. For small web hosting where clients need to see their data updates timely as they're editing their sites, `actimeo=10` might be acceptable. For large-scale web sites where there's content pushed to multiple file systems, `actimeo=60` might be acceptable.

+ If there's a race condition where the content has not finished flushing from Machine 1 when a file is opened on Machine 2, Machine 2 will only receive the data present on the server at the time of the open. In this case, Machine 2 will not retrieve more data from the file until the `acreg` timer is reached, and Machine 2 checks its cache coherency from the server again. This scenario can be observed using a tail `-f` from Machine 2 when the file is still being written to from Machine 1.

+ Title: Azure managed applications with notifications

+description: Configure an Azure managed application with webhook endpoints to receive notifications about creates, updates, deletes, and errors on the managed application instances.

+Azure managed application notifications allow publishers to automate actions based on lifecycle events of the managed application instances. Publishers can specify a custom notification webhook endpoint to receive event notifications about new and existing managed application instances. Publishers can set up custom workflows at the time of application provisioning, updates, and deletion.

+To start receiving managed application notifications, create a public HTTPS endpoint. Specify the endpoint when you publish the service catalog application definition or Microsoft Azure Marketplace offer.

+1. Create a public HTTPS endpoint that logs the incoming POST requests and returns `200 OK`.

+1. Add the endpoint to the service catalog application definition or Azure Marketplace offer as explained later in this article.

+1. Create a managed application instance that references the application definition or Azure Marketplace offer.

+1. Validate that the notifications are being received.

+1. Enable authorization as explained in the [Endpoint authentication](#endpoint-authentication) section of this article.

+1. Follow the instructions in the [Notification schema](#notification-schema) section of this article to parse the notification requests and implement your business logic based on the notification.

+The following examples show how to add a notification endpoint URI using the portal or REST API.

+### Azure portal

+### REST API

+> You can only supply one endpoint in the `notificationEndpoints` property of the managed application definition.

+{

+ "properties": {

+ "isEnabled": true,

+ "lockLevel": "ReadOnly",

+ "displayName": "Sample Application Definition",

+ "description": "Notification-enabled application definition.",

+ "notificationPolicy": {

+ "notificationEndpoints": [

+ {

+ "uri": "https://isv.azurewebsites.net:1214?sig=unique_token"

+ }

+ ]

+ },

+ "authorizations": [

+ {

+ "principalId": "d6b7fbd3-4d99-43fe-8a7a-f13aef11dc18",

+ "roleDefinitionId": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"

+ },

+ ...

+The following table describes all the possible combinations of `eventType` and `provisioningState` and their triggers:

+When you create your webhook endpoint to handle notifications, you'll need to parse the payload to get important properties to then act upon the notification. Service catalog and Azure Marketplace managed application notifications provide many of the same properties, but there are some differences. The `applicationDefinitionId` property only applies to service catalog. The `billingDetails` and `plan` properties only apply to Azure Marketplace.

+Azure appends `/resource` to the notification endpoint URI you provided in the managed application definition. The webhook endpoint must be able to handle notifications on the `/resource` URI. For example, if you provided a notification endpoint URI like `https://fabrikam.com` then the webhook endpoint URI is `https://fabrikam.com/resource`.

+### Service catalog application notification schema

+The following sample shows a service catalog notification after the successful provisioning of a managed application instance.

+ "eventType": "PUT",

+ "applicationId": "/subscriptions/<subId>/resourceGroups/<rgName>/providers/Microsoft.Solutions/applications/<applicationName>",

+ "eventTime": "2019-08-14T19:20:08.1707163Z",

+ "provisioningState": "Succeeded",

+ "applicationDefinitionId": "/subscriptions/<subId>/resourceGroups/<rgName>/providers/Microsoft.Solutions/applicationDefinitions/<appDefName>"

+ "eventType": "PUT",

+ "applicationId": "subscriptions/<subId>/resourceGroups/<rgName>/providers/Microsoft.Solutions/applications/<applicationName>",

+ "eventTime": "2019-08-14T19:20:08.1707163Z",

+ "provisioningState": "Failed",

+ "applicationDefinitionId": "/subscriptions/<subId>/resourceGroups/<rgName>/providers/Microsoft.Solutions/applicationDefinitions/<appDefName>",

+ "error": {

+ "code": "ErrorCode",

+ "message": "error message",

+ "details": [

+ {

+ "code": "DetailedErrorCode",

+ "message": "error message"

+ }

+ ]

+ }

+### Azure Marketplace application notification schema

+The following sample shows a service catalog notification after the successful provisioning of a managed application instance.

+ "eventType": "PUT",

+ "applicationId": "/subscriptions/<subId>/resourceGroups/<rgName>/providers/Microsoft.Solutions/applications/<applicationName>",

+ "eventTime": "2019-08-14T19:20:08.1707163Z",

+ "provisioningState": "Succeeded",

+ "billingDetails": {

+ "resourceUsageId": "<resourceUsageId>"

+ },

+ "plan": {

+ "publisher": "publisherId",

+ "product": "offer",

+ "name": "skuName",

+ "version": "1.0.1"

+ }

+ "eventType": "PUT",

+ "applicationId": "/subscriptions/<subId>/resourceGroups/<rgName>/providers/Microsoft.Solutions/applications/<applicationName>",

+ "eventTime": "2019-08-14T19:20:08.1707163Z",

+ "provisioningState": "Failed",

+ "billingDetails": {

+ "resourceUsageId": "<resourceUsageId>"

+ },

+ "plan": {

+ "publisher": "publisherId",

+ "product": "offer",

+ "name": "skuName",

+ "version": "1.0.1"

+ },

+ "error": {

+ "code": "ErrorCode",

+ "message": "error message",

+ "details": [

+ {

+ "code": "DetailedErrorCode",

+ "message": "error message"

+ }

+ ]

+ }

+Property | Description

+`eventType` | The type of event that triggered the notification. (For example, PUT, PATCH, DELETE.)

+`applicationId` | The fully qualified resource identifier of the managed application for which the notification was triggered.

+`eventTime` | The timestamp of the event that triggered the notification. (Date and time in UTC ISO 8601 format.)

+`provisioningState` | The provisioning state of the managed application instance. For example, Succeeded, Failed, Deleting, Deleted.

+`applicationDefinitionId` | _Specified only for service catalog managed applications_. Represents the fully qualified resource identifier of the application definition for which the managed application instance was provisioned.

+`billingDetails` | _Specified only for Azure Marketplace managed applications_. The billing details of the managed application instance. Contains the `resourceUsageId` that you can use to query Azure Marketplace for usage details.

+`plan` | _Specified only for Azure Marketplace managed applications_. Represents the publisher, offer, SKU, and version of the managed application instance.

+`error` | _Specified only when the provisioningState is Failed_. Contains the error code, message, and details of the issue that caused the failure.

+1. Provide a query parameter on top of the webhook URI, like this: `https://your-endpoint.com?sig=Guid`. With each notification, check that the query parameter `sig` has the expected value `Guid`.

+1. Issue a GET on the managed application instance by using `applicationId`. Validate that the `provisioningState` matches the `provisioningState` of the notification to ensure consistency.

+The managed application notification service expects a `200 OK` response from the webhook endpoint to the notification. The notification service will retry if the webhook endpoint returns an HTTP error code greater than or equal to 500, it returns an error code of 429, or if the endpoint is temporarily unreachable. If the webhook endpoint doesn't become available within 10 hours, the notification message will be dropped, and the retries will stop.

+description: Learn how to use Azure Quickstart Templates to complete your template development.

+# Tutorial: Use Azure Quickstart Templates

+[Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/) is a repository of community contributed templates. You can use the sample templates in your template development. In this tutorial, you find a website resource definition and add it to your own template. This instruction takes **12 minutes** to complete.

+You need to have Visual Studio Code with the Resource Manager Tools extension, and either Azure PowerShell or Azure Command-Line Interface (CLI). For more information, see [template tools](template-tutorial-create-first-template.md#get-tools).

+At the end of the previous tutorial, your template had the following JSON file:

+1. Open [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/)

+1. Review the template. Look for the `Microsoft.Web/sites` resource.

+The web app name needs to be unique across Azure. To prevent having duplicate names, the `webAppPortalName` variable is updated from `"webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]"` to `"webAppPortalName": "[concat(parameters('webAppName'), uniqueString(resourceGroup().id))]"`.

+It has an element named `dependsOn` that's set to the app service plan. This setting is required because the app service plan needs to exist before the web app is created. The `dependsOn` element tells Resource Manager how to order the resources for deployment.

+To run this deployment command, you need to have the [latest version](/cli/azure/install-azure-cli) of Azure CLI.

+> If the deployment fails, use the `verbose` switch to get information about the resources you're creating. Use the `debug` switch to get more information for debugging.

+If you're stopping now, you might want to delete the resource group.

+1. From the Azure portal, select **Resource groups** from the left menu.

+2. Type the resource group name in the **Filter for any field...** text field.

+3. Check the box next to **myResourceGroup** and select **myResourceGroup** or your resource group name.

+* When power, space, or other considerations permit only a lightweight edge device to be deployed on-premises

+This article gives an overview of Azure Video Indexer accounts types and provides links to other articles for more details.

+## Overview

+The first time you visit the [www.videoindexer.ai/](https://www.videoindexer.ai/) website, a trial account is automatically created. A trial Azure Video Indexer account has limitation on number of indexing minutes, support, and SLA.

+With a trial, account Azure Video Indexer provides up to 600 minutes of free indexing to users and up to 2400 minutes of free indexing to users that subscribe to the Azure Video Indexer API on the [developer portal](https://aka.ms/avam-dev-portal).

+> [!NOTE]

+> The trial account is not available on the Azure Government cloud.

+You can later create a paid account where you're not limited by the quota. Two types of paid accounts are available to you: Azure Resource Manager (ARM) (currently in preview) and classic (generally available). The main difference between the two is account management platform. While classic accounts are built on the API Management, ARM-based accounts management is built on Azure, which enables apply access control to all services with role-based access control (Azure RBAC) natively.

+Make sure to review [Pricing](https://azure.microsoft.com/pricing/details/video-indexer/).

+## Connecting to Azure subscription

+With a trial account, you don't have to set up an Azure subscription. When creating a paid account, you need to connect Azure Video Indexer [to your Azure subscription and an Azure Media Services account](connect-to-azure.md).

+## To get access to your account

+## Create accounts

+* Connect a classic account to ARM: [Connect an existing classic paid Azure Video Indexer account to an ARM-based account](connect-classic-account-to-arm.md).

+description: This topic demonstrates how to use animated character detection with Azure Video Indexer.

+# Use the animated character detection with portal and API

+1. Select **Connect Custom Vision Account** and select **Try it**.

+ * If there are images that belong to a different character, change the tag on these specific images by selecting the image, adding the right tag and deleting the wrong tag.

+1. Index or reindex a video.

+# Animated character detection

+> [!div class="mx-imgBorder"]

+> :::image type="content" source="./media/animated-characters-recognition/flow.png" alt-text="Image of a flow diagram ." lightbox="./media/animated-characters-recognition/flow.png":::

+|Training the model|Azure Video Indexer trains the model for new characters additional examples of existing characters.|The account owner trains the model when they're ready to make changes.|

+* Currently, the "animation identification" capability isn't supported in East-Asia region.

+ Title: Azure Video Indexer compliance, privacy and security

+description: This article discusses Azure Video Indexer compliance, privacy and security.

+# Compliance, Privacy and Security

+As an important reminder, you must comply with all applicable laws in your use of Azure Video Indexer, and you may not use Azure Video Indexer or any Azure service in a manner that violates the rights of others, or that may be harmful to others.

+Before uploading any video/image to Azure Video Indexer, You must have all the proper rights to use the video/image, including, where required by law, all the necessary consents from individuals (if any) in the video/image, for the use, processing, and storage of their data in Azure Video Indexer and Azure. Some jurisdictions may impose special legal requirements for the collection, online processing and storage of certain categories of data, such as biometric data. Before using Azure Video Indexer and Azure for the processing and storage of any data subject to special legal requirements, You must ensure compliance with any such legal requirements that may apply to You.

+To learn about compliance, privacy and security in Azure Video Indexer please visit the Microsoft [Trust Center](https://www.microsoft.com/TrustCenter/CloudServices/Azure/default.aspx). For Microsoft's privacy obligations, data handling and retention practices, including how to delete your data, please review Microsoft's [Privacy Statement](https://privacy.microsoft.com/PrivacyStatement), the [Online Services Terms](https://www.microsoft.com/licensing/product-licensing/products?rtc=1) ("OST") and [Data Processing Addendum](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=67) ("DPA"). By using Azure Video Indexer, you agree to be bound by the OST, DPA and the Privacy Statement.

+## Next steps

+[Azure Video Indexer overview](video-indexer-overview.md)

+# Tutorial: create an ARM-based account with Azure portal

+This tutorial walks you through the steps of creating an Azure Video Indexer account and its accompanying resources by using the Azure portal. The created account is an Azure Resource Manager (ARM) based account (currently in preview). For information about different Azure Video Indexer account types, see the [Overview of account types](accounts-overview.md) topic.

+ Title: People's featured clothing

+description: This article gives an overview of featured clothing images appearing in a video.

+# People's featured clothing (preview)

+Azure Video Indexer enables you to get data on the featured clothing of an observed person. The people's featured clothing feature, helps to enable the following scenarios:

+- Ads placement - using the featured clothing insight information, you can enable more targeted ads placement.

+- Video summarization - you can create a summary of the most interesting outfits appearing in the video.

+## Viewing featured clothing

+The featured clothing insight is available when indexing your file by choosing the Advanced option -> Advanced video or Advanced video + audio preset (under Video + audio indexing). Standard indexing will not include this insight.

+The featured clothing images are ranked based on some of the following factors: key moments of the video, general emotions from text or audio. The `id` property indicates the ranking index. For example, `"id": 1` signifies the most important featured clothing.

+> [!NOTE]

+> The featured clothing currently can be viewed only from the artifact file.

+1. In the right-upper corner, select to download the artifact zip file: **Download** -> **Artifact (ZIP)**

+1. Open `featuredclothing.zip`.

+The .zip file contains two objects:

+- `featuredclothing.map.json` - the file contains instances of each featured clothing, with the following properties:

+ - `id` ΓÇô ranking index (`"id": 1` is the most important clothing).

+ - `confidence` ΓÇô the score of the featured clothing.

+ - `frameIndex` ΓÇô the best frame of the clothing.

+ - `timestamp` ΓÇô corresponding to the frameIndex.

+ - `opBoundingBox` ΓÇô bounding box of the person.

+ - `faceBoundingBox` ΓÇô bounding box of the person's face, if detected.

+ - `fileName` ΓÇô where the best frame of the clothing is saved.

+ An example of the featured clothing with `"id": 1`.

+ ```

+ "instances": [

+ {

+ "confidence": 0.98,

+ "faceBoundingBox": {

+ "x": 0.50158,

+ "y": 0.10508,

+ "width": 0.13589,

+ "height": 0.45372

+ },

+ "fileName": "frame_12147.jpg",

+ "frameIndex": 12147,

+ "id": 1,

+ "opBoundingBox": {

+ "x": 0.34141,

+ "y": 0.16667,

+ "width": 0.28125,

+ "height": 0.82083

+ },

+ "timestamp": "00:08:26.6311250"

+ },

+ ```

+- `featuredclothing.frames.map` ΓÇô this folder contains images of the best frames that the featured clothing appeared in, corresponding to the `fileName` property in each instance in `featuredclothing.map.json`.

+## Limitations and assumptions

+It's important to note the limitations of featured clothing to avoid or mitigate the effects of false detections of images with low quality or low relevancy.ΓÇ»

+- Pre-condition for the featured clothing is that the person wearing the clothes can be found in the observed people insight.

+- If the face of a person wearing the featured clothing wasn't detected, the results won't include the faces bounding box.

+- If a person in a video wears more than one outfit, the algorithm selects its best outfit as a single featured clothing image.

+- When posed, the tracks are optimized to handle observed people who most often appear on the front.

+- Wrong detections may occur when people are overlapping.

+- Frames containing blurred people are more prone to low quality results.

+For more information, see the [limitations of observed people](observed-people-tracing.md#limitations-and-assumptions).

+## Next steps

+- [Trace observed people in a video](observed-people-tracing.md)

+- [People's detected clothing](detected-clothing.md)

+## July 2022 release updates

+### Featured clothing insight (preview)

+You can now view the featured clothing of an observed person, when indexing a video using Azure Video Indexer advanced video settings. With the new featured clothing insight information, you can enable more targeted ads placement.

+For details on how featured clothing images are ranked and how to view this insight, see [observed people featured clothing](observed-people-featured-clothing.md).

+## June 2022

+When indexing a video with Azure Video Indexer advanced video settings, you can view the new matched person detection capability. If there are people observed in your media file, you can now view the specific person who matched each of them through the media player.

+When indexing a video with Azure Video Indexer advanced video settings, you can view the new peopleΓÇÖs clothing detection capability. If there are people detected in your media file, you can now view the clothing type they are wearing through the media player.

+This article examines the Azure Video Indexer output (JSON content). For information about what features and insights are available to you, see [Azure Video Indexer insights](video-indexer-overview.md#video-models).

+> [!Important]

+> Before you continue with Azure Video Indexer, read [Compliance, privacy and security](compliance-privacy-security.md).

+## Video/audio AI features

+The following list shows the insights you can retrieve from your videos using Azure Video Indexer video and audio AI features (models.

+Unless specified otherwise, a model is generally available.

+### Video models

+* **Celebrity identification**: Identifies over 1 million celebritiesΓÇölike world leaders, actors, artists, athletes, researchers, business, and tech leaders across the globe. The data about these celebrities can also be found on various websites (IMDB, Wikipedia, and so on).

+* **Account-based face identification**: Trains a model for a specific account. It then recognizes faces in the video based on the trained model. For more information, see [Customize a Person model from the Azure Video Indexer website](customize-person-model-with-website.md) and [Customize a Person model with the Azure Video Indexer API](customize-person-model-with-api.md).

+* **Thumbnail extraction for faces**: Identifies the best captured face in each group of faces (based on quality, size, and frontal position) and extracts it as an image asset.

+* **Optical character recognition (OCR)**: Extracts text from images like pictures, street signs and products in media files to create insights.

+* **Animated characters detection** : Detects, groups, and recognizes characters in animated content via integration with [Cognitive Services custom vision](https://azure.microsoft.com/services/cognitive-services/custom-vision-service/). For more information, see [Animated character detection](animated-characters-recognition.md).

+* **Editorial shot type detection**: Tags shots based on their type (like wide shot, medium shot, close up, extreme close up, two shot, multiple people, outdoor and indoor, and so on). For more information, see [Editorial shot type detection](scenes-shots-keyframes.md#editorial-shot-type-detection).

+* **Observed people tracking** (preview): Detects observed people in videos and provides information such as the location of the person in the video frame (using bounding boxes) and the exact timestamp (start, end) and confidence when a person appears. For more information, see [Trace observed people in a video](observed-people-tracing.md).

+ * **People's detected clothing** (preview): Detects the clothing types of people appearing in the video and provides information such as long or short sleeves, long or short pants and skirt or dress. The detected clothing is associated with the people wearing it and the exact timestamp (start, end) along with a confidence level for the detection are provided. For more information, see [detected clothing](detected-clothing.md).

+ * **Featured clothing** (preview): captures featured clothing images appearing in a video. You can improve your targeted ads by using the featured clothing insight. For information on how the featured clothing images are ranked and how to get the insights, see [featured clothing](observed-people-featured-clothing.md).

+* **Matched person** (preview): Matches people that were observed in the video with the corresponding faces detected. The matching between the observed people and the faces contain a confidence level.

+### Audio models

+* **Audio transcription**: Converts speech to text over 50 languages and allows extensions. For a comprehensive list of language support by service, see [language support](language-support.md).

+* **Automatic language detection**: Identifies the dominant spoken language. For a comprehensive list of language support by service, see [language support](language-support.md). If the language can't be identified with confidence, Azure Video Indexer assumes the spoken language is English. For more information, see [Language identification model](language-identification-model.md).

+* **Multi-language speech identification and transcription**: Identifies the spoken language in different segments from audio. It sends each segment of the media file to be transcribed and then combines the transcription back to one unified transcription. For more information, see [Automatically identify and transcribe multi-language content](multi-language-identification-transcription.md).

+### Audio and video models (multi-channels)

+* **Topic inference**: Extracts topics based on various keywords (that is, keywords 'Stock Exchange', 'Wall Street' will produce the topic 'Economics'). The model uses three different ontologies ([IPTC](https://iptc.org/standards/media-topics/), [Wikipedia](https://www.wikipedia.org/) and the Video Indexer hierarchical topic ontology). The model uses transcription (spoken words), OCR content (visual text), and celebrities recognized in the video using the Video Indexer facial recognition model.

+### Supported browsers

+The following list shows the supported browsers that you can use for the Azure Video Indexer website and for your apps that embed the widgets. The list also shows the minimum supported browser version:

+- Edge, version: 16

+- Firefox, version: 54

+- Chrome, version: 58

+- Safari, version: 11

+- Opera, version: 44

+- Opera Mobile, version: 59

+- Android Browser, version: 81

+- Samsung Browser, version: 7

+- Chrome for Android, version: 87

+- Firefox for Android, version: 83

+There are multiple ways to generate a default route in Azure and send it towards your Azure VMware Solution private cloud or on-premises. The options are as follows:

+- [Plan the Azure VMware Solution deployment](plan-private-cloud-deployment.md)

+- [Networking planning checklist for Azure VMware Solution](tutorial-network-checklist.md)

+>In Azure VMware Solution environments, it's possible to configure non-routed, overlapping IP deployments on NSX segments that aren't routed to Azure. These don't cause issues with the AVS Interconnect feature, as it only routes between the NSX-T Data Center T0 gateway on each private cloud.

+1. When finished, you can check the new VM in the Azure VMware Solution private cloud vCenter Server.

+| **Virtual Replication appliance (vRA)** | Linux VM to handle data replication from the source to the replication target. One instance of vRA is installed per ESXi host, delivering a true scale architecture that grows and shrinks along with the private cloud's hosts. The vRA manages data replication to and from protected VMs to its local or remote target, storing the data in the journal. |

+### Scenario 1: On-premises VMware vSphere to Azure VMware Solution disaster recovery

+In this article, you'll learn how to disable Internet access or enable a default route for your Azure VMware Solution private cloud. There are multiple ways to set up a default route. You can use a Virtual WAN hub, Network Virtual Appliance in a Virtual Network, or use a default route from on-premises. If you don't set up a default route, there will be no Internet access to your Azure VMware Solution private cloud.

+ Title: Enable VMware Cloud director service with Azure VMware Solution (Public Preview)

+description: This article explains how to use Azure VMware Solution to enable enterprise customers to use Azure VMware Solution for private clouds underlying resources for virtual datacenters.

+# Enable VMware Cloud Director service with Azure VMware Solution (Preview)

+[VMware Cloud Director Service (CDs)](https://docs.vmware.com/en/VMware-Cloud-Director-service/services/getting-started-with-vmware-cloud-director-service/GUID-149EF3CD-700A-4B9F-B58B-8EA5776A7A92.html) with Azure VMware Solution enables enterprise customers to use APIs or the Cloud Director services portal to self-service provision and manage virtual datacenters through multi-tenancy with reduced time and complexity.

+In this article, you'll learn how to enable VMware Cloud Director service (CDs) with Azure VMware Solution for enterprise customers to use Azure VMware Solution resources and Azure VMware Solution private clouds with underlying resources for virtual datacenters.

+>[!IMPORTANT]

+> Cloud Director service (CDs) is now available to use with Azure VMware Solution under the Enterprise Agreement (EA) model only. It's not suitable for MSP / Hoster to resell Azure VMware Solution capacity to customers at this point. For more information, see [Azure Service terms](https://www.microsoft.com/licensing/terms/productoffering/MicrosoftAzure/EAEAS#GeneralServiceTerms).

+## Reference architecture

+The following diagram shows typical architecture for Cloud Director Services with Azure VMware Solution and how they're connected. Communications to Azure VMware Solution endpoints from Cloud Director service are supported by an SSL reverse proxy.

+VMware Cloud Director supports multi-tenancy by using organizations. A single organization can have multiple organization virtual data centers (VDC). Each OrganizationΓÇÖs VDC can have their own dedicated Tier-1 router (Edge Gateway) which is further connected with the providerΓÇÖs managed shared Tier-0 router.

+## Connect tenants and their organization virtual datacenters to Azure vNet based resources

+To provide access to vNET based Azure resources, each tenant can have their own dedicated Azure vNET with Azure VPN gateway. A site-to-site VPN between customer organization VDC and Azure vNET is established. To achieve this connectivity, the provider will provide public IP to the organization VDC. Organization VDCΓÇÖs administrator can configure IPSEC VPN connectivity from Cloud Director Service portal.

+As shown in the diagram above, organization 01 has two organization Virtual datacenters (VDCs): VDC1 and VDC2. The virtual datacenter of each organization has its own Azure vNETs connected with their respective organization VDC Edge gateway through IPSEC VPN.

+Providers provide public IP addresses to the organization VDC Edge gateway for IPSEC VPN configuration. An ORG VDC Edge gateway firewall blocks all traffic by default, specific allow rules needs to be added on organization Edge gateway firewall.

+Organization VDCs can be part of a single organization and still provide isolation between them. For example, VM1 hosted in organization VDC1 cannot ping Azure VM JSVM2 for tenant2.

+### Prerequisites

+- Organization VDC is configured with an Edge gateway and has Public IPs assigned to it to establish IPSEC VPN by provider.

+- Tenants have created a routed Organization VDC network in tenantΓÇÖs Virtual datacenter.

+- Test VM1 and VM2 are created in the Organization VDC1 and VDC2 respectively. Both VMs are connected to the routed orgVDC network in their respective VDCs.

+- Have a dedicated [Azure vNET](tutorial-configure-networking.md#create-a-vnet-manually) configured for each tenant. For this example, we created Tenant1-vNet and Tenant2-vNet for tenant1 and tenant2 respectively.

+- Create an [Azure Virtual network gateway](tutorial-configure-networking.md#create-a-virtual-network-gateway) for vNETs created earlier.

+- Deploy Azure VMs JSVM1 and JSVM2 for tenant1 and tenant2 for test purposes.

+> [!Note]

+> CDS supports a policy-based VPN. Azure VPN gateway configures route-based VPN by default and to configure policy-based VPN policy-based selector needs to be enabled.

+### Configure Azure vNet

+Create the following components in tenantΓÇÖs dedicated Azure vNet to establish IPSEC tunnel connection with the tenantΓÇÖs ORG VDC edge gateway.

+- Azure Virtual network gateway

+- Local network gateway.

+- Add IPSEC connection on VPN gateway.

+- Edit connection configuration to enable policy-based VPN. git status

+### Create Azure virtual network gateway

+To create an Azure virtual network gateway, see the [create-a-virtual-network-gateway tutorial](tutorial-configure-networking.md#create-a-virtual-network-gateway).

+### Create local network gateway

+1. Log in to the Azure portal and select **Local network gateway** from marketplace and then select **Create**.

+1. Local Network Gateway represents remote end site details. Therefore provide tenant1 OrgVDC public IP address and orgVDC Network details to create local end point for tenant1.

+1. Under **Instance details**, select **Endpoint** as IP address

+1. Add IP address (add Public IP address from tenantΓÇÖs OrgVDC Edge gateway).

+1. Under **Address space** add **Tenants Org VDC Network**.

+1. Repeat steps 1-5 to create a local network gateway for tenant 2.

+### Create IPSEC connection on VPN gateway

+1. Select tenant1 VPN Gateway (created earlier) and then select **Connection** (in left pane) to add new IPSEC connection with tenant1 orgVDC Edge gateway.

+1. Enter the following details.

+ | **Name** | **Connection** |

+ |:- | :--|

+ | Connection Type | Site to Site |

+ | VPN Gateway | TenantΓÇÖs VPN Gateway |

+ | Local Network Gateway | TenantΓÇÖs Local Gateway |

+ | PSK | Shared Key (provide a password) |

+ | IKE Protocol | IKEV2 (ORG-VDC is using IKEv2) |

+1. Select **Ok** to deploy local network gateway.

+### Configure IPsec Connection

+Cloud Director Service supports a policy-based VPN. Azure VPN gateway configures route-based VPN by default and to configure policy-based VPN policy-based selector needs to be enabled.

+1. Select the connection you created earlier and then select **configuration** to view the default settings.

+1. **IPSEC/IKE Policy**

+1. **Enable policy base traffic selector**

+1. Modify all other parameters to match what you have in OrgVDC.

+ >[!Note]

+ > Both source and destination of the tunnel should have identical settings for IKE,SA, DPD etc.

+1. Select **Save**.

+### Configure VPN on organization VDC Edge router

+1. Log in to Organization CDS tenant portal and select tenantΓÇÖs edge gateway.

+1. Select **IPSEC VPN** option under **Services** and then select **New**.

+1. Under general setting, provide **Name** and select desired security profile. Ensure that security profile settings (IKE, Tunnel, and DPD configuration) are same on both sides of the IPsec tunnel.

+1. Modify Azure VPN gateway to match the Security profile, if necessary. You can also do security profile customization from CDS tenant portal.

+ >[!Note]

+ > VPN tunnel won't establish if these settings were mismatched.

+1. Under **Peer Authentication Mode**, provide the same pre-shared key that is used at the Azure VPN gateway.

+1. Under **Endpoint configuration**, add the OrganizationΓÇÖs public IP and network details in local endpoint and Azure VNet details in remote endpoint configuration.

+1. Under **Ready to complete**, review applied configuration.

+1. Select **Finish** to apply configuration.

+### Apply firewall configuration

+Organization VDC Edge router firewall denies traffic by default. You'll need to apply specific rules to enable connectivity. Use the following steps to apply firewall rules.

+1. Add IP set in CDS portal

+ 1. Log in to Edge router then select **IP SETS** under the **Security** tab in left plane.

+ 1. Select **New** to create IP sets.

+ 1. Enter **Name** and **IP address** of test VM deployed in orgVDC.

+ 1. Create another IP set for Azure vNET for this tenant.

+2. Apply firewall rules on ORG VDC Edge router.

+ 1. Under **Edge gateway**, select **Edge gateway** and then select **firewall** under **services**.

+ 1. Select **Edit rules**.

+ 1. Select **NEW ON TOP** and enter rule name.

+ 1. Add **source** and **destination** details. Use created IPSET in source and destination.

+ 1. Under **Action**, select **Allow**.

+ 1. Select **Save** to apply configuration.

+3. Verify tunnel status

+ 1. Under **Edge gateway** select **Service**, then select **IPSEC VPN**,

+ 1. Select **View statistics**.

+ Status of tunnel should show **UP**.

+4. Verify IPsec connection

+ 1. Log in to Azure VM deployed in tenants vNET and ping tenantΓÇÖs test VM IP address in tenantΓÇÖs OrgVDC.

+ For example, ping VM1 from JSVM1. Similarly, you should be able to ping VM2 from JSVM2.

+You can verify isolation between tenants Azure vNETs. Tenant1ΓÇÖs VM1 won't be able to ping Tenant2ΓÇÖs Azure VM JSVM2 in tenant2 Azure vNETs.

+## Connect Tenant workload to public Internet

+- Tenants can use public IP to do SNAT configuration to enable Internet access for VM hosted in organization VDC. To achieve this connectivity, the provider can provide public IP to the organization VDC.

+- Each organization VDC can be created with dedicated T1 router (created by provider) with reserved Public & Private IP for NAT configuration. Tenants can use public IP SNAT configuration to enable Internet access for VM hosted in organization VDC.

+- OrgVDC administrator can create a routed OrgVDC network connected to their OrgVDC Edge gateway. To provide Internet access.

+- OrgVDC administrator can configure SNAT to provide a specific VM or use network CIDR to provide public connectivity.

+- OrgVDC Edge has default DENY ALL firewall rule. Organization administrators will need to open appropriate ports to allow access through the firewall by adding a new firewall rule. Virtual machines configured on such OrgVDC network used in SNAT configuration should be able to access the Internet.

+### Prerequisites

+1. Public IP is assigned to the organization VDC Edge router.

+ To verify, log in to the organization's VDC. Under **Networking**> **Edges**, select **Edge Gateway**, then select **IP allocations** under **IP management**. You should see a range of assigned IP address there.

+2. Create a routed Organization VDC network. (Connect OrgvDC network to the edge gateway with public IP address assigned)

+

+### Apply SNAT configuration

+1. Log in to Organization VDC. Navigate to your Edge gateway and then select **NAT** under **Services**.

+2. Select **New** to add new SNAT rule.

+3. Provide **Name** and select **Interface type** as SNAT.

+4. Under **External IP**, enter public IP address from public IP pool assigned to your orgVDC Edge router.

+5. Under **Internal IP**, enter IP address for your test VM.

+ This IP address is one of the orgVDC network IP assigned to the VM.

+6. **State** should be enabled.

+7. Under **Priority**, select a higher number.

+ For example, 4096.

+8. Select **Save** to save the configuration.

+### Apply firewall rule

+1. Log in to Organization VDC and navigate to **Edge Gateway**, then select **IP set** under security.

+2. Create an IPset. Provide IP address of your VM (you can use CIDR also). Select **Save**.

+3. Under **services**, select **Firewall**, then select **Edit rules**.

+4. Select **New ON TOP** and create a firewall rule to allow desired port and destination.

+1. Select the **IPset** your created earlier as source. Under **Action**, select **Allow**.

+1. Select **Keep** to save the configuration.

+1. Log in to your test VM and ping your destination address to verify outbound connectivity.

+## Migrate workloads to Cloud Director Service on Azure VMware Solution

+VMware Cloud Director Availability can be used to migrate VMware Cloud Director workload into Cloud Director service on Azure VMware Solution. Enterprise customers can drive self-serve one-way warm migration from the on-premises Cloud Director Availability vSphere plugin, or they can run the Cloud Director Availability plugin from the provider-managed Cloud Director instance and move workloads into Azure VMware Solution.

+For more information about VMware Cloud Director Availability, see [VMware Cloud Director Availability | Disaster Recovery & Migration](https://www.vmware.com/products/cloud-director-availability.html)

+## FAQs

+**Question**: What are the supported Azure regions for the VMware Cloud Director service?

+**Answer**: This offering is supported in all Azure regions where Azure VMware Solution is available except for Brazil South and South Africa. Ensure that the region you wish to connect to Cloud Director service is within a 150-milliseconds round trip time for latency with Cloud Director service.

+## Next steps

+[VMware Cloud Director Service Documentation](https://docs.vmware.com/en/VMware-Cloud-Director-service/https://docsupdatetracker.net/index.html)

+>Azure VMware Solution service does not provide multi-tenancy support. Hosting partners requiring it are not supported.

+To extend the vRealize Operations capabilities to the Azure VMware Solution private cloud, you create an adapter [instance for the private cloud resources](https://docs.vmware.com/en/vRealize-Operations-Manager/8.1/com.vmware.vcom.config.doc/GUID-640AD750-301E-4D36-8293-1BFEB67E2600.html). It collects data from the Azure VMware Solution private cloud and brings it into on-premises vRealize Operations. The on-premises vRealize Operations Manager instance can directly connect to the vCenter Server and NSX-T Manager on Azure VMware Solution. Optionally, you can deploy a vRealize Operations Remote Collector on the Azure VMware Solution private cloud. The collector compresses and encrypts the data collected from the private cloud before it's sent over the ExpressRoute or VPN network to the vRealize Operations Manager running on-premises.

+* Operate seamlessly with on-premises Nutanix Clusters in Azure

+## Create a pool without public IP addresses using ARM template

+You can use this [Azure Quickstart Template](https://azure.microsoft.com/resources/templates/batch-pool-no-public-ip/) to create a pool without public IP addresses using Azure Resource Manager (ARM) template.

+Following resources will be deployed by the template:

+- Azure Batch account with IP firewall configured to block public network access to Batch node management endpoint

+- Virtual network with network security group to block internet outbound access

+- Private endpoint to access Batch node management endpoint of the account

+- DNS integration for the private endpoint using private DNS zone linked to the virtual network

+- Batch pool deployed in the virtual network and without public IP addresses

+If you're familiar with using ARM templates, select the **Deploy to Azure** button. The template will open in the Azure portal.

+[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.batch%2Fbatch-pool-no-public-ip%2Fazuredeploy.json)

+> [!NOTE]

+> If the private endpoint deployment failed due to invalid groupId "nodeManagement", please check if the region is in the supported list, and you've already opted in with [Simplified compute node communication](simplified-compute-node-communication.md). Choose the right region and opt in your Batch account, then retry the deployment.

+In this how-to guide, you'll learn how to upload and install all the required components in your Azure account. You can either [run a pre-installation script to automate the upload process](#option-1-upload-software-components-with-script) or [manually upload the components](#option-2-upload-software-components-manually). Then, you can [run the software installation wizard](#install-software).

+ACSS supports the following SAP software version: **S/4HANA 1909 SPS 03, S/4HANA 2020 SPS 03, S/4HANA 2021 ISS 00**.

+| Red Hat | RHEL-SAP-HA (8.2 HA Pack) | 82sapha-gen2 | 8.2.2021091202 | S/4HANA 1909 SPS 03, S/4HANA 2020 SPS 03, S/4HANA 2021 ISS 00 |

+| Red Hat | RHEL-SAP-HA (8.4 HA Pack) | 84sapha-gen2 | 8.4.2021091202 | S/4HANA 1909 SPS 03, S/4HANA 2020 SPS 03, S/4HANA 2021 ISS 00 |

+| SUSE | sles-sap-15-sp3 | gen2 | 2022.01.26 | S/4HANA 1909 SPS 03, S/4HANA 2020 SPS 03, S/4HANA 2021 ISS 00 |

+ - SAP software (for example, *S/4HANA 2021 ISS 00*)

+- Supporting software packages for the installation process (part of the `deployervmpackages` container described later in this article)

+## Option 1: Upload software components with script

+You also can [upload the components manually](#option-2-upload-software-components-manually) instead.

+Before you can download the software, set up an Azure Storage account for storing the software.

+

+ 1. Grant the ACSS application *Azure SAP Workloads Management* **Storage Blob Data Reader** and **Reader and Data Access** role access on this storage account.

+### Download supporting software

+After setting up your Azure Storage account, you need an Ubuntu VM to run scripts that download the software components.

+1. When asked for the base path to the software storage account, enter the container path. To find the container path:

+1. Once the script completes successfully, in the Azure portal, find the container named `sapbits` in the storage account that you created.

+You can download the SAP installation media required to install the SAP software, using a script as described in this section.

+1. Sign in to the Ubuntu VM that you created in the [previous section](#download-supporting-software).

+1. Install Ansible 2.9.27 on the ubuntu VM

+ - For `<storageAccountAccessKey>`, use your storage account's access key. You found this value in the [previous section](#download-supporting-software).

+ - For `<containerBasePath>`, use the path to your `sapbits` container. You found this value in the [previous section](#download-supporting-software).

+## Option 2: Upload software components manually

+You can use the following method to download and upload the SAP components to your Azure storage account manually. Then, you can [run the software installation wizard](#install-software) to install the SAP software.

+You also can [run scripts to automate this process](#option-1-upload-software-components-with-script) instead.

+1. Create a new Azure storage account for storing the software components.

+1. Create two folders within the container, named **deployervmpackages** and **sapfiles**.

+ - For S/4HANA 2020 SPS 03, make following folders

+ - For S/4HANA 2021 ISS 00, make following folders

+ - For S/4HANA 2020 SPS 03,

+ - For S/4HANA 2021 ISS 00,

+ - For S/4HANA 2020 SPS 03,

+ - For S/4HANA 2021 ISS 00,

+ - For S/4HANA 2020 SPS 03,

+ - For S/4HANA 2021 ISS 00,

+ 1. For **BOM directory location**, select **Browse** and find the path to your BOM file. For example, `https://<your-storage-account>.blob.core.windows.net/sapbits/sapfiles/boms/S41909SPS03_v0010ms.yaml`.

+ 1. For **SAP FQDN**, provide a fully qualified domain name (FQDN) for your SAP system. For example, `sap.contoso.com`.

+ 1. For High Availability (HA) systems only, enter the client identifier for the STONITH Fencing Agent service principal for **Fencing client ID**.

+ 1. For High Availability (HA) systems only, enter the password for the STONITH Fencing Agent service principal for **Fencing client password**.

+1. After the installation completes, sign in with your SAP system credentials. Refer to [this section](manage-virtual-instance.md) to find the SAP system and HANA DB credentials for the newly installed system.

+### SAP package version changes

+ "sourceUrl": "https://<storage_acount>.blob.core.chinacloudapi.cn/source-en?sv=2019-12-12&st=2021-03-05T17%3A45%3A25Z&se=2021-03-13T17%3A45%3A00Z&sr=c&sp=rl&sig=SDRPMjE4nfrH3csmKLILkT%2Fv3e0Q6SWpssuuQl1NmfM%3D"

+ "targetUrl": "https://<storage_acount>.blob.core.chinacloudapi.cn/target-zh-Hans?sv=2019-12-12&st=2021-03-05T17%3A49%3A02Z&se=2021-03-13T17%3A49%3A00Z&sr=c&sp=wdl&sig=Sq%2BYdNbhgbq4hLT0o1UUOsTnQJFU590sWYo4BOhhQhs%3D",

+* A new model version `2021-05-15` for the `/health` endpoint and on-premises container which provides

+* A new model version `2021-03-01` for text analytics for health API and on-premises container which provides:

+Azure OpenAI's models follow a standard naming convention: `{task}-{model name}-{version #}`. For example, our most powerful natural language model is called `text-davinci-001` and a Codex series model would look like `code-cushman-001`.

+Currently we only offer one Codex model: `code-cushman-001`.

+- The following Python libraries: os, requests, json

+The training dataset you use **must** be a JSON lines (JSONL) document where each line is a prompt-completion pair and a single example. The OpenAI Python CLI provides a useful data preparation tool to easily convert your data into this file format.

+The following Python code will create a sample dataset and show how to upload a file and print the returned ID. Make sure to save the IDs returned as you'll need them for the fine-tuning training job creation.

+Once you have the model, you want to fine-tune you need to create a job. The following Python code shows an example of how to create a new job:

+Once your model has been deployed, you can use it like any other model. Reference the deployment name you specified in the previous step. You can use either the REST API or Python SDK and can continue to use all the other Completions parameters like temperature, frequency_penalty, presence_penalty, etc., on these requests to fine-tuned models.

+- Explore more of the [Python SDK operations here](https://github.com/openai/openai-python/blob/main/examples/azure/finetuning.ipynb).

+- The following Python libraries: os, requests, json

+Codex understands dozens of different programming languages. Many share similar conventions for comments, functions and other programming syntax. By specifying the language and what version in a comment, Codex is better able to provide a completion for what you want. That said, Codex is fairly flexible with style and syntax. Here's an example for R and Python.

+POST https://YOUR_RESOURCE_NAME.openai.azure.com/openai/deployments/YOUR_DEPLOYMENT_NAME/completions?api-version=2022-06-01-preview

+We currently have the following versions available: ```2022-06-01-preview```

+- `2022-06-01-preview`

+ - Get started on [media composition](./get-started-media-composition.md)

+ Title: Azure Communication Services Quickstart - Create and manage a media composition

+description: In this quickstart, you'll learn how to create a media composition within your Azure Communication Services resource.

+# Quickstart: Create and manage a media composition resource

+Get started with Azure Communication Services by using the Communication Services C# Media Composition SDK to compose and stream videos.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- The latest version of [.NET Core SDK](https://dotnet.microsoft.com/download/dotnet-core) for your operating system.

+- An active Communication Services resource and connection string. [Create a Communication Services resource](../create-communication-resource.md).

+### Prerequisite check

+- In a terminal or command window, run the `dotnet` command to check that the .NET SDK is installed.

+## Set up the application environment

+To set up an environment for using media composition, take the steps in the following sections.

+### Create a new C# application

+1. In a console window, such as cmd, PowerShell, or Bash, use the `dotnet new` command to create a new console app with the name `MediaCompositionQuickstart`. This command creates a simple "Hello World" C# project with a single source file, **Program.cs**.

+ ```console

+ dotnet new console -o MediaCompositionQuickstart

+ ```

+1. Change your directory to the newly created app folder and use the `dotnet build` command to compile your application.

+ ```console

+ cd MediaCompositionQuickstart

+ dotnet build

+ ```

+### Install the package

+1. While still in the application directory, install the Azure Communication Services MediaComposition SDK for .NET package by using the following command.

+ ```console

+ dotnet add package Azure.Communication.MediaCompositionQuickstart --version 1.0.0-beta.1

+ ```

+1. Add a `using` directive to the top of **Program.cs** to include the `Azure.Communication` namespace.

+ ```csharp

+ using System;

+ using System.Collections.Generic;

+ using Azure;

+ using Azure.Communication;

+ using Azure.Communication.MediaComposition;

+ ```

+## Authenticate the media composition client

+Open **Program.cs** in a text editor and replace the body of the `Main` method with code to initialize a `MediaCompositionClient` with your connection string. The `MediaCompositionClient` will be used to create and manage media composition objects.

+ You can find your Communication Services resource connection string in the Azure portal. For more information on connection strings, see [this page](../create-communication-resource.md#access-your-connection-strings-and-service-endpoints).

+```csharp

+// Find your Communication Services resource in the Azure portal

+var connectionString = "<connection_string>";

+var mediaCompositionClient = new MediaCompositionClient(connectionString);

+```

+## Create a media composition

+Create a new media composition by defining the `inputs`, `layout`, `outputs`, and a user-friendly `mediaCompositionId`. For more information on how to define the values, see [this page](./define-media-composition.md). These values are passed into the `CreateAsync` function exposed on the client. The code snippet below shows and example of defining a simple two by two grid layout:

+```csharp

+var layout = new GridLayout(

+ rows: 2,

+ columns: 2,

+ inputIds: new List<List<string>>

+ {

+ new List<string> { "Jill", "Jack" }, new List<string> { "Jane", "Jerry" }

+ })

+ {

+ Resolution = new(1920, 1080)

+ };

+var inputs = new Dictionary<string, MediaInput>()

+{

+ ["Jill"] = new ParticipantInput

+ (

+ id: new MicrosoftTeamsUserIdentifier("f3ba9014-6dca-4456-8ec0-fa03cfa2b7b7"),

+ call: "teamsMeeting")

+ {

+ PlaceholderImageUri = "https://imageendpoint"

+ },

+ ["Jack"] = new ParticipantInput

+ (

+ id: new MicrosoftTeamsUserIdentifier("fa4337b5-f13a-41c5-a34f-f2aa46699b61"),

+ call: "teamsMeeting")

+ {

+ PlaceholderImageUri = "https://imageendpoint"

+ },

+ ["Jane"] = new ParticipantInput

+ (

+ id: new MicrosoftTeamsUserIdentifier("2dd69470-dc25-49cf-b5c3-f562f08bf3b2"),

+ call: "teamsMeeting"

+ )

+ {

+ PlaceholderImageUri = "https://imageendpoint"

+ },

+ ["Jerry"] = new ParticipantInput

+ (

+ id: new MicrosoftTeamsUserIdentifier("30e29fde-ac1c-448f-bb34-0f3448d5a677"),

+ call: "teamsMeeting")

+ {

+ PlaceholderImageUri = "https://imageendpoint"

+ },

+ ["teamsMeeting"] = new TeamsMeetingInput(teamsJoinUrl: "https://teamsJoinUrl")

+};

+var outputs = new Dictionary<string, MediaOutput>()

+{

+ ["acsGroupCall"] = new GroupCallOutput("d12d2277-ffec-4e22-9979-8c0d8c13d193")

+};

+var mediaCompositionId = "twoByTwoGridLayout"

+var response = await mediaCompositionClient.CreateAsync(mediaCompositionId, layout, inputs, outputs);

+```

+You can use the `mediaCompositionId` to view or update the properties of a media composition object. Therefore, it is important to keep track of and persist the `mediaCompositionId` in your storage medium of choice.

+## Get properties of an existing media composition

+Retrieve the details of an existing media composition by referencing the `mediaCompositionId`.

+```C# Snippet:GetMediaComposition

+var gridMediaComposition = await mediaCompositionClient.GetAsync(mediaCompositionId);

+```

+## Updates

+Updating the `layout` of a media composition can happen on-the-fly as the media composition is running. However, `input` updates while the media composition is running are not supported. The media composition will need to be stopped and restarted before any changes to the inputs are applied.

+### Update layout

+Updating the `layout` can be issued by passing in the new `layout` object and the `mediaCompositionId`. For example, we can update the grid layout to an auto-grid layout following the snippet below:

+```csharp

+var layout = new AutoGridLayout(new List<string>() { "teamsMeeting" })

+{

+ Resolution = new(720, 480),

+};

+var response = await mediaCompositionClient.UpdateLayoutAsync(mediaCompositionId, layout);

+```

+### Upsert or remove inputs

+To upsert inputs from the media composition object, use the `UpsertInputsAsync` function exposed in the client.

+```csharp

+var inputsToUpsert = new Dictionary<string, MediaInput>()

+{

+ ["James"] = new ParticipantInput

+ (

+ id: new MicrosoftTeamsUserIdentifier("f3ba9014-6dca-4456-8ec0-fa03cfa2b70p"),

+ call: "teamsMeeting"

+ )

+ {

+ PlaceholderImageUri = "https://imageendpoint"

+ }

+};

+var response = await mediaCompositionClient.UpsertInputsAsync(mediaCompositionId, inputsToUpsert);

+```

+You can also explicitly remove inputs from the list.

+```csharp

+var inputIdsToRemove = new List<string>()

+{

+ "Jane", "Jerry"

+};

+var response = await mediaCompositionClient.RemoveInputsAsync(mediaCompositionId, inputIdsToRemove);

+```

+### Upsert or remove outputs

+To upsert outputs, you can use the `UpsertOutputsAsync` function from the client.

+```csharp

+var outputsToUpsert = new Dictionary<string, MediaOutput>()

+{

+ ["youtube"] = new RtmpOutput("key", new(1920, 1080), "rtmp://a.rtmp.youtube.com/live2")

+};

+var response = await mediaCompositionClient.UpsertOutputsAsync(mediaCompositionId, outputsToUpsert);

+```

+You can remove outputs by following the snippet below:

+```csharp

+var outputIdsToRemove = new List<string>()

+{

+ "acsGroupCall"

+};

+var response = await mediaCompositionClient.RemoveOutputsAsync(mediaCompositionId, outputIdsToRemove);

+```

+## Start running a media composition

+After defining the media composition with the correct properties, you can start composing the media by calling the `StartAsync` function using the `mediaCompositionId`.

+```csharp

+var compositionSteamState = await mediaCompositionClient.StartAsync(mediaCompositionId);

+```

+## Stop running a media composition

+To stop a media composition, call the `StopAsync` function using the `mediaCompositionId`.

+```csharp

+var compositionSteamState = await mediaCompositionClient.StopAsync(mediaCompositionId);

+```

+## Delete a media composition

+If you wish to delete a media composition, you may issue a delete request:

+```csharp

+await mediaCompositionClient.DeleteAsync(mediaCompositionId);

+```

+## Object model

+The table below lists the main properties of media composition objects:

+| Name | Description |

+|--|-|

+| `mediaCompositionId` | Media composition identifier that can be a user-friendly string. Must be unique across a Communication Service resource. |

+| `layout` | Specifies how the media sources will be composed into a single frame. |

+| `inputs` | Defines which media sources will be used in the layout composition. |

+| `outputs` | Defines where to send the composed streams to.|

+## Next steps

+In this section you learned how to:

+> [!div class="checklist"]

+> - Create a new media composition

+> - Get the properties of a media composition

+> - Update layout

+> - Upsert and remove inputs

+> - Upsert and remove outputs

+> - Start and stop a media composition

+> - Delete a media composition

+You may also want to:

+ - Learn about [media composition concept](../../concepts/voice-video-calling//media-comp.md)

+ - Learn about [how to define a media composition](./define-media-composition.md)

+ Title: Connect to SQL databases from workflows

+# Connect to an SQL database from workflows in Azure Logic Apps

+| **Consumption** | Multi-tenant Azure Logic Apps | Managed connector (Standard class). For more information, review the following documentation: <br><br>- [SQL Server managed connector reference](/connectors/sql). <br>- [Managed connectors in Azure Logic Apps](managed.md) |

+| **Consumption** | Integration service environment (ISE) | Managed connector (Standard class) and ISE version, which has different message limits than the Standard class. For more information, review the following documentation: <br><br>- [SQL Server managed connector reference](/connectors/sql) <br>- [ISE message limits](../logic-apps/logic-apps-limits-and-config.md#message-size-limits) <br>- [Managed connectors in Azure Logic Apps](managed.md) |

+| **Standard** | Single-tenant Azure Logic Apps and App Service Environment v3 (Windows plans only) | Managed connector (Standard class) and built-in connector, which is [service provider based](../logic-apps/custom-connector-overview.md#service-provider-interface-implementation). The built-in version differs in the following ways: <br><br>- The built-in version doesn't have triggers. You can use either an SQL managed connector trigger or a different trigger. <br><br>- The built-in version connects directly to an SQL server and database requiring only a connection string. You don't need the on-premises data gateway. <br><br>- The built-in version can directly access Azure virtual networks. You don't need the on-premises data gateway.<br><br>For more information, review the following documentation: <br><br>- [SQL Server managed connector reference](/connectors/sql/) <br>- [SQL Server built-in connector reference](#built-in-connector-operations) section later in this article <br>- [Built-in connectors in Azure Logic Apps](built-in.md) |

+* The information required to create an SQL database connection, such as your SQL server and database name. If you're using Windows Authentication or SQL Server Authentication to authenticate access, you also need your user name and password. You can usually find this information in the connection string.

+ > [!IMPORTANT]

+ > If you use an SQL Server connection string that you copied directly from the Azure portal,

+ * For an SQL database in Azure, the connection string has the following format:

+ You can use the SQL Server built-in connector, which requires a connection string. The built-in connector currently supports only SQL Server Authentication. You can adjust connection pooling by specifying parameters in the connection string. For more information, review [Connection Pooling](/dotnet/framework/data/adonet/connection-pooling).

+ To use the SQL Server managed connector, follow the same requirements as a Consumption logic app workflow in multi-tenant Azure Logic Apps.

+ For other connector requirements, review [SQL Server managed connector reference](/connectors/sql/).

+In this example, the logic app workflow starts with the [Recurrence trigger](../connectors/connectors-native-recurrence.md), and calls an action that gets a row from an SQL database.

+ * **Built-in** when you want to use SQL Server [built-in actions](#built-in-connector-operations) such as **Execute query**

+ * [Built-in actions](#built-in-connector-operations)

+ This example selects the built-in action named **Execute query**.

+ 

+ * [Managed actions](/connectors/sql/#actions)

+1. Provide the information required by your selected action.

+ The following example continues with the managed action named **Get row**. If you haven't already provided the SQL server name and database name, provide those values. Otherwise, from the **Table name** list, select the table that you want to use. In this example, the table name is **SalesLT.Customer**. In the **Row id** property, enter the ID for the record that you want.

+ 

+ This action returns only one row from the selected table, and nothing else. To view the data in this row, add other actions. For example, such actions might create a file, include the fields from the returned row, and store the file in a cloud storage account. To learn about other available actions for this connector, review the [managed connector's reference page](/connectors/sql/).

+ | [**SQL Server Authentication**](/sql/relational-databases/security/choose-an-authentication-mode#connecting-through-sql-server-authentication) | - Supported with the SQL Server managed connector, SQL Server built-in connector, and ISE-versioned connector. <br><br>- Requires the following items: <br><br> A data gateway resource that's previously created in Azure for your connection, regardless whether your logic app is in multi-tenant Azure Logic Apps or an ISE. <br><br> A valid user name and strong password that are created and stored in your SQL Server database. For more information, see the following topics: <br><br>- [Azure SQL Security Overview - Authentication](/azure/azure-sql/database/security-overview#authentication) <br>- [Authorize database access to Azure SQL - Authentication and authorization](/azure/azure-sql/database/logins-create-manage#authentication-and-authorization) |

+ >

+ | [**SQL Server Authentication**](/sql/relational-databases/security/choose-an-authentication-mode#connecting-through-sql-server-authentication) | - Supported with the SQL Server managed connector, SQL Server built-in connector, and ISE-versioned connector. <br><br>- Requires the following items: <br><br> A data gateway resource that's previously created in Azure for your connection, regardless whether your logic app is in multi-tenant Azure Logic Apps or an ISE. <br><br> A valid user name and strong password that are created and stored in your SQL Server. <br><br>For more information, see [SQL Server Authentication](/sql/relational-databases/security/choose-an-authentication-mode#connecting-through-sql-server-authentication). |

+ > If you get an error that Azure Logic Apps can't generate a schema, check that your

+ > sample output's syntax is correctly formatted. If you still can't generate the schema,

+ > in the **Schema** box, manually enter the schema.

+<a name="built-in-connector-app-settings"></a>

+## Built-in connector app settings

+In a Standard logic app resource, the SQL Server built-in connector includes app settings that control various thresholds for performance, throughput, capacity, and so on. For example, you can change the query timeout value from 30 seconds. For more information, review [Reference for app settings - local.settings.json](../logic-apps/edit-app-settings-host-settings.md#reference-local-settings-json).

+## SQL built-in connector operations

+The SQL Server built-in connector is available only for Standard logic app workflows and provides the following actions, but no triggers:

+| Action | Description |

+|--|-|

+| [**Delete rows**](#delete-rows) | Deletes and returns the table rows that match the specified **Where condition** value. |

+| [**Execute query**](#execute-query) | Runs a query on an SQL database. |

+| [**Execute stored procedure**](#execute-stored-procedure) | Runs a stored procedure on an SQL database. |

+| [**Get rows**](#get-rows) | Gets the table rows that match the specified **Where condition** value. |

+| [**Get tables**](#get-tables) | Gets all the tables from the database. |

+| [**Insert row**](#insert-row) | Inserts a single row in the specified table. |

+| [**Update rows**](#update-rows) | Updates the specified columns in all the table rows that match the specified **Where condition** value using the **Set columns** column names and values. |

+<a name="delete-rows"></a>

+### Delete rows

+Operation ID: `deleteRows`

+Deletes and returns the table rows that match the specified **Where condition** value.

+#### Parameters

+| Name | Key | Required | Type | Description |

+||--|-||-|

+| **Table name** | `tableName` | True | String | The name for the table |

+| **Where condition** | `columnValuesForWhereCondition` | True | Object | This object contains the column names and corresponding values used for selecting the rows to delete. To provide this information, follow the *key-value* pair format, for example, *columnName* and *columnValue*, which also lets you specify single or specific rows to delete. |

+#### Returns

+| Name | Type |

+|||

+| **Result** | An array object that returns all the deleted rows. Each row contains the column name and the corresponding deleted value. |

+| **Result Item** | An array object that returns one deleted row at a time. A **For each** loop is automatically added to your workflow to iterate through the array. Each row contains the column name and the corresponding deleted value. |

+*Example*

+The following example shows sample parameter values for the **Delete rows** action:

+**Sample values**

+| Parameter | JSON name | Sample value |

+|--|--|--|

+| **Table name** | `tableName` | tableName1 |

+| **Where condition** | `columnValuesForWhereCondition` | Key-value pairs: <br><br>- <*columnName1*>, <*columnValue1*> <br><br>- <*columnName2*>, <*columnValue2*> |

+**Parameters in the action's underlying JSON definition**

+```json

+"parameters": {

+ "tableName": "tableName1",

+ "columnValuesForWhereCondition": {

+ "columnName1": "columnValue1",

+ "columnName2": "columnValue2"

+ }

+},

+```

+<a name="execute-query"></a>

+### Execute query

+Runs a query on an SQL database.

+#### Parameters

+| **Query** | `query` | True | Dynamic | The body for your SQL query |

+| **Query parameters** | `queryParameters` | False | Objects | The parameters for your query. <br><br>**Note**: If the query requires input parameters, you must provide these parameters. |

+#### Returns

+| Name | Type |

+|||

+| **Result** | An array object that returns all the query results. Each row contains the column name and the corresponding value. |

+| **Result Item** | An array object that returns one query result at a time. A **For each** loop is automatically added to your workflow to iterate through the array. Each row contains the column name and the corresponding value. |

+<a name="execute-stored-procedure"></a>

+### Execute stored procedure

+Operation ID: `executeStoredProcedure`

+Runs a stored procedure on an SQL database.

+#### Parameters

+| Name | Key | Required | Type | Description |

+||--|-||-|

+| **Procedure name** | `storedProcedureName` | True | String | The name for your stored procedure |

+| **Parameters** | `storedProcedureParameters` | False | Dynamic | The parameters for your stored procedure. <br><br>**Note**: If the stored procedure requires input parameters, you must provide these parameters. |

+#### Returns

+| Name | Type |

+|||

+| **Result** | An object that contains the result sets array, return code, and output parameters |

+| **Result Result Sets** | An object array that contains all the result sets from the stored procedure, which might return zero, one, or multiple result sets. |

+| **Result Return Code** | An integer that represents the status code from the stored procedure |

+| **Result Stored Procedure Parameters** | An object that contains the final values of the stored procedure's output and input-output parameters |

+| **Status Code** | The status code from the **Execute stored procedure** operation |

+<a name="get-rows"></a>

+### Get rows

+Operation ID: `getRows`

+Gets the table rows that match the specified **Where condition** value.

+#### Parameters

+| Name | Key | Required | Type | Description |

+||--|-||-|

+| **Table name** | `tableName` | True | String | The name for the table |

+| **Where condition** | `columnValuesForWhereCondition` | False | Dynamic | This object contains the column names and corresponding values used for selecting the rows to get. To provide this information, follow the *key-value* pair format, for example, *columnName* and *columnValue*, which also lets you specify single or specific rows to get. |

+#### Returns

+| Name | Type |

+|||

+| **Result** | An array object that returns all the row results. |

+| **Result Item** | An array object that returns one row result at a time. A **For each** loop is automatically added to your workflow to iterate through the array. |

+*Example*

+The following example shows sample parameter values for the **Get rows** action:

+**Sample values**

+| Parameter | JSON name | Sample value |

+|--|--|--|

+| **Table name** | `tableName` | tableName1 |

+| **Where condition** | `columnValuesForWhereCondition` | Key-value pairs: <br><br>- <*columnName1*>, <*columnValue1*> <br><br>- <*columnName2*>, <*columnValue2*> |

+**Parameters in the action's underlying JSON definition**

+```json

+"parameters": {

+ "tableName": "tableName1",

+ "columnValuesForWhereCondition": {

+ "columnName1": "columnValue1",

+ "columnName2": "columnValue2"

+ }

+},

+```

+<a name="get-tables"></a>

+### Get tables

+Operation ID: `getTables`

+Gets a list of all the tables in the database.

+#### Parameters

+None.

+#### Returns

+| Name | Type |

+|||

+| **Result** | An array object that contains the full names and display names for all tables in the database. |

+| **Result Display Name** | An array object that contains the display name for each table in the database. A **For each** loop is automatically added to your workflow to iterate through the array. |

+| **Result Full Name** | An array object that contains the full name for each table in the database. A **For each** loop is automatically added to your workflow to iterate through the array. |

+| **Result Item** | An array object that returns the full name and display name one at time for each table. A **For each** loop is automatically added to your workflow to iterate through the array. |

+<a name="insert-row"></a>

+### Insert row

+Operation ID: `insertRow`

+Inserts a single row in the specified table.

+| Name | Key | Required | Type | Description |

+||--|-||-|

+| **Table name** | `tableName` | True | String | The name for the table |

+| **Set columns** | `setColumns` | False | Dynamic | This object contains the column names and corresponding values to insert. To provide this information, follow the *key-value* pair format, for example, *columnName* and *columnValue*. If the table has columns with default or autogenerated values, you can leave this field empty. |

+#### Returns

+| Name | Type |

+|||

+| **Result** | The inserted row, including the names and values of any autogenerated, default, and null value columns. |

+<a name="update-rows"></a>

+### Update rows

+Operation ID: `updateRows`

+Updates the specified columns in all the table rows that match the specified **Where condition** value using the **Set columns** column names and values.

+| Name | Key | Required | Type | Description |

+||--|-||-|

+| **Table name** | `tableName` | True | String | The name for the table |

+| **Where condition** | `columnValuesForWhereCondition` | True | Dynamic | This object contains the column names and corresponding values for selecting the rows to update. To provide this information, follow the *key-value* pair format, for example, *columnName* and *columnValue*, which also lets you specify single or specific rows to update. |

+| **Set columns** | `setColumns` | True | Dynamic | This object contains the column names and the corresponding values to use for the update. To provide this information, follow the *key-value* pair format, for example, *columnName* and *columnValue*. |

+#### Returns

+| Name | Type |

+|||

+| **Result** | An array object that returns all the columns for the updated rows. |

+| **Result Item** | An array object that returns one column at a time from the updated rows. A **For each** loop is automatically added to your workflow to iterate through the array. |

+*Example*

+The following example shows sample parameter values for the **Update rows** action:

+**Sample values**

+| Parameter | JSON name | Sample value |

+|--|--|--|

+| **Table name** | `tableName` | tableName1 |

+| **Where condition** | `columnValuesForWhereCondition` | Key-value pairs: <br><br>- <*columnName1*>, <*columnValue1*> <br><br>- <*columnName2*>, <*columnValue2*> |

+**Parameters in the action's underlying JSON definition**

+```json

+"parameters": {

+ "tableName": "tableName1",

+ "columnValuesForWhereCondition": {

+ "columnName1": "columnValue1",

+ "columnName2": "columnValue2"

+ }

+},

+```

+* [Managed connectors for Azure Logic Apps](/connectors/connector-reference/connector-reference-logicapps-connectors)

+* [Built-in connectors for Azure Logic Apps](built-in.md)

+| [Find existing free-tier account](../scripts/cli/common/free-tier.md)| Find whether there is an existing free-tier account in your subscription.|

+| Maximum number of databases per account | 100 |

+| [Find existing free-tier account](../scripts/cli/common/free-tier.md)| Find whether there is an existing free-tier account in your subscription.|

+| [Find existing free-tier account](../scripts/cli/common/free-tier.md)| Find whether there is an existing free-tier account in your subscription.|

+| [Find existing free-tier account](../scripts/cli/common/free-tier.md)| Find whether there is an existing free-tier account in your subscription.|

+| [Find existing free-tier account](../scripts/cli/common/free-tier.md)| Find whether there is an existing free-tier account in your subscription.|

+The Snowflake account that is used for Source or Sink should have the necessary `USAGE` access on the database and read/write access on schema and the tables/views under it.. In addition, it should also have `CREATE STAGE` on the schema to be able to create the External stage with SAS URI.

+## Error code: AzureBlobFailedToCreateContainer

+- **Message**: `Unable to create Azure Blob container. Endpoint: '%endpoint;', Container Name: '%containerName;'.`

+- **Cause**: This error happens when copying data with Azure Blob Storage account public access.

+- **Recommendation**: For more information about connection errors in the public endpoint, see [Connection error in public endpoint](security-and-access-control-troubleshoot-guide.md#connection-error-in-public-endpoint).

+ Title: Troubleshoot the Azure Data Explorer connector

+description: Learn how to troubleshoot issues with the Azure Data Explorer connector in Azure Data Factory and Azure Synapse Analytics.

+# Troubleshoot the Azure Data Explorer connector in Azure Data Factory and Azure Synapse

+This article provides suggestions to troubleshoot common problems with the Azure Data Explorer connector in Azure Data Factory and Azure Synapse.

+## Error code: KustoMappingReferenceHasWrongKind

+- **Message**: `Mapping reference should be of kind 'Csv'. Mapping reference: '%reference;'. Kind '%kind;'.`

+- **Cause**: The ingestion mapping reference is not CSV type.

+- **Recommendation**: Create a CSV ingestion mapping reference.

+## Error code: KustoWriteFailed

+- **Message**: `Write to Kusto failed with following error: '%message;'.`

+- **Cause**: Wrong configuration or transient errors when the sink reads data from the source.

+- **Recommendation**: For transient failures, set retries for the activity. For permanent failures, check your configuration and contact support.

+## Next steps

+For more troubleshooting help, try these resources:

+- [Connector troubleshooting guide](connector-troubleshoot-guide.md)

+- [Data Factory blog](https://azure.microsoft.com/blog/tag/azure-data-factory/)

+- [Data Factory feature requests](/answers/topics/azure-data-factory.html)

+- [Azure videos](https://azure.microsoft.com/resources/videos/index/?sort=newest&services=data-factory)

+- [Microsoft Q&A page](/answers/topics/azure-data-factory.html)

+- [Stack Overflow forum for Data Factory](https://stackoverflow.com/questions/tagged/azure-data-factory)

+- [Twitter information about Data Factory](https://twitter.com/hashtag/DataFactory)

+ | If the error message is `Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host`, your integration runtime has a network issue in connecting to Azure Data Lake Storage Gen2. | In the firewall rule setting of Azure Data Lake Storage Gen2, make sure Azure Data Factory IP addresses are in the allowed list. For more information, see [Configure Azure Storage firewalls and virtual networks](../storage/common/storage-network-security.md). |

+ | If the error message is `This endpoint does not support BlobStorageEvents or SoftDelete`, you are using an Azure Data Lake Storage Gen2 linked service to connect to an Azure Blob Storage account that enables Blob storage events or soft delete. | Try the following options：<br>1. If you still want to use an Azure Data Lake Storage Gen2 linked service, upgrade your Azure Blob Storage to Azure Data Lake Storage Gen2. For more information, see [Upgrade Azure Blob Storage with Azure Data Lake Storage Gen2 capabilities](../storage/blobs/upgrade-to-data-lake-storage-gen2-how-to.md).<br>2. Switch your linked service to Azure Blob Storage.<br>3. Disable Blob storage events or soft delete in your Azure Blob Storage account. |

+### Error code: HttpSourceUnsupportedStatusCode

+- **Message**: `Http source doesn't support HTTP Status Code '%code;'.`

+- **Cause**: This error happens when Azure Data Factory requests HTTP source but gets unexpected status code.

+- **Recommendation**: For more information about HTTP status code, see this [document](/troubleshoot/developer/webapps/iis/www-administration-management/http-status-code).

+ | Data Stores | Supported Network Security Mechanism on Data Stores | Private Link | Trusted Service | Static IP range | Service Tags | Allow Azure Services |

+ | | Snowflake | Yes | - | Yes | - | - |

+ | On-premises IaaS | SQL Server, Oracle, etc. | - | - | Yes | - | -

+

+

+- [Join Azure-SSIS IR to a virtual network that connects to on-premises sources](/azure/data-factory/join-azure-ssis-integration-runtime-virtual-network)

+- [Use self-hosted IR to connect on-premises sources](/azure/data-factory/self-hosted-integration-runtime-proxy-ssis).

+- [Join Azure-SSIS IR to a virtual network that connects to on-premises sources](/azure/data-factory/join-azure-ssis-integration-runtime-virtual-network).

+- [Use self-hosted IR to connect on-premises sources](/azure/data-factory/self-hosted-integration-runtime-proxy-ssis).

+- [Join Azure-SSIS IR to a virtual network](/azure/data-factory/join-azure-ssis-integration-runtime-virtual-network) that connects to on-premises sources.

+- [Join Azure-SSIS IR to a virtual network that connects to on-premises sources](/azure/data-factory/join-azure-ssis-integration-runtime-virtual-network).

+- [Use self-hosted IR to connect on-premises sources](/azure/data-factory/self-hosted-integration-runtime-proxy-ssis).

+"ErrorCode=AzureBlobFailedToCreateContainer,'Type=Microsoft.DataTransfer.Common.Shared.HybridDeliveryException,Message=Unable to create Azure Blob container. Endpoint: XXXXXXX/, Container Name: test.,Source=Microsoft.DataTransfer.ClientLibrary,''Type=Microsoft.WindowsAzure.Storage.StorageException,Message=Unable to connect to the remote server,Source=Microsoft.WindowsAzure.Storage,''Type=System.Net.WebException,Message=Unable to connect to the remote server,Source=System,''Type=System.Net.Sockets.SocketException,Message=A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond public ip:443,Source=System,'","Details":null}}</Text></LogProperties>.

+Azure DNS Private Resolver enables you to query Azure DNS private zones from an on-premises environment, and vice versa, without deploying VM based DNS servers. You no longer need to provision IaaS based solutions on your virtual networks to resolve names registered on Azure private DNS zones. You can configure conditional forwarding of domains back to on-premises, multicloud and public DNS servers. For more information, including benefits, capabilities, and regional availability, see [What is Azure DNS Private Resolver](dns-private-resolver-overview.md).

+[  ](./media/dns-resolver-overview/resolver-architecture-highres.png#lightbox)

+For more information about endpoints and rulesets, see [Azure DNS Private Resolver endpoints and rulesets](private-resolver-endpoints-rulesets.md).

+A DNS forwarding ruleset is a group of DNS forwarding rules (up to 1,000) that can be applied to one or more outbound endpoints, or linked to one or more virtual networks. This is a 1:N relationship. Rulesets are associated with a specific outbound endpoint. For more information, see [DNS forwarding rulesets](private-resolver-endpoints-rulesets.md#dns-forwarding-rulesets).

+- All IP configurations for a DNS resolver inbound endpoint must reference the same subnet. Spanning multiple subnets in the IP configuration for a single DNS resolver inbound endpoint isn't allowed.

+* Understand how to [Resolve Azure and on-premises domains](private-resolver-hybrid-dns.md) using the Azure DNS Private Resolver.

+* Learn about [Azure DNS Private Resolver endpoints and rulesets](private-resolver-endpoints-rulesets.md).

+* Learn how to [Set up DNS failover using private resolvers](tutorial-dns-private-resolver-failover.md)

+* Learn how to [configure hybrid DNS](private-resolver-hybrid-dns.md) using private resolvers.

+ Title: Azure DNS Private Resolver endpoints and rulesets

+description: In this article, understand the Azure DNS Private Resolver endpoints and rulesets

+#Customer intent: As an administrator, I want to understand components of the Azure DNS Private Resolver.

+# Azure DNS Private Resolver endpoints and rulesets

+In this article, you'll learn about components of the [Azure DNS Private Resolver](dns-private-resolver-overview.md). Inbound endpoints, outbound endpoints, and DNS forwarding rulesets are discussed. Properties and settings of these components are described, and examples are provided for how to use them.

+> [!IMPORTANT]

+> Azure DNS Private Resolver is currently in [public preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+## Inbound endpoints

+As the name suggests, inbound endpoints will ingress to Azure. Inbound endpoints provide an IP address to forward DNS queries from on-premises and other locations outside your virtual network. DNS queries sent to the inbound endpoint are resolved using Azure DNS. Private DNS zones that are linked to the virtual network where the inbound endpoint is provisioned are resolved by the inbound endpoint.

+The IP address associated with an inbound endpoint is always part of the private virtual network address space where the private resolver is deployed. No other resources can exist in the same subnet with the inbound endpoint. The following screenshot shows an inbound endpoint with an IP address of 10.10.0.4 inside the subnet `snet-E-inbound` provisioned within a virtual network with address space of 10.10.0.0/16.

+

+## Outbound endpoints

+Outbound endpoints egress from Azure and can be linked to [DNS Forwarding Rulesets](#dns-forwarding-rulesets).

+Outbound endpoints are also part of the private virtual network address space where the private resolver is deployed. An outbound endpoint is associated with a subnet, but isn't provisioned with an IP address like the inbound endpoint. No other resources can exist in the same subnet with the outbound endpoint. The following screenshot shows an outbound endpoint inside the subnet `snet-E-outbound`.

+

+## DNS forwarding rulesets

+DNS forwarding rulesets enable you to specify one or more custom DNS servers to answer queries for specific DNS namespaces. The individual [rules](#rules) in a ruleset determine how these DNS names are resolved. Rulesets can also be linked one or more virtual networks, enabling resources in the vnets to use the forwarding rules that you configure.

+Rulesets have the following associations:

+- A single ruleset can be associated with multiple outbound endpoints.

+- A ruleset can have up to 1000 DNS forwarding rules.

+- A ruleset can be linked to any number of virtual networks in the same region

+A ruleset can't be linked to a virtual network in another region.

+When you link a ruleset to a virtual network, resources within that virtual network will use the DNS forwarding rules enabled in the ruleset. The linked virtual network must peer with the virtual network where the outbound endpoint exists. This configuration is typically used in a hub and spoke design, with spoke vnets peered to a hub vnet that has one or more private resolver endpoints. In this hub and spoke scenario, the spoke vnet does not need to be linked to the private DNS zone in order to resolve resource records in the zone. In this case, the forwarding ruleset rule for the private zone sends queries to the hub vnet's inbound endpoint. For example: **azure.contoso.com** to **10.10.0.4**.

+The following screenshot shows a DNS forwarding ruleset linked to two virtual networks: a hub vnet: **myeastvnet**, and a spoke vnet: **myeastspoke**.

+

+Virtual network links for DNS forwarding rulesets enable resources in vnets to use forwarding rules when resolving DNS names. Vnets that are linked from a ruleset, but don't have their own private resolver, must have a peering connection to the vnet that contains the private resolver. The vnet with the private resolver must also be linked from any private DNS zones for which there are ruleset rules.

+For example, resources in the vnet `myeastspoke` can resolve records in the private DNS zone `azure.contoso.com` if:

+- The vnet `myeastspoke` peers with `myeastvnet`

+- The ruleset provisioned in `myeastvnet` is linked to `myeastspoke` and `myeastvnet`

+- A ruleset rule is configured and enabled in the linked ruleset to resolve `azure.contoso.com` using the inbound endpoint in `myeastvnet`

+### Rules

+DNS forwarding rules (ruleset rules) have the following properties:

+| Property | Description |

+| | |

+| Rule name | The name of your rule. The name must begin with a letter, and can contain only letters, numbers, underscores, and dashes. |

+| Domain name | The dot-terminated DNS namespace where your rule applies. The namespace must have either zero labels (for wildcard) or between 2 and 34 labels. For example, `contoso.com.` has two labels. |

+| Destination IP:Port | The forwarding destination. One or more IP addresses and ports of DNS servers that will be used to resolve DNS queries in the specified namespace. |

+| Rule state | The rule state: Enabled or disabled. If a rule is disabled, it's ignored. |

+If multiple rules are matched, the longest prefix match is used.

+For example, if you have the following rules:

+| Rule name | Domain name | Destination IP:Port | Rule state |

+| | | | |

+| Contoso | contoso.com. | 10.100.0.2:53 | Enabled |

+| AzurePrivate | azure.contoso.com. | 10.10.0.4:53 | Enabled |

+| Wildcard | . | 10.100.0.2:53 | Enabled |

+A query for `secure.store.azure.contoso.com` will match the **AzurePrivate** rule for `azure.contoso.com` and also the **Contoso** rule for `contoso.com`, but the **AzurePrivate** rule takes precedence because the prefix `azure.contoso` is longer than `contoso`.

+## Next steps

+* Review components, benefits, and requirements for [Azure DNS Private Resolver](dns-private-resolver-overview.md).

+* Learn how to create an Azure DNS Private Resolver by using [Azure PowerShell](./dns-private-resolver-get-started-powershell.md) or [Azure portal](./dns-private-resolver-get-started-portal.md).

+* Understand how to [Resolve Azure and on-premises domains](private-resolver-hybrid-dns.md) using the Azure DNS Private Resolver.

+* Learn how to [Set up DNS failover using private resolvers](tutorial-dns-private-resolver-failover.md)

+* Learn how to [configure hybrid DNS](private-resolver-hybrid-dns.md) using private resolvers.

+* Learn about some of the other key [networking capabilities](../networking/fundamentals/networking-overview.md) of Azure.

+* [Learn module: Introduction to Azure DNS](/learn/modules/intro-to-azure-dns).

+ Title: Resolve Azure and on-premises domains

+description: Configure Azure and on-premises DNS to resolve private DNS zones and on-premises domains

+# Customer intent: As an administrator, I want to resolve on-premises domains in Azure and resolve Azure private zones on-premises.

+# Resolve Azure and on-premises domains

+This article provides guidance on how to configure hybrid DNS resolution by using an [Azure DNS Private Resolver](#azure-dns-private-resolver) with a [DNS forwarding ruleset](#dns-forwarding-ruleset).

+*Hybrid DNS resolution* is defined here as enabling Azure resources to resolve your on-premises domains, and on-premises DNS to resolve your Azure private DNS zones.

+> [!IMPORTANT]

+> Azure DNS Private Resolver is currently in [public preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+## Azure DNS Private Resolver

+The [Azure DNS Private Resolver](dns-private-resolver-overview.md) is a service that can resolve on-premises DNS queries for Azure DNS private zones. Previously, it was necessary to [deploy a VM-based custom DNS resolver](/azure/hdinsight/connect-on-premises-network), or use non-Microsoft DNS, DHCP, and IPAM (DDI) solutions to perform this function.

+Benefits of using the Azure DNS Private Resolver service vs. VM-based resolvers or DDI solutions include:

+- Zero maintenance: Unlike VM or hardware based solutions, the private resolver doesn't require software updates, vulnerability scans, or security patching. The private resolver service is fully managed.

+- Cost reduction: Azure DNS Private Resolver is a multi-tenant service and can cost a fraction of the expense that is required to use and license multiple VM-based DNS resolvers.

+- High availability: The Azure DNS Private Resolver service has built-in high availability features. The service is [availability zone](/azure/availability-zones/az-overview) aware, thus ensuring that high availability and redundancy of your DNS solution can be accomplished with much less effort. For more information on how to configure DNS failover using the private resolver service, see [Tutorial: Set up DNS failover using private resolvers](tutorial-dns-private-resolver-failover.md).

+- DevOps friendly: Traditional DNS solutions are hard to integrate with DevOps workflows as these often require manual configuration for every DNS change. Azure DNS private resolver provides a fully functional ARM interface that can be easily integrated with DevOps workflows.

+## DNS forwarding ruleset

+A DNS forwarding ruleset is a group of rules that specify one or more custom DNS servers to answer queries for specific DNS namespaces. For more information, see [Azure DNS Private Resolver endpoints and rulesets](private-resolver-endpoints-rulesets.md).

+## Procedures

+The following procedures in this article are used to enable and test hybrid DNS:

+- [Create an Azure DNS private zone](#create-an-azure-dns-private-zone)

+- [Create an Azure DNS Private Resolver](#create-an-azure-dns-private-resolver)

+- [Configure an Azure DNS forwarding ruleset](#configure-an-azure-dns-forwarding-ruleset)

+- [Configure on-premises DNS conditional forwarders](#configure-on-premises-dns-conditional-forwarders)

+- [Demonstrate hybrid DNS](#demonstrate-hybrid-dns)

+## Create an Azure DNS private zone

+Create a private zone with at least one resource record to use for testing. The following quickstarts are available to help you create a private zone:

+- [Create a private zone - portal](private-dns-getstarted-portal.md)

+- [Create a private zone - PowerShell](private-dns-getstarted-powershell.md)

+- [Create a private zone - CLI](private-dns-getstarted-cli.md)

+In this article, the private zone **azure.contoso.com** and the resource record **test** are used. Autoregistration isn't required for the current demonstration.

+[  ](./media/private-resolver-hybrid-dns/private-zone-records.png#lightbox)

+**Requirement**: You must create a virtual network link in the zone to the virtual network where you'll deploy your Azure DNS Private Resolver. In the example shown below, the private zone is linked to two vnets: **myeastvnet** and **mywestvnet**. At least one link is required.

+[  ](./media/private-resolver-hybrid-dns/private-zone-links.png#lightbox)

+## Create an Azure DNS Private Resolver

+The following quickstarts are available to help you create a private resolver. These quickstarts walk you through creating a resource group, a virtual network, and Azure DNS Private Resolver. The steps to configure an inbound endpoint, outbound endpoint, and DNS forwarding ruleset are provied:

+- [Create a private resolver - portal](dns-private-resolver-get-started-portal.md)

+- [Create a private resolver - PowerShell](dns-private-resolver-get-started-powershell.md)

+ When you're finished, write down the IP address of the inbound endpoint for the Azure DNS Private Resolver, as shown below. In this case, the IP address is **10.10.0.4**. This IP address will be used later to configure on-premises DNS conditional forwarders.

+[  ](./media/private-resolver-hybrid-dns/inbound-endpoint-ip.png#lightbox)

+## Configure an Azure DNS forwarding ruleset

+Create a forwarding ruleset in the same region as your private resolver. The following example shows two rulesets. The **East US** region ruleset is used for the hybrid DNS demonstration.

+[  ](./media/private-resolver-hybrid-dns/forwarding-ruleset-region.png#lightbox)

+**Requirement**: You must create a virtual network link to the vnet where your private resolver is deployed. In the following example, two virtual network links are present. The link **myeastvnet-link** is created to a hub vnet where the private resolver is provisioned. There's also a virtual network link **myeastspoke-link** that provides hybrid DNS resolution in a spoke vnet that doesn't have its own private resolver. The spoke network is able to use the private resolver because it peers with the hub network. The spoke vnet link isn't required for the current demonstration.

+[  ](./media/private-resolver-hybrid-dns/ruleset-links.png#lightbox)

+Next, create a rule in your ruleset for your on-premises domain. In this example, we use **contoso.com**. Set the destination IP address for your rule to be the IP address of your on-premises DNS server. In this example, the on-premises DNS server is at **10.100.0.2**. Verify that the rule is **Enabled**.

+[  ](./media/private-resolver-hybrid-dns/ruleset-rules.png#lightbox)

+> [!NOTE]

+> Don't change the DNS settings for your virtual network to use the inbound endpoint IP address. Leave the default DNS settings.

+## Configure on-premises DNS conditional forwarders

+The procedure to configure on-premises DNS depends on the type of DNS server you're using. In the following example, a Windows DNS server at **10.100.0.2** is configured with a conditional forwarder for the private DNS zone **azure.contoso.com**. The conditional forwarder is set to forward queries to **10.10.0.4**, which is the inbound endpoint IP address for your Azure DNS Private Resolver. There's another IP address also configured here to enable DNS failover. For more information about enabling failover, see [Tutorial: Set up DNS failover using private resolvers](tutorial-dns-private-resolver-failover.md). For the purposes of this demonstration, only the **10.10.0.4** inbound endpoint is required.

+

+## Demonstrate hybrid DNS

+Using a VM located in the virtual network where the Azure DNS Private Resolver is provisioned, issue a DNS query for a resource record in your on-premises domain. In this example, a query is performed for the record **testdns.contoso.com**:

+

+The path for the query is: Azure DNS > inbound endpoint > outbound endpoint > ruleset rule for contoso.com > on-premises DNS (10.100.0.2). The DNS server at 10.100.0.2 is an on-premises DNS resolver, but it could also be an authoritative DNS server.

+Using an on-premises VM or device, issue a DNS query for a resource record in your Azure private DNS zone. In this example, a query is performed for the record **test.azure.contoso.com**:

+

+The path for this query is: client's default DNS resolver (10.100.0.2) > on-premises conditional forwarder rule for azure.contoso.com > inbound endpoint (10.10.0.4)

+## Next steps

+* Review components, benefits, and requirements for [Azure DNS Private Resolver](dns-private-resolver-overview.md).

+* Learn how to create an Azure DNS Private Resolver by using [Azure PowerShell](./dns-private-resolver-get-started-powershell.md) or [Azure portal](./dns-private-resolver-get-started-portal.md).

+* Understand how to [Resolve Azure and on-premises domains](private-resolver-hybrid-dns.md) using the Azure DNS Private Resolver.

+* Learn about [Azure DNS Private Resolver endpoints and rulesets](private-resolver-endpoints-rulesets.md).

+* Learn how to [Set up DNS failover using private resolvers](tutorial-dns-private-resolver-failover.md)

+* Learn about some of the other key [networking capabilities](../networking/fundamentals/networking-overview.md) of Azure.

+* [Learn module: Introduction to Azure DNS](/learn/modules/intro-to-azure-dns).

+ Title: Tutorial - Set up DNS failover using private resolvers

+description: A tutorial on how to configure regional failover using the Azure DNS Private Resolver

+#Customer intent: As an administrator, I want to avoid having a single point of failure for DNS resolution.

+# Tutorial: Set up DNS failover using private resolvers

+This article details how to eliminate a single point of failure in your on-premises DNS services by using two or more Azure DNS private resolvers deployed across different regions. DNS failover is enabled by assigning a local resolver as your primary DNS and the resolver in an adjacent region as secondary DNS.

+> [!IMPORTANT]

+> Azure DNS Private Resolver is currently in [public preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Resolve Azure Private DNS zones using on-premises conditional fowarders and Azure DNS private resolvers.

+> * Enable on-premises DNS failover for your Azure Private DNS zones.

+The following diagram shows the failover scenario discussed in this article.

+[  ](./media/tutorial-dns-private-resolver-failover/private-resolver-failover-highres.png#lightbox)

+In this scenario, you have connections from two on-premises locations to two Azure hub vnets.

+- In the east region, the primary path is to the east vnet hub. You have a secondary connection to the west hub. The west region is configured in the reverse.

+- Due to an Internet connectivity issue, the connection to one vnet (west) is temporarily broken.

+- Service is maintained in both regions due to the redundant design.

+The DNS resolution path is:

+1) Redundant on-premises DNS [conditional forwarders](#on-premise-forwarding) send DNS queries to inbound endpoints.

+2) [Inbound endpoints](#inbound-endpoints) receive DNS queries from on-premises.

+3) Outbound endpoints and DNS forwarding rulesets process DNS queries and return replies to your on-premises resources.

+Outbound endpoints and DNS forwarding rulesets aren't needed for the failover scenario, but are included here for completeness. Rulesets can be used is to resolve on-premises domains from Azure. For more information, see [Azure DNS Private Resolver endpoints and rulesets](private-resolver-endpoints-rulesets.md) and [Resolve Azure and on-premises domains](private-resolver-hybrid-dns.md).

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- Two [Azure virtual networks](../virtual-network/quick-create-portal.md) in two regions

+- A [VPN](../vpn-gateway/tutorial-site-to-site-portal.md) or [ExpressRoute](../expressroute/expressroute-howto-circuit-portal-resource-manager.md) link from on-premises to each virtual network

+- An [Azure DNS Private Resolver](dns-private-resolver-get-started-portal.md) in each virtual network

+- An Azure [private DNS zone](private-dns-getstarted-portal.md) that is linked to each virtual network

+- An on-premises DNS server

+> [!NOTE]

+> In this tutorial,`azure.contoso.com` is an Azure private DNS zone. Replace `azure.contoso.com` with your private DNS zone name.

+## Sign in to Azure

+Sign in to the [Azure portal](https://portal.azure.com).

+<a name="inbound-endpoints"></a>

+## Determine inbound endpoint IP addresses

+Write down the IP addresses assigned to the inbound endpoints of your DNS private resolvers. The IP addresses will be used to configure on-premises DNS forwarders.

+In this example, there are two virtual networks in two regions:

+- **myeastvnet** is in the East US region, assigned the address space 10.10.0.0/16

+- **mywestvnet** is in the West Central US region, assigned the address space 10.20.0.0/16

+1. Search for **DNS Private Resolvers** and select your private resolver from the first region. For example: **myeastresolver**.

+2. Under **Settings**, select **Inbound endpoints** and write down the **IP address** setting. For example: **10.10.0.4**.

+ 

+3. Return to the list of **DNS Private Resolvers** and select a resolver from a different region. For example: **mywestresolver**.

+4. Under **Settings**, select **Inbound endpoints** and write down the **IP address** setting of this resolver. For example: **10.20.0.4**.

+## Verify private zone links

+To resolve DNS records in an Azure DNS private zone, the zone must be linked to the virtual network. In this example, the zone `azure.contoso.com` is linked to **myeastvnet** and **mywestvnet**. Links to other vnets can also be present.

+1. Search for **Private DNS zones** and select your private zone. For example: **azure.contoso.com**.

+2. Under **Settings**, select **Virtual network links** and verify that the vnets you used for inbound endpoints in the previous procedure are also listed under Virtual network. For example: **myeastvnet** and **mywestvnet**.

+ 

+3. If one or more vnets aren't yet linked, you can add it here by selecting **Add**, providing a **Link name**, choosing your **Subscription**, and then choosing the **Virtual network**.

+> [!TIP]

+> You can also use peering to resolve records in private DNS zones. For more information, see [Azure DNS Private Resolver endpoints and rulesets](private-resolver-endpoints-rulesets.md).

+## Verify Azure DNS resolution

+Check that DNS settings for your virtual networks are set to Default (Azure-provided).

+1. Search for **Virtual networks** and select the first Vnet. For example: **myeastvnet**.

+2. Under **Settings**, select **DNS servers** and verify that **Default (Azure-provided)** is chosen.

+3. Select the next Vnet (ex: **mywestvnet**) and verify that **Default (Azure-provided)** is chosen.

+ > [!NOTE]

+ > Custom DNS settings can also be made to work, but this is not in scope for the current scenario.

+4. Search for **Private DNS zones** and select your private zone name. For example: **azure.contoso.com**.

+5. Create a test record in the zone by selecting **+ Record set** and adding a new A record. For example: **test**.

+ 

+5. Open a command prompt using an on-premises client and use nslookup to look up your test record using the first private resolver IP address that you wrote down (ex: 10.10.0.4). See the following example:

+ ```cmd

+ nslookup test.azure.contoso.com 10.10.0.4

+ ```

+ The query should return the IP address that you assigned to your test record.

+ 

+6. Repeat this nslookup query using the IP address that you wrote down for the second private resolver (ex: 10.20.0.4).

+ 

+ > [!NOTE]

+ > If DNS resolution for the private zone is not working, check that your on-premises links to the Azure Vnets are connected.

+<a name="on-premise-forwarding"></a>

+## Configure on-premises DNS forwarding

+Now that DNS resolution is working from on-premises to Azure using two different Azure DNS Private Resolvers, we can configure forwarding to use both of these addresses. This will enable redundancy in case one of the connections to Azure is interrupted. The procedure to configure forwarders will depend on the type of DNS server that you're using. The following example uses a Windows Server that is running the DNS Server role service and has an IP address of 10.100.0.2.

+ > [!NOTE]

+ > The DNS server that you use to configure forwarding should be a server that client devices on your network will use for DNS resolution. If the server you're configuring is not the default, you'll need to query it's IP address directly (ex: nslookup test.azure.contoso.com 10.100.0.2) after forwarding is configured.

+1. Open an elevated Windows PowerShell prompt and issue the following command. Replace **azure.contoso.com** with the name of your private zone, and replace the IP addresses below with the IP addresses of your private resolvers.

+ ```PowerShell

+ Add-DnsServerConditionalForwarderZone -Name "azure.contoso.com" -MasterServers 10.20.0.4,10.10.0.4

+ ```

+2. If preferred, you can also use the DNS console to enter conditional forwarders. See the following example:

+ 

+3. Now that forwarding is in place, issue the same DNS query that you used in the previous procedure. However, this time don't enter a destination IP address for the query. The query will use the client's default DNS server.

+ 

+## Demonstrate resiliency (optional)

+You can now demonstrate that DNS resolution works when one of the connections is broken.

+1. Interrupt connectivity from on-premises to one of your Vnets by disabling or disconnecting the interface. Verify that the connection doesn't automatically reconnect on-demand.

+2. Run the nslookup query using the private resolver from the Vnet that is no longer connected and verify that it fails (see below).

+3. Run the nslookup query using your default DNS server (configured with forwarders) and verify it still works due to the redundancy you enabled.

+ 

+## Next steps

+* Review components, benefits, and requirements for [Azure DNS Private Resolver](dns-private-resolver-overview.md).

+* Learn how to create an Azure DNS Private Resolver by using [Azure PowerShell](./dns-private-resolver-get-started-powershell.md) or [Azure portal](./dns-private-resolver-get-started-portal.md).

+* Understand how to [Resolve Azure and on-premises domains](private-resolver-hybrid-dns.md) using the Azure DNS Private Resolver.

+* Learn about [Azure DNS Private Resolver endpoints and rulesets](private-resolver-endpoints-rulesets.md).

+* Learn how to [configure hybrid DNS](private-resolver-hybrid-dns.md) using private resolvers.

+* Learn about some of the other key [networking capabilities](../networking/fundamentals/networking-overview.md) of Azure.

+* [Learn module: Introduction to Azure DNS](/learn/modules/intro-to-azure-dns).

+> [!IMPORTANT]

+> To use **Web Category Check** feature, user has to have an access of Microsoft.Network/azureWebCategories/getwebcategory/action for **subscription** level, not resource group level.

+* Azure AD connect syncs from on-premises to Azure AD.

+## How do I troubleshoot YARN common issues?

+### Yarn UI isn't loading

+If your YARN UI isn't loading or is unreachable, and it returns "HTTP Error 502.3 - Bad Gateway," it highly indicates your ResourceManager service is unhealthy. To mitigate the issue, follow these steps:

+1. Go to **Ambari UI** > **YARN** > **SUMMARY** and check to see if only the active ResourceManager is in the **Started** state. If not, try to mitigate by restarting the unhealthy or stopped ResourceManager.

+2. If step 1 doesn't resolve the issue, SSH the active ResourceManager head node and check the garbage collection status using `jstat -gcutil <ResourceManager pid> 1000 100`. If you see the **FGCT** increase significantly in just a few seconds, it indicates ResourceManager is busy in *Full GC*, and is unable to process the other requests.

+3. Go to **Ambari UI** > **YARN** > **CONFIGS** > **Advanced** and increase `ResourceManager java heap size`.

+4. Restart required services in Ambari UI.

+### Both resource managers are in standby

+1. Check ResourceManager log to see if below similar error exists.

+```

+Service RMActiveServices failed in state STARTED; cause: org.apache.hadoop.service.ServiceStateException: com.google.protobuf.InvalidProtocolBufferException: Could not obtain block: BP-452067264-10.0.0.16-1608006815288:blk_1074235266_494491 file=/yarn/node-labels/nodelabel.mirror

+```

+2. If the error exists, check to see if some files are under replication or if there are missing blocks in the HDFS. You can run `hdfs fsck hdfs://mycluster/`

+3. Run `hdfs fsck hdfs://mycluster/ -delete` to forcefully clean up the HDFS and to get rid of the standby RM issue. Alternatively, run [PatchYarnNodeLabel](https://hdiconfigactions.blob.core.windows.net/hadoopcorepatchingscripts/PatchYarnNodeLabel.sh) on one of headnodes to patch the cluster.

+# Optimize Apache Spark applications in HDInsight

+This article provides an overview of strategies to optimize Apache Spark applications on Azure HDInsight.

+You might face below common Scenarios

+- The same spark job is slower than before in the same HDInsight cluster

+- The spark job is slower in HDInsight cluster than on-premise or other third party service provider

+- The spark job is slower in one HDI cluster than another HDI cluster

+The performance of your Apache Spark jobs depends on multiple factors. These performance factors include:

+- How your data is stored

+- How the cluster is configured

+- The operations that are used when processing the data.

+- Unhealthy yarn service

+- Memory constraints due to improperly sized executors and OutOfMemoryError

+- Too many tasks or too few tasks

+- Data skew caused a few heavy tasks or slow tasks

+- Tasks slower in bad nodes

+## Step 1: Check if your yarn service is healthy

+1. Go to Ambari UI:

+- Check if ResourceManager or NodeManager alerts

+- Check ResourceManager and NodeManager status in YARN > SUMMARY: All NodeManager should be in Started and only Active ResourceManager should be in Started

+2. Check if Yarn UI is accessible through `https://YOURCLUSTERNAME.azurehdinsight.net/yarnui/hn/cluster`

+3. Check if any exceptions or errors in ResourceManager log in `/var/log/hadoop-yarn/yarn/hadoop-yarn-resourcemanager-*.log`

+See more information in [Yarn Common Issues](../hdinsight-troubleshoot-yarn.md#how-do-i-troubleshoot-yarn-common-issues)

+## Step 2: Compare your new application resources with yarn available resources

+1. Go to **Ambari UI > YARN > SUMMARY**, check **CLUSTER MEMORY** in ServiceMetrics

+2. Check yarn queue metrics in details:

+- Go to Yarn UI, check Yarn scheduler metrics through `https://YOURCLUSTERNAME.azurehdinsight.net/yarnui/hn/cluster/scheduler`

+- Alternatively, you can check yarn scheduler metrics through Yarn Rest API. For example, `curl -u "xxxx" -sS -G "https://YOURCLUSTERNAME.azurehdinsight.net/ws/v1/cluster/scheduler"`. For ESP, you should use domain admin user.

+3. Calculate total resources for your new application

+- All executors resources: `spark.executor.instances * (spark.executor.memory + spark.yarn.executor.memoryOverhead) and spark.executor.instances * spark.executor.cores`. See more information in [spark executors configuration](apache-spark-settings.md#configuring-spark-executors)

+- ApplicationMaster

+ - In cluster mode, use `spark.driver.memory` and `spark.driver.cores`

+ - In client mode, use `spark.yarn.am.memory+spark.yarn.am.memoryOverhead` and `spark.yarn.am.cores`

+> [!NOTE]

+> `yarn.scheduler.minimum-allocation-mb <= spark.executor.memory+spark.yarn.executor.memoryOverhead <= yarn.scheduler.maximum-allocation-mb`

+4. Compare your new application total resources with yarn available resources in your specified queue

+## Step 3: Track your spark application

+1. [Monitor your running spark application through Spark UI](apache-spark-job-debugging.md#track-an-application-in-the-spark-ui)

+2. [Monitor your complete or incomplete spark application through Spark History Server UI](apache-spark-job-debugging.md#find-information-about-completed-jobs-using-the-spark-history-server)

+We need to identify below symptoms through Spark UI or Spark History UI:

+- Which stage is slow

+- Are total executor CPU v-cores fully utilized in Event-Timeline in **Stage** tab

+- If using spark sql, what's the physical plan in SQL tab

+- Is DAG too long in one stage

+- Observe tasks metrics(input size, shuffle write size, GC Time) in **Stage** tab

+See more information in [Monitoring your Spark Applications ](https://spark.apache.org/docs/latest/monitoring.html)

+## Step 4: Optimize your spark application

+There are many optimizations that can help you overcome these challenges, such as caching, and allowing for data skew.

+### Optimize Spark SQL partitions

+- `spark.sql.shuffle.paritions` is 200 by default. We can adjust based on the business needs when shuffling data for joins or aggregations.

+- `spark.sql.files.maxPartitionBytes` is 1G by default in HDI. The maximum number of bytes to pack into a single partition when reading files. This configuration is effective only when using file-based sources such as Parquet, JSON and ORC.

+- AQE in Spark 3.0. See [Adaptive Query Execution](https://spark.apache.org/docs/latest/sql-performance-tuning.html#adaptive-query-execution)

+## Tasks slower on some executors or nodes

+ * Python: [send_message_x509.py](https://github.com/Azure/azure-iot-sdk-python/blob/main/samples/async-hub-scenarios/send_message_x509.py)

+ * Python: [send_message_x509.py](https://github.com/Azure/azure-iot-sdk-python/blob/main/samples/async-hub-scenarios/send_message_x509.py)

+1. Get the sample for **send_message_downstream** from the [Azure IoT device SDK for Python samples](https://github.com/Azure/azure-iot-sdk-python/tree/main/samples/async-edge-scenarios).

+- [Azure IoT Edge for Linux on Windows virtual switch creation](./how-to-create-virtual-switch.md)

+- [Azure IoT Edge for Linux on Windows virtual switch creation](./how-to-create-virtual-switch.md)

+To add a firewall rule to the EFLOW VM, you can use the [EFLOW Util - Firewall Rules](https://github.com/Azure/iotedge-eflow/tree/main/eflow-util#get-eflowvmfirewallrules) sample PowerShell cmdlets. Also, you can achieve the same rules creation by following these steps:

+1. On Windows Client SKUs, check the [HCS](/virtualization/community/team-blog/2017/20170127-introducing-the-host-compute-service-hcs) virtual machines.

+1. On Windows Server SKUs, check the [VMMS](/windows-server/virtualization/hyper-v/hyper-v-technology-overview) virtual machines

+>[!Note]

+>Publicly trusted certificates are sent to Certificate Authorities (CAs) and Certificate Transparency (CT) logs outside of the Azure boundary during enrollment and will be covered by the GDPR policies of those entities.

+> [!NOTE]

+> The values you provide for Azure resource or object IDs may be copied globally for the purpose of running the service. The value provided should not include personally identifiable or sensitive information.

+## Generate and import keys from on-premises HSM

+- To ensure long term portability and key durability, generate keys in your on-premises HSM and [import them to Managed HSM](hsm-protected-keys-byok.md). You will have a copy of your key securely stored in your on-premises HSM for future use.

+ Azure Key Vault Managed HSM supports importing keys generated in your on-premises hardware security module (HSM); the keys will never leave the HSM protection boundary. This scenario often is referred to as *bring your own key* (BYOK). Managed HSM uses the Marvell LiquidSecurity HSM adapters (FIPS 140-2 Level 3 validated) to protect your keys.

+- Generate HSM-protected keys in your on-premises HSM and import them securely into Managed HSM.

+1. On the **Logic apps** pane, select the logic app that you deployed from Visual Studio Code.

+Azure Machine Learning offers the following two experiences for working with automated ML. See the following sections to understand feature availability in each experience.

+* For code-experienced customers, [Azure Machine Learning Python SDK](/python/api/overview/azure/ml/intro). Get started with [Tutorial: Train an object detection model (preview) with AutoML and Python](tutorial-auto-train-image-models.md)

+Different from classification where predicted output values are categorical, regression models predict numerical output values based on independent predictors. In regression, the objective is to help establish the relationship among those independent predictor variables by estimating how one variable impacts the others. For example, automobile price based on features like, gas mileage, safety rating, etc. Learn more and see an example of [regression with automated machine learning](v1/how-to-auto-train-models-v1.md).

+ Learn about the parity between the [Python SDK and studio web experience](#ways-to-use-automl-in-azure-machine-learning).

+- [Create data assets](how-to-create-data-assets.md#create-data-assets)

+| Microsoft storage access | \*.blob.core.chinacloudapi.cn | TCP | 443 |

+* This article assumes some familiarity with setting up an automated machine learning experiment. Follow the [how-to](how-to-configure-auto-train.md) to see the main automated machine learning experiment design patterns.

+* Learn more about [How to deploy an AutoML model to an online endpoint](how-to-deploy-automl-endpoint.md).

+* Learn more about [how to train a regression model by using automated machine learning](./v1/how-to-auto-train-models-v1.md) or [how to train by using automated machine learning on a remote resource](./v1/concept-automated-ml-v1.md#local-remote).

+* Familiarity with setting up an automated machine learning experiment with the Azure Machine Learning SDK. Follow the [tutorial](tutorial-auto-train-image-models.md) or [how-to](how-to-configure-auto-train.md) to see the fundamental automated machine learning experiment design patterns.

+ Title: Create Data Assets

+description: Learn how to create Azure Machine Learning data assets.

+# Customer intent: As an experienced data scientist, I need to package my data into a consumable and reusable object to train my machine learning models.

+# Create data assets

+> [!div class="op_single_selector" title1="Select the version of Azure Machine Learning SDK you are using:"]

+> * [v1](./v1/how-to-create-register-datasets.md)

+> * [v2 (current version)](how-to-create-data-assets.md)

+In this article, you learn how to create a data asset in Azure Machine Learning. By creating a data asset, you create a *reference* to the data source location, along with a copy of its metadata. Because the data remains in its existing location, you incur no extra storage cost, and don't risk the integrity of your data sources. You can create Data from datastores, Azure Storage, public URLs, and local files.

+The benefits of creating data assets are:

+* You can **share and reuse data** with other members of the team such that they do not need to remember file locations.

+* You can **seamlessly access data** during model training (on any supported compute type) without worrying about connection strings or data paths.

+* You can **version** the data.

+## Prerequisites

+To create and work with data assets, you need:

+* An Azure subscription. If you don't have one, create a free account before you begin. Try the [free or paid version of Azure Machine Learning](https://azure.microsoft.com/free/).

+* An Azure Machine Learning workspace. [Create workspace resources](quickstart-create-resources.md).

+* The [Azure Machine Learning CLI/SDK installed](how-to-configure-cli.md) and MLTable package installed (`pip install mltable`).

+## Supported paths

+When you create a data asset in Azure Machine Learning, you'll need to specify a `path` parameter that points to its location. Below is a table that shows the different data locations supported in Azure Machine Learning and examples for the `path` parameter:

+|Location | Examples |

+|||

+|A path on your local computer | `./home/username/data/my_data` |

+|A path on a public http(s) server | `https://raw.githubusercontent.com/pandas-dev/pandas/main/doc/data/titanic.csv` |

+|A path on Azure Storage | `https://<account_name>.blob.core.windows.net/<container_name>/path` <br> `abfss://<file_system>@<account_name>.dfs.core.windows.net/<path>` |

+|A path on a datastore | `azureml://datastores/<data_store_name>/paths/<path>` |

+> [!NOTE]

+> When you create a data asset from a local path, it will be automatically uploaded to the default Azure Machine Learning datastore in the cloud.

+## Create a `uri_folder` data asset

+Below shows you how to create a *folder* as an asset:

+# [CLI](#tab/CLI)

+Create a `YAML` file (`<file-name>.yml`):

+```yaml

+$schema: https://azuremlschemas.azureedge.net/latest/data.schema.json

+# Supported paths include:

+# local: ./<path>

+# blob: https://<account_name>.blob.core.windows.net/<container_name>/<path>

+# ADLS gen2: abfss://<file_system>@<account_name>.dfs.core.windows.net/<path>/

+# Datastore: azureml://datastores/<data_store_name>/paths/<path>

+type: uri_folder

+name: <name_of_data>

+description: <description goes here>

+path: <path>

+```

+Next, create the data asset using the CLI:

+```azurecli

+az ml data create -f <file-name>.yml

+```

+# [Python-SDK](#tab/Python-SDK)

+You can create a data asset in Azure Machine Learning using the following Python Code:

+```python

+from azure.ai.ml.entities import Data

+from azure.ai.ml.constants import AssetTypes

+# Supported paths include:

+# local: './<path>'

+# blob: 'https://<account_name>.blob.core.windows.net/<container_name>/<path>'

+# ADLS gen2: 'abfss://<file_system>@<account_name>.dfs.core.windows.net/<path>/'

+# Datastore: 'azureml://datastores/<data_store_name>/paths/<path>'

+my_path = '<path>'

+my_data = Data(

+ path=my_path,

+ type=AssetTypes.URI_FOLDER,

+ description="<description>",

+ name="<name>",

+ version='<version>'

+)

+ml_client.data.create_or_update(my_data)

+```

+## Create a `uri_file` data asset

+Below shows you how to create a *specific file* as a data asset:

+# [CLI](#tab/CLI)

+Sample `YAML` file `<file-name>.yml` for data in local path is as below:

+```yaml

+$schema: https://azuremlschemas.azureedge.net/latest/data.schema.json

+# Supported paths include:

+# local: ./<path>/<file>

+# blob: https://<account_name>.blob.core.windows.net/<container_name>/<path>/<file>

+# ADLS gen2: abfss://<file_system>@<account_name>.dfs.core.windows.net/<path>/<file>

+# Datastore: azureml://datastores/<data_store_name>/paths/<path>/<file>

+type: uri_file

+name: <name>

+description: <description>

+path: <uri>

+```

+```cli

+> az ml data create -f <file-name>.yml

+```

+# [Python-SDK](#tab/Python-SDK)

+```python

+from azure.ai.ml.entities import Data

+from azure.ai.ml.constants import AssetTypes

+# Supported paths include:

+# local: './<path>/<file>'

+# blob: 'https://<account_name>.blob.core.windows.net/<container_name>/<path>/<file>'

+# ADLS gen2: 'abfss://<file_system>@<account_name>.dfs.core.windows.net/<path>/<file>'

+# Datastore: 'azureml://datastores/<data_store_name>/paths/<path>/<file>'

+my_path = '<path>'

+my_data = Data(

+ path=my_path,

+ type=AssetTypes.URI_FILE,

+ description="<description>",

+ name="<name>",

+ version="<version>"

+)

+ml_client.data.create_or_update(my_data)

+```

+

+## Create a `mltable` data asset

+`mltable` is a way to abstract the schema definition for tabular data to make it easier to share data assets (an overview can be found in [MLTable](concept-data.md#mltable)).

+In this section, we show you how to create a data asset when the type is an `mltable`.

+### The MLTable file

+The MLTable file is a file that provides the specification of the data's schema so that the `mltable` *engine* can materialize the data into an in-memory object (Pandas/Dask/Spark). An *example* MLTable file is provided below:

+```yml

+type: mltable

+paths:

+ - pattern: ./*.txt

+transformations:

+ - read_delimited:

+ delimiter: ,

+ encoding: ascii

+ header: all_files_same_headers

+```

+> [!IMPORTANT]

+> We recommend co-locating the MLTable file with the underlying data in storage. For example:

+>

+> ```Text

+> Γö£ΓöÇΓöÇ my_data

+> Γöé Γö£ΓöÇΓöÇ MLTable

+> Γöé Γö£ΓöÇΓöÇ file_1.txt

+> .

+> .

+> .

+> Γöé Γö£ΓöÇΓöÇ file_n.txt

+> ```

+> Co-locating the MLTable with the data ensures a **self-contained *artifact*** where all that is needed is stored in that one folder (`my_data`); regardless of whether that folder is stored on your local drive or in your cloud store or on a public http server. You should **not** specify *absolute paths* in the MLTable file.

+In your Python code, you materialize the MLTable artifact into a Pandas dataframe using:

+```python

+import mltable

+tbl = mltable.load(uri="./my_data")

+df = tbl.to_pandas_dataframe()

+```

+The `uri` parameter in `mltable.load()` should be a valid path to a local or cloud **folder** which contains a valid MLTable file.

+> [!NOTE]

+> You will need the `mltable` library installed in your Environment (`pip install mltable`).

+Below shows you how to create an `mltable` data asset. The `path` can be any of the supported path formats outlined above.

+# [CLI](#tab/CLI)

+Create a `YAML` file (`<file-name>.yml`):

+```yaml

+$schema: https://azuremlschemas.azureedge.net/latest/data.schema.json

+# path must point to **folder** containing MLTable artifact (MLTable file + data

+# Supported paths include:

+# local: ./<path>

+# blob: https://<account_name>.blob.core.windows.net/<container_name>/<path>

+# ADLS gen2: abfss://<file_system>@<account_name>.dfs.core.windows.net/<path>/

+# Datastore: azureml://datastores/<data_store_name>/paths/<path>

+type: mltable

+name: <name_of_data>

+description: <description goes here>

+path: <path>

+```

+> [!NOTE]

+> The path points to the **folder** containing the MLTable artifact.

+Next, create the data asset using the CLI:

+```azurecli

+az ml data create -f <file-name>.yml

+```

+# [Python-SDK](#tab/Python-SDK)

+You can create a data asset in Azure Machine Learning using the following Python Code:

+```python

+from azure.ai.ml.entities import Data

+from azure.ai.ml.constants import AssetTypes

+# my_path must point to folder containing MLTable artifact (MLTable file + data

+# Supported paths include:

+# local: './<path>'

+# blob: 'https://<account_name>.blob.core.windows.net/<container_name>/<path>'

+# ADLS gen2: 'abfss://<file_system>@<account_name>.dfs.core.windows.net/<path>/'

+# Datastore: 'azureml://datastores/<data_store_name>/paths/<path>'

+my_path = '<path>'

+my_data = Data(

+ path=my_path,

+ type=AssetTypes.MLTABLE,

+ description="<description>",

+ name="<name>",

+ version='<version>'

+)

+ml_client.data.create_or_update(my_data)

+```

+> [!NOTE]

+> The path points to the **folder** containing the MLTable artifact.

+## Next steps

+- [Read data in a job](how-to-read-write-data-v2.md#read-data-in-a-job)

+- [Create data assets](how-to-create-data-assets.md#create-data-assets)

+* This article assumes some familiarity with setting up an automated machine learning experiment. Follow the [tutorial](tutorial-auto-train-image-models.md) or [how-to](how-to-configure-auto-train.md) to see the main automated machine learning experiment design patterns.

+* Learn more about [how and where to deploy a model](how-to-deploy-and-where.md).

+* Maximize chances to recover logs, notebooks, docker images, and other metadata.

+> Azure Machine Learning itself does not provide automatic failover or disaster recovery. Backup and restore of workspace metadata such as run history is unavailable.

+Azure Machine Learning depends on multiple Azure services. Some of these services are provisioned in your subscription. You're responsible for the high-availability configuration of these services. Other services are created in a Microsoft subscription and are managed by Microsoft.

+* **Associated resources**: Resources provisioned in your subscription during Azure Machine Learning workspace creation. These resources include Azure Storage, Azure Key Vault, Azure Container Registry, and Application Insights.

+### Manage machine learning assets as code

+> [!NOTE]

+> Backup and restore of workspace metadata such as run history, models and environments is unavailable. Specifying assets and configurations as code using YAML specs, will help you re-recreate assets across workspaces in case of a disaster.

+To learn about repeatable infrastructure deployments with Azure Machine Learning, use an [Azure Resource Manager template](https://docs.microsoft.com/azure/machine-learning/tutorial-create-secure-workspace-template).

+- Knowledge of building automated ML experiments. For more information on how to use the Azure Machine Learning SDK, complete this [object detection model tutorial](tutorial-auto-train-image-models.md) or see how to [configure automated ML experiments](how-to-configure-auto-train.md).

+Azure Machine Learning's v2 REST APIs, Azure CLI extension, and Python SDK (preview) introduce consistency and a set of new features to accelerate the production machine learning lifecycle. This article provides an overview of migrating from v1 to v2 with recommendations to help you decide on v1, v2, or both.

+|REST|Fewest dependencies and overhead. Use for building applications on Azure ML as a platform, directly in programming languages without an SDK provided, or per personal preference.|

+|Managed batch endpoint|ParallelRunStep in a pipeline for batch scoring|Enterprise-grade managed model deployment infrastructure with massively parallel batch processing for production.|

+|Azure Arc Kubernetes|N/A|Manage your own Kubernetes cluster(s) in other clouds or on-premises, giving flexibility and granular control at the cost of IT overhead.|

+We recommend migrating the code for [creating data assets](how-to-create-data-assets.md) to v2.

+1. Select a data asset from your storage container, or create a new data asset. Data asset can be created from local files, web urls, datastores, or Azure open datasets. Learn more about [data asset creation](how-to-create-data-assets.md).

+- [Tutorial: Train an object detection model (preview) with AutoML and Python](tutorial-auto-train-image-models.md)

+* For a code first example of an object detection model, see the [Tutorial: Train an object detection model (preview) with AutoML and Python](tutorial-auto-train-image-models.md).

+* For a code first example of an object detection model, see the [Tutorial: Train an object detection model (preview) with AutoML and Python](tutorial-auto-train-image-models.md),

+* For code-experienced customers, [Azure Machine Learning Python SDK](/python/api/overview/azure/ml/intro). Get started with [Tutorial: Use automated machine learning to predict taxi fares (v1)](how-to-auto-train-models-v1.md).

+Different from classification where predicted output values are categorical, regression models predict numerical output values based on independent predictors. In regression, the objective is to help establish the relationship among those independent predictor variables by estimating how one variable impacts the others. For example, automobile price based on features like, gas mileage, safety rating, etc. Learn more and see an example of [regression with automated machine learning (v1)](how-to-auto-train-models-v1.md).

+ Title: 'AutoML-train regression model (SDK v1)'

+description: Train a regression model to predict NYC taxi fares with the Azure Machine Learning Python SDK using Azure Machine Learning automated ML SDK (v1).

+# Train a regression model with AutoML and Python (SDK v1)

+In this article, you learn how to train a regression model with the Azure Machine Learning Python SDK using Azure Machine Learning automated ML. This regression model predicts NYC taxi fares.

+This process accepts training data and configuration settings, and automatically iterates through combinations of different feature normalization/standardization methods, models, and hyperparameter settings to arrive at the best model.

+

+You'll write code using the Python SDK in this article. You'll learn the following tasks:

+> [!div class="checklist"]

+> * Download, transform, and clean data using Azure Open Datasets

+> * Train an automated machine learning regression model

+> * Calculate model accuracy

+For no-code AutoML, try the following tutorials:

+* [Tutorial: Train no-code classification models](../tutorial-first-experiment-automated-ml.md)

+* [Tutorial: Forecast demand with automated machine learning](../tutorial-automated-ml-forecast.md)

+## Prerequisites

+If you donΓÇÖt have an Azure subscription, create a free account before you begin. Try the [free or paid version](https://azure.microsoft.com/free/) of Azure Machine Learning today.

+* Complete the [Quickstart: Get started with Azure Machine Learning](../quickstart-create-resources.md) if you don't already have an Azure Machine Learning workspace or a compute instance.

+* After you complete the quickstart:

+ 1. Select **Notebooks** in the studio.

+ 1. Select the **Samples** tab.

+ 1. Open the *tutorials/regression-automl-nyc-taxi-data/regression-automated-ml.ipynb* notebook.

+ 1. To run each cell in the tutorial, select **Clone this notebook**

+This article is also available on [GitHub](https://github.com/Azure/MachineLearningNotebooks/tree/master/tutorials) if you wish to run it in your own [local environment](../how-to-configure-environment.md#local).

+To get the required packages,

+* [Install the full `automl` client](https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/README.md#setup-using-a-local-conda-environment).

+* Run `pip install azureml-opendatasets azureml-widgets` to get the required packages.

+## Download and prepare data

+Import the necessary packages. The Open Datasets package contains a class representing each data source (`NycTlcGreen` for example) to easily filter date parameters before downloading.

+```python

+from azureml.opendatasets import NycTlcGreen

+import pandas as pd

+from datetime import datetime

+from dateutil.relativedelta import relativedelta

+```

+Begin by creating a dataframe to hold the taxi data. When working in a non-Spark environment, Open Datasets only allows downloading one month of data at a time with certain classes to avoid `MemoryError` with large datasets.

+To download taxi data, iteratively fetch one month at a time, and before appending it to `green_taxi_df` randomly sample 2,000 records from each month to avoid bloating the dataframe. Then preview the data.

+```python

+green_taxi_df = pd.DataFrame([])

+start = datetime.strptime("1/1/2015","%m/%d/%Y")

+end = datetime.strptime("1/31/2015","%m/%d/%Y")

+for sample_month in range(12):

+ temp_df_green = NycTlcGreen(start + relativedelta(months=sample_month), end + relativedelta(months=sample_month)) \

+ .to_pandas_dataframe()

+ green_taxi_df = green_taxi_df.append(temp_df_green.sample(2000))

+green_taxi_df.head(10)

+```

+|vendorID| lpepPickupDatetime| lpepDropoffDatetime| passengerCount| tripDistance| puLocationId| doLocationId| pickupLongitude| pickupLatitude| dropoffLongitude |...| paymentType |fareAmount |extra| mtaTax| improvementSurcharge| tipAmount| tollsAmount| ehailFee| totalAmount| tripType|

+|-|-|-|-|-|-||--||||-|-|-|--||-|--|-|-|-|

+|131969|2|2015-01-11 05:34:44|2015-01-11 05:45:03|3|4.84|None|None|-73.88|40.84|-73.94|...|2|15.00|0.50|0.50|0.3|0.00|0.00|nan|16.30|

+|1129817|2|2015-01-20 16:26:29|2015-01-20 16:30:26|1|0.69|None|None|-73.96|40.81|-73.96|...|2|4.50|1.00|0.50|0.3|0.00|0.00|nan|6.30|

+|1278620|2|2015-01-01 05:58:10|2015-01-01 06:00:55|1|0.45|None|None|-73.92|40.76|-73.91|...|2|4.00|0.00|0.50|0.3|0.00|0.00|nan|4.80|

+|348430|2|2015-01-17 02:20:50|2015-01-17 02:41:38|1|0.00|None|None|-73.81|40.70|-73.82|...|2|12.50|0.50|0.50|0.3|0.00|0.00|nan|13.80|

+1269627|1|2015-01-01 05:04:10|2015-01-01 05:06:23|1|0.50|None|None|-73.92|40.76|-73.92|...|2|4.00|0.50|0.50|0|0.00|0.00|nan|5.00|

+|811755|1|2015-01-04 19:57:51|2015-01-04 20:05:45|2|1.10|None|None|-73.96|40.72|-73.95|...|2|6.50|0.50|0.50|0.3|0.00|0.00|nan|7.80|

+|737281|1|2015-01-03 12:27:31|2015-01-03 12:33:52|1|0.90|None|None|-73.88|40.76|-73.87|...|2|6.00|0.00|0.50|0.3|0.00|0.00|nan|6.80|

+|113951|1|2015-01-09 23:25:51|2015-01-09 23:39:52|1|3.30|None|None|-73.96|40.72|-73.91|...|2|12.50|0.50|0.50|0.3|0.00|0.00|nan|13.80|

+|150436|2|2015-01-11 17:15:14|2015-01-11 17:22:57|1|1.19|None|None|-73.94|40.71|-73.95|...|1|7.00|0.00|0.50|0.3|1.75|0.00|nan|9.55|

+|432136|2|2015-01-22 23:16:33 2015-01-22 23:20:13 1 0.65|None|None|-73.94|40.71|-73.94|...|2|5.00|0.50|0.50|0.3|0.00|0.00|nan|6.30|

+Remove some of the columns that you won't need for training or additional feature building. Automate machine learning will automatically handle time-based features such as **lpepPickupDatetime**.

+```python

+columns_to_remove = ["lpepDropoffDatetime", "puLocationId", "doLocationId", "extra", "mtaTax",

+ "improvementSurcharge", "tollsAmount", "ehailFee", "tripType", "rateCodeID",

+ "storeAndFwdFlag", "paymentType", "fareAmount", "tipAmount"

+ ]

+for col in columns_to_remove:

+ green_taxi_df.pop(col)

+green_taxi_df.head(5)

+```

+### Cleanse data

+Run the `describe()` function on the new dataframe to see summary statistics for each field.

+```python

+green_taxi_df.describe()

+```

+|vendorID|passengerCount|tripDistance|pickupLongitude|pickupLatitude|dropoffLongitude|dropoffLatitude| totalAmount|month_num day_of_month|day_of_week|hour_of_day

+|-|-|||-|||||||

+|count|48000.00|48000.00|48000.00|48000.00|48000.00|48000.00|48000.00|48000.00|48000.00|48000.00|

+|mean|1.78|1.37|2.87|-73.83|40.69|-73.84|40.70|14.75|6.50|15.13|

+|std|0.41|1.04|2.93|2.76|1.52|2.61|1.44|12.08|3.45|8.45|

+|min|1.00|0.00|0.00|-74.66|0.00|-74.66|0.00|-300.00|1.00|1.00|

+|25%|2.00|1.00|1.06|-73.96|40.70|-73.97|40.70|7.80|3.75|8.00|

+|50%|2.00|1.00|1.90|-73.94|40.75|-73.94|40.75|11.30|6.50|15.00|

+|75%|2.00|1.00|3.60|-73.92|40.80|-73.91|40.79|17.80|9.25|22.00|

+|max|2.00|9.00|97.57|0.00|41.93|0.00|41.94|450.00|12.00|30.00|

+From the summary statistics, you see that there are several fields that have outliers or values that will reduce model accuracy. First filter the lat/long fields to be within the bounds of the Manhattan area. This will filter out longer taxi trips or trips that are outliers in respect to their relationship with other features.

+Additionally filter the `tripDistance` field to be greater than zero but less than 31 miles (the haversine distance between the two lat/long pairs). This eliminates long outlier trips that have inconsistent trip cost.

+Lastly, the `totalAmount` field has negative values for the taxi fares, which don't make sense in the context of our model, and the `passengerCount` field has bad data with the minimum values being zero.

+Filter out these anomalies using query functions, and then remove the last few columns unnecessary for training.

+```python

+final_df = green_taxi_df.query("pickupLatitude>=40.53 and pickupLatitude<=40.88")

+final_df = final_df.query("pickupLongitude>=-74.09 and pickupLongitude<=-73.72")

+final_df = final_df.query("tripDistance>=0.25 and tripDistance<31")

+final_df = final_df.query("passengerCount>0 and totalAmount>0")

+columns_to_remove_for_training = ["pickupLongitude", "pickupLatitude", "dropoffLongitude", "dropoffLatitude"]

+for col in columns_to_remove_for_training:

+ final_df.pop(col)

+```

+Call `describe()` again on the data to ensure cleansing worked as expected. You now have a prepared and cleansed set of taxi, holiday, and weather data to use for machine learning model training.

+```python

+final_df.describe()

+```

+## Configure workspace

+Create a workspace object from the existing workspace. A [Workspace](/python/api/azureml-core/azureml.core.workspace.workspace) is a class that accepts your Azure subscription and resource information. It also creates a cloud resource to monitor and track your model runs. `Workspace.from_config()` reads the file **config.json** and loads the authentication details into an object named `ws`. `ws` is used throughout the rest of the code in this article.

+```python

+from azureml.core.workspace import Workspace

+ws = Workspace.from_config()

+```

+## Split the data into train and test sets

+Split the data into training and test sets by using the `train_test_split` function in the `scikit-learn` library. This function segregates the data into the x (**features**) data set for model training and the y (**values to predict**) data set for testing.

+The `test_size` parameter determines the percentage of data to allocate to testing. The `random_state` parameter sets a seed to the random generator, so that your train-test splits are deterministic.

+```python

+from sklearn.model_selection import train_test_split

+x_train, x_test = train_test_split(final_df, test_size=0.2, random_state=223)

+```

+The purpose of this step is to have data points to test the finished model that haven't been used to train the model, in order to measure true accuracy.

+In other words, a well-trained model should be able to accurately make predictions from data it hasn't already seen. You now have data prepared for auto-training a machine learning model.

+## Automatically train a model

+To automatically train a model, take the following steps:

+1. Define settings for the experiment run. Attach your training data to the configuration, and modify settings that control the training process.

+1. Submit the experiment for model tuning. After submitting the experiment, the process iterates through different machine learning algorithms and hyperparameter settings, adhering to your defined constraints. It chooses the best-fit model by optimizing an accuracy metric.

+### Define training settings

+Define the experiment parameter and model settings for training. View the full list of [settings](how-to-configure-auto-train-v1.md). Submitting the experiment with these default settings will take approximately 5-20 min, but if you want a shorter run time, reduce the `experiment_timeout_hours` parameter.

+|Property| Value in this article |Description|

+|-|-||

+|**iteration_timeout_minutes**|10|Time limit in minutes for each iteration. Increase this value for larger datasets that need more time for each iteration.|

+|**experiment_timeout_hours**|0.3|Maximum amount of time in hours that all iterations combined can take before the experiment terminates.|

+|**enable_early_stopping**|True|Flag to enable early termination if the score is not improving in the short term.|

+|**primary_metric**| spearman_correlation | Metric that you want to optimize. The best-fit model will be chosen based on this metric.|

+|**featurization**| auto | By using **auto**, the experiment can preprocess the input data (handling missing data, converting text to numeric, etc.)|

+|**verbosity**| logging.INFO | Controls the level of logging.|

+|**n_cross_validations**|5|Number of cross-validation splits to perform when validation data is not specified.|

+```python

+import logging

+automl_settings = {

+ "iteration_timeout_minutes": 10,

+ "experiment_timeout_hours": 0.3,

+ "enable_early_stopping": True,

+ "primary_metric": 'spearman_correlation',

+ "featurization": 'auto',

+ "verbosity": logging.INFO,

+ "n_cross_validations": 5

+}

+```

+Use your defined training settings as a `**kwargs` parameter to an `AutoMLConfig` object. Additionally, specify your training data and the type of model, which is `regression` in this case.

+```python

+from azureml.train.automl import AutoMLConfig

+automl_config = AutoMLConfig(task='regression',

+ debug_log='automated_ml_errors.log',

+ training_data=x_train,

+ label_column_name="totalAmount",

+ **automl_settings)

+```

+> [!NOTE]

+> Automated machine learning pre-processing steps (feature normalization, handling missing data,

+> converting text to numeric, etc.) become part of the underlying model. When using the model for

+> predictions, the same pre-processing steps applied during training are applied to

+> your input data automatically.

+### Train the automatic regression model

+Create an experiment object in your workspace. An experiment acts as a container for your individual jobs. Pass the defined `automl_config` object to the experiment, and set the output to `True` to view progress during the job.

+After starting the experiment, the output shown updates live as the experiment runs. For each iteration, you see the model type, the run duration, and the training accuracy. The field `BEST` tracks the best running training score based on your metric type.

+```python

+from azureml.core.experiment import Experiment

+experiment = Experiment(ws, "Tutorial-NYCTaxi")

+local_run = experiment.submit(automl_config, show_output=True)

+```

+```output

+Running on local machine

+Parent Run ID: AutoML_1766cdf7-56cf-4b28-a340-c4aeee15b12b

+Current status: DatasetFeaturization. Beginning to featurize the dataset.

+Current status: DatasetEvaluation. Gathering dataset statistics.

+Current status: FeaturesGeneration. Generating features for the dataset.

+Current status: DatasetFeaturizationCompleted. Completed featurizing the dataset.

+Current status: DatasetCrossValidationSplit. Generating individually featurized CV splits.

+Current status: ModelSelection. Beginning model selection.

+****************************************************************************************************

+ITERATION: The iteration being evaluated.

+PIPELINE: A summary description of the pipeline being evaluated.

+DURATION: Time taken for the current iteration.

+METRIC: The result of computing score on the fitted pipeline.

+BEST: The best observed score thus far.

+****************************************************************************************************

+ ITERATION PIPELINE DURATION METRIC BEST

+ 0 StandardScalerWrapper RandomForest 0:00:16 0.8746 0.8746

+ 1 MinMaxScaler RandomForest 0:00:15 0.9468 0.9468

+ 2 StandardScalerWrapper ExtremeRandomTrees 0:00:09 0.9303 0.9468

+ 3 StandardScalerWrapper LightGBM 0:00:10 0.9424 0.9468

+ 4 RobustScaler DecisionTree 0:00:09 0.9449 0.9468

+ 5 StandardScalerWrapper LassoLars 0:00:09 0.9440 0.9468

+ 6 StandardScalerWrapper LightGBM 0:00:10 0.9282 0.9468

+ 7 StandardScalerWrapper RandomForest 0:00:12 0.8946 0.9468

+ 8 StandardScalerWrapper LassoLars 0:00:16 0.9439 0.9468

+ 9 MinMaxScaler ExtremeRandomTrees 0:00:35 0.9199 0.9468

+ 10 RobustScaler ExtremeRandomTrees 0:00:19 0.9411 0.9468

+ 11 StandardScalerWrapper ExtremeRandomTrees 0:00:13 0.9077 0.9468

+ 12 StandardScalerWrapper LassoLars 0:00:15 0.9433 0.9468

+ 13 MinMaxScaler ExtremeRandomTrees 0:00:14 0.9186 0.9468

+ 14 RobustScaler RandomForest 0:00:10 0.8810 0.9468

+ 15 StandardScalerWrapper LassoLars 0:00:55 0.9433 0.9468

+ 16 StandardScalerWrapper ExtremeRandomTrees 0:00:13 0.9026 0.9468

+ 17 StandardScalerWrapper RandomForest 0:00:13 0.9140 0.9468

+ 18 VotingEnsemble 0:00:23 0.9471 0.9471

+ 19 StackEnsemble 0:00:27 0.9463 0.9471

+```

+## Explore the results

+Explore the results of automatic training with a [Jupyter widget](/python/api/azureml-widgets/azureml.widgets). The widget allows you to see a graph and table of all individual job iterations, along with training accuracy metrics and metadata. Additionally, you can filter on different accuracy metrics than your primary metric with the dropdown selector.

+```python

+from azureml.widgets import RunDetails

+RunDetails(local_run).show()

+```

+

+

+### Retrieve the best model

+Select the best model from your iterations. The `get_output` function returns the best run and the fitted model for the last fit invocation. By using the overloads on `get_output`, you can retrieve the best run and fitted model for any logged metric or a particular iteration.

+```python

+best_run, fitted_model = local_run.get_output()

+print(best_run)

+print(fitted_model)

+```

+### Test the best model accuracy

+Use the best model to run predictions on the test data set to predict taxi fares. The function `predict` uses the best model and predicts the values of y, **trip cost**, from the `x_test` data set. Print the first 10 predicted cost values from `y_predict`.

+```python

+y_test = x_test.pop("totalAmount")

+y_predict = fitted_model.predict(x_test)

+print(y_predict[:10])

+```

+Calculate the `root mean squared error` of the results. Convert the `y_test` dataframe to a list to compare to the predicted values. The function `mean_squared_error` takes two arrays of values and calculates the average squared error between them. Taking the square root of the result gives an error in the same units as the y variable, **cost**. It indicates roughly how far the taxi fare predictions are from the actual fares.

+```python

+from sklearn.metrics import mean_squared_error

+from math import sqrt

+y_actual = y_test.values.flatten().tolist()

+rmse = sqrt(mean_squared_error(y_actual, y_predict))

+rmse

+```

+Run the following code to calculate mean absolute percent error (MAPE) by using the full `y_actual` and `y_predict` data sets. This metric calculates an absolute difference between each predicted and actual value and sums all the differences. Then it expresses that sum as a percent of the total of the actual values.

+```python

+sum_actuals = sum_errors = 0

+for actual_val, predict_val in zip(y_actual, y_predict):

+ abs_error = actual_val - predict_val

+ if abs_error < 0:

+ abs_error = abs_error * -1

+ sum_errors = sum_errors + abs_error

+ sum_actuals = sum_actuals + actual_val

+mean_abs_percent_error = sum_errors / sum_actuals

+print("Model MAPE:")

+print(mean_abs_percent_error)

+print()

+print("Model Accuracy:")

+print(1 - mean_abs_percent_error)

+```

+```output

+Model MAPE:

+0.14353867606052823

+Model Accuracy:

+0.8564613239394718

+```

+From the two prediction accuracy metrics, you see that the model is fairly good at predicting taxi fares from the data set's features, typically within +- $4.00, and approximately 15% error.

+The traditional machine learning model development process is highly resource-intensive, and requires significant domain knowledge and time investment to run and compare the results of dozens of models. Using automated machine learning is a great way to rapidly test many different models for your scenario.

+## Clean up resources

+Do not complete this section if you plan on running other Azure Machine Learning tutorials.

+### Stop the compute instance

+### Delete everything

+If you don't plan to use the resources you created, delete them, so you don't incur any charges.

+1. In the Azure portal, select **Resource groups** on the far left.

+1. From the list, select the resource group you created.

+1. Select **Delete resource group**.

+1. Enter the resource group name. Then select **Delete**.

+You can also keep the resource group but delete a single workspace. Display the workspace properties and select **Delete**.

+## Next steps

+In this automated machine learning article, you did the following tasks:

+> [!div class="checklist"]

+> * Configured a workspace and prepared data for an experiment.

+> * Trained by using an automated regression model locally with custom parameters.

+> * Explored and reviewed training results.

+[Set up AutoML to train computer vision models with Python (v1)](how-to-auto-train-image-models-v1.md)

+* This article assumes some familiarity with setting up an automated machine learning experiment. Follow the [tutorial](how-to-auto-train-models-v1.md) or [how-to](../how-to-configure-auto-train.md) to see the main automated machine learning experiment design patterns.

+For an end to end example, see [Tutorial: AutoML- train regression model](how-to-auto-train-models-v1.md).

+ Title: Convert notebook code into Python scripts

+description: Turn your machine learning experimental notebooks into production-ready code using the MLOpsPython code template. You can then test, deploy, and automate that code.

+# Convert ML experiments to production Python code

+In this tutorial, you learn how to convert Jupyter notebooks into Python scripts to make it testing and automation friendly using the MLOpsPython code template and Azure Machine Learning. Typically, this process is used to take experimentation / training code from a Jupyter notebook and convert it into Python scripts. Those scripts can then be used testing and CI/CD automation in your production environment.

+A machine learning project requires experimentation where hypotheses are tested with agile tools like Jupyter Notebook using real datasets. Once the model is ready for production, the model code should be placed in a production code repository. In some cases, the model code must be converted to Python scripts to be placed in the production code repository. This tutorial covers a recommended approach on how to export experimentation code to Python scripts.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Clean nonessential code

+> * Refactor Jupyter Notebook code into functions

+> * Create Python scripts for related tasks

+> * Create unit tests

+## Prerequisites

+- Generate the [MLOpsPython template](https://github.com/microsoft/MLOpsPython/generate)

+and use the `experimentation/Diabetes Ridge Regression Training.ipynb` and `experimentation/Diabetes Ridge Regression Scoring.ipynb` notebooks. These notebooks are used as an example of converting from experimentation to production. You can find these notebooks at [https://github.com/microsoft/MLOpsPython/tree/master/experimentation](https://github.com/microsoft/MLOpsPython/tree/master/experimentation).

+- Install `nbconvert`. Follow only the installation instructions under section __Installing nbconvert__ on the [Installation](https://nbconvert.readthedocs.io/en/latest/install.html) page.

+## Remove all nonessential code

+Some code written during experimentation is only intended for exploratory purposes. Therefore, the first step to convert experimental code into production code is to remove this nonessential code. Removing nonessential code will also make the code more maintainable. In this section, you'll remove code from the `experimentation/Diabetes Ridge Regression Training.ipynb` notebook. The statements printing the shape of `X` and `y` and the cell calling `features.describe` are just for data exploration and can be removed. After removing nonessential code, `experimentation/Diabetes Ridge Regression Training.ipynb` should look like the following code without markdown:

+```python

+from sklearn.datasets import load_diabetes

+from sklearn.linear_model import Ridge

+from sklearn.metrics import mean_squared_error

+from sklearn.model_selection import train_test_split

+import joblib

+import pandas as pd

+sample_data = load_diabetes()

+df = pd.DataFrame(

+ data=sample_data.data,

+ columns=sample_data.feature_names)

+df['Y'] = sample_data.target

+X = df.drop('Y', axis=1).values

+y = df['Y'].values

+X_train, X_test, y_train, y_test = train_test_split(

+ X, y, test_size=0.2, random_state=0)

+data = {"train": {"X": X_train, "y": y_train},

+ "test": {"X": X_test, "y": y_test}}

+args = {

+ "alpha": 0.5

+}

+reg_model = Ridge(**args)

+reg_model.fit(data["train"]["X"], data["train"]["y"])

+preds = reg_model.predict(data["test"]["X"])

+mse = mean_squared_error(preds, y_test)

+metrics = {"mse": mse}

+print(metrics)

+model_name = "sklearn_regression_model.pkl"

+joblib.dump(value=reg, filename=model_name)

+```

+## Refactor code into functions

+Second, the Jupyter code needs to be refactored into functions. Refactoring code into functions makes unit testing easier and makes the code more maintainable. In this section, you'll refactor:

+- The Diabetes Ridge Regression Training notebook(`experimentation/Diabetes Ridge Regression Training.ipynb`)

+- The Diabetes Ridge Regression Scoring notebook(`experimentation/Diabetes Ridge Regression Scoring.ipynb`)

+### Refactor Diabetes Ridge Regression Training notebook into functions

+In `experimentation/Diabetes Ridge Regression Training.ipynb`, complete the following steps:

+1. Create a function called `split_data` to split the data frame into test and train data. The function should take the dataframe `df` as a parameter, and return a dictionary containing the keys `train` and `test`.

+ Move the code under the *Split Data into Training and Validation Sets* heading into the `split_data` function and modify it to return the `data` object.

+1. Create a function called `train_model`, which takes the parameters `data` and `args` and returns a trained model.

+ Move the code under the heading *Training Model on Training Set* into the `train_model` function and modify it to return the `reg_model` object. Remove the `args` dictionary, the values will come from the `args` parameter.

+1. Create a function called `get_model_metrics`, which takes parameters `reg_model` and `data`, and evaluates the model then returns a dictionary of metrics for the trained model.

+ Move the code under the *Validate Model on Validation Set* heading into the `get_model_metrics` function and modify it to return the `metrics` object.

+The three functions should be as follows:

+```python

+# Split the dataframe into test and train data

+def split_data(df):

+ X = df.drop('Y', axis=1).values

+ y = df['Y'].values

+ X_train, X_test, y_train, y_test = train_test_split(

+ X, y, test_size=0.2, random_state=0)

+ data = {"train": {"X": X_train, "y": y_train},

+ "test": {"X": X_test, "y": y_test}}

+ return data

+# Train the model, return the model

+def train_model(data, args):

+ reg_model = Ridge(**args)

+ reg_model.fit(data["train"]["X"], data["train"]["y"])

+ return reg_model

+# Evaluate the metrics for the model

+def get_model_metrics(reg_model, data):

+ preds = reg_model.predict(data["test"]["X"])

+ mse = mean_squared_error(preds, data["test"]["y"])

+ metrics = {"mse": mse}

+ return metrics

+```

+Still in `experimentation/Diabetes Ridge Regression Training.ipynb`, complete the following steps:

+1. Create a new function called `main`, which takes no parameters and returns nothing.

+1. Move the code under the "Load Data" heading into the `main` function.

+1. Add invocations for the newly written functions into the `main` function:

+ ```python

+ # Split Data into Training and Validation Sets

+ data = split_data(df)

+ ```

+ ```python

+ # Train Model on Training Set

+ args = {

+ "alpha": 0.5

+ }

+ reg = train_model(data, args)

+ ```

+ ```python

+ # Validate Model on Validation Set

+ metrics = get_model_metrics(reg, data)

+ ```

+1. Move the code under the "Save Model" heading into the `main` function.

+The `main` function should look like the following code:

+```python

+def main():

+ # Load Data

+ sample_data = load_diabetes()

+ df = pd.DataFrame(

+ data=sample_data.data,

+ columns=sample_data.feature_names)

+ df['Y'] = sample_data.target

+ # Split Data into Training and Validation Sets

+ data = split_data(df)

+ # Train Model on Training Set

+ args = {

+ "alpha": 0.5

+ }

+ reg = train_model(data, args)

+ # Validate Model on Validation Set

+ metrics = get_model_metrics(reg, data)

+ # Save Model

+ model_name = "sklearn_regression_model.pkl"

+ joblib.dump(value=reg, filename=model_name)

+```

+At this stage, there should be no code remaining in the notebook that isn't in a function, other than import statements in the first cell.

+Add a statement that calls the `main` function.

+```python

+main()

+```

+After refactoring, `experimentation/Diabetes Ridge Regression Training.ipynb` should look like the following code without the markdown:

+```python

+from sklearn.datasets import load_diabetes

+from sklearn.linear_model import Ridge

+from sklearn.metrics import mean_squared_error

+from sklearn.model_selection import train_test_split

+import pandas as pd

+import joblib

+# Split the dataframe into test and train data

+def split_data(df):

+ X = df.drop('Y', axis=1).values

+ y = df['Y'].values

+ X_train, X_test, y_train, y_test = train_test_split(

+ X, y, test_size=0.2, random_state=0)

+ data = {"train": {"X": X_train, "y": y_train},

+ "test": {"X": X_test, "y": y_test}}

+ return data

+# Train the model, return the model

+def train_model(data, args):

+ reg_model = Ridge(**args)

+ reg_model.fit(data["train"]["X"], data["train"]["y"])

+ return reg_model

+# Evaluate the metrics for the model

+def get_model_metrics(reg_model, data):

+ preds = reg_model.predict(data["test"]["X"])

+ mse = mean_squared_error(preds, data["test"]["y"])

+ metrics = {"mse": mse}

+ return metrics

+def main():

+ # Load Data

+ sample_data = load_diabetes()

+ df = pd.DataFrame(

+ data=sample_data.data,

+ columns=sample_data.feature_names)

+ df['Y'] = sample_data.target

+ # Split Data into Training and Validation Sets

+ data = split_data(df)

+ # Train Model on Training Set

+ args = {

+ "alpha": 0.5

+ }

+ reg = train_model(data, args)

+ # Validate Model on Validation Set

+ metrics = get_model_metrics(reg, data)

+ # Save Model

+ model_name = "sklearn_regression_model.pkl"

+ joblib.dump(value=reg, filename=model_name)

+main()

+```

+### Refactor Diabetes Ridge Regression Scoring notebook into functions

+In `experimentation/Diabetes Ridge Regression Scoring.ipynb`, complete the following steps:

+1. Create a new function called `init`, which takes no parameters and return nothing.

+1. Copy the code under the "Load Model" heading into the `init` function.

+The `init` function should look like the following code:

+```python

+def init():

+ model_path = Model.get_model_path(

+ model_name="sklearn_regression_model.pkl")

+ model = joblib.load(model_path)

+```

+Once the `init` function has been created, replace all the code under the heading "Load Model" with a single call to `init` as follows:

+```python

+init()

+```

+In `experimentation/Diabetes Ridge Regression Scoring.ipynb`, complete the following steps:

+1. Create a new function called `run`, which takes `raw_data` and `request_headers` as parameters and returns a dictionary of results as follows:

+ ```python

+ {"result": result.tolist()}

+ ```

+1. Copy the code under the "Prepare Data" and "Score Data" headings into the `run` function.

+ The `run` function should look like the following code (Remember to remove the statements that set the variables `raw_data` and `request_headers`, which will be used later when the `run` function is called):

+ ```python

+ def run(raw_data, request_headers):

+ data = json.loads(raw_data)["data"]

+ data = numpy.array(data)

+ result = model.predict(data)

+ return {"result": result.tolist()}

+ ```

+Once the `run` function has been created, replace all the code under the "Prepare Data" and "Score Data" headings with the following code:

+```python

+raw_data = '{"data":[[1,2,3,4,5,6,7,8,9,10],[10,9,8,7,6,5,4,3,2,1]]}'

+request_header = {}

+prediction = run(raw_data, request_header)

+print("Test result: ", prediction)

+```

+The previous code sets variables `raw_data` and `request_header`, calls the `run` function with `raw_data` and `request_header`, and prints the predictions.

+After refactoring, `experimentation/Diabetes Ridge Regression Scoring.ipynb` should look like the following code without the markdown:

+```python

+import json

+import numpy

+from azureml.core.model import Model

+import joblib

+def init():

+ model_path = Model.get_model_path(

+ model_name="sklearn_regression_model.pkl")

+ model = joblib.load(model_path)

+def run(raw_data, request_headers):

+ data = json.loads(raw_data)["data"]

+ data = numpy.array(data)

+ result = model.predict(data)

+ return {"result": result.tolist()}

+init()

+test_row = '{"data":[[1,2,3,4,5,6,7,8,9,10],[10,9,8,7,6,5,4,3,2,1]]}'

+request_header = {}

+prediction = run(test_row, {})

+print("Test result: ", prediction)

+```

+## Combine related functions in Python files

+Third, related functions need to be merged into Python files to better help code reuse. In this section, you'll be creating Python files for the following notebooks:

+- The Diabetes Ridge Regression Training notebook(`experimentation/Diabetes Ridge Regression Training.ipynb`)

+- The Diabetes Ridge Regression Scoring notebook(`experimentation/Diabetes Ridge Regression Scoring.ipynb`)

+### Create Python file for the Diabetes Ridge Regression Training notebook

+Convert your notebook to an executable script by running the following statement in a command prompt, which uses the `nbconvert` package and the path of `experimentation/Diabetes Ridge Regression Training.ipynb`:

+```

+jupyter nbconvert "Diabetes Ridge Regression Training.ipynb" --to script --output train

+```

+Once the notebook has been converted to `train.py`, remove any unwanted comments. Replace the call to `main()` at the end of the file with a conditional invocation like the following code:

+```python

+if __name__ == '__main__':

+ main()

+```

+Your `train.py` file should look like the following code:

+```python

+from sklearn.datasets import load_diabetes

+from sklearn.linear_model import Ridge

+from sklearn.metrics import mean_squared_error

+from sklearn.model_selection import train_test_split

+import pandas as pd

+import joblib

+# Split the dataframe into test and train data

+def split_data(df):

+ X = df.drop('Y', axis=1).values

+ y = df['Y'].values

+ X_train, X_test, y_train, y_test = train_test_split(

+ X, y, test_size=0.2, random_state=0)

+ data = {"train": {"X": X_train, "y": y_train},

+ "test": {"X": X_test, "y": y_test}}

+ return data

+# Train the model, return the model

+def train_model(data, args):

+ reg_model = Ridge(**args)

+ reg_model.fit(data["train"]["X"], data["train"]["y"])

+ return reg_model

+# Evaluate the metrics for the model

+def get_model_metrics(reg_model, data):

+ preds = reg_model.predict(data["test"]["X"])

+ mse = mean_squared_error(preds, data["test"]["y"])

+ metrics = {"mse": mse}

+ return metrics

+def main():

+ # Load Data

+ sample_data = load_diabetes()

+ df = pd.DataFrame(

+ data=sample_data.data,

+ columns=sample_data.feature_names)

+ df['Y'] = sample_data.target

+ # Split Data into Training and Validation Sets

+ data = split_data(df)

+ # Train Model on Training Set

+ args = {

+ "alpha": 0.5

+ }

+ reg = train_model(data, args)

+ # Validate Model on Validation Set

+ metrics = get_model_metrics(reg, data)

+ # Save Model

+ model_name = "sklearn_regression_model.pkl"

+ joblib.dump(value=reg, filename=model_name)

+if __name__ == '__main__':

+ main()

+```

+`train.py` can now be invoked from a terminal by running `python train.py`.

+The functions from `train.py` can also be called from other files.

+The `train_aml.py` file found in the `diabetes_regression/training` directory in the MLOpsPython repository calls the functions defined in `train.py` in the context of an Azure Machine Learning experiment job. The functions can also be called in unit tests, covered later in this guide.

+### Create Python file for the Diabetes Ridge Regression Scoring notebook

+Covert your notebook to an executable script by running the following statement in a command prompt that which uses the `nbconvert` package and the path of `experimentation/Diabetes Ridge Regression Scoring.ipynb`:

+```

+jupyter nbconvert "Diabetes Ridge Regression Scoring.ipynb" --to script --output score

+```

+Once the notebook has been converted to `score.py`, remove any unwanted comments. Your `score.py` file should look like the following code:

+```python

+import json

+import numpy

+from azureml.core.model import Model

+import joblib

+def init():

+ model_path = Model.get_model_path(

+ model_name="sklearn_regression_model.pkl")

+ model = joblib.load(model_path)

+def run(raw_data, request_headers):

+ data = json.loads(raw_data)["data"]

+ data = numpy.array(data)

+ result = model.predict(data)

+ return {"result": result.tolist()}

+init()

+test_row = '{"data":[[1,2,3,4,5,6,7,8,9,10],[10,9,8,7,6,5,4,3,2,1]]}'

+request_header = {}

+prediction = run(test_row, request_header)

+print("Test result: ", prediction)

+```

+The `model` variable needs to be global so that it's visible throughout the script. Add the following statement at the beginning of the `init` function:

+```python

+global model

+```

+After adding the previous statement, the `init` function should look like the following code:

+```python

+def init():

+ global model

+ # load the model from file into a global object

+ model_path = Model.get_model_path(

+ model_name="sklearn_regression_model.pkl")

+ model = joblib.load(model_path)

+```

+## Create unit tests for each Python file

+Fourth, create unit tests for your Python functions. Unit tests protect code against functional regressions and make it easier to maintain. In this section, you'll be creating unit tests for the functions in `train.py`.

+`train.py` contains multiple functions, but we'll only create a single unit test for the `train_model` function using the Pytest framework in this tutorial. Pytest isn't the only Python unit testing framework, but it's one of the most commonly used. For more information, visit [Pytest](https://pytest.org).

+A unit test usually contains three main actions:

+- Arrange object - creating and setting up necessary objects

+- Act on an object

+- Assert what is expected

+The unit test will call `train_model` with some hard-coded data and arguments, and validate that `train_model` acted as expected by using the resulting trained model to make a prediction and comparing that prediction to an expected value.

+```python

+import numpy as np

+from code.training.train import train_model

+def test_train_model():

+ # Arrange

+ X_train = np.array([1, 2, 3, 4, 5, 6]).reshape(-1, 1)

+ y_train = np.array([10, 9, 8, 8, 6, 5])

+ data = {"train": {"X": X_train, "y": y_train}}

+ # Act

+ reg_model = train_model(data, {"alpha": 1.2})

+ # Assert

+ preds = reg_model.predict([[1], [2]])

+ np.testing.assert_almost_equal(preds, [9.93939393939394, 9.03030303030303])

+```

+## Next steps

+Now that you understand how to convert from an experiment to production code, see the following links for more information and next steps:

+> * [v2 (current version)](../how-to-create-data-assets.md)

+The above instructions provide guidance for configuring a hybrid cluster. However, this is also a great way of achieving a seamless zero-downtime migration. If you have an on-premises or other Cassandra environment that you want to decommission with zero downtime, in favour of running your workload in Azure Managed Instance for Apache Cassandra, the following steps must be completed in this order:

+When you perform the migrate operation on a replicating virtual machine, you have the option to shut down the on-premises virtual machine and perform one final incremental replication to ensure zero data loss. On performing the migration, the replica managed disks corresponding to the virtual machine are used to create the virtual machine in Azure.

+When you perform the migrate operation on a replicating virtual machine, you have the option to shut down the on-premises virtual machine and perform one final incremental replication to ensure zero data loss. On performing the migration, the replica managed disks corresponding to the virtual machine are used to create the virtual machine in Azure.

+>[!Note]

+>If the user restarting the server is part of [custom role](../../role-based-access-control/custom-roles.md) the user should have write privilege on the server.

+>[!Note]

+>If the user restarting the server is part of [custom role](../../role-based-access-control/custom-roles.md) the user should have write privilege on the server.

+>[!Note]

+>If the user restarting the server is part of [custom role](../../role-based-access-control/custom-roles.md) the user should have write privilege on the server.

+>[!Note]

+>If the user restarting the server is part of [custom role](../../role-based-access-control/custom-roles.md) the user should have write privilege on the server.

+>[!Note]

+>If the user restarting the server is part of [custom role](../../role-based-access-control/custom-roles.md) the user should have write privilege on the server.

+The cloud offers significant benefits, but challenges when migrating a legacy on-premises payment application (involving payment HSMs) to the cloud must be addressed. Some of these are:

+The Azure Payment HSM is a part of a subscription service that offers single-tenant HSMs for the service customer to have complete administrative control and exclusive access to the HSM. The customer could be a payment service provider acting on behalf of multiple financial institutions or a financial institution that wishes to directly access the Azure Payment HSM service. Once the HSM is allocated to a customer, Microsoft has no access to customer data. Likewise, when the HSM is no longer required, customer data is zeroized and erased as soon as the HSM is released to ensure complete privacy and security is maintained. The customer is responsible for ensuring sufficient HSM subscriptions are active to meet their requirements for backup, disaster recovery, and resilience to achieve the same performance available on their on-premises HSMs.

+For existing Thales payShield customers wishing to add a cloud option, the Azure Payment HSM solution offers native access to a payment HSM in Azure for "lift and shift" while still experiencing the low latency they're accustomed to via their on-premises payShield HSMs. The solution also offers high-performance transactions for mission-critical payment applications. Consequently, customers can continue their digital transformation strategy by leveraging technology innovation in the cloud. Existing Thales payShield customers can utilize their existing remote management solutions (payShield Manager and payShield TMD together with associated smart card readers and smart cards as appropriate) to work with the Azure Payment HSM service. Customers new to payShield can source the hardware accessories from Thales or one of its partners before deploying their HSM as part of the subscription service.

+The solution provides clear benefits for both Payment HSM users with a legacy on-premises HSM footprint and those new payment ecosystem entrants with no legacy infrastructure to support and who may choose a cloud-native approach from the outset.

+Benefits for existing on-premises HSM users

+- Avoids introduction of on-premises HSM infrastructure

+ - If this site will support 5G user equipment (UEs):

+ - **N2 interface name** and **N3 interface name** must match the corresponding virtual network names on port 5 on your Azure Stack Edge Pro device.

+ - **N2 subnet** must match **N3 subnet**.

+ - **N2 gateway** must match **N3 gateway**.

+ - If this site will support 4G UEs:

+ - **S1-MME interface name** and **S1-U interface name** must match the corresponding virtual network names on port 5 on your Azure Stack Edge Pro device.

+ - **S1-MME subnet** must match **S1-U subnet**.

+ - **S1-MME gateway** must match **S1-U gateway**.

+1. In the **Attached data networks** section, select **Add data network**. Use the information you collected in [Collect data network values](collect-required-information-for-a-site.md#collect-data-network-values) to fill out the fields. Note the following:

+ - **N6 interface name** (if this site will support 5G UEs) or **SGi interface name** (if this site will support 4G UEs) must match the corresponding virtual network name on port 6 on your Azure Stack Edge Pro device.

+ - If you decided not to configure a DNS server, untick the **Specify DNS addresses for UEs?** checkbox.

+> **\*Data curator** - Data curators can read insights only if they are assigned data curator at the root collection level.

+> **\*\*Data source administrator permissions on Policies** - Data source administrators are also able to publish data policies.

+1. Get the license file from Profisee by raising a support ticket on [https://support.profisee.com/](https://support.profisee.com/). The only pre-requisite for this step is your need to pre-determine the DNS resolved URL your Profisee setup on Azure. In other words, keep the DNS HOST NAME of the load balancer used in the deployment. It will be something like "[profisee_name].[region].cloudapp.azure.com".

+1. [Create a user-assigned managed identity in Azure](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md#create-a-user-assigned-managed-identity). You must have a managed identity created to run the deployment. After the deployment is done, the managed identity can be deleted. Based on your ARM template choices, you'll need some or all of the following roles and permissions assigned to your managed identity:

+For more usage details on Profisee MDM, register for scheduled trainings, live product demonstration and Q&A on [Profisee Academy Tutorials and Demos](https://profisee.com/demo/)!

+ :::image type="content" source="./media/how-to-monitor-scan-runs/monitor-scan-runs.png" alt-text="View scan runs over time" lightbox="./media/how-to-monitor-scan-runs/monitor-scan-runs.png":::

+### Atlas endpoint

+For all the requests, you'll need the Atlas endpoint for your Microsoft Purview account.

+1. Find your Microsoft Purview account in the [Azure portal](https://portal.azure.com)

+1. Select the **Properties** page on the left side menu

+1. Copy the **Atlas endpoint** value

+You may choose between two different LSR modes, namely **Planar LSR** or **Depth LSR**. Both LSR modes improve hologram stability, although they have their distinct limitations. Start by trying Depth LSR, as it's arguably giving better results in most cases.

+Planar LSR doesn't have per-pixel depth information, as Depth LSR does. Instead it reprojects all content based on a plane that you must provide each frame.

+Depending on the `GraphicsBinding` used, ARR provides up to three reprojection modes that work orthogonally to the LSR mode discussed above. These modes are referred to as **:::no-loc text="Remote pose mode":::**, **:::no-loc text="Local pose mode":::**, and **:::no-loc text="Passthrough pose mode":::**. Unlike the LSR mode, the pose modes define how remote and local content is combined. The choice of the mode trades visual quality of local content for runtime performance, so applications should carefully consider which option is appropriate. See considerations below.

+### :::no-loc text="Passthrough pose mode":::

+This pose mode behaves essentially the same as **:::no-loc text="Remote pose mode":::**, meaning the local and remote content are combined in remote space. However, the content won't be reprojected after combination but remain in remote pose space. The main advantage of this mode is that the resulting image won't be affected by reprojection artifacts.

+Conceptually, this mode can be compared to conventional cloud-streaming applications. Due to the high latency it incurs, it isn't suitable for head-mounted scenarios, but is a viable alternative for Desktop and other flat-screen applications where higher image quality is desired. It's therefore only available on `GraphicsBindingSimD3D11` for the time being.

+The choice of the pose mode has visual quality and performance implications. The additional runtime cost on the client side for doing the extra reprojection in :::no-loc text="Local pose mode"::: on a HoloLens 2 device amounts to about 1 millisecond per frame of GPU time. This extra cost needs to be put into consideration if the client application is already close to the frame budget of 16 milliseconds. On the other hand, there are types of applications with either no local content or local content that is not prone to distortion artifacts. In those cases :::no-loc text="Local pose mode"::: doesn't gain any visual benefit because the quality of the remote content reprojection is unaffected.

+The general advice would thus be to test the modes on a per use case basis and see whether the gain in visual quality justifies the extra performance overhead. It's also possible to toggle the mode dynamically, for instance enable local mode only when important UIs are shown.

+In general, the mode can be changed anytime the graphics binding object is available. There's an important distinction for `GraphicsBindingSimD3D11`: the pose mode can only be changed to `PoseMode.Remote`, if it has been initialized with proxy textures. If this isn't the case, the pose mode can only be toggled between `PoseMode.Local` and `PoseMode.Passthrough` until the graphics binding is reinitialized. See the two overloads of `GraphicsBindingSimD3d11.InitSimulation`, which take either native pointers to [ID3D11Texture2D](/windows/win32/api/d3d11/nn-d3d11-id3d11texture2d) objects (proxy path) or the `width` and `height` of the desired user viewport (non-proxy path).

+If `PoseMode.Remote` is specified, the graphics binding will be initialized with offscreen proxy textures and all rendering will be redirected from the Unity scene's main camera to a proxy camera. This code path is only recommended for usage if runtime pose mode changes to `PoseMode.Remote` are required. If no pose mode is specified, the ARR Unity runtime will select an appropriate default depending on the current platform.

+If `PoseMode.Local` or `PoseMode.Passthrough` is used instead, the graphics binding won't be initialized with offscreen proxy textures and a fast path using the Unity scene's main camera to render will be used. If the respective use case requires remote pose mode at runtime, `PoseMode.Remote` should be specified on `RemoteManagerUnity` initialization. Directly rendering with Unity's main camera is more efficient and can prevent issues with other Unity extensions. Therefore, it's recommended to use the non-proxy rendering path.

+Custom roles can be shared between subscriptions that trust the same Azure AD tenant. There is a limit of **5,000** custom roles per tenant. (For Azure Germany and Azure China 21Vianet, the limit is 2,000 custom roles.) Custom roles can be created using the Azure portal, Azure PowerShell, Azure CLI, or the REST API.

+| `Name`</br>`roleName` | Yes | String | The display name of the custom role. While a role definition is a management group or subscription-level resource, a role definition can be used in multiple subscriptions that share the same Azure AD tenant. This display name must be unique at the scope of the Azure AD tenant. Can include letters, numbers, spaces, and special characters. Maximum number of characters is 512. |

+| `AssignableScopes`</br>`assignableScopes` | Yes | String[] | An array of strings that specifies the scopes that the custom role is available for assignment. Maximum number of `AssignableScopes` is 2,000. For more information, see [AssignableScopes](role-definitions.md#assignablescopes). |

+- In the [AssignableScopes](role-definitions.md#assignablescopes) section, get the management groups, subscriptions, and resource groups.

+- Iterate over the `AssignableScopes` and [list the role assignments](role-assignments-list-portal.md).

+- Each tenant can have up to **5000** custom roles.

+- Azure Germany and Azure China 21Vianet can have up to 2000 custom roles for each tenant.

+- Azure Resource Manager doesn't validate the management group's existence in the role definition's `AssignableScopes`.

+> | Microsoft.CognitiveServices/accounts/CustomVoice/endpoints/manifest/read | Returns an endpoint manifest which can be used in an on-premises container. |

+> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/models/base/manifest/read | Returns an manifest for this base model which can be used in an on-premises container. |

+> | Microsoft.CognitiveServices/accounts/SpeechServices/speechrest/models/manifest/read | Returns an manifest for this model which can be used in an on-premises container. |

+> | Microsoft.IoTSecurity/onPremiseSensors/read | Gets on-premises IoT Sensors |

+> | Microsoft.IoTSecurity/onPremiseSensors/write | Creates or updates on-premises IoT Sensors |

+> | Microsoft.IoTSecurity/onPremiseSensors/delete | Deletes on-premises IoT Sensors |

+> | Microsoft.IoTSecurity/onPremiseSensors/downloadActivation/action | Gets on-premises IoT Sensor Activation File |

+> | Microsoft.IoTSecurity/onPremiseSensors/downloadResetPassword/action | Downloads file for reset password of the on-premises IoT Sensor |

+The `AssignableScopes` property specifies the scopes (root, management group, subscriptions, or resource groups) where a role definition can be assigned. You can make a custom role available for assignment in only the management group, subscriptions, or resource groups that require it. You must use at least one management group, subscription, or resource group.

+For example, if `AssignableScopes` is set to a subscription, that means that the custom role is available for assignment at subscription scope for the specified subscription, resource group scope for any resource group in the subscription, or resource scope for any resource in the subscription.

+Built-in roles have `AssignableScopes` set to the root scope (`"/"`). The root scope indicates that the role is available for assignment in all scopes.

+Examples of valid assignable scopes include:

+You can define only one management group in `AssignableScopes` of a custom role. Adding a management group to `AssignableScopes` is currently in preview.

+Although it's possible to create a custom role with a resource instance in `AssignableScopes` using the command line, it's not recommended. Each tenant supports a maximum of 5000 custom roles. Using this strategy could potentially exhaust your available custom roles. Ultimately, the level of access is determined by the custom role assignment (scope + role permissions + security principal) and not the `AssignableScopes` listed in the custom role. So, create your custom roles with `AssignableScopes` of management group, subscription, or resource group, but assign the custom roles with narrow scope, such as resource or resource group.

+For more information about `AssignableScopes` for custom roles, see [Azure custom roles](custom-roles.md).

+Secure enterprise search connector for reliably indexing content from Atlassian Confluence and intelligently searching it with Azure Cognitive Search. It robustly indexes pages, blog posts, attachments, comments, spaces, profiles, and hub sites for tags from on-premises Confluence instances in near real time. The connector fully supports Atlassian ConfluenceΓÇÖs built-in user and group management, as well as Confluence installations based on Active Directory and other directory services.

+Secure enterprise search connector for reliably indexing content from Atlassian Jira and intelligently searching it with Azure Cognitive Search. It robustly indexes projects, issues, attachments, comments, work logs, issue histories, links, and profiles from on-premises Jira instances in near real time. The connector fully supports Atlassian JiraΓÇÖs built-in user and group management, as well as Jira installations based on Active Directory and other directory services.

+Secure enterprise search connector for reliably indexing content from Jive and intelligently searching it with Azure Cognitive Search. It robustly indexes discussions, polls, files, blogs, spaces, groups, projects, tasks, videos, messages, ideas, profiles, and status updates from on-premises and cloud-hosted Jive instances in near real time. The connector fully supports JiveΓÇÖs built-in user and group management and supports JiveΓÇÖs native authentication models, OAuth and Basic authentication.

+Our Microsoft Dynamics 365 CRM connector supports both on-premises CRM installations and Dynamics CRM Online.

+Customer-managed keys can be stored on-premises or, more commonly, in a cloud key management service.

+|**All on-premises environments** | - Review privileged access on-premises and remove unnecessary permissions<br> - Reduce membership of built-in groups<br> - Verify Active Directory delegations<br> - Harden your Tier 0 environment, and limit who has access to Tier 0 assets |

+|**Restrict privileged access accounts** | Ensure that service and user accounts with privileged access are cloud-only accounts, and do not use on-premises accounts that are synced or federated to Azure Active Directory. |

+| 9.0 CU2.1<br>9.0.1086.1 | 8.0 CU3<br>8.0.527.1 | 8.0 | Less than or equal to version 6.0 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | Current version |

+| 9.0 CU2<br>9.0.1056.1 | 8.0 CU3<br>8.0.527.1 | 8.0 | Less than or equal to version 6.0 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | August 19, 2022 |

+| 9.0 CU1<br>9.0.1035.1 | 8.0 CU3<br>8.0.527.1 | 8.0 | Less than or equal to version 6.0 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | August 19, 2022 |

+| 9.0 RTO<br>9.0.1018.1 | 8.0 CU3<br>8.0.527.1 | 8.0 | Less than or equal to version 6.0 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | August 19, 2022 |

+| 8.2 CU5.1<br>8.2.1483.1 | 8.0 CU3<br>8.0.527.1 | 8.0 | Less than or equal to version 5.2 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | December 1, 2022 |

+| 8.2 CU4<br>8.2.1458.1 | 8.0 CU3<br>8.0.527.1 | 8.0 | Less than or equal to version 5.2 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | August 19, 2022 |

+| 8.2 CU3<br>8.2.1434.1 | 8.0 CU3<br>8.0.527.1 | 8.0 | Less than or equal to version 5.2 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | August 19, 2022 |

+| 8.2 CU2.1<br>8.2.1397.1 | 8.0 CU3<br>8.0.527.1 | 8.0 | Less than or equal to version 5.2 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | August 19, 2022 |

+| 8.2 CU2<br>8.2.1285.1 | 8.0 CU3<br>8.0.527.1 | 8.0 | Less than or equal to version 5.2 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | August 19, 2022 |

+| 8.2 CU1<br>8.2.1204.1 | 8.0 CU3<br>8.0.527.1 | 8.0 | Less than or equal to version 5.2 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | August 19, 2022 |

+| 8.2 RTO<br>8.2.1124.1 | 8.0 CU3<br>8.0.527.1 | 8.0 | Less than or equal to version 5.2 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | August 19, 2022 |

+| 9.0 CU2.1 | Not applicable | 9.0.1086.1 |

+When you create an Azure Static Web Apps resource, Azure interacts directly with GitHub or Azure DevOps to monitor a branch of your choice. Every time you push commits or accept pull requests into the watched branch, a build automatically runs and your app and API is deployed to Azure.

+Static web apps are commonly built using libraries and frameworks like Angular, React, Svelte, Vue, or Blazor where server side rendering isn't required. These apps include HTML, CSS, JavaScript, and image assets that make up the application. With a traditional web server, these assets are served from a single server alongside any required API endpoints.

+- **CLI support** through the [Azure CLI](/cli/azure/staticwebapp) to create cloud resources, and via the [Azure Static Web Apps CLI](https://github.com/Azure/static-web-apps-cli#azure-static-web-apps-cli) for local development.

+- [Hot, Cool, and Archive access tiers for blob data](access-tiers-overview.md)

+- [Archive a blob](archive-blob.md)

+Data can be ingested in various formats. Data can be appear in human readable formats such as JSON, CSV, or XML or as compressed binary formats such as `.tar.gz`. Data can come in various sizes as well. Data can be composed of large files (a few terabytes) such as data from an export of a SQL table from your on-premises systems. Data can also come in the form of a large number of tiny files (a few kilobytes) such as data from real-time events from an Internet of things (IoT) solution. You can optimize efficiency and costs by choosing an appropriate file format and file size.

+A container name must be a valid DNS name, as it forms part of the unique URI used to address the container or its blobs. Follow these rules when naming a container:

+- Container names can be between 3 and 63 characters long.

+- Container names must start with a letter or number, and can contain only lowercase letters, numbers, and the dash (-) character.

+- Two or more consecutive dash characters aren't permitted in container names.

+The URI for a container is similar to:

+`https://myaccount.blob.core.windows.net/mycontainer`

+For more information about naming containers, see [Naming and Referencing Containers, Blobs, and Metadata](/rest/api/storageservices/Naming-and-Referencing-Containers--Blobs--and-Metadata).

+The URI for a blob is similar to:

+`https://myaccount.blob.core.windows.net/mycontainer/myblob`

+or

+`https://myaccount.blob.core.windows.net/mycontainer/myvirtualdirectory/myblob`

+Follow these rules when naming a blob:

+

+- A blob name can contain any combination of characters.

+- A blob name must be at least one character long and cannot be more than 1,024 characters long, for blobs in Azure Storage.

+- Blob names are case-sensitive.

+- Reserved URL characters must be properly escaped.

+- The number of path segments comprising the blob name cannot exceed 254. A path segment is the string between consecutive delimiter characters (*e.g.*, the forward slash '/') that corresponds to the name of a virtual directory.

+

+> [!NOTE]

+> Avoid blob names that end with a dot (.), a forward slash (/), or a sequence or combination of the two. No path segments should end with a dot (.).

+For more information about naming blobs, see [Naming and Referencing Containers, Blobs, and Metadata](/rest/api/storageservices/Naming-and-Referencing-Containers--Blobs--and-Metadata).

+The Archive tier for Blob Storage isn't currently supported for ZRS, GZRS, or RA-GZRS accounts. Unmanaged disks don't support ZRS or GZRS.

+- Azure Blob storage (hot and cool block blobs and append blobs, non-disk page blobs)

+All data for all storage accounts is copied from the primary to the secondary according to the redundancy option for the storage account. Objects including block blobs, append blobs, page blobs, queues, tables, and files are copied.

+Data in all tiers, including the Archive tier, is always copied from the primary to the secondary during geo-replication. The Archive tier for Blob Storage is currently supported for LRS, GRS, and RA-GRS accounts, but not for ZRS, GZRS, or RA-GZRS accounts. For more information about blob tiers, see [Hot, Cool, and Archive access tiers for blob data](../blobs/access-tiers-overview.md).

+Unmanaged disks don't support ZRS or GZRS.

+- If the **Registered server** state is **Appears Offline**, the Storage Sync Monitor process (AzureStorageSyncMonitor.exe) is not running or the server is unable to access the Azure File Sync service. See the [troubleshooting documentation](file-sync-troubleshoot-sync-group-management.md?tabs=portal1%252cazure-portal#server-endpoint-noactivity) for guidance.

+- The **server endpoint health** and **sync activity** in the portal is based on the sync events that are logged in the Telemetry event log on the server (ID 9102 and 9302). If a sync session fails because of a transient error, such as error canceled, the server endpoint will still show as **healthy** in the portal as long as the current sync session is making progress (files are applied). Event ID 9302 is the sync progress event and Event ID 9102 is logged once a sync session completes. For more information, see [sync health](file-sync-troubleshoot-sync-errors.md?tabs=server%252cazure-portal#broken-sync) and [sync progress](file-sync-troubleshoot-sync-errors.md?tabs=server%252cazure-portal#how-do-i-monitor-the-progress-of-a-current-sync-session). If the server endpoint health shows an **Error** or **No Activity**, see the [troubleshooting documentation](file-sync-troubleshoot-sync-errors.md?tabs=portal1%252cazure-portal#common-sync-errors) for guidance.

+- The **files not syncing** count in the portal is based on the Event ID 9121 that is logged in the Telemetry event log on the server. This event is logged for each per-item error once the sync session completes. To resolve per-item errors, see [How do I see if there are specific files or folders that are not syncing?](file-sync-troubleshoot-sync-errors.md?tabs=server%252cazure-portal#how-do-i-see-if-there-are-specific-files-or-folders-that-are-not-syncing).

+- To view **files not tiering** and **recall errors** in the portal, go to the **Server Endpoint Properties** and navigate to the **Cloud Tiering** section. **Files not tiering** is based on Event ID 9003 that is logged in the Telemetry event log on the server and **recall errors** is based on Event ID 9006. To investigate files that are failing to tier or recall, see [How to troubleshoot files that fail to tier](file-sync-troubleshoot-cloud-tiering.md?tabs=portal1%252cazure-portal#how-to-troubleshoot-files-that-fail-to-tier) and [How to troubleshoot files that fail to be recalled](file-sync-troubleshoot-cloud-tiering.md?tabs=portal1%252cazure-portal#how-to-troubleshoot-files-that-fail-to-be-recalled).

+- Event ID 9102 is logged once a sync session completes. Use this event to determine if sync sessions are successful (**HResult = 0**) and if there are per-item sync errors (**PerItemErrorCount**). For more information, see the [sync health](file-sync-troubleshoot-sync-errors.md?tabs=server%252cazure-portal#broken-sync) and [per-item errors](file-sync-troubleshoot-sync-errors.md?tabs=server%252cazure-portal#how-do-i-see-if-there-are-specific-files-or-folders-that-are-not-syncing) documentation.

+- Event ID 9121 is logged for each per-item error once the sync session completes. Use this event to determine the number of files that are failing to sync with this error (**PersistentCount** and **TransientCount**). Persistent per-item errors should be investigated, see [How do I see if there are specific files or folders that are not syncing?](file-sync-troubleshoot-sync-errors.md?tabs=server%252cazure-portal#how-do-i-see-if-there-are-specific-files-or-folders-that-are-not-syncing).

+- Event ID 9302 is logged every 5 to 10 minutes if there's an active sync session. Use this event to determine how many items are to be synced (**TotalItemCount**), number of items that have synced so far (**AppliedItemCount**) and number of items that have failed to sync due to a per-item error (**PerItemErrorCount**). If sync is not making progress (**AppliedItemCount=0**), the sync session will eventually fail and an Event ID 9102 will be logged with the error. For more information, see the [sync progress documentation](file-sync-troubleshoot-sync-errors.md?tabs=server%252cazure-portal#how-do-i-monitor-the-progress-of-a-current-sync-session).

+- Event ID 9301 is logged every 30 seconds when a server queries the service for jobs. If GetNextJob finishes with **status = 0**, the server is able to communicate with the service. If GetNextJob finishes with an error, check the [troubleshooting documentation](file-sync-troubleshoot-sync-group-management.md?tabs=portal1%252cazure-portal#server-endpoint-noactivity) for guidance.

+> Azure File Sync service will remove support for TLS1.0 and 1.1 on August 1st, 2020. All supported Azure File Sync agent versions already use TLS1.2 by default. Using an earlier version of TLS could occur if TLS1.2 was disabled on your server or a proxy is used. If you are using a proxy, we recommend you check the proxy configuration. Azure File Sync service regions added after 5/1/2020 will only support TLS1.2 and support for TLS1.0 and 1.1 will be removed from existing regions on August 1st, 2020. For more information, see the [troubleshooting guide](file-sync-troubleshoot-cloud-tiering.md#tls-12-required-for-azure-file-sync).

+- Files with unsupported characters. See [Troubleshooting guide](file-sync-troubleshoot-sync-errors.md#handling-unsupported-characters) for list of unsupported characters.

+- The storage sync service and/or storage account can be moved to a different resource group, subscription, or Azure AD tenant. After the storage sync service or storage account is moved, you need to give the Microsoft.StorageSync application access to the storage account (see [Ensure Azure File Sync has access to the storage account](file-sync-troubleshoot-sync-errors.md?tabs=portal1%252cportal#troubleshoot-rbac)).

+- Files with unsupported characters. See [Troubleshooting guide](file-sync-troubleshoot-sync-errors.md#handling-unsupported-characters) for list of unsupported characters.

+- The storage sync service and/or storage account can be moved to a different resource group, subscription, or Azure AD tenant. After the storage sync service or storage account is moved, you need to give the Microsoft.StorageSync application access to the storage account (see [Ensure Azure File Sync has access to the storage account](file-sync-troubleshoot-sync-errors.md?tabs=portal1%252cportal#troubleshoot-rbac)).

+ Title: Troubleshoot Azure File Sync cloud tiering | Microsoft Docs

+description: Troubleshoot common issues with cloud tiering in an Azure File Sync deployment.

+# Troubleshoot Azure File Sync cloud tiering

+Cloud tiering, an optional feature of Azure File Sync, decreases the amount of local storage required while keeping the performance of an on-premises file server. When enabled, this feature stores only frequently accessed (hot) files on your local server. Infrequently accessed (cool) files are split into namespace (file and folder structure) and file content.

+There are two paths for failures in cloud tiering:

+- Files can fail to tier, which means that Azure File Sync unsuccessfully attempts to tier a file to Azure Files.

+- Files can fail to recall, which means that the Azure File Sync file system filter (StorageSync.sys) fails to download data when a user attempts to access a file that has been tiered.

+There are two main classes of failures that can happen via either failure path:

+- Cloud storage failures

+ - *Transient storage service availability issues*. For more information, see the [Service Level Agreement (SLA) for Azure Storage](https://azure.microsoft.com/support/legal/sla/storage/v1_5/).

+ - *Inaccessible Azure file share*. This failure typically happens when you delete the Azure file share when it is still a cloud endpoint in a sync group.

+ - *Inaccessible storage account*. This failure typically happens when you delete the storage account while it still has an Azure file share that is a cloud endpoint in a sync group.

+- Server failures

+ - *Azure File Sync file system filter (StorageSync.sys) is not loaded*. In order to respond to tiering/recall requests, the Azure File Sync file system filter must be loaded. The filter not being loaded can happen for several reasons, but the most common reason is that an administrator unloaded it manually. The Azure File Sync file system filter must be loaded at all times for Azure File Sync to properly function.

+ - *Missing, corrupt, or otherwise broken reparse point*. A reparse point is a special data structure on a file that consists of two parts:

+ 1. A reparse tag, which indicates to the operating system that the Azure File Sync file system filter (StorageSync.sys) may need to do some action on IO to the file.

+ 2. Reparse data, which indicates to the file system filter the URI of the file on the associated cloud endpoint (the Azure file share).

+

+ The most common way a reparse point could become corrupted is if an administrator attempts to modify either the tag or its data.

+ - *Network connectivity issues*. In order to tier or recall a file, the server must have internet connectivity.

+The following sections indicate how to troubleshoot cloud tiering issues and determine if an issue is a cloud storage issue or a server issue.

+## How to monitor tiering activity on a server

+To monitor tiering activity on a server, use Event ID 9003, 9016 and 9029 in the Telemetry event log (located under Applications and Services\Microsoft\FileSync\Agent in Event Viewer).

+- Event ID 9003 provides error distribution for a server endpoint. For example, Total Error Count, ErrorCode, etc. Note, one event is logged per error code.

+- Event ID 9016 provides ghosting results for a volume. For example, Free space percent is, Number of files ghosted in session, Number of files failed to ghost, etc.

+- Event ID 9029 provides ghosting session information for a server endpoint. For example, Number of files attempted in the session, Number of files tiered in the session, Number of files already tiered, etc.

+## How to monitor recall activity on a server

+To monitor recall activity on a server, use Event ID 9005, 9006, 9009 and 9059 in the Telemetry event log (located under Applications and Services\Microsoft\FileSync\Agent in Event Viewer).

+- Event ID 9005 provides recall reliability for a server endpoint. For example, Total unique files accessed, Total unique files with failed access, etc.

+- Event ID 9006 provides recall error distribution for a server endpoint. For example, Total Failed Requests, ErrorCode, etc. Note, one event is logged per error code.

+- Event ID 9009 provides recall session information for a server endpoint. For example, DurationSeconds, CountFilesRecallSucceeded, CountFilesRecallFailed, etc.

+- Event ID 9059 provides application recall distribution for a server endpoint. For example, ShareId, Application Name, and TotalEgressNetworkBytes.

+## How to troubleshoot files that fail to tier

+If files fail to tier to Azure Files:

+1. In Event Viewer, review the telemetry, operational and diagnostic event logs, located under Applications and Services\Microsoft\FileSync\Agent.

+ 1. Verify the files exist in the Azure file share.

+ > [!NOTE]

+ > A file must be synced to an Azure file share before it can be tiered.

+ 2. Verify the server has internet connectivity.

+ 3. Verify the Azure File Sync filter drivers (StorageSync.sys and StorageSyncGuard.sys) are running:

+ - At an elevated command prompt, run `fltmc`. Verify that the StorageSync.sys and StorageSyncGuard.sys file system filter drivers are listed.

+> [!NOTE]

+> An Event ID 9003 is logged once an hour in the Telemetry event log if a file fails to tier (one event is logged per error code). Check the [Tiering errors and remediation](#tiering-errors-and-remediation) section to see if remediation steps are listed for the error code.

+## Tiering errors and remediation

+| HRESULT | HRESULT (decimal) | Error string | Issue | Remediation |

+||-|--|-|-|

+| 0x80c86045 | -2134351803 | ECS_E_INITIAL_UPLOAD_PENDING | The file failed to tier because the initial upload is in progress. | No action required. The file will be tiered once the initial upload completes. |

+| 0x80c86043 | -2134351805 | ECS_E_GHOSTING_FILE_IN_USE | The file failed to tier because it's in use. | No action required. The file will be tiered when it's no longer in use. |

+| 0x80c80241 | -2134375871 | ECS_E_GHOSTING_EXCLUDED_BY_SYNC | The file failed to tier because it's excluded by sync. | No action required. Files in the sync exclusion list cannot be tiered. |

+| 0x80c86042 | -2134351806 | ECS_E_GHOSTING_FILE_NOT_FOUND | The file failed to tier because it was not found on the server. | No action required. If the error persists, check if the file exists on the server. |

+| 0x80c83053 | -2134364077 | ECS_E_CREATE_SV_FILE_DELETED | The file failed to tier because it was deleted in the Azure file share. | No action required. The file should be deleted on the server when the next download sync session runs. |

+| 0x80c8600e | -2134351858 | ECS_E_AZURE_SERVER_BUSY | The file failed to tier due to a network issue. | No action required. If the error persists, check network connectivity to the Azure file share. |

+| 0x80072ee7 | -2147012889 | WININET_E_NAME_NOT_RESOLVED | The file failed to tier due to a network issue. | No action required. If the error persists, check network connectivity to the Azure file share. |

+| 0x80070005 | -2147024891 | ERROR_ACCESS_DENIED | The file failed to tier due to access denied error. This error can occur if the file is located on a DFS-R read-only replication folder. | Azure Files Sync does not support server endpoints on DFS-R read-only replication folders. See [planning guide](file-sync-planning.md#distributed-file-system-dfs) for more information. |

+| 0x80072efe | -2147012866 | WININET_E_CONNECTION_ABORTED | The file failed to tier due to a network issue. | No action required. If the error persists, check network connectivity to the Azure file share. |

+| 0x80c80261 | -2134375839 | ECS_E_GHOSTING_MIN_FILE_SIZE | The file failed to tier because the file size is less than the supported size. | The minimum supported file size is based on the file system cluster size (double file system cluster size). For example, if the file system cluster size is 4 KiB, the minimum file size is 8 KiB. |

+| 0x80c83007 | -2134364153 | ECS_E_STORAGE_ERROR | The file failed to tier due to an Azure storage issue. | If the error persists, open a support request. |

+| 0x800703e3 | -2147023901 | ERROR_OPERATION_ABORTED | The file failed to tier because it was recalled at the same time. | No action required. The file will be tiered when the recall completes and the file is no longer in use. |

+| 0x80c80264 | -2134375836 | ECS_E_GHOSTING_FILE_NOT_SYNCED | The file failed to tier because it has not synced to the Azure file share. | No action required. The file will tier once it has synced to the Azure file share. |

+| 0x80070001 | -2147942401 | ERROR_INVALID_FUNCTION | The file failed to tier because the cloud tiering filter driver (storagesync.sys) is not running. | To resolve this issue, open an elevated command prompt and run the following command: `fltmc load storagesync`<br>If the Azure File Sync filter driver fails to load when running the fltmc command, uninstall the Azure File Sync agent, restart the server and reinstall the Azure File Sync agent. |

+| 0x80070070 | -2147024784 | ERROR_DISK_FULL | The file failed to tier due to insufficient disk space on the volume where the server endpoint is located. | To resolve this issue, free at least 100 MiB of disk space on the volume where the server endpoint is located. |

+| 0x80070490 | -2147023728 | ERROR_NOT_FOUND | The file failed to tier because it has not synced to the Azure file share. | No action required. The file will tier once it has synced to the Azure file share. |

+| 0x80c80262 | -2134375838 | ECS_E_GHOSTING_UNSUPPORTED_RP | The file failed to tier because it's an unsupported reparse point. | If the file is a Data Deduplication reparse point, follow the steps in the [planning guide](file-sync-planning.md#data-deduplication) to enable Data Deduplication support. Files with reparse points other than Data Deduplication are not supported and will not be tiered. |

+| 0x80c83052 | -2134364078 | ECS_E_CREATE_SV_STREAM_ID_MISMATCH | The file failed to tier because it has been modified. | No action required. The file will tier once the modified file has synced to the Azure file share. |

+| 0x80c80269 | -2134375831 | ECS_E_GHOSTING_REPLICA_NOT_FOUND | The file failed to tier because it has not synced to the Azure file share. | No action required. The file will tier once it has synced to the Azure file share. |

+| 0x80072ee2 | -2147012894 | WININET_E_TIMEOUT | The file failed to tier due to a network issue. | No action required. If the error persists, check network connectivity to the Azure file share. |

+| 0x80c80017 | -2134376425 | ECS_E_SYNC_OPLOCK_BROKEN | The file failed to tier because it has been modified. | No action required. The file will tier once the modified file has synced to the Azure file share. |

+| 0x800705aa | -2147023446 | ERROR_NO_SYSTEM_RESOURCES | The file failed to tier due to insufficient system resources. | If the error persists, investigate which application or kernel-mode driver is exhausting system resources. |

+| 0x8e5e03fe | -1906441218 | JET_errDiskIO | The file failed to tier due to an I/O error when writing to the cloud tiering database. | If the error persists, run chkdsk on the volume and check the storage hardware. |

+| 0x8e5e0442 | -1906441150 | JET_errInstanceUnavailable | The file failed to tier because the cloud tiering database is not running. | To resolve this issue, restart the FileSyncSvc service or server. If the error persists, run chkdsk on the volume and check the storage hardware. |

+| 0x80C80285 | -2160591493 | ECS_E_GHOSTING_SKIPPED_BY_CUSTOM_EXCLUSION_LIST | The file cannot be tiered because the file type is excluded from tiering. | To tier files with this file type, modify the GhostingExclusionList registry setting which is located under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure\StorageSync. |

+| 0x80C86050 | -2160615504 | ECS_E_REPLICA_NOT_READY_FOR_TIERING | The file failed to tier because the current sync mode is initial upload or reconciliation. | No action required. The file will be tiered once sync completes initial upload or reconciliation. |

+## How to troubleshoot files that fail to be recalled

+If files fail to be recalled:

+1. In Event Viewer, review the telemetry, operational and diagnostic event logs, located under Applications and Services\Microsoft\FileSync\Agent.

+ 1. Verify the files exist in the Azure file share.

+ 2. Verify the server has internet connectivity.

+ 3. Open the Services MMC snap-in and verify the Storage Sync Agent service (FileSyncSvc) is running.

+ 4. Verify the Azure File Sync filter drivers (StorageSync.sys and StorageSyncGuard.sys) are running:

+ - At an elevated command prompt, run `fltmc`. Verify that the StorageSync.sys and StorageSyncGuard.sys file system filter drivers are listed.

+> [!NOTE]

+> An Event ID 9006 is logged once per hour in the Telemetry event log if a file fails to recall (one event is logged per error code). Check the [Recall errors and remediation](#recall-errors-and-remediation) section to see if remediation steps are listed for the error code.

+## Recall errors and remediation

+| HRESULT | HRESULT (decimal) | Error string | Issue | Remediation |

+||-|--|-|-|

+| 0x80070079 | -2147942521 | ERROR_SEM_TIMEOUT | The file failed to recall due to an I/O timeout. This issue can occur for several reasons: server resource constraints, poor network connectivity or an Azure storage issue (for example, throttling). | No action required. If the error persists for several hours, please open a support case. |

+| 0x80070036 | -2147024842 | ERROR_NETWORK_BUSY | The file failed to recall due to a network issue. | If the error persists, check network connectivity to the Azure file share. |

+| 0x80c80037 | -2134376393 | ECS_E_SYNC_SHARE_NOT_FOUND | The file failed to recall because the server endpoint was deleted. | To resolve this issue, see [Tiered files are not accessible on the server after deleting a server endpoint](?tabs=portal1%252cazure-portal#tiered-files-are-not-accessible-on-the-server-after-deleting-a-server-endpoint). |

+| 0x80070005 | -2147024891 | ERROR_ACCESS_DENIED | The file failed to recall due to an access denied error. This issue can occur if the firewall and virtual network settings on the storage account are enabled and the server does not have access to the storage account. | To resolve this issue, add the Server IP address or virtual network by following the steps documented in the [Configure firewall and virtual network settings](file-sync-deployment-guide.md?tabs=azure-portal#optional-configure-firewall-and-virtual-network-settings) section in the deployment guide. |

+| 0x80c86002 | -2134351870 | ECS_E_AZURE_RESOURCE_NOT_FOUND | The file failed to recall because it's not accessible in the Azure file share. | To resolve this issue, verify the file exists in the Azure file share. If the file exists in the Azure file share, upgrade to the latest Azure File Sync [agent version](file-sync-release-notes.md#supported-versions). |

+| 0x80c8305f | -2134364065 | ECS_E_EXTERNAL_STORAGE_ACCOUNT_AUTHORIZATION_FAILED | The file failed to recall due to authorization failure to the storage account. | To resolve this issue, verify [Azure File Sync has access to the storage account](file-sync-troubleshoot-sync-errors.md?tabs=portal1%252cazure-portal#troubleshoot-rbac). |

+| 0x80c86030 | -2134351824 | ECS_E_AZURE_FILE_SHARE_NOT_FOUND | The file failed to recall because the Azure file share is not accessible. | Verify the file share exists and is accessible. If the file share was deleted and recreated, perform the steps documented in the [Sync failed because the Azure file share was deleted and recreated](file-sync-troubleshoot-sync-errors.md?tabs=portal1%252cazure-portal#-2134375810) section to delete and recreate the sync group. |

+| 0x800705aa | -2147023446 | ERROR_NO_SYSTEM_RESOURCES | The file failed to recall due to insufficient system resources. | If the error persists, investigate which application or kernel-mode driver is exhausting system resources. |

+| 0x8007000e | -2147024882 | ERROR_OUTOFMEMORY | The file failed to recall due to insufficient memory. | If the error persists, investigate which application or kernel-mode driver is causing the low memory condition. |

+| 0x80070070 | -2147024784 | ERROR_DISK_FULL | The file failed to recall due to insufficient disk space. | To resolve this issue, free up space on the volume by moving files to a different volume, increase the size of the volume, or force files to tier by using the Invoke-StorageSyncCloudTiering cmdlet. |

+| 0x80072f8f | -2147012721 | WININET_E_DECODING_FAILED | The file failed to recall because the server was unable to decode the response from the Azure File Sync service. | This error typically occurs if a network proxy is modifying the response from the Azure File Sync service. Please check your proxy configuration. |

+| 0x80090352 | -2146892974 | SEC_E_ISSUING_CA_UNTRUSTED | The file failed to recall because your organization is using a TLS terminating proxy or a malicious entity is intercepting the traffic between your server and the Azure File Sync service. | If you are certain this is expected (because your organization is using a TLS terminating proxy), follow the steps documented for error [CERT_E_UNTRUSTEDROOT](file-sync-troubleshoot-sync-errors.md#-2146762487) to resolve this issue. |

+| 0x80c86047 | -2134351801 | ECS_E_AZURE_SHARE_SNAPSHOT_NOT_FOUND | The file failed to recall because it's referencing a version of the file which no longer exists in the Azure file share. | This issue can occur if the tiered file was restored from a backup of the Windows Server. To resolve this issue, restore the file from a snapshot in the Azure file share. |

+## Tiered files are not accessible on the server after deleting a server endpoint

+Tiered files on a server will become inaccessible if the files are not recalled prior to deleting a server endpoint.

+Errors logged if tiered files are not accessible

+- When syncing a file, error code -2147942467 (0x80070043 - ERROR_BAD_NET_NAME) is logged in the ItemResults event log

+- When recalling a file, error code -2134376393 (0x80c80037 - ECS_E_SYNC_SHARE_NOT_FOUND) is logged in the RecallResults event log

+Restoring access to your tiered files is possible if the following conditions are met:

+- Server endpoint was deleted within past 30 days

+- Cloud endpoint was not deleted

+- File share was not deleted

+- Sync group was not deleted

+If the above conditions are met, you can restore access to the files on the server by recreating the server endpoint at the same path on the server within the same sync group within 30 days.

+If the above conditions are not met, restoring access is not possible as these tiered files on the server are now orphaned. Follow the instructions below to remove the orphaned tiered files.

+**Notes**

+- When tiered files are not accessible on the server, the full file should still be accessible if you access the Azure file share directly.

+- To prevent orphaned tiered files in the future, follow the steps documented in [Remove a server endpoint](file-sync-server-endpoint-delete.md) when deleting a server endpoint.

+<a id="get-orphaned"></a>**How to get the list of orphaned tiered files**

+1. Run the following PowerShell commands to list orphaned tiered files:

+```powershell

+Import-Module "C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll"

+$orphanFiles = Get-StorageSyncOrphanedTieredFiles -path <server endpoint path>

+$orphanFiles.OrphanedTieredFiles > OrphanTieredFiles.txt

+```

+2. Save the OrphanTieredFiles.txt output file in case files need to be restored from backup after they are deleted.

+<a id="remove-orphaned"></a>**How to remove orphaned tiered files**

+*Option 1: Delete the orphaned tiered files*

+This option deletes the orphaned tiered files on the Windows Server but requires removing the server endpoint if it exists due to recreation after 30 days or is connected to a different sync group. File conflicts will occur if files are updated on the Windows Server or Azure file share before the server endpoint is recreated.

+1. Back up the Azure file share and server endpoint location.

+2. Remove the server endpoint in the sync group (if exists) by following the steps documented in [Remove a server endpoint](file-sync-server-endpoint-delete.md).

+> [!Warning]

+> If the server endpoint is not removed prior to using the Remove-StorageSyncOrphanedTieredFiles cmdlet, deleting the orphaned tiered file on the server will delete the full file in the Azure file share.

+3. Run the following PowerShell commands to list orphaned tiered files:

+```powershell

+Import-Module "C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll"

+$orphanFiles = Get-StorageSyncOrphanedTieredFiles -path <server endpoint path>

+$orphanFiles.OrphanedTieredFiles > OrphanTieredFiles.txt

+```

+4. Save the OrphanTieredFiles.txt output file in case files need to be restored from backup after they are deleted.

+5. Run the following PowerShell commands to delete orphaned tiered files:

+```powershell

+Import-Module "C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll"

+$orphanFilesRemoved = Remove-StorageSyncOrphanedTieredFiles -Path <folder path containing orphaned tiered files> -Verbose

+$orphanFilesRemoved.OrphanedTieredFiles > DeletedOrphanFiles.txt

+```

+**Notes**

+- Tiered files modified on the server that are not synced to the Azure file share will be deleted.

+- Tiered files that are accessible (not orphan) will not be deleted.

+- Non-tiered files will remain on the server.

+6. Optional: Recreate the server endpoint if deleted in step 3.

+*Option 2: Mount the Azure file share and copy the files locally that are orphaned on the server*

+This option doesn't require removing the server endpoint but requires sufficient disk space to copy the full files locally.

+1. [Mount](../files/storage-how-to-use-files-windows.md?toc=%2fazure%2fstorage%2ffilesync%2ftoc.json) the Azure file share on the Windows Server that has orphaned tiered files.

+2. Run the following PowerShell commands to list orphaned tiered files:

+```powershell

+Import-Module "C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll"

+$orphanFiles = Get-StorageSyncOrphanedTieredFiles -path <server endpoint path>

+$orphanFiles.OrphanedTieredFiles > OrphanTieredFiles.txt

+```

+3. Use the OrphanTieredFiles.txt output file to identify orphaned tiered files on the server.

+4. Overwrite the orphaned tiered files by copying the full file from the Azure file share to the Windows Server.

+## How to troubleshoot files unexpectedly recalled on a server

+Antivirus, backup, and other applications that read large numbers of files cause unintended recalls unless they respect the skip offline attribute and skip reading the content of those files. Skipping offline files for products that support this option helps avoid unintended recalls during operations like antivirus scans or backup jobs.

+Consult with your software vendor to learn how to configure their solution to skip reading offline files.

+Unintended recalls also might occur in other scenarios, like when you are browsing cloud-tiered files in File Explorer. This is likely to occur on Windows Server 2016 if the folder contains executable files. File Explorer was improved for Windows Server 2019 and later to better handle offline files.

+> [!NOTE]

+>Use Event ID 9059 in the Telemetry event log to determine which application(s) is causing recalls. This event provides application recall distribution for a server endpoint and is logged once an hour.

+## Process exclusions for Azure File Sync

+If you want to configure your antivirus or other applications to skip scanning for files accessed by Azure File Sync, configure the following process exclusions:

+- C:\Program Files\Azure\StorageSyncAgent\AfsAutoUpdater.exe

+- C:\Program Files\Azure\StorageSyncAgent\FileSyncSvc.exe

+- C:\Program Files\Azure\StorageSyncAgent\MAAgent\MonAgentLauncher.exe

+- C:\Program Files\Azure\StorageSyncAgent\MAAgent\MonAgentHost.exe

+- C:\Program Files\Azure\StorageSyncAgent\MAAgent\MonAgentManager.exe

+- C:\Program Files\Azure\StorageSyncAgent\MAAgent\MonAgentCore.exe

+- C:\Program Files\Azure\StorageSyncAgent\MAAgent\Extensions\XSyncMonitoringExtension\AzureStorageSyncMonitor.exe

+## TLS 1.2 required for Azure File Sync

+You can view the TLS settings at your server by looking at the [registry settings](/windows-server/security/tls/tls-registry-settings).

+If you're using a proxy, consult your proxy's documentation and ensure it is configured to use TLS 1.2.

+## See also

+- [Troubleshoot Azure File Sync agent installation and server registration](file-sync-troubleshoot-installation.md)

+- [Troubleshoot Azure File Sync sync group management](file-sync-troubleshoot-sync-group-management.md)

+- [Troubleshoot Azure File Sync sync errors](file-sync-troubleshoot-sync-errors.md)

+- [Monitor Azure File Sync](file-sync-monitoring.md)

+- [Troubleshoot Azure Files problems in Windows](../files/storage-troubleshoot-windows-file-connection-problems.md)

+- [Troubleshoot Azure Files problems in Linux](../files/storage-troubleshoot-linux-file-connection-problems.md)

+ Title: Troubleshoot Azure File Sync agent installation and server registration | Microsoft Docs

+description: Troubleshoot common issues with installing the Azure File Sync agent and registering Windows Server with the Storage Sync Service.

+# Troubleshoot Azure File Sync agent installation and server registration

+After deploying the Storage Sync Service, the next steps in deploying Azure File Sync are installing the Azure File Sync agent and registering Windows Server with the Storage Sync Service. This article is designed to help you troubleshoot and resolve issues that you might encounter during these steps.

+## Agent installation

+<a id="agent-installation-failures"></a>**Troubleshoot agent installation failures**

+If the Azure File Sync agent installation fails, at an elevated command prompt, run the following command to turn on logging during agent installation:

+```

+StorageSyncAgent.msi /l*v AFSInstaller.log

+```

+Review installer.log to determine the cause of the installation failure.

+<a id="agent-installation-gpo"></a>**Agent installation fails with error: Storage Sync Agent Setup Wizard ended prematurely because of an error**

+In the agent installation log, the following error is logged:

+```

+CAQuietExec64: + CategoryInfo : SecurityError: (:) , PSSecurityException

+CAQuietExec64: + FullyQualifiedErrorId : UnauthorizedAccess

+CAQuietExec64: Error 0x80070001: Command line returned an error.

+```

+This issue occurs if the [PowerShell execution policy](/powershell/module/microsoft.powershell.core/about/about_execution_policies#use-group-policy-to-manage-execution-policy) is configured using group policy and the policy setting is "Allow only signed scripts." All scripts included with the Azure File Sync agent are signed. The Azure File Sync agent installation fails because the installer is performing the script execution using the Bypass execution policy setting.

+To resolve this issue, temporarily disable the [Turn on Script Execution](/powershell/module/microsoft.powershell.core/about/about_execution_policies#use-group-policy-to-manage-execution-policy) group policy setting on the server. Once the agent installation completes, the group policy setting can be re-enabled.

+<a id="agent-installation-on-DC"></a>**Agent installation fails on Active Directory Domain Controller**

+If you try to install the sync agent on an Active Directory domain controller where the PDC role owner is on a Windows Server 2008 R2 or below OS version, you may hit the issue where the sync agent will fail to install.

+To resolve, transfer the PDC role to another domain controller running Windows Server 2012 R2 or more recent, then install sync.

+<a id="parameter-is-incorrect"></a>**Accessing a volume on Windows Server 2012 R2 fails with error: The parameter is incorrect**

+After creating a server endpoint on Windows Server 2012 R2, the following error occurs when accessing the volume:

+drive letter:\ is not accessible.

+The parameter is incorrect.

+To resolve this issue, install [KB2919355](https://support.microsoft.com/help/2919355/windows-rt-8-1-windows-8-1-windows-server-2012-r2-update-april-2014) and restart the server. If this update will not install because a later update is already installed, go to Windows Update, install the latest updates for Windows Server 2012 R2 and restart the server.

+## Server registration

+<a id="server-registration-missing-subscriptions"></a>**Server Registration does not list all Azure Subscriptions**

+When registering a server using ServerRegistration.exe, subscriptions are missing when you click the Azure Subscription drop-down.

+This issue occurs because ServerRegistration.exe will only retrieve subscriptions from the first five Azure AD tenants.

+To increase the Server Registration tenant limit on the server, create a DWORD value called ServerRegistrationTenantLimit under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure\StorageSync with a value greater than 5.

+You can also work around this issue by using the following PowerShell commands to register the server:

+```powershell

+Connect-AzAccount -Subscription "<guid>" -Tenant "<guid>"

+Register-AzStorageSyncServer -ResourceGroupName "<your-resource-group-name>" -StorageSyncServiceName "<your-storage-sync-service-name>"

+```

+<a id="server-registration-prerequisites"></a>**Server Registration displays the following message: "Pre-requisites are missing"**

+This message appears if Az or AzureRM PowerShell module is not installed on PowerShell 5.1.

+> [!Note]

+> ServerRegistration.exe does not support PowerShell 6.x. You can use the Register-AzStorageSyncServer cmdlet on PowerShell 6.x to register the server.

+To install the Az or AzureRM module on PowerShell 5.1, perform the following steps:

+1. Type **powershell** from an elevated command prompt and hit enter.

+2. Install the latest Az or AzureRM module by following the documentation:

+ - [Az module (requires .NET 4.7.2)](/powershell/azure/install-az-ps)

+ - [AzureRM module](https://go.microsoft.com/fwlink/?linkid=856959)

+3. Run ServerRegistration.exe, and complete the wizard to register the server with a Storage Sync Service.

+<a id="server-already-registered"></a>**Server Registration displays the following message: "This server is already registered"**

+

+This message appears if the server was previously registered with a Storage Sync Service. To unregister the server from the current Storage Sync Service and then register with a new Storage Sync Service, complete the steps that are described in [Unregister a server with Azure File Sync](file-sync-server-registration.md#unregister-the-server-with-storage-sync-service).

+If the server is not listed under **Registered servers** in the Storage Sync Service, on the server that you want to unregister, run the following PowerShell commands:

+```powershell

+Import-Module "C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll"

+Reset-StorageSyncServer

+```

+> [!Note]

+> If the server is part of a cluster, use the Reset-StorageSyncServer -CleanClusterRegistration parameter to remove the server from the Azure File Sync cluster registration detail.

+<a id="web-site-not-trusted"></a>**When I register a server, I see numerous "web site not trusted" responses. Why?**

+This issue occurs when the **Enhanced Internet Explorer Security** policy is enabled during server registration. For more information about how to correctly disable the **Enhanced Internet Explorer Security** policy, see [Prepare Windows Server to use with Azure File Sync](file-sync-deployment-guide.md#prepare-windows-server-to-use-with-azure-file-sync) and [How to deploy Azure File Sync](file-sync-deployment-guide.md).

+<a id="server-registration-missing"></a>**Server is not listed under registered servers in the Azure portal**

+If a server is not listed under **Registered servers** for a Storage Sync Service:

+1. Sign in to the server that you want to register.

+2. Open File Explorer, and then go to the Storage Sync Agent installation directory (the default location is C:\Program Files\Azure\StorageSyncAgent).

+3. Run ServerRegistration.exe, and complete the wizard to register the server with a Storage Sync Service.

+## See also

+- [Troubleshoot Azure File Sync sync group management](file-sync-troubleshoot-sync-group-management.md)

+- [Troubleshoot Azure File Sync sync errors](file-sync-troubleshoot-sync-errors.md)

+- [Troubleshoot Azure File Sync cloud tiering](file-sync-troubleshoot-cloud-tiering.md)

+- [Monitor Azure File Sync](file-sync-monitoring.md)

+- [Troubleshoot Azure Files problems in Windows](../files/storage-troubleshoot-windows-file-connection-problems.md)

+- [Troubleshoot Azure Files problems in Linux](../files/storage-troubleshoot-linux-file-connection-problems.md)

+ Title: Troubleshoot sync health and errors in Azure File Sync | Microsoft Docs

+description: Troubleshoot common issues with monitoring sync health and resolving sync errors in an Azure File Sync deployment.

+# Troubleshoot Azure File Sync sync health and errors

+This article is designed to help you troubleshoot and resolve common sync issues that you might encounter with your Azure File Sync deployment.

+## Sync health

+<a id="afs-change-detection"></a>**If I created a file directly in my Azure file share over SMB or through the portal, how long does it take for the file to sync to servers in the sync group?**

+<a id="serverendpoint-pending"></a>**Server endpoint health is in a pending state for several hours**

+This issue is expected if you create a cloud endpoint and use an Azure file share that contains data. The change enumeration job that scans for changes in the Azure file share must complete before files can sync between the cloud and server endpoints. The time to complete the job is dependent on the size of the namespace in the Azure file share. The server endpoint health should update once the change enumeration job completes.

+### <a id="broken-sync"></a>How do I monitor sync health?

+# [Portal](#tab/portal1)

+Within each sync group, you can drill down into its individual server endpoints to see the status of the last completed sync sessions. A green Health column and a Files Not Syncing value of 0 indicate that sync is working as expected. If not, see below for a list of common sync errors and how to handle files that are not syncing.

+

+# [Server](#tab/server)

+Go to the server's telemetry logs, which can be found in the Event Viewer at `Applications and Services Logs\Microsoft\FileSync\Agent\Telemetry`. Event 9102 corresponds to a completed sync session; for the latest status of sync, look for the most recent event with ID 9102. SyncDirection tells you if this session was an upload or download. If the `HResult` is 0, then the sync session was successful. A non-zero `HResult` means that there was an error during sync; see below for a list of common errors. If the PerItemErrorCount is greater than 0, then some files or folders did not sync properly. It is possible to have an `HResult` of 0 but a PerItemErrorCount that is greater than 0.

+Below is an example of a successful upload. For the sake of brevity, only some of the values contained in each 9102 event are listed below.

+```

+Replica Sync session completed.

+SyncDirection: Upload,

+HResult: 0,

+SyncFileCount: 2, SyncDirectoryCount: 0,

+AppliedFileCount: 2, AppliedDirCount: 0, AppliedTombstoneCount 0, AppliedSizeBytes: 0.

+PerItemErrorCount: 0,

+TransferredFiles: 2, TransferredBytes: 0, FailedToTransferFiles: 0, FailedToTransferBytes: 0.

+```

+Conversely, an unsuccessful upload might look like this:

+```

+Replica Sync session completed.

+SyncDirection: Upload,

+HResult: -2134364065,

+SyncFileCount: 0, SyncDirectoryCount: 0,

+AppliedFileCount: 0, AppliedDirCount: 0, AppliedTombstoneCount 0, AppliedSizeBytes: 0.

+PerItemErrorCount: 0,

+TransferredFiles: 0, TransferredBytes: 0, FailedToTransferFiles: 0, FailedToTransferBytes: 0.

+```

+Sometimes sync sessions fail overall or have a non-zero PerItemErrorCount but still make forward progress, with some files syncing successfully. Progress can be determined by looking into the *Applied* fields (AppliedFileCount, AppliedDirCount, AppliedTombstoneCount, and AppliedSizeBytes). These fields describe how much of the session is succeeding. If you see multiple sync sessions in a row that are failing but have an increasing *Applied* count, then you should give sync time to try again before opening a support ticket.

+### How do I monitor the progress of a current sync session?

+# [Portal](#tab/portal1)

+Within your sync group, go to the server endpoint in question and look at the Sync Activity section to see the count of files uploaded or downloaded in the current sync session. Keep in mind that this status will be delayed by about 5 minutes, and if your sync session is small enough to be completed within this period, it may not be reported in the portal.

+# [Server](#tab/server)

+Look at the most recent 9302 event in the telemetry log on the server (in the Event Viewer, go to Applications and Services Logs\Microsoft\FileSync\Agent\Telemetry). This event indicates the state of the current sync session. TotalItemCount denotes how many files are to be synced, AppliedItemCount the number of files that have been synced so far, and PerItemErrorCount the number of files that are failing to sync (see below for how to deal with this).

+```

+Replica Sync Progress.

+ServerEndpointName: <CI>sename</CI>, SyncGroupName: <CI>sgname</CI>, ReplicaName: <CI>rname</CI>,

+SyncDirection: Upload, CorrelationId: {AB4BA07D-5B5C-461D-AAE6-4ED724762B65}.

+AppliedItemCount: 172473, TotalItemCount: 624196. AppliedBytes: 51473711577,

+TotalBytes: 293363829906.

+AreTotalCountsFinal: true.

+PerItemErrorCount: 1006.

+```

+### How do I know if my servers are in sync with each other?

+# [Portal](#tab/portal1)

+For each server in a given sync group, make sure:

+- The timestamps for the Last Attempted Sync for both upload and download are recent.

+- The status is green for both upload and download.

+- The Sync Activity field shows very few or no files remaining to sync.

+- The Files Not Syncing field is 0 for both upload and download.

+# [Server](#tab/server)

+Look at the completed sync sessions, which are marked by 9102 events in the telemetry event log for each server (in the Event Viewer, go to `Applications and Services Logs\Microsoft\FileSync\Agent\Telemetry`).

+1. On any given server, you want to make sure the latest upload and download sessions completed successfully. To do this, check that the `HResult` and PerItemErrorCount are 0 for both upload and download (the SyncDirection field indicates if a given session is an upload or download session). Note that if you do not see a recently completed sync session, it is likely a sync session is currently in progress, which is to be expected if you just added or modified a large amount of data.

+2. When a server is fully up to date with the cloud and has no changes to sync in either direction, you will see empty sync sessions. These are indicated by upload and download events in which all the Sync* fields (SyncFileCount, SyncDirCount, SyncTombstoneCount, and SyncSizeBytes) are zero, meaning there was nothing to sync. Note that these empty sync sessions may not occur on high-churn servers as there is always something new to sync. If there is no sync activity, they should occur every 30 minutes.

+3. If all servers are up to date with the cloud, meaning their recent upload and download sessions are empty sync sessions, you can say with reasonable certainty that the system as a whole is in sync.

+

+If you made changes directly in your Azure file share, Azure File Sync will not detect these changes until change enumeration runs, which happens once every 24 hours. It is possible that a server will say it is up to date with the cloud when it is in fact missing recent changes made directly in the Azure file share.

+### How do I see if there are specific files or folders that are not syncing?

+If your PerItemErrorCount on the server or Files Not Syncing count in the portal are greater than 0 for any given sync session, that means some items are failing to sync. Files and folders can have characteristics that prevent them from syncing. These characteristics can be persistent and require explicit action to resume sync, for example removing unsupported characters from the file or folder name. They can also be transient, meaning the file or folder will automatically resume sync; for example, files with open handles will automatically resume sync when the file is closed. When the Azure File Sync engine detects such a problem, an error log is produced that can be parsed to list the items currently not syncing properly.

+To see these errors, run the **FileSyncErrorsReport.ps1** PowerShell script (located in the agent installation directory of the Azure File Sync agent) to identify files that failed to sync because of open handles, unsupported characters, or other issues. The ItemPath field tells you the location of the file in relation to the root sync directory. See the list of common sync errors below for remediation steps.

+> [!Note]

+> If the FileSyncErrorsReport.ps1 script returns "There were no file errors found" or does not list per-item errors for the sync group, the cause is either:

+>

+>- Cause 1: The last completed sync session did not have per-item errors. The portal should be updated soon to show 0 Files Not Syncing. By default, the FileSyncErrorsReport.ps1 script will only show per-item errors for the last completed sync session. To view per-item errors for all sync sessions, use the -ReportAllErrors parameter.

+> - Check the most recent [Event ID 9102](?tabs=server%252cazure-portal#broken-sync) in the Telemetry event log to confirm the PerItemErrorCount is 0.

+>

+>- Cause 2: The ItemResults event log on the server wrapped due to too many per-item errors and the event log no longer contains errors for this sync group.

+> - To prevent this issue, increase the ItemResults event log size. The ItemResults event log can be found under "Applications and Services Logs\Microsoft\FileSync\Agent" in Event Viewer.

+## Sync errors

+### Troubleshooting per file/directory sync errors

+**ItemResults log - per-item sync errors**

+| HRESULT | HRESULT (decimal) | Error string | Issue | Remediation |

+||-|--|-|-|

+| 0x80070043 | -2147942467 | ERROR_BAD_NET_NAME | The tiered file on the server is not accessible. This issue occurs if the tiered file was not recalled prior to deleting a server endpoint. | To resolve this issue, see [Tiered files are not accessible on the server after deleting a server endpoint](file-sync-troubleshoot-cloud-tiering.md#tiered-files-are-not-accessible-on-the-server-after-deleting-a-server-endpoint). |

+| 0x80c80207 | -2134375929 | ECS_E_SYNC_CONSTRAINT_CONFLICT | The file or directory change cannot be synced yet because a dependent folder is not yet synced. This item will sync after the dependent changes are synced. | No action required. If the error persists for several days, use the FileSyncErrorsReport.ps1 PowerShell script to determine why the dependent folder is not yet synced. |

+| 0x80C8028A | -2134375798 | ECS_E_SYNC_CONSTRAINT_CONFLICT_ON_FAILED_DEPENDEE | The file or directory change cannot be synced yet because a dependent folder is not yet synced. This item will sync after the dependent changes are synced. | No action required. If the error persists for several days, use the FileSyncErrorsReport.ps1 PowerShell script to determine why the dependent folder is not yet synced. |

+| 0x80c80284 | -2134375804 | ECS_E_SYNC_CONSTRAINT_CONFLICT_SESSION_FAILED | The file or directory change cannot be synced yet because a dependent folder is not yet synced and the sync session failed. This item will sync after the dependent changes are synced. | No action required. If the error persists, investigate the sync session failure. |

+| 0x8007007b | -2147024773 | ERROR_INVALID_NAME | The file or directory name is invalid. | Rename the file or directory in question. See [Handling unsupported characters](?tabs=portal1%252cazure-portal#handling-unsupported-characters) for more information. |

+| 0x80c80255 | -2134375851 | ECS_E_XSMB_REST_INCOMPATIBILITY | The file or directory name is invalid. | Rename the file or directory in question. See [Handling unsupported characters](?tabs=portal1%252cazure-portal#handling-unsupported-characters) for more information. |

+| 0x80c80018 | -2134376424 | ECS_E_SYNC_FILE_IN_USE | The file cannot be synced because it's in use. The file will be synced when it's no longer in use. | No action required. Azure File Sync creates a temporary VSS snapshot once a day on the server to sync files that have open handles. |

+| 0x80c8031d | -2134375651 | ECS_E_CONCURRENCY_CHECK_FAILED | The file has changed, but the change has not yet been detected by sync. Sync will recover after this change is detected. | No action required. |

+| 0x80070002 | -2147024894 | ERROR_FILE_NOT_FOUND | The file was deleted and sync is not aware of the change. | No action required. Sync will stop logging this error once change detection detects the file was deleted. |

+| 0x80070003 | -2147942403 | ERROR_PATH_NOT_FOUND | Deletion of a file or directory cannot be synced because the item was already deleted in the destination and sync is not aware of the change. | No action required. Sync will stop logging this error once change detection runs on the destination and sync detects the item was deleted. |

+| 0x80c80205 | -2134375931 | ECS_E_SYNC_ITEM_SKIP | The file or directory was skipped but will be synced during the next sync session. If this error is reported when downloading the item, the file or directory name is more than likely invalid. | No action required if this error is reported when uploading the file. If the error is reported when downloading the file, rename the file or directory in question. See [Handling unsupported characters](?tabs=portal1%252cazure-portal#handling-unsupported-characters) for more information. |

+| 0x800700B7 | -2147024713 | ERROR_ALREADY_EXISTS | Creation of a file or directory cannot be synced because the item already exists in the destination and sync is not aware of the change. | No action required. Sync will stop logging this error once change detection runs on the destination and sync is aware of this new item. |

+| 0x80c8603e | -2134351810 | ECS_E_AZURE_STORAGE_SHARE_SIZE_LIMIT_REACHED | The file cannot be synced because the Azure file share limit is reached. | To resolve this issue, see [You reached the Azure file share storage limit](?tabs=portal1%252cazure-portal#-2134351810) section in the troubleshooting guide. |

+| 0x80c83008 | -2134364152 | ECS_E_CANNOT_CREATE_AZURE_STAGED_FILE | The file cannot be synced because the Azure file share limit is reached. | To resolve this issue, see [You reached the Azure file share storage limit](?tabs=portal1%252cazure-portal#-2134351810) section in the troubleshooting guide. |

+| 0x80c8027C | -2134375812 | ECS_E_ACCESS_DENIED_EFS | The file is encrypted by an unsupported solution (like NTFS EFS). | Decrypt the file and use a supported encryption solution. For a list of support solutions, see the [Encryption](file-sync-planning.md#encryption) section of the planning guide. |

+| 0x80c80283 | -2160591491 | ECS_E_ACCESS_DENIED_DFSRRO | The file is located on a DFS-R read-only replication folder. | File is located on a DFS-R read-only replication folder. Azure Files Sync does not support server endpoints on DFS-R read-only replication folders. See [planning guide](file-sync-planning.md#distributed-file-system-dfs) for more information. |

+| 0x80070005 | -2147024891 | ERROR_ACCESS_DENIED | The file has a delete pending state. | No action required. File will be deleted once all open file handles are closed. |

+| 0x80c86044 | -2134351804 | ECS_E_AZURE_AUTHORIZATION_FAILED | The file cannot be synced because the firewall and virtual network settings on the storage account are enabled and the server does not have access to the storage account. | Add the Server IP address or virtual network by following the steps documented in the [Configure firewall and virtual network settings](file-sync-deployment-guide.md?tabs=azure-portal#optional-configure-firewall-and-virtual-network-settings) section in the deployment guide. |

+| 0x80c80243 | -2134375869 | ECS_E_SECURITY_DESCRIPTOR_SIZE_TOO_LARGE | The file cannot be synced because the security descriptor size exceeds the 64 KiB limit. | To resolve this issue, remove access control entries (ACE) on the file to reduce the security descriptor size. |

+| 0x8000ffff | -2147418113 | E_UNEXPECTED | The file cannot be synced due to an unexpected error. | If the error persists for several days, please open a support case. |

+| 0x80070020 | -2147024864 | ERROR_SHARING_VIOLATION | The file cannot be synced because it's in use. The file will be synced when it's no longer in use. | No action required. |

+| 0x80c80017 | -2134376425 | ECS_E_SYNC_OPLOCK_BROKEN | The file was changed during sync, so it needs to be synced again. | No action required. |

+| 0x80070017 | -2147024873 | ERROR_CRC | The file cannot be synced due to CRC error. This error can occur if a tiered file was not recalled prior to deleting a server endpoint or if the file is corrupt. | To resolve this issue, see [Tiered files are not accessible on the server after deleting a server endpoint](file-sync-troubleshoot-cloud-tiering.md#tiered-files-are-not-accessible-on-the-server-after-deleting-a-server-endpoint) to remove tiered files that are orphaned. If the error continues to occur after removing orphaned tiered files, run [chkdsk](/windows-server/administration/windows-commands/chkdsk) on the volume. |

+| 0x80c80200 | -2134375936 | ECS_E_SYNC_CONFLICT_NAME_EXISTS | The file cannot be synced because the maximum number of conflict files has been reached. Azure File Sync supports 100 conflict files per file. To learn more about file conflicts, see Azure File Sync [FAQ](../files/storage-files-faq.md?toc=%2fazure%2fstorage%2ffilesync%2ftoc.json#afs-conflict-resolution). | To resolve this issue, reduce the number of conflict files. The file will sync once the number of conflict files is less than 100. |

+| 0x80c8027d | -2134375811 | ECS_E_DIRECTORY_RENAME_FAILED | Rename of a directory cannot be synced because files or folders within the directory have open handles. | No action required. The rename of the directory will be synced once all open file handles within the directory are closed. |

+| 0x800700de | -2147024674 | ERROR_BAD_FILE_TYPE | The tiered file on the server is not accessible because it's referencing a version of the file which no longer exists in the Azure file share. | This issue can occur if the tiered file was restored from a backup of the Windows Server. To resolve this issue, restore the file from a snapshot in the Azure file share. |

+### Handling unsupported characters

+If the **FileSyncErrorsReport.ps1** PowerShell script shows per-item sync errors due to unsupported characters (error code 0x8007007b or 0x80c80255), you should remove or rename the characters at fault from the respective file names. PowerShell will likely print these characters as question marks or empty rectangles since most of these characters have no standard visual encoding.

+> [!Note]

+> The [Evaluation Tool](file-sync-planning.md#evaluation-cmdlet) can be used to identify characters that are not supported. If your dataset has several files with invalid characters, use the [ScanUnsupportedChars](https://github.com/Azure-Samples/azure-files-samples/tree/master/ScanUnsupportedChars) script to rename files which contain unsupported characters.

+The table below contains all of the unicode characters Azure File Sync does not yet support.

+| Character set | Character count |

+||--|

+| 0x00000000 - 0x0000001F (control characters) | 32 |

+| 0x0000FDD0 - 0x0000FDDD (arabic presentation forms-a) | 14 |

+| <ul><li>0x00000022 (quotation mark)</li><li>0x0000002A (asterisk)</li><li>0x0000002F (forward slash)</li><li>0x0000003A (colon)</li><li>0x0000003C (less than)</li><li>0x0000003E (greater than)</li><li>0x0000003F (question mark)</li><li>0x0000005C (backslash)</li><li>0x0000007C (pipe or bar)</li></ul> | 9 |

+| <ul><li>0x0004FFFE - 0x0004FFFF = 2 (noncharacter)</li><li>0x0008FFFE - 0x0008FFFF = 2 (noncharacter)</li><li>0x000CFFFE - 0x000CFFFF = 2 (noncharacter)</li><li>0x0010FFFE - 0x0010FFFF = 2 (noncharacter)</li></ul> | 8 |

+| <ul><li>0x0000009D (`osc` operating system command)</li><li>0x00000090 (dcs device control string)</li><li>0x0000008F (ss3 single shift three)</li><li>0x00000081 (high octet preset)</li><li>0x0000007F (del delete)</li><li>0x0000008D (ri reverse line feed)</li></ul> | 6 |

+| 0x0000FFF0, 0x0000FFFD, 0x0000FFFE, 0x0000FFFF (specials) | 4 |

+| Files or directories that end with a period | 1 |

+### Common sync errors

+<a id="-2147023673"></a>**The sync session was canceled.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x800704c7 |

+| **HRESULT (decimal)** | -2147023673 |

+| **Error string** | ERROR_CANCELLED |

+| **Remediation required** | No |

+Sync sessions may fail for various reasons including the server being restarted or updated, VSS snapshots, etc. Although this error looks like it requires follow-up, it is safe to ignore this error unless it persists over a period of several hours.

+<a id="-2147012889"></a>**A connection with the service could not be established.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80072ee7 |

+| **HRESULT (decimal)** | -2147012889 |

+| **Error string** | WININET_E_NAME_NOT_RESOLVED |

+| **Remediation required** | Yes |

+> [!Note]

+> Once network connectivity to the Azure File Sync service is restored, sync may not resume immediately. By default, Azure File Sync will initiate a sync session every 30 minutes if no changes are detected within the server endpoint location. To force a sync session, restart the Storage Sync Agent (FileSyncSvc) service or make a change to a file or directory within the server endpoint location.

+<a id="-2134376372"></a>**The user request was throttled by the service.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c8004c |

+| **HRESULT (decimal)** | -2134376372 |

+| **Error string** | ECS_E_USER_REQUEST_THROTTLED |

+| **Remediation required** | No |

+No action is required; the server will try again. If this error persists for several hours, create a support request.

+<a id="-2134364160"></a>**Sync failed because the operation was aborted**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c83000 |

+| **HRESULT (decimal)** | -2134364160 |

+| **Error string** | ECS_E_OPERATION_ABORTED |

+| **Remediation required** | No |

+No action is required. If this error persists for several hours, create a support request.

+<a id="-2134364043"></a>**Sync is blocked until change detection completes post restore**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c83075 |

+| **HRESULT (decimal)** | -2134364043 |

+| **Error string** | ECS_E_SYNC_BLOCKED_ON_CHANGE_DETECTION_POST_RESTORE |

+| **Remediation required** | No |

+No action is required. When a file or file share (cloud endpoint) is restored using Azure Backup, sync is blocked until change detection completes on the Azure file share. Change detection runs immediately once the restore is complete and the duration is based on the number of files in the file share.

+<a id="-2147216747"></a>**Sync failed because the sync database was unloaded.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80041295 |

+| **HRESULT (decimal)** | -2147216747 |

+| **Error string** | SYNC_E_METADATA_INVALID_OPERATION |

+| **Remediation required** | No |

+This error typically occurs when a backup application creates a VSS snapshot and the sync database is unloaded. If this error persists for several hours, create a support request.

+<a id="-2134364065"></a>**Sync can't access the Azure file share specified in the cloud endpoint.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c8305f |

+| **HRESULT (decimal)** | -2134364065 |

+| **Error string** | ECS_E_EXTERNAL_STORAGE_ACCOUNT_AUTHORIZATION_FAILED |

+| **Remediation required** | Yes |

+This error occurs because the Azure File Sync agent cannot access the Azure file share, which may be because the Azure file share or the storage account hosting it no longer exists. You can troubleshoot this error by working through the following steps:

+1. [Verify the storage account exists.](#troubleshoot-storage-account)

+2. [Ensure the Azure file share exists.](#troubleshoot-azure-file-share)

+3. [Ensure Azure File Sync has access to the storage account.](#troubleshoot-rbac)

+4. [Verify the firewall and virtual network settings on the storage account are configured properly (if enabled)](file-sync-deployment-guide.md?tabs=azure-portal#optional-configure-firewall-and-virtual-network-settings)

+<a id="-2134351804"></a>**Sync failed because the request is not authorized to perform this operation.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c86044 |

+| **HRESULT (decimal)** | -2134351804 |

+| **Error string** | ECS_E_AZURE_AUTHORIZATION_FAILED |

+| **Remediation required** | Yes |

+This error occurs because the Azure File Sync agent is not authorized to access the Azure file share. You can troubleshoot this error by working through the following steps:

+1. [Verify the storage account exists.](#troubleshoot-storage-account)

+2. [Ensure the Azure file share exists.](#troubleshoot-azure-file-share)

+3. [Verify the firewall and virtual network settings on the storage account are configured properly (if enabled)](file-sync-deployment-guide.md?tabs=azure-portal#optional-configure-firewall-and-virtual-network-settings)

+4. [Ensure Azure File Sync has access to the storage account.](#troubleshoot-rbac)

+<a id="-2134364064"></a><a id="cannot-resolve-storage"></a>**The storage account name used could not be resolved.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80C83060 |

+| **HRESULT (decimal)** | -2134364064 |

+| **Error string** | ECS_E_STORAGE_ACCOUNT_NAME_UNRESOLVED |

+| **Remediation required** | Yes |

+1. Check that you can resolve the storage DNS name from the server.

+ ```powershell

+ Test-NetConnection -ComputerName <storage-account-name>.file.core.windows.net -Port 443

+ ```

+2. [Verify the storage account exists.](#troubleshoot-storage-account)

+3. [Verify the firewall and virtual network settings on the storage account are configured properly (if enabled)](file-sync-deployment-guide.md?tabs=azure-portal#optional-configure-firewall-and-virtual-network-settings)

+> [!Note]

+> Once network connectivity to the Azure File Sync service is restored, sync may not resume immediately. By default, Azure File Sync will initiate a sync session every 30 minutes if no changes are detected within the server endpoint location. To force a sync session, restart the Storage Sync Agent (FileSyncSvc) service or make a change to a file or directory within the server endpoint location.

+<a id="-2134364022"></a><a id="storage-unknown-error"></a>**An unknown error occurred while accessing the storage account.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c8308a |

+| **HRESULT (decimal)** | -2134364022 |

+| **Error string** | ECS_E_STORAGE_ACCOUNT_UNKNOWN_ERROR |

+| **Remediation required** | Yes |

+1. [Verify the storage account exists.](#troubleshoot-storage-account)

+2. [Verify the firewall and virtual network settings on the storage account are configured properly (if enabled)](file-sync-deployment-guide.md?tabs=azure-portal#optional-configure-firewall-and-virtual-network-settings)

+<a id="-2134364014"></a>**Sync failed due to storage account locked.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c83092 |

+| **HRESULT (decimal)** | -2134364014 |

+| **Error string** | ECS_E_STORAGE_ACCOUNT_LOCKED |

+| **Remediation required** | Yes |

+This error occurs because the storage account has a read-only [resource lock](../../azure-resource-manager/management/lock-resources.md). To resolve this issue, remove the read-only resource lock on the storage account.

+<a id="-1906441138"></a>**Sync failed due to a problem with the sync database.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x8e5e044e |

+| **HRESULT (decimal)** | -1906441138 |

+| **Error string** | JET_errWriteConflict |

+| **Remediation required** | Yes |

+This error occurs when there is a problem with the internal database used by Azure File Sync. When this issue occurs, create a support request and we will contact you to help you resolve this issue.

+<a id="-2134364053"></a>**The Azure File Sync agent version installed on the server is not supported.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80C8306B |

+| **HRESULT (decimal)** | -2134364053 |

+| **Error string** | ECS_E_AGENT_VERSION_BLOCKED |

+| **Remediation required** | Yes |

+This error occurs if the Azure File Sync agent version installed on the server is not supported. To resolve this issue, [upgrade](file-sync-release-notes.md#azure-file-sync-agent-update-policy) to a [supported agent version](file-sync-release-notes.md#supported-versions).

+<a id="-2134351810"></a>**You reached the Azure file share storage limit.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c8603e |

+| **HRESULT (decimal)** | -2134351810 |

+| **Error string** | ECS_E_AZURE_STORAGE_SHARE_SIZE_LIMIT_REACHED |

+| **Remediation required** | Yes |

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c80249 |

+| **HRESULT (decimal)** | -2134375863 |

+| **Error string** | ECS_E_NOT_ENOUGH_REMOTE_STORAGE |

+| **Remediation required** | Yes |

+Sync sessions fail with either of these errors when the Azure file share storage limit has been reached, which can happen if a quota is applied for an Azure file share or if the usage exceeds the limits for an Azure file share. For more information, see the [current limits for an Azure file share](../files/storage-files-scale-targets.md?toc=%2fazure%2fstorage%2ffilesync%2ftoc.json).

+1. Navigate to the sync group within the Storage Sync Service.

+2. Select the cloud endpoint within the sync group.

+3. Note the Azure file share name in the opened pane.

+4. Select the linked storage account. If this link fails, the referenced storage account has been removed.

+ 

+5. Select **Files** to view the list of file shares.

+6. Click the three dots at the end of the row for the Azure file share referenced by the cloud endpoint.

+7. Verify that the **Usage** is below the **Quota**. Note unless an alternate quota has been specified, the quota will match the [maximum size of the Azure file share](../files/storage-files-scale-targets.md?toc=%2fazure%2fstorage%2ffilesync%2ftoc.json).

+ 

+If the share is full and a quota is not set, one possible way of fixing this issue is to make each subfolder of the current server endpoint into its own server endpoint in their own separate sync groups. This way each subfolder will sync to individual Azure file shares.

+<a id="-2134351824"></a>**The Azure file share cannot be found.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c86030 |

+| **HRESULT (decimal)** | -2134351824 |

+| **Error string** | ECS_E_AZURE_FILE_SHARE_NOT_FOUND |

+| **Remediation required** | Yes |

+This error occurs when the Azure file share is not accessible. To troubleshoot:

+1. [Verify the storage account exists.](#troubleshoot-storage-account)

+2. [Ensure the Azure file share exists.](#troubleshoot-azure-file-share)

+If the Azure file share was deleted, you need to create a new file share and then recreate the sync group.

+<a id="-2134364042"></a>**Sync is paused while this Azure subscription is suspended.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80C83076 |

+| **HRESULT (decimal)** | -2134364042 |

+| **Error string** | ECS_E_SYNC_BLOCKED_ON_SUSPENDED_SUBSCRIPTION |

+| **Remediation required** | Yes |

+This error occurs when the Azure subscription is suspended. Sync will be reenabled when the Azure subscription is restored. See [Why is my Azure subscription disabled and how do I reactivate it?](../../cost-management-billing/manage/subscription-disabled.md) for more information.

+<a id="-2134375618"></a>**The storage account has a firewall or virtual networks configured.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c8033e |

+| **HRESULT (decimal)** | -2134375618 |

+| **Error string** | ECS_E_SERVER_BLOCKED_BY_NETWORK_ACL |

+| **Remediation required** | Yes |

+This error occurs when the Azure file share is inaccessible because of a storage account firewall or because the storage account belongs to a virtual network. Verify the firewall and virtual network settings on the storage account are configured properly. For more information, see [Configure firewall and virtual network settings](file-sync-deployment-guide.md?tabs=azure-portal#optional-configure-firewall-and-virtual-network-settings).

+<a id="-2134375911"></a>**Sync failed due to a problem with the sync database.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c80219 |

+| **HRESULT (decimal)** | -2134375911 |

+| **Error string** | ECS_E_SYNC_METADATA_WRITE_LOCK_TIMEOUT |

+| **Remediation required** | No |

+This error usually resolves itself, and can occur if there are:

+* A high number of file changes across the servers in the sync group.

+* A large number of errors on individual files and directories.

+If this error persists for longer than a few hours, create a support request and we will contact you to help you resolve this issue.

+<a id="-2146762487"></a>**The server failed to establish a secure connection. The cloud service received an unexpected certificate.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x800b0109 |

+| **HRESULT (decimal)** | -2146762487 |

+| **Error string** | CERT_E_UNTRUSTEDROOT |

+| **Remediation required** | Yes |

+This error can happen if your organization is using a TLS terminating proxy or if a malicious entity is intercepting the traffic between your server and the Azure File Sync service. If you are certain that this is expected (because your organization is using a TLS terminating proxy), you skip certificate verification with a registry override.

+1. Create the SkipVerifyingPinnedRootCertificate registry value.

+ ```powershell

+ New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Azure\StorageSync -Name SkipVerifyingPinnedRootCertificate -PropertyType DWORD -Value 1

+ ```

+2. Restart the sync service on the registered server.

+ ```powershell

+ Restart-Service -Name FileSyncSvc -Force

+ ```

+By setting this registry value, the Azure File Sync agent will accept any locally trusted TLS/SSL certificate when transferring data between the server and the cloud service.

+<a id="-2147012894"></a>**A connection with the service could not be established.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80072ee2 |

+| **HRESULT (decimal)** | -2147012894 |

+| **Error string** | WININET_E_TIMEOUT |

+| **Remediation required** | Yes |

+> [!Note]

+> Once network connectivity to the Azure File Sync service is restored, sync may not resume immediately. By default, Azure File Sync will initiate a sync session every 30 minutes if no changes are detected within the server endpoint location. To force a sync session, restart the Storage Sync Agent (FileSyncSvc) service or make a change to a file or directory within the server endpoint location.

+<a id="-2147012721"></a>**Sync failed because the server was unable to decode the response from the Azure File Sync service**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80072f8f |

+| **HRESULT (decimal)** | -2147012721 |

+| **Error string** | WININET_E_DECODING_FAILED |

+| **Remediation required** | Yes |

+This error typically occurs if a network proxy is modifying the response from the Azure File Sync service. Please check your proxy configuration.

+<a id="-2134375680"></a>**Sync failed due to a problem with authentication.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c80300 |

+| **HRESULT (decimal)** | -2134375680 |

+| **Error string** | ECS_E_SERVER_CREDENTIAL_NEEDED |

+| **Remediation required** | Yes |

+This error typically occurs because the server time is incorrect. If the server is running in a virtual machine, verify the time on the host is correct.

+<a id="-2134364040"></a>**Sync failed due to certificate expiration.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c83078 |

+| **HRESULT (decimal)** | -2134364040 |

+| **Error string** | ECS_E_AUTH_SRV_CERT_EXPIRED |

+| **Remediation required** | Yes |

+This error occurs because the certificate used for authentication is expired.

+To confirm the certificate is expired, perform the following steps:

+1. Open the Certificates MMC snap-in, select Computer Account and navigate to Certificates (Local Computer)\Personal\Certificates.

+2. Check if the client authentication certificate is expired.

+If the client authentication certificate is expired, run the following PowerShell command on the server:

+```powershell

+Reset-AzStorageSyncServerCertificate -ResourceGroupName <string> -StorageSyncServiceName <string>

+```

+<a id="-2134375896"></a>**Sync failed due to authentication certificate not found.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c80228 |

+| **HRESULT (decimal)** | -2134375896 |

+| **Error string** | ECS_E_AUTH_SRV_CERT_NOT_FOUND |

+| **Remediation required** | Yes |

+This error occurs because the certificate used for authentication is not found.

+To resolve this issue, run the following PowerShell command on the server:

+```powershell

+Reset-AzStorageSyncServerCertificate -ResourceGroupName <string> -StorageSyncServiceName <string>

+```

+<a id="-2134364039"></a>**Sync failed due to authentication identity not found.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c83079 |

+| **HRESULT (decimal)** | -2134364039 |

+| **Error string** | ECS_E_AUTH_IDENTITY_NOT_FOUND |

+| **Remediation required** | Yes |

+This error occurs because the server endpoint deletion failed and the endpoint is now in a partially deleted state. To resolve this issue, retry deleting the server endpoint.

+<a id="-1906441711"></a><a id="-2134375654"></a><a id="doesnt-have-enough-free-space"></a>**The volume where the server endpoint is located is low on disk space.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x8e5e0211 |

+| **HRESULT (decimal)** | -1906441711 |

+| **Error string** | JET_errLogDiskFull |

+| **Remediation required** | Yes |

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c8031a |

+| **HRESULT (decimal)** | -2134375654 |

+| **Error string** | ECS_E_NOT_ENOUGH_LOCAL_STORAGE |

+| **Remediation required** | Yes |

+Sync sessions fail with one of these errors because either the volume has insufficient disk space or disk quota limit is reached. This error commonly occurs because files outside the server endpoint are using up space on the volume. Free up space on the volume by adding additional server endpoints, moving files to a different volume, or increasing the size of the volume the server endpoint is on. If a disk quota is configured on the volume using [File Server Resource Manager](/windows-server/storage/fsrm/fsrm-overview) or [NTFS quota](/windows-server/administration/windows-commands/fsutil-quota), increase the quota limit.

+<a id="-2134364145"></a><a id="replica-not-ready"></a>**The service is not yet ready to sync with this server endpoint.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c8300f |

+| **HRESULT (decimal)** | -2134364145 |

+| **Error string** | ECS_E_REPLICA_NOT_READY |

+| **Remediation required** | No |

+This error occurs because the cloud endpoint was created with content already existing on the Azure file share. Azure File Sync must scan the Azure file share for all content before allowing the server endpoint to proceed with its initial synchronization.

+<a id="-2134375877"></a><a id="-2134375908"></a><a id="-2134375853"></a>**Sync failed due to problems with many individual files.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c8023b |

+| **HRESULT (decimal)** | -2134375877 |

+| **Error string** | ECS_E_SYNC_METADATA_KNOWLEDGE_SOFT_LIMIT_REACHED |

+| **Remediation required** | Yes |

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c8021c |

+| **HRESULT (decimal)** | -2134375908 |

+| **Error string** | ECS_E_SYNC_METADATA_KNOWLEDGE_LIMIT_REACHED |

+| **Remediation required** | Yes |

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c80253 |

+| **HRESULT (decimal)** | -2134375853 |

+| **Error string** | ECS_E_TOO_MANY_PER_ITEM_ERRORS |

+| **Remediation required** | Yes |

+Sync sessions fail with one of these errors when there are many files that are failing to sync with per-item errors. Perform the steps documented in the [How do I see if there are specific files or folders that are not syncing?](?tabs=portal1%252cazure-portal#how-do-i-see-if-there-are-specific-files-or-folders-that-are-not-syncing) section to resolve the per-item errors. For sync error ECS_E_SYNC_METADATA_KNOWLEDGE_LIMIT_REACHED, please open a support case.

+> [!NOTE]

+> Azure File Sync creates a temporary VSS snapshot once a day on the server to sync files that have open handles.

+<a id="-2134376423"></a>**Sync failed due to a problem with the server endpoint path.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c80019 |

+| **HRESULT (decimal)** | -2134376423 |

+| **Error string** | ECS_E_SYNC_INVALID_PATH |

+| **Remediation required** | Yes |

+Ensure the path exists, is on a local NTFS volume, and is not a reparse point or existing server endpoint.

+<a id="-2134375817"></a>**Sync failed because the filter driver version is not compatible with the agent version**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80C80277 |

+| **HRESULT (decimal)** | -2134375817 |

+| **Error string** | ECS_E_INCOMPATIBLE_FILTER_VERSION |

+| **Remediation required** | Yes |

+This error occurs because the Cloud Tiering filter driver (StorageSync.sys) version loaded is not compatible with the Storage Sync Agent (FileSyncSvc) service. If the Azure File Sync agent was upgraded, restart the server to complete the installation. If the error continues to occur, uninstall the agent, restart the server and reinstall the Azure File Sync agent.

+<a id="-2134376373"></a>**The service is currently unavailable.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c8004b |

+| **HRESULT (decimal)** | -2134376373 |

+| **Error string** | ECS_E_SERVICE_UNAVAILABLE |

+| **Remediation required** | No |

+This error occurs because the Azure File Sync service is unavailable. This error will auto-resolve when the Azure File Sync service is available again.

+> [!Note]

+> Once network connectivity to the Azure File Sync service is restored, sync may not resume immediately. By default, Azure File Sync will initiate a sync session every 30 minutes if no changes are detected within the server endpoint location. To force a sync session, restart the Storage Sync Agent (FileSyncSvc) service or make a change to a file or directory within the server endpoint location.

+<a id="-2146233088"></a>**Sync failed due to an exception.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80131500 |

+| **HRESULT (decimal)** | -2146233088 |

+| **Error string** | COR_E_EXCEPTION |

+| **Remediation required** | No |

+This error occurs because sync failed due to an exception. If the error persists for several hours, please create a support request.

+<a id="-2134364045"></a>**Sync failed because the storage account has failed over to another region.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c83073 |

+| **HRESULT (decimal)** | -2134364045 |

+| **Error string** | ECS_E_STORAGE_ACCOUNT_FAILED_OVER |

+| **Remediation required** | Yes |

+This error occurs because the storage account has failed over to another region. Azure File Sync does not support the storage account failover feature. Storage accounts containing Azure file shares being used as cloud endpoints in Azure File Sync should not be failed over. Doing so will cause sync to stop working and may also cause unexpected data loss in the case of newly tiered files. To resolve this issue, move the storage account to the primary region.

+<a id="-2134375922"></a>**Sync failed due to a transient problem with the sync database.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c8020e |

+| **HRESULT (decimal)** | -2134375922 |

+| **Error string** | ECS_E_SYNC_METADATA_WRITE_LEASE_LOST |

+| **Remediation required** | No |

+This error occurs because of an internal problem with the sync database. This error will auto-resolve when sync retries. If this error continues for an extend period of time, create a support request and we will contact you to help you resolve this issue.

+<a id="-2134364024"></a>**Sync failed due to change in Azure Active Directory tenant**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c83088 |

+| **HRESULT (decimal)** | -2134364024 |

+| **Error string** | ECS_E_INVALID_AAD_TENANT |

+| **Remediation required** | Yes |

+Verify you have the latest Azure File Sync agent version installed and give the Microsoft.StorageSync application access to the storage account (see [Ensure Azure File Sync has access to the storage account](#troubleshoot-rbac)).

+<a id="-2134364010"></a>**Sync failed due to firewall and virtual network exception not configured**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c83096 |

+| **HRESULT (decimal)** | -2134364010 |

+| **Error string** | ECS_E_MGMT_STORAGEACLSBYPASSNOTSET |

+| **Remediation required** | Yes |

+This error occurs if the firewall and virtual network settings are enabled on the storage account and the "Allow trusted Microsoft services to access this storage account" exception is not checked. To resolve this issue, follow the steps documented in the [Configure firewall and virtual network settings](file-sync-deployment-guide.md?tabs=azure-portal#optional-configure-firewall-and-virtual-network-settings) section in the deployment guide.

+<a id="-2147024891"></a>**Sync failed with access denied due to security settings on the storage account or NTFS permissions on the server.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80070005 |

+| **HRESULT (decimal)** | -2147024891 |

+| **Error string** | ERROR_ACCESS_DENIED |

+| **Remediation required** | Yes |

+This error can occur if Azure File Sync cannot access the storage account due to security settings or if the NT AUTHORITY\SYSTEM account does not have permissions to the System Volume Information folder on the volume where the server endpoint is located. Note, if individual files are failing to sync with ERROR_ACCESS_DENIED, perform the steps documented in the [Troubleshooting per file/directory sync errors](?tabs=portal1%252cazure-portal#troubleshooting-per-filedirectory-sync-errors) section.

+1. Verify the **SMB security settings** on the storage account are allowing **SMB 3.1.1** protocol version, **NTLM v2** authentication and **AES-128-GCM** encryption. To check the SMB security settings on the storage account, see [SMB security settings](../files/files-smb-protocol.md#smb-security-settings).

+2. [Verify the firewall and virtual network settings on the storage account are configured properly (if enabled)](file-sync-deployment-guide.md?tabs=azure-portal#optional-configure-firewall-and-virtual-network-settings)

+3. Verify the **NT AUTHORITY\SYSTEM** account has permissions to the System Volume Information folder on the volume where the server endpoint is located by performing the following steps:

+ a. Download [Psexec](/sysinternals/downloads/psexec) tool.

+ b. Run the following command from an elevated command prompt to launch a command prompt using the system account: `PsExec.exe -i -s -d cmd`

+ c. From the command prompt running under the system account, run the following command to confirm the NT AUTHORITY\SYSTEM account does not have access to the System Volume Information folder: `cacls "drive letter:\system volume information" /T /C`

+ d. If the NT AUTHORITY\SYSTEM account does not have access to the System Volume Information folder, run the following command: `cacls "drive letter:\system volume information" /T /E /G "NT AUTHORITY\SYSTEM:F"`

+ - If step #d fails with access denied, run the following command to take ownership of the System Volume Information folder and then repeat step #d: `takeown /A /R /F "drive letter:\System Volume Information"`

+<a id="-2134375810"></a>**Sync failed because the Azure file share was deleted and recreated.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c8027e |

+| **HRESULT (decimal)** | -2134375810 |

+| **Error string** | ECS_E_SYNC_REPLICA_ROOT_CHANGED |

+| **Remediation required** | Yes |

+This error occurs because Azure File Sync does not support deleting and recreating an Azure file share in the same sync group.

+To resolve this issue, delete and recreate the sync group by performing the following steps:

+1. Delete all server endpoints in the sync group.

+2. Delete the cloud endpoint.

+3. Delete the sync group.

+4. If cloud tiering was enabled on a server endpoint, delete the orphaned tiered files on the server by performing the steps documented in the [Tiered files are not accessible on the server after deleting a server endpoint](file-sync-troubleshoot-cloud-tiering.md#tiered-files-are-not-accessible-on-the-server-after-deleting-a-server-endpoint) section.

+5. Recreate the sync group.

+<a id="-2134375852"></a>**Sync detected the replica has been restored to an older state**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c80254 |

+| **HRESULT (decimal)** | -2134375852 |

+| **Error string** | ECS_E_SYNC_REPLICA_BACK_IN_TIME |

+| **Remediation required** | No |

+No action is required. This error occurs because sync detected the replica has been restored to an older state. Sync will now enter a reconciliation mode, where it recreates the sync relationship by merging the contents of the Azure file share and the data on the server endpoint. When reconciliation mode is triggered, the process can be very time consuming depending upon the namespace size. Regular synchronization does not happen until the reconciliation finishes, and files that are different (last modified time or size) between the Azure file share and server endpoint will result in file conflicts.

+<a id="-2145844941"></a>**Sync failed because the HTTP request was redirected**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80190133 |

+| **HRESULT (decimal)** | -2145844941 |

+| **Error string** | HTTP_E_STATUS_REDIRECT_KEEP_VERB |

+| **Remediation required** | Yes |

+This error occurs because Azure File Sync does not support HTTP redirection (3xx status code). To resolve this issue, disable HTTP redirect on your proxy server or network device.

+<a id="-2134364027"></a>**A timeout occurred during offline data transfer, but it is still in progress.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c83085 |

+| **HRESULT (decimal)** | -2134364027 |

+| **Error string** | ECS_E_DATA_INGESTION_WAIT_TIMEOUT |

+| **Remediation required** | No |

+This error occurs when a data ingestion operation exceeds the timeout. This error can be ignored if sync is making progress (AppliedItemCount is greater than 0). See [How do I monitor the progress of a current sync session?](#how-do-i-monitor-the-progress-of-a-current-sync-session).

+<a id="-2134375814"></a>**Sync failed because the server endpoint path cannot be found on the server.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80c8027a |

+| **HRESULT (decimal)** | -2134375814 |

+| **Error string** | ECS_E_SYNC_ROOT_DIRECTORY_NOT_FOUND |

+| **Remediation required** | Yes |

+This error occurs if the directory used as the server endpoint path was renamed or deleted. If the directory was renamed, rename the directory back to the original name and restart the Storage Sync Agent service (FileSyncSvc).

+If the directory was deleted, perform the following steps to remove the existing server endpoint and create a new server endpoint using a new path:

+1. Remove the server endpoint in the sync group by following the steps documented in [Remove a server endpoint](file-sync-server-endpoint-delete.md).

+1. Create a new server endpoint in the sync group by following the steps documented in [Add a server endpoint](file-sync-server-endpoint-create.md).

+<a id="-2134375783"></a>**Server endpoint provisioning failed due to an empty server path.**

+| Error | Code |

+|-|-|

+| **HRESULT** | 0x80C80299 |

+| **HRESULT (decimal)** | -2134375783 |

+| **Error string** | ECS_E_SYNC_AUTHORITATIVE_UPLOAD_EMPTY_SET |

+| **Remediation required** | Yes |

+Server endpoint provisioning fails with this error code if these conditions are met:

+* This server endpoint was provisioned with the initial sync mode: [server authoritative](file-sync-server-endpoint-create.md#initial-sync-section)

+* Local server path is empty or contains no items recognized as able to sync.

+This provisioning error protects you from deleting all content that might be available in an Azure file share. Server authoritative upload is a special mode to catch up a cloud location that was already seeded, with the updates from the server location. Review this [migration guide](../files/storage-files-migration-server-hybrid-databox.md) to understand the scenario for which this mode has been built for.

+1. Remove the server endpoint in the sync group by following the steps documented in [Remove a server endpoint](file-sync-server-endpoint-delete.md).

+1. Create a new server endpoint in the sync group by following the steps documented in [Add a server endpoint](file-sync-server-endpoint-create.md).

+### Common troubleshooting steps

+<a id="troubleshoot-storage-account"></a>**Verify the storage account exists.**

+# [Portal](#tab/azure-portal)

+1. Navigate to the sync group within the Storage Sync Service.

+2. Select the cloud endpoint within the sync group.

+3. Note the Azure file share name in the opened pane.

+4. Select the linked storage account. If this link fails, the referenced storage account has been removed.

+ 

+# [PowerShell](#tab/azure-powershell)

+```powershell

+# Variables for you to populate based on your configuration

+$region = "<Az_Region>"

+$resourceGroup = "<RG_Name>"

+$syncService = "<storage-sync-service>"

+$syncGroup = "<sync-group>"

+# Log into the Azure account

+Connect-AzAccount

+# Check to ensure Azure File Sync is available in the selected Azure

+# region.

+$regions = [System.String[]]@()

+Get-AzLocation | ForEach-Object {

+ if ($_.Providers -contains "Microsoft.StorageSync") {

+ $regions += $_.Location

+ }

+}

+if ($regions -notcontains $region) {

+ throw [System.Exception]::new("Azure File Sync is either not available in the " + `

+ " selected Azure Region or the region is mistyped.")

+}

+# Check to ensure resource group exists

+$resourceGroups = [System.String[]]@()

+Get-AzResourceGroup | ForEach-Object {

+ $resourceGroups += $_.ResourceGroupName

+}

+if ($resourceGroups -notcontains $resourceGroup) {

+ throw [System.Exception]::new("The provided resource group $resourceGroup does not exist.")

+}

+# Check to make sure the provided Storage Sync Service

+# exists.

+$syncServices = [System.String[]]@()

+Get-AzStorageSyncService -ResourceGroupName $resourceGroup | ForEach-Object {

+ $syncServices += $_.StorageSyncServiceName

+}

+if ($syncServices -notcontains $syncService) {

+ throw [System.Exception]::new("The provided Storage Sync Service $syncService does not exist.")

+}

+# Check to make sure the provided Sync Group exists

+$syncGroups = [System.String[]]@()

+Get-AzStorageSyncGroup -ResourceGroupName $resourceGroup -StorageSyncServiceName $syncService | ForEach-Object {

+ $syncGroups += $_.SyncGroupName

+}

+if ($syncGroups -notcontains $syncGroup) {

+ throw [System.Exception]::new("The provided sync group $syncGroup does not exist.")

+}

+# Get reference to cloud endpoint

+$cloudEndpoint = Get-AzStorageSyncCloudEndpoint `

+ -ResourceGroupName $resourceGroup `

+ -StorageSyncServiceName $syncService `

+ -SyncGroupName $syncGroup

+# Get reference to storage account

+$storageAccount = Get-AzStorageAccount | Where-Object {

+ $_.Id -eq $cloudEndpoint.StorageAccountResourceId

+}

+if ($storageAccount -eq $null) {

+ throw [System.Exception]::new("The storage account referenced in the cloud endpoint does not exist.")

+}

+```

+<a id="troubleshoot-azure-file-share"></a>**Ensure the Azure file share exists.**

+# [Portal](#tab/azure-portal)

+1. Click **Overview** on the left-hand table of contents to return to the main storage account page.

+2. Select **Files** to view the list of file shares.

+3. Verify the file share referenced by the cloud endpoint appears in the list of file shares (you should have noted this in step 1 above).

+# [PowerShell](#tab/azure-powershell)

+```powershell

+$fileShare = Get-AzStorageShare -Context $storageAccount.Context | Where-Object {

+ $_.Name -eq $cloudEndpoint.AzureFileShareName -and

+ $_.IsSnapshot -eq $false

+}

+if ($fileShare -eq $null) {

+ throw [System.Exception]::new("The Azure file share referenced by the cloud endpoint does not exist")

+}

+```

+<a id="troubleshoot-rbac"></a>**Ensure Azure File Sync has access to the storage account.**

+# [Portal](#tab/azure-portal)

+1. Click **Access control (IAM)** on the left-hand table of contents.

+1. Click the **Role assignments** tab to the list the users and applications (*service principals*) that have access to your storage account.

+1. Verify **Microsoft.StorageSync** or **Hybrid File Sync Service** (old application name) appears in the list with the **Reader and Data Access** role.

+ 

+ If **Microsoft.StorageSync** or **Hybrid File Sync Service** does not appear in the list, perform the following steps:

+ - Click **Add**.

+ - In the **Role** field, select **Reader and Data Access**.

+ - In the **Select** field, type **Microsoft.StorageSync**, select the role and click **Save**.

+# [PowerShell](#tab/azure-powershell)

+```powershell

+$role = Get-AzRoleAssignment -Scope $storageAccount.Id | Where-Object { $_.DisplayName -eq "Microsoft.StorageSync" }

+if ($role -eq $null) {

+ throw [System.Exception]::new("The storage account does not have the Azure File Sync " + `

+ "service principal authorized to access the data within the " + `

+ "referenced Azure file share.")

+}

+```

+## See also

+- [Troubleshoot Azure File Sync sync group management](file-sync-troubleshoot-sync-group-management.md)

+- [Troubleshoot Azure File Sync agent installation and server registration](file-sync-troubleshoot-installation.md)

+- [Troubleshoot Azure File Sync cloud tiering](file-sync-troubleshoot-cloud-tiering.md)

+- [Monitor Azure File Sync](file-sync-monitoring.md)

+- [Troubleshoot Azure Files problems in Windows](../files/storage-troubleshoot-windows-file-connection-problems.md)

+- [Troubleshoot Azure Files problems in Linux](../files/storage-troubleshoot-linux-file-connection-problems.md)

+ Title: Troubleshoot Azure File Sync sync group management | Microsoft Docs

+description: Troubleshoot common issues in managing Azure File Sync sync groups, including cloud endpoint creation and server endpoint creation, deletion, and health.

+# Troubleshoot Azure File Sync sync group management

+A sync group defines the sync topology for a set of files. Endpoints within a sync group are kept in sync with each other. A sync group must contain one cloud endpoint, which represents an Azure file share, and one or more server endpoints, which represents a path on a registered server. This article is designed to help you troubleshoot and resolve issues that you might encounter when managing sync groups.

+## Cloud endpoint creation errors

+<a id="cloud-endpoint-mgmtinternalerror"></a>**Cloud endpoint creation fails, with this error: "MgmtInternalError"**

+This error can occur if the Azure File Sync service cannot access the storage account due to SMB security settings. To enable Azure File Sync to access the storage account, the SMB security settings on the storage account must allow **SMB 3.1.1** protocol version, **NTLM v2** authentication and **AES-128-GCM** encryption. To check the SMB security settings on the storage account, see [SMB security settings](../files/files-smb-protocol.md#smb-security-settings).

+<a id="cloud-endpoint-authfailed"></a>**Cloud endpoint creation fails, with this error: "AuthorizationFailed"**

+This error occurs if your user account doesn't have sufficient rights to create a cloud endpoint.

+To create a cloud endpoint, your user account must have the following Microsoft Authorization permissions:

+* Read: Get role definition

+* Write: Create or update custom role definition

+* Read: Get role assignment

+* Write: Create role assignment

+The following built-in roles have the required Microsoft Authorization permissions:

+* Owner

+* User Access Administrator

+To determine whether your user account role has the required permissions:

+1. In the Azure portal, select **Resource groups**.

+2. Select the resource group where the storage account is located, and then select **Access control (IAM)**.

+3. Select the **Role assignments** tab.

+4. Select the **Role** (for example, Owner or Contributor) for your user account.

+5. In the **Resource Provider** list, select **Microsoft Authorization**.

+ * **Role assignment** should have **Read** and **Write** permissions.

+ * **Role definition** should have **Read** and **Write** permissions.

+<a id="cloud-endpoint-using-share"></a>**Cloud endpoint creation fails, with this error: "The specified Azure FileShare is already in use by a different CloudEndpoint"**

+This error occurs if the Azure file share is already in use by another cloud endpoint.

+If you see this message and the Azure file share currently is not in use by a cloud endpoint, complete the following steps to clear the Azure File Sync metadata on the Azure file share:

+> [!Warning]

+> Deleting the metadata on an Azure file share that is currently in use by a cloud endpoint causes Azure File Sync operations to fail. If you then use this file share for sync in a different sync group, data loss for files in the old sync group is almost certain.

+1. In the Azure portal, go to your Azure file share.  

+2. Right-click the Azure file share, and then select **Edit metadata**.

+3. Right-click **SyncService**, and then select **Delete**.

+## Server endpoint creation and deletion errors

+<a id="-2134375898"></a>**Server endpoint creation fails, with this error: "MgmtServerJobFailed" (Error code: -2134375898 or 0x80c80226)**

+This error occurs if the server endpoint path is on the system volume and cloud tiering is enabled. Cloud tiering is not supported on the system volume. To create a server endpoint on the system volume, disable cloud tiering when creating the server endpoint.

+<a id="-2147024894"></a>**Server endpoint creation fails, with this error: "MgmtServerJobFailed" (Error code: -2147024894 or 0x80070002)**

+This error occurs if the server endpoint path specified is not valid. Verify the server endpoint path specified is a locally attached NTFS volume. Note, Azure File Sync does not support mapped drives as a server endpoint path.

+<a id="-2134375640"></a>**Server endpoint creation fails, with this error: "MgmtServerJobFailed" (Error code: -2134375640 or 0x80c80328)**

+This error occurs if the server endpoint path specified is not an NTFS volume. Verify the server endpoint path specified is a locally attached NTFS volume. Note, Azure File Sync does not support mapped drives as a server endpoint path.

+<a id="-2134347507"></a>**Server endpoint creation fails, with this error: "MgmtServerJobFailed" (Error code: -2134347507 or 0x80c8710d)**

+This error occurs because Azure File Sync does not support server endpoints on volumes, which have a compressed System Volume Information folder. To resolve this issue, decompress the System Volume Information folder. If the System Volume Information folder is the only folder compressed on the volume, perform the following steps:

+1. Download [PsExec](/sysinternals/downloads/psexec) tool.

+2. Run the following command from an elevated command prompt to launch a command prompt running under the system account: **PsExec.exe -i -s -d cmd**

+3. From the command prompt running under the system account, type the following commands and hit enter:

+ **cd /d "drive letter:\System Volume Information"**

+ **compact /u /s**

+<a id="-2134376345"></a>**Server endpoint creation fails, with this error: "MgmtServerJobFailed" (Error code: -2134376345 or 0x80C80067)**

+This error occurs if the limit of server endpoints per server is reached. Azure File Sync currently supports up to 30 server endpoints per server. For more information, see

+[Azure File Sync scale targets](../files/storage-files-scale-targets.md?toc=%2fazure%2fstorage%2ffilesync%2ftoc.json#azure-file-sync-scale-targets).

+<a id="-2134376427"></a>**Server endpoint creation fails, with this error: "MgmtServerJobFailed" (Error code: -2134376427 or 0x80c80015)**

+This error occurs if another server endpoint is already syncing the server endpoint path specified. Azure File Sync does not support multiple server endpoints syncing the same directory or volume.

+<a id="-2160590967"></a>**Server endpoint creation fails, with this error: "MgmtServerJobFailed" (Error code: -2160590967 or 0x80c80077)**

+This error occurs if the server endpoint path contains orphaned tiered files. If a server endpoint was recently removed, wait until the orphaned tiered files cleanup has completed. An Event ID 6662 is logged to the Telemetry event log once the orphaned tiered files cleanup has started. An Event ID 6661 is logged once the orphaned tiered files cleanup has completed and a server endpoint can be recreated using the path. If the server endpoint creation fails after the tiered files cleanup has completed or if Event ID 6661 cannot be found in the Telemetry event log due to event log rollover, remove the orphaned tiered files by performing the steps documented in [Tiered files are not accessible on the server after deleting a server endpoint](file-sync-troubleshoot-cloud-tiering.md#tiered-files-are-not-accessible-on-the-server-after-deleting-a-server-endpoint).

+<a id="-2134347757"></a>**Server endpoint deletion fails, with this error: "MgmtServerJobExpired" (Error code: -2134347757 or 0x80c87013)**

+This error occurs if the server is offline or doesn't have network connectivity. If the server is no longer available, unregister the server in the portal, which will delete the server endpoints. To delete the server endpoints, follow the steps that are described in [Unregister a server with Azure File Sync](file-sync-server-registration.md#unregister-the-server-with-storage-sync-service).

+## Server endpoint health

+<a id="server-endpoint-provisioningfailed"></a>**Unable to open server endpoint properties page or update cloud tiering policy**

+This issue can occur if a management operation on the server endpoint fails. If the server endpoint properties page does not open in the Azure portal, updating server endpoint using PowerShell commands from the server may fix this issue.

+```powershell

+# Get the server endpoint id based on the server endpoint DisplayName property

+Get-AzStorageSyncServerEndpoint `

+ -ResourceGroupName myrgname `

+ -StorageSyncServiceName storagesvcname `

+ -SyncGroupName mysyncgroup | `

+Tee-Object -Variable serverEndpoint

+# Update the free space percent policy for the server endpoint

+Set-AzStorageSyncServerEndpoint `

+ -InputObject $serverEndpoint

+ -CloudTiering `

+ -VolumeFreeSpacePercent 60

+```

+<a id="server-endpoint-noactivity"></a>**Server endpoint has a health status of "No Activity" or "Pending" and the server state on the registered servers blade is "Appears offline"**

+This issue can occur if the Storage Sync Monitor process (AzureStorageSyncMonitor.exe) is not running or the server is unable to access the Azure File Sync service.

+On the server that is showing as "Appears offline" in the portal, look at Event ID 9301 in the Telemetry event log (located under Applications and Services\Microsoft\FileSync\Agent in Event Viewer) to determine why the server is unable to access the Azure File Sync service.

+- If **GetNextJob completed with status: 0** is logged, the server can communicate with the Azure File Sync service.

+ - Open Task Manager on the server and verify the Storage Sync Monitor (AzureStorageSyncMonitor.exe) process is running. If the process is not running, first try restarting the server. If restarting the server does not resolve the issue, upgrade to the latest Azure File Sync [agent version](file-sync-release-notes.md).

+- If **GetNextJob completed with status: -2134347756** is logged, the server is unable to communicate with the Azure File Sync service due to a firewall, proxy, or TLS cipher suite order configuration.

+ - If the server is behind a firewall, verify port 443 outbound is allowed. If the firewall restricts traffic to specific domains, confirm the domains listed in the Firewall [documentation](file-sync-firewall-and-proxy.md#firewall) are accessible.

+ - If the server is behind a proxy, configure the machine-wide or app-specific proxy settings by following the steps in the Proxy [documentation](file-sync-firewall-and-proxy.md#proxy).

+ - Use the Test-StorageSyncNetworkConnectivity cmdlet to check network connectivity to the service endpoints. To learn more, see [Test network connectivity to service endpoints](file-sync-firewall-and-proxy.md#test-network-connectivity-to-service-endpoints).

+ - If the TLS cipher suite order is configured on the server, you can use group policy or TLS cmdlets to add cipher suites:

+ - To use group policy, see [Configuring TLS Cipher Suite Order by using Group Policy](/windows-server/security/tls/manage-tls#configuring-tls-cipher-suite-order-by-using-group-policy).

+ - To use TLS cmdlets, see [Configuring TLS Cipher Suite Order by using TLS PowerShell Cmdlets](/windows-server/security/tls/manage-tls#configuring-tls-cipher-suite-order-by-using-tls-powershell-cmdlets).

+

+ Azure File Sync currently supports the following cipher suites for TLS 1.2 protocol:

+ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

+ - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

+ - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

+ - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

+- If **GetNextJob completed with status: -2134347764** is logged, the server is unable to communicate with the Azure File Sync service due to an expired or deleted certificate.

+ - Run the following PowerShell command on the server to reset the certificate used for authentication:

+ ```powershell

+ Reset-AzStorageSyncServerCertificate -ResourceGroupName <string> -StorageSyncServiceName <string>

+ ```

+<a id="endpoint-noactivity-sync"></a>**Server endpoint has a health status of "No Activity" and the server state on the registered servers blade is "Online"**

+A server endpoint health status of "No Activity" means the server endpoint has not logged sync activity in the past two hours.

+To check current sync activity on a server, see [How do I monitor the progress of a current sync session?](file-sync-troubleshoot-sync-errors.md#how-do-i-monitor-the-progress-of-a-current-sync-session)

+A server endpoint may not log sync activity for several hours due to a bug or insufficient system resources. Verify the latest Azure File Sync [agent version](file-sync-release-notes.md) is installed. If the issue persists, open a support request.

+> [!Note]

+> If the server state on the registered servers blade is "Appears Offline," perform the steps documented in the [Server endpoint has a health status of "No Activity" or "Pending" and the server state on the registered servers blade is "Appears offline"](#server-endpoint-noactivity) section.

+## See also

+- [Troubleshoot Azure File Sync sync errors](file-sync-troubleshoot-sync-errors.md)

+- [Troubleshoot Azure File Sync agent installation and server registration](file-sync-troubleshoot-installation.md)

+- [Troubleshoot Azure File Sync cloud tiering](file-sync-troubleshoot-cloud-tiering.md)

+- [Monitor Azure File Sync](file-sync-monitoring.md)

+- [Troubleshoot Azure Files problems in Windows](../files/storage-troubleshoot-windows-file-connection-problems.md)

+- [Troubleshoot Azure Files problems in Linux](../files/storage-troubleshoot-linux-file-connection-problems.md)

+description: Troubleshoot common issues that you might encounter with Azure File Sync, which you can use to transform Windows Server into a quick cache of your Azure file share.

+You can use Azure File Sync to centralize your organization's file shares in Azure Files, while keeping the flexibility, performance, and compatibility of an on-premises file server. This article is designed to help you troubleshoot and resolve issues that you might encounter with your Azure File Sync deployment. We also describe how to collect important logs from the system if a deeper investigation of the issue is required. If you don't see the answer to your question, you can contact us through the following channels (in escalating order):