+- A premium Azure subscription.

+1. Under **Assignments**, select **Users or workload identities**.. Choose the users and groups you want this policy to apply to, then select **Done**.

+# Block legacy authentication with Azure AD with Conditional Access

+To give your users easy access to your cloud apps, Azure Active Directory (Azure AD) supports a broad variety of authentication protocols including legacy authentication. However, legacy authentication doesn't support things like multifactor authentication (MFA). MFA is a common requirement to improve security posture in organizations.

+If you're ready to block legacy authentication to improve your tenant's protection, you can accomplish this goal with Conditional Access. This article explains how you can configure Conditional Access policies that block legacy authentication for all workloads within your tenant.

+> For more Information on implementing support for CBA with Azure AD and modern authentication See: [How to configure Azure AD certificate-based authentication (Preview)](../authentication/how-to-certificate-based-authentication.md). As another option, CBA performed at a federation server can be used with modern authentication.

+If your organization isn't ready to block legacy authentication across the entire organization, you should ensure that sign-ins using legacy authentication aren't bypassing policies that require grant controls such as requiring multifactor authentication or compliant/hybrid Azure AD joined devices. During authentication, legacy authentication clients don't support sending MFA, device compliance, or join state information to Azure AD. Therefore, apply policies with grant controls to all client applications so that legacy authentication based sign-ins that canΓÇÖt satisfy the grant controls are blocked. With the general availability of the client apps condition in August 2020, newly created Conditional Access policies apply to all client apps by default.

+- [How to set up a multifunction device or application to send email using Microsoft 365](/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365)

+- [Enable modern authentication in Exchange Online](/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online)

+- [Enable Modern Authentication for Office 2013 on Windows devices](/office365/admin/security-and-compliance/enable-modern-authentication)

+- [How to configure Exchange Server on-premises to use Hybrid Modern Authentication](/office365/enterprise/configure-exchange-server-for-hybrid-modern-authentication)

+- [How to use Modern Authentication with Skype for Business](/skypeforbusiness/manage/authentication/use-adal)

+When creating Conditional Access policies, administrators have asked for the ability to target or exclude specific devices in their environment. The condition filter for devices gives administrators this capability. Now you can target specific devices using [supported operators and properties for device filters](#supported-operators-and-device-properties-for-filters) and the other available assignment conditions in your Conditional Access policies.

+1. Under **Assignments**, select **Users or workload identities**..

+1. Under **Assignments**, select **Users or workload identities**..

+Custom controls are a preview capability of the Azure Active Directory. When using custom controls, your users are redirected to a compatible service to satisfy authentication requirements outside of Azure Active Directory. To satisfy this control, a user's browser is redirected to the external service, performs any required authentication, and is then redirected back to Azure Active Directory. Azure Active Directory verifies the response and, if the user was successfully authenticated or validated, the user continues in the Conditional Access flow.

+> Custom controls cannot be used with Identity Protection's automation requiring Azure AD Multifactor Authentication, Azure AD self-service password reset (SSPR), satisfying multifactor authentication claim requirements, to elevate roles in Privileged Identity Manager (PIM), as part of Intune device enrollment, or when joining devices to Azure AD.

+Copy the JSON data and then paste it into the related textbox. Don't make any changes to the JSON unless you explicitly understand the change you're making. Making any change could break the connection between the provider and Microsoft and potentially lock you and your users out of your accounts.

+1. Select …

+Custom controls can't be used with Identity Protection's automation requiring Azure AD Multifactor Authentication, Azure AD self-service password reset (SSPR), satisfying multifactor authentication claim requirements, to elevate roles in Privileged Identity Manager (PIM), as part of Intune device enrollment, or when joining devices to Azure AD.

+ Title: Azure Active Directory Conditional Access FAQs

+Policies are enforced for business-to-business (B2B) collaboration users. However, in some cases, a user might not be able to satisfy the policy requirements. For example, a guest user's organization might not support multifactor authentication.

+A Conditional Access policy sets requirements for accessing a service. It's enforced when authentication to that service occurs. The policy isn't set directly on a client application. Instead, it's applied when a client calls a service. For example, a policy set on SharePoint applies to clients calling SharePoint. A policy set on Exchange applies to Outlook. For more information, see the article, [Conditional Access service dependencies](service-dependencies.md) and consider targeting policies to the [Office 365 app](concept-conditional-access-cloud-apps.md#office-365) instead.

+Conditional Access policies apply to all user accounts. This includes user accounts that are used as service accounts. Often, a service account that runs unattended can't satisfy the requirements of a Conditional Access policy. For example, multifactor authentication might be required. Service accounts can be excluded from a policy by using a [user or group exclusion](concept-conditional-access-users-groups.md#exclude-users).

+Currently, Conditional Access policies are selectively enforced on users of iOS and Android devices. Applications on other device platforms are, by default, not affected by the Conditional Access policy for iOS and Android devices. A tenant admin can choose to override the global policy to disallow access to users on platforms that aren't supported.

+To see the affected tabs you must use the Teams web client in Microsoft Edge, Internet Explorer, or Chrome with the Windows 10 Accounts extension installed. Some tabs depend on web authentication, which doesn't work in the Microsoft Teams desktop client when Conditional Access is enabled. Microsoft is working with partners to enable these scenarios. To date, we have enabled scenarios involving Planner, OneNote, and Stream.

+description: Create a custom Conditional Access policy to require administrators to perform multifactor authentication

+Accounts that are assigned administrative rights are targeted by attackers. Requiring multifactor authentication (MFA) on those accounts is an easy way to reduce the risk of those accounts being compromised.

+- **Service accounts** and **service principals**, such as the Azure AD Connect Sync Account. Service accounts are non-interactive accounts that aren't tied to any particular user. They're normally used by back-end services allowing programmatic access to applications, but are also used to sign in to systems for administrative purposes. Service accounts like these should be excluded since MFA can't be completed programmatically. Calls made by service principals aren't blocked by Conditional Access.

+The following steps will help create a Conditional Access policy to require those assigned administrative roles to perform multifactor authentication.

+1. Under **Assignments**, select **Users or workload identities**.

+1. Under **Cloud apps or actions** > **Include**, select **All cloud apps**.

+1. Under **Access controls** > **Grant**, select **Grant access**, **Require multifactor authentication**, and select **Select**.

+description: Create a custom Conditional Access policy to require all users do multifactor authentication

+Organizations that use [Subscription Activation](/windows/deployment/windows-10-subscription-activation) to enable users to ΓÇ£step-upΓÇ¥ from one version of Windows to another, may want to exclude the Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f from their all users all cloud apps MFA policy.

+The following steps will help create a Conditional Access policy to require all users do multifactor authentication.

+1. Under **Assignments**, select **Users or workload identities**.

+ 1. Under **Exclude**, select any applications that don't require multifactor authentication.

+1. Under **Access controls** > **Grant**, select **Grant access**, **Require multifactor authentication**, and select **Select**.

+In the example policy above, an organization may choose to not require multifactor authentication if accessing a cloud app from their corporate network. In this case they could add the following configuration to the policy:

+description: Create a custom Conditional Access policy to require multifactor authentication for Azure management tasks

+These tools can provide highly privileged access to resources that can make the following changes:

+- Alter subscription-wide configurations

+- Service settings

+- Subscription billing

+To protect these privileged resources, Microsoft recommends requiring multifactor authentication for any user accessing these resources. In Azure AD, these tools are grouped together in a suite called [Microsoft Azure Management](concept-conditional-access-cloud-apps.md#microsoft-azure-management). For Azure Government, this suite should be the Azure Government Cloud Management API app.

+* **Service accounts** and **service principals**, such as the Azure AD Connect Sync Account. Service accounts are non-interactive accounts that aren't tied to any particular user. They're normally used by back-end services allowing programmatic access to applications, but are also used to sign in to systems for administrative purposes. Service accounts like these should be excluded since MFA can't be completed programmatically. Calls made by service principals aren't blocked by Conditional Access.

+The following steps will help create a Conditional Access policy to require users who access the [Microsoft Azure Management](concept-conditional-access-cloud-apps.md#microsoft-azure-management) suite do multifactor authentication.

+1. Under **Assignments**, select **Users or workload identities**.

+1. Under **Cloud apps or actions** > **Include**, select **Select apps**, choose **Microsoft Azure Management**, and select **Select**.

+1. Under **Access controls** > **Grant**, select **Grant access**, **Require multifactor authentication**, and select **Select**.

+description: Create a custom Conditional Access policy to Block access

+* **Service accounts** and **service principals**, such as the Azure AD Connect Sync Account. Service accounts are non-interactive accounts that aren't tied to any particular user. They're normally used by back-end services allowing programmatic access to applications, but are also used to sign in to systems for administrative purposes. Service accounts like these should be excluded since MFA can't be completed programmatically. Calls made by service principals aren't blocked by Conditional Access.

+The following steps will help create Conditional Access policies to block access to all apps except for [Office 365](concept-conditional-access-cloud-apps.md#office-365) if users aren't on a trusted network. These policies are put in to [Report-only mode](howto-conditional-access-insights-reporting.md) to start so administrators can determine the impact they'll have on existing users. When administrators are comfortable that the policies apply as they intend, they can switch them to **On**.

+1. Under **Assignments**, select **Users or workload identities**.

+ 1. Under **Exclude**, select **Office 365**, select **Select**.

+ 1. Under **Client apps**, set **Configure** to **Yes**, and select **Done**.

+A second policy is created below to require multifactor authentication or a compliant device for users of Microsoft 365.

+1. Under **Assignments**, select **Users or workload identities**.

+1. Under **Cloud apps or actions** > **Include**, select **Select apps**, choose **Office 365**, and select **Select**.

+ 1. Select **Require multifactor authentication** and **Require device to be marked as compliant** select **Select**.

+The following steps will help create a Conditional Access policy to block legacy authentication requests. This policy is put in to [Report-only mode](howto-conditional-access-insights-reporting.md) to start so administrators can determine the impact they'll have on existing users. When administrators are comfortable that the policy applies as they intend, they can switch to **On** or stage the deployment by adding specific groups and excluding others.

+1. Under **Assignments**, select **Users or workload identities**.

+ 1. Under **Exclude**, select **Users and groups** and choose any accounts that must maintain the ability to use legacy authentication. Exclude at least one account to prevent yourself from being locked out. If you don't exclude any account, you won't be able to create this policy.

+1. Under **Assignments**, select **Users or workload identities**.

+With the location condition in Conditional Access, you can control access to your cloud apps based on the network location of a user. The location condition is commonly used to block access from countries/regions where your organization knows traffic shouldn't come from.

+ 1. Provide the **IP ranges** or select the **Countries/Regions** for the location you're specifying.

+1. Under **Assignments**, select **Users or workload identities**.

+Securing when and how users register for Azure AD multifactor Authentication and self-service password reset is possible with user actions in a Conditional Access policy. This feature is available to organizations who have enabled the [combined registration](../authentication/concept-registration-mfa-sspr-combined.md). This functionality allows organizations to treat the registration process like any application in a Conditional Access policy and use the full power of Conditional Access to secure the experience. Users signing in to the Microsoft Authenticator app or enabling passwordless phone sign-in are subject to this policy.

+Some organizations in the past may have used trusted network location or device compliance as a means to secure the registration experience. With the addition of [Temporary Access Pass](../authentication/howto-authentication-temporary-access-pass.md) in Azure AD, administrators can provide time-limited credentials to their users that allow them to register from any device or location. Temporary Access Pass credentials satisfy Conditional Access requirements for multifactor authentication.

+The following policy applies to the selected users, who attempt to register using the combined registration experience. The policy requires users to be in a trusted network location, do multifactor authentication or use Temporary Access Pass credentials.

+1. Under **Assignments**, select **Users or workload identities**.

+ 1. Select **Grant access**, **Require multifactor authentication**.

+Administrators will now have to issue Temporary Access Pass credentials to new users so they can satisfy the requirements for multifactor authentication to register. Steps to accomplish this task, are found in the section [Create a Temporary Access Pass in the Azure AD Portal](../authentication/howto-authentication-temporary-access-pass.md#create-a-temporary-access-pass).

+Organizations may choose to require other grant controls with or in place of **Require multifactor authentication** at step 6b. When selecting multiple controls, be sure to select the appropriate radio button toggle to require **all** or **one** of the selected controls when making this change.

+For [guest users](../external-identities/what-is-b2b.md) who need to register for multifactor authentication in your directory you may choose to block registration from outside of [trusted network locations](concept-conditional-access-conditions.md#locations) using the following guide.

+1. Under **Assignments**, select **Users or workload identities**.

+1. Under **Assignments**, select **Users or workload identities**.

+Most users have a normal behavior that can be tracked, when they fall outside of this norm it could be risky to allow them to just sign in. You may want to block that user or maybe just ask them to perform multifactor authentication to prove that they're really who they say they are.

+The Sign-in risk-based policy protects users from registering MFA in risky sessions. If users aren't registered for MFA, their risky sign-ins will get blocked, and they see an AADSTS53004 error.

+1. Under **Assignments**, select **Users or workload identities**.

+ 1. Select **Grant access**, **Require multifactor authentication**.

+1. Under **Assignments**, select **Users or workload identities**.

+Use the What-If tool to simulate a sign-in from the user to the target application and other conditions based on how you configured your policy. The authentication session management controls show up in the result of the tool.

+1. Under **Assignments**, select **Users or workload identities**.

+1. Under **Assignments**, select **Users or workload identities**.

+ Title: Migrate a classic Conditional Access policy - Azure Active Directory

+description: This article shows how to migrate a classic Conditional Access policy in the Azure portal.

+This article shows how to migrate a classic policy that requires **multifactor authentication** for a cloud app. Although it isn't a prerequisite, we recommend that you read [Migrate classic policies in the Azure portal](policy-migration.md) before you start migrating your classic policies.

+For examples of common policies and their configuration in the Azure portal, see the article [Common Conditional Access policies](concept-conditional-access-policy-common.md).

+To disable your classic policy, select **Disable** in the **Details** view.

+Consider migrating the policies you haven't created in the Azure portal because:

+- You can now address scenarios you couldn't handle before.

+In the [Azure portal](https://portal.azure.com), Conditional Access policies can be found under **Azure Active Directory** > **Security** > **Conditional Access**. Your organization might also have older Conditional Access policies not created using this page. These policies are known as *classic policies*. Classic policies are Conditional Access policies, you've created in:

+A consolidation into one new policy is also not possible if your classic policies contain several conditions. A new policy that has **Exchange Active Sync** as client apps condition configured doesn't support other conditions:

+If you have a new policy that has **Exchange Active Sync** as client apps condition configured, you need to make sure that all other conditions aren't configured.

+- Several requirements for granting access are configured

+- If you're ready to configure Conditional Access policies for your environment, see the article [How To: Plan your Conditional Access deployment in Azure Active Directory](plan-conditional-access.md).

+ Title: Troubleshoot Conditional Access policy changes - Azure Active Directory

+- Stream data to Event Hubs

+1. Under **Assignments**, select **Users or workload identities**..

+1. Under **Assignments**, select **Users or workload identities**..

+> Before you enable security defaults, make sure your administrators aren't using older authentication protocols. For more information, see [How to move away from legacy authentication](../conditional-access/block-legacy-authentication.md).

+Azure Active Directory (Azure AD) simplifies how enterprises manage access to groups and applications in Azure AD and other Microsoft web services with a feature called Azure AD access reviews. This article will cover how a designated reviewer performs an access review for members of a group or users with access to an application. If you want to review access to an access package, read [Review access of an access package in Azure AD entitlement management](entitlement-management-access-reviews-review-access.md).

+## Perform access review by using My Access

+You can review access to groups and applications via My Access. My Access is a user-friendly portal for granting, approving, and reviewing access needs.

+### Use email to go to My Access

+> There could be delays in receiving email. In some cases, it could take up to 24 hours. Add azure-noreply@microsoft.com to your safe recipients list to make sure that you're receiving all emails.

+1. Look for an email from Microsoft asking you to review access. Here's an example email message:

+ 

+1. Select the **Start review** link to open the access review.

+### Go directly to My Access

+1. Sign in to My Access at https://myaccess.microsoft.com/.

+2. Select **Access reviews** from the left menu to see a list of pending access reviews assigned to you.

+After you open My Access under **Groups and Apps**, you can see:

+- **Name**: The name of the access review.

+- **Due**: The due date for the review. After this date, denied users could be removed from the group or app being reviewed.

+- **Resource**: The name of the resource under review.

+- **Progress**: The number of users reviewed over the total number of users part of this access review.

+Select the name of an access review to get started.

+

+After it opens, you'll see the list of users in scope for the access review.

+> [!NOTE]

+1. Select one or more users by selecting the circle next to their names.

+1. Select **Approve** or **Deny** on the bar.

+ If you're unsure if a user should continue to have access, you can select **Don't know**. The user gets to keep their access, and your choice is recorded in the audit logs. Keep in mind that any information you provide will be available to other reviewers. They can read your comments and take them into account when they review the request.

+ 

+1. The administrator of the access review might require you to supply a reason for your decision in the **Reason** box, even when a reason is not required. You can still provide a reason for your decision. The information that you include will be available to other approvers for review.

+1. Select **Submit**.

+ You can change your response at any time until the access review has ended. If you want to change your response, select the row and update the response. For example, you can approve a previously denied user or deny a previously approved user.

+ > - If a user is denied access, they aren't removed immediately. The user is removed when the review period has ended or when an administrator stops the review.

+ > - If there are multiple reviewers, the last submitted response is recorded. Consider an example where an administrator designates two reviewers: Alice and Bob. Alice opens the access review first and approves a user's access request. Before the review period ends, Bob opens the access review and denies access on the same request previously approved by Alice. The last decision denying the access is the response that gets recorded.

+To make access reviews easier and faster for you, we also provide recommendations that you can accept with a single selection. There are two ways that the system generates recommendations for the reviewer. One method is by the user's sign-in activity. If a user has been inactive for 30 days or more, the system will recommend that the reviewer deny access.

+The other method is based on the access that the user's peers have. If the user doesn't have the same access as their peers, the system will recommend that the reviewer deny that user access.

+If you have **No sign-in within 30 days** or **Peer outlier** enabled, follow these steps to accept recommendations:

+1. Select one or more users, and then select **Accept recommendations**.

+ 

+ Or to accept recommendations for all unreviewed users, make sure that no users are selected and then select the **Accept recommendations** button on the top bar.

+1. Select **Submit** to accept the recommendations.

+> When you accept recommendations, previous decisions won't be changed.

+If the administrator has enabled multi-stage access reviews, there will be two or three total stages of review. Each stage of review will have a specified reviewer.

+You will either review access manually or accept the recommendations based on sign-in activity for the stage you're assigned as the reviewer.

+If you're the second-stage or third-stage reviewer, you'll also see the decisions made by the reviewers in the prior stages, if the administrator enabled this setting when creating the access review. The decision made by a second-stage or third-stage reviewer will overwrite the previous stage. So, the decision that the second-stage reviewer makes will overwrite the first stage. And the third-stage reviewer's decision will overwrite the second stage.

+ 

+> The next stage of the review won't become active until the duration specified during the access review setup has passed. If the administrator believes a stage is done but the review duration for this stage has not expired yet, they can use the **Stop current stage** button in the overview of the access review in the Azure AD portal. This action will close the active stage and start the next stage.

+### Review access for B2B direct connect users in Teams shared channels and Microsoft 365 groups (preview)

+1. As the reviewer, you should receive an email that requests you to review access for the team or group. Select the link in the email, or go directly to https://myaccess.microsoft.com/.

+1. Follow the instructions in [Review access for one or more users](#review-access-for-one-or-more-users) to make decisions to approve or deny the users access to the teams.

+> Unlike internal users and B2B collaboration users, B2B direct connect users and teams _don't_ have recommendations based on last sign-in activity to make decisions when you perform the review.

+If a team you review has shared channels, all B2B direct connect users and teams that access those shared channels are part of the review. This includes B2B collaboration users and internal users. When a B2B direct connect user or team is denied access in an access review, the user will lose access to every shared channel in the team. To learn more about B2B direct connect users, read [B2B direct connect](../external-identities/b2b-direct-connect-overview.md).

+## Set up what will happen if no action is taken on access review

+When the access review is set up, the administrator has the option to use advanced settings to determine what will happen if a reviewer doesn't respond to an access review request.

+The administrator can set up the review so that if reviewers don't respond at the end of the review period, all unreviewed users can have an automatic decision made on their access. This includes the loss of access to the group or application under review.

+3. Set optional claims for group name configuration.

+After the domain conversion, Azure AD might continue to send some legacy authentication requests from Exchange Online to your AD FS servers for up to four hours. The delay is because the Exchange Online cache for legacy applications authentication can take up to 4 hours to be aware of the cutover from federation to cloud authentication.

+1. Under **Assignments**, select **Users or workload identities**..

+1. Under **Assignments**, select **Users or workload identities**..

+1. Under **Assignments**, select **Users or workload identities**.

+ [  ](./media/tutorial-azure-monitor-stream-logs-to-event-hub/diagnostic-setting-stream-to-event-hub.png#lightbox)

+ 1. Select the Azure subscription and Event Hubs namespace that you want to route the logs to.

+ [ ](./media/tutorial-azure-monitor-stream-logs-to-event-hub/azure-monitor-event-hub-instance.png#lightbox)

+ Title: 'Tutorial: Azure AD SSO integration with 4DX'

+description: Learn how to configure single sign-on between Azure Active Directory and 4DX.

+# Tutorial: Azure AD SSO integration with 4DX

+In this tutorial, you'll learn how to integrate 4DX with Azure Active Directory (Azure AD). When you integrate 4DX with Azure AD, you can:

+* Control in Azure AD who has access to 4DX.

+* Enable your users to be automatically signed-in to 4DX with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* 4DX single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* 4DX supports **IDP** initiated SSO.

+## Add 4DX from the gallery

+To configure the integration of 4DX into Azure AD, you need to add 4DX from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **4DX** in the search box.

+1. Select **4DX** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for 4DX

+Configure and test Azure AD SSO with 4DX using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in 4DX.

+To configure and test Azure AD SSO with 4DX, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure 4DX SSO](#configure-4dx-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create 4DX test user](#create-4dx-test-user)** - to have a counterpart of B.Simon in 4DX that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **4DX** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, the application is pre-configured and the necessary URLs are already pre-populated with Azure. The user needs to save the configuration by clicking the **Save** button.

+1. 4DX application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+1. In addition to above, 4DX application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.

+ | Name | Source Attribute|

+ | | |

+ | companykey | `<unique ID>` |

+ > [!Note]

+ > For this `<unique ID>` of a customer assertion, please reach out to [4DX support team](mailto:support@bahrcode.com).

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up 4DX** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to 4DX.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **4DX**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure 4DX SSO

+To configure single sign-on on **4DX** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [4DX support team](mailto:support@bahrcode.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create 4DX test user

+In this section, you create a user called Britta Simon in 4DX. Work with [4DX support team](mailto:support@bahrcode.com) to add the users in the 4DX platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on Test this application in Azure portal and you should be automatically signed in to the 4DX for which you set up the SSO.

+* You can use Microsoft My Apps. When you click the 4DX tile in the My Apps, you should be automatically signed in to the 4DX for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure 4DX you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Adra by Trintech'

+description: Learn how to configure single sign-on between Azure Active Directory and Adra by Trintech.

+# Tutorial: Azure AD SSO integration with Adra by Trintech

+In this tutorial, you'll learn how to integrate Adra by Trintech with Azure Active Directory (Azure AD). When you integrate Adra by Trintech with Azure AD, you can:

+* Control in Azure AD who has access to Adra by Trintech.

+* Enable your users to be automatically signed-in to Adra by Trintech with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Adra by Trintech single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Adra by Trintech supports **SP** and **IDP** initiated SSO.

+## Add Adra by Trintech from the gallery

+To configure the integration of Adra by Trintech into Azure AD, you need to add Adra by Trintech from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Adra by Trintech** in the search box.

+1. Select **Adra by Trintech** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Adra by Trintech

+Configure and test Azure AD SSO with Adra by Trintech using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Adra by Trintech.

+To configure and test Azure AD SSO with Adra by Trintech, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Adra by Trintech SSO](#configure-adra-by-trintech-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Adra by Trintech test user](#create-adra-by-trintech-test-user)** - to have a counterpart of B.Simon in Adra by Trintech that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Adra by Trintech** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, if you have **Service Provider metadata file** and wish to configure in **IDP** initiated mode, perform the following steps:

+ a. Click **Upload metadata file**.

+ 

+ b. Click on **folder logo** to select the metadata file and click **Upload**.

+ 

+ c. After the metadata file is successfully uploaded, the **Identifier** and **Reply URL** values get auto populated in **Basic SAML Configuration** section.

+ d. In the **Sign-on URL** text box, type the URL:

+ `https://login.adra.com`

+ e. In the **Relay state** text box, type the URL:

+ `https://setup.adra.com`

+ f. In the **Logout URL** text box, type the URL:

+ `https://login.adra.com/Saml/SLOServiceSP`

+ > [!Note]

+ > You will get the **Service Provider metadata file** from the **Configure Adra by Trintech SSO** section, which is explained later in the tutorial. If the **Identifier** and **Reply URL** values do not get auto populated, then fill in the values manually according to your requirement.

+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Adra by Trintech.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Adra by Trintech**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Adra by Trintech SSO

+1. Log in to your Adra by Trintech company site as an administrator.

+1. Go to **Engagement** > **Security** Tab > **Security Policy** > select **Use a federated identity provider** button.

+1. Download the **Service Provider metadata file** by clicking **here** in the Adra page and upload this metadata file in the Azure portal.

+ [  ](./media/adra-by-trintech-tutorial/settings.png#lightbox)

+1. Click on the **Add a new federated identity provider** button and perform the following steps:

+ [  ](./media/adra-by-trintech-tutorial/certificate.png#lightbox)

+ a. Enter a valid **Name** and **Description** values in the textbox.

+ b. In the **Metadata URL** textbox, paste the **App Federation Metadata Url** which you've copied from the Azure portal and click on the **Test URL** button.

+ c. Click **Save** to save the SAML configuration..

+### Create Adra by Trintech test user

+In this section, you create a user called Britta Simon at Adra by Trintech. Work with [Adra by Trintech support team](mailto:support@adra.com) to add the users in the Adra by Trintech platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Adra by Trintech Sign-on URL where you can initiate the login flow.

+* Go to Adra by Trintech Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Adra by Trintech for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Adra by Trintech tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Adra by Trintech for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Adra by Trintech you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+ Title: 'Tutorial: Azure AD SSO integration with Lattice'

+description: Learn how to configure single sign-on between Azure Active Directory and Lattice.

+# Tutorial: Azure AD SSO integration with Lattice

+In this tutorial, you'll learn how to integrate Lattice with Azure Active Directory (Azure AD). When you integrate Lattice with Azure AD, you can:

+* Control in Azure AD who has access to Lattice.

+* Enable your users to be automatically signed-in to Lattice with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Lattice single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Lattice supports **SP** and **IDP** initiated SSO.

+## Add Lattice from the gallery

+To configure the integration of Lattice into Azure AD, you need to add Lattice from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Lattice** in the search box.

+1. Select **Lattice** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Lattice

+Configure and test Azure AD SSO with Lattice using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Lattice.

+To configure and test Azure AD SSO with Lattice, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Lattice SSO](#configure-lattice-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Lattice test user](#create-lattice-test-user)** - to have a counterpart of B.Simon in Lattice that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Lattice** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a URL using the following pattern:

+ `https://router.latticehq.com/sso/<subdomain>/metadata`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://router.latticehq.com/sso/<subdomain>/acs`

+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:

+ In the **Sign-on URL** text box, type the URL:

+ `https://router.latticehq.com/sso/lattice/sp-login-redirect`

+ > [!Note]

+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Lattice support team](mailto:customercare@lattice.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Lattice** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Lattice.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Lattice**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Lattice SSO

+1. Log in to your Lattice company site as an administrator.

+1. Go to **Admin** > **Platform** > **Settings** > **Single sign-on settings** and perform the following steps:

+ 

+ a. In the **XML Metadata** textbox, paste the **Federation Metadata XML** file which you have copied from the Azure portal.

+ b. Click **Save**.

+### Create Lattice test user

+In this section, you create a user called Britta Simon in Lattice. Work with [Lattice support team](mailto:customercare@lattice.com) to add the users in the Lattice platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Lattice Sign-on URL where you can initiate the login flow.

+* Go to Lattice Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Lattice for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Lattice tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Lattice for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Lattice you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Sketch'

+description: Learn how to configure single sign-on between Azure Active Directory and Sketch.

+# Tutorial: Azure AD SSO integration with Sketch

+In this tutorial, you'll learn how to integrate Sketch with Azure Active Directory (Azure AD). When you integrate Sketch with Azure AD, you can:

+* Control in Azure AD who has access to Sketch.

+* Enable your users to be automatically signed-in to Sketch with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Sketch single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Sketch supports **SP** initiated SSO.

+* Sketch supports **Just In Time** user provisioning.

+## Add Sketch from the gallery

+To configure the integration of Sketch into Azure AD, you need to add Sketch from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Sketch** in the search box.

+1. Select **Sketch** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Sketch

+Configure and test Azure AD SSO with Sketch using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Sketch.

+To configure and test Azure AD SSO with Sketch, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Sketch SSO](#configure-sketch-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Sketch test user](#create-sketch-test-user)** - to have a counterpart of B.Simon in Sketch that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Sketch** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a value using the following pattern:

+ `sketch-<uuid_v4>`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://sso.sketch.com/saml/acs?id=<uuid_v4>`

+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:

+ In the **Sign-on URL** text box, type the URL:

+ `https://www.sketch.com`

+ > [!Note]

+ > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Sketch support team](mailto:sso-support@sketch.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. Sketch application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+1. In addition to above, Sketch application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.

+ | Name | Source Attribute|

+ | | |

+ | email | user.mail |

+ | first_name | user.givenname |

+ | surname | user.surname |

+1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up Sketch** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Sketch.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Sketch**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Sketch SSO

+To configure single sign-on on **Sketch** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Sketch support team](mailto:sso-support@sketch.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Sketch test user

+In this section, a user called B.Simon is created in Sketch. Sketch supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Sketch, a new one is created after authentication.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to Sketch Sign-on URL where you can initiate the login flow.

+* Go to Sketch Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Sketch tile in the My Apps, this will redirect to Sketch Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Sketch you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with Skybreathe® Analytics'

+description: Learn how to configure single sign-on between Azure Active Directory and Skybreathe® Analytics.

+# Tutorial: Azure AD SSO integration with Skybreathe® Analytics

+In this tutorial, you'll learn how to integrate Skybreathe® Analytics with Azure Active Directory (Azure AD). When you integrate Skybreathe® Analytics with Azure AD, you can:

+* Control in Azure AD who has access to Skybreathe® Analytics.

+* Enable your users to be automatically signed-in to Skybreathe® Analytics with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* Skybreathe® Analytics single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* Skybreathe® Analytics supports **SP** and **IDP** initiated SSO.

+## Add Skybreathe® Analytics from the gallery

+To configure the integration of Skybreathe® Analytics into Azure AD, you need to add Skybreathe® Analytics from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **Skybreathe® Analytics** in the search box.

+1. Select **Skybreathe® Analytics** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for Skybreathe® Analytics

+Configure and test Azure AD SSO with Skybreathe® Analytics using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Skybreathe® Analytics.

+To configure and test Azure AD SSO with Skybreathe® Analytics, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure Skybreathe Analytics SSO](#configure-skybreathe-analytics-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create Skybreathe Analytics test user](#create-skybreathe-analytics-test-user)** - to have a counterpart of B.Simon in Skybreathe® Analytics that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **Skybreathe® Analytics** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:

+ 1. In the **Identifier** text box, type a URL using the following pattern:

+ `https://auth.skybreathe.com/auth/realms/<ICAO>`

+`

+ 1. In the **Reply URL** text box, type a URL using the following pattern:

+ `https://auth.skybreathe.com/auth/realms/<ICAO>/broker/sbfe-<icao>-idp/endpoint/client/sso`

+1. Click **Set additional URLs** and perform the following steps if you wish to configure the application in SP initiated mode:

+ 1. In the **Reply URL** text box, type a URL using the following pattern:

+ `https://auth.skybreathe.com/auth/realms/<ICAO>/broker/sbfe-<icao>-idp/endpoint`

+ 1. In the **Sign-on URL** text box, type a URL using the following pattern:

+ `https://<domain>.skybreathe.com/saml/login`

+

+ > [!NOTE]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Skybreathe® Analytics Client support team](mailto:support@openairlines.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. Skybreathe® Analytics application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.

+ 

+1. In addition to above, Skybreathe® Analytics application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.

+ | Name | Source Attribute|

+ | | |

+ | firstname | user.givenname |

+ | initials | user.employeeid |

+ | lastname | user.surname |

+ | groups | user.groups |

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Skybreathe® Analytics.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **Skybreathe® Analytics**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure Skybreathe Analytics SSO

+To configure single sign-on on **Skybreathe® Analytics** side, you need to send the **App Federation Metadata Url** to [Skybreathe® Analytics support team](mailto:support@openairlines.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create Skybreathe Analytics test user

+In this section, you create a user called Britta Simon in Skybreathe® Analytics. Work with [Skybreathe® Analytics support team](mailto:support@openairlines.com) to add the users in the Skybreathe® Analytics platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to Skybreathe® Analytics Sign-on URL where you can initiate the login flow.

+* Go to Skybreathe® Analytics Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Skybreathe® Analytics for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the Skybreathe® Analytics tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Skybreathe® Analytics for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure Skybreathe® Analytics you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+ Title: 'Tutorial: Azure AD SSO integration with TigerGraph'

+description: Learn how to configure single sign-on between Azure Active Directory and TigerGraph.

+# Tutorial: Azure AD SSO integration with TigerGraph

+In this tutorial, you'll learn how to integrate TigerGraph with Azure Active Directory (Azure AD). When you integrate TigerGraph with Azure AD, you can:

+* Control in Azure AD who has access to TigerGraph.

+* Enable your users to be automatically signed-in to TigerGraph with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* TigerGraph single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* TigerGraph supports **SP** and **IDP** initiated SSO.

+## Add TigerGraph from the gallery

+To configure the integration of TigerGraph into Azure AD, you need to add TigerGraph from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **TigerGraph** in the search box.

+1. Select **TigerGraph** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for TigerGraph

+Configure and test Azure AD SSO with TigerGraph using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user at TigerGraph.

+To configure and test Azure AD SSO with TigerGraph, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure TigerGraph SSO](#configure-tigergraph-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create TigerGraph test user](#create-tigergraph-test-user)** - to have a counterpart of B.Simon in TigerGraph that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **TigerGraph** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type a URL using the following pattern:

+ `https://<your-tigergraph-hostname>:14240/gsqlserver/gsql/saml/meta`

+ b. In the **Reply URL** textbox, type a URL using the following pattern:

+ `https://<your-tigergraph-hostname>:14240/api/auth/saml/acs`

+ c. In the **Sign-on URL** text box, type a URL using the following pattern:

+ `https://<your-tigergraph-hostname>:14240/#/login`

+ > [!Note]

+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [TigerGraph support team](mailto:support@tigergraph.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up TigerGraph** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to TigerGraph.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **TigerGraph**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure TigerGraph SSO

+To configure single sign-on on **TigerGraph** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [TigerGraph support team](mailto:support@tigergraph.com). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create TigerGraph test user

+In this section, you create a user called Britta Simon at TigerGraph. Work with [TigerGraph support team](mailto:support@tigergraph.com) to add the users in the TigerGraph platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+#### SP initiated:

+* Click on **Test this application** in Azure portal. This will redirect to TigerGraph Sign-on URL where you can initiate the login flow.

+* Go to TigerGraph Sign-on URL directly and initiate the login flow from there.

+#### IDP initiated:

+* Click on **Test this application** in Azure portal and you should be automatically signed in to the TigerGraph for which you set up the SSO.

+You can also use Microsoft My Apps to test the application in any mode. When you click the TigerGraph tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the TigerGraph for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure TigerGraph you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+ Title: 'Tutorial: Azure AD SSO integration with workhub'

+description: Learn how to configure single sign-on between Azure Active Directory and workhub.

+# Tutorial: Azure AD SSO integration with workhub

+In this tutorial, you'll learn how to integrate workhub with Azure Active Directory (Azure AD). When you integrate workhub with Azure AD, you can:

+* Control in Azure AD who has access to workhub.

+* Enable your users to be automatically signed-in to workhub with their Azure AD accounts.

+* Manage your accounts in one central location - the Azure portal.

+## Prerequisites

+To get started, you need the following items:

+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).

+* workhub single sign-on (SSO) enabled subscription.

+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.

+For more information, see [Azure built-in roles](../roles/permissions-reference.md).

+## Scenario description

+In this tutorial, you configure and test Azure AD SSO in a test environment.

+* workhub supports **SP** initiated SSO.

+> [!NOTE]

+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.

+## Add workhub from the gallery

+To configure the integration of workhub into Azure AD, you need to add workhub from the gallery to your list of managed SaaS apps.

+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.

+1. On the left navigation pane, select the **Azure Active Directory** service.

+1. Navigate to **Enterprise Applications** and then select **All Applications**.

+1. To add new application, select **New application**.

+1. In the **Add from the gallery** section, type **workhub** in the search box.

+1. Select **workhub** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for workhub

+Configure and test Azure AD SSO with workhub using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user at workhub.

+To configure and test Azure AD SSO with workhub, perform the following steps:

+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.

+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

+1. **[Configure workhub SSO](#configure-workhub-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create workhub test user](#create-workhub-test-user)** - to have a counterpart of B.Simon in workhub that is linked to the Azure AD representation of user.

+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.

+## Configure Azure AD SSO

+Follow these steps to enable Azure AD SSO in the Azure portal.

+1. In the Azure portal, on the **workhub** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Select a single sign-on method** page, select **SAML**.

+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.

+ 

+1. On the **Basic SAML Configuration** section, perform the following steps:

+ a. In the **Identifier** textbox, type the URL:

+ `https://ainz-okal-gown.firebaseapp.com/__/auth/handler`

+ b. In the **Reply URL** textbox, type the URL:

+ `https://ainz-okal-gown.firebaseapp.com/__/auth/handler`

+ c. In the **Sign-on URL** text box, type the URL:

+ `https://admin.workhub.site/sso`

+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.

+ 

+1. On the **Set up workhub** section, copy the appropriate URL(s) based on your requirement.

+ 

+### Create an Azure AD test user

+In this section, you'll create a test user in the Azure portal called B.Simon.

+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.

+1. Select **New user** at the top of the screen.

+1. In the **User** properties, follow these steps:

+ 1. In the **Name** field, enter `B.Simon`.

+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.

+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.

+ 1. Click **Create**.

+### Assign the Azure AD test user

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to workhub.

+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.

+1. In the applications list, select **workhub**.

+1. In the app's overview page, find the **Manage** section and select **Users and groups**.

+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.

+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.

+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.

+1. In the **Add Assignment** dialog, click the **Assign** button.

+## Configure workhub SSO

+To configure single sign-on on **workhub** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [workhub support team](mailto:team_bkp@bitkey.jp). They set this setting to have the SAML SSO connection set properly on both sides.

+### Create workhub test user

+In this section, you create a user called Britta Simon at workhub. Work with [workhub support team](mailto:team_bkp@bitkey.jp) to add the users in the workhub platform. Users must be created and activated before you use single sign-on.

+## Test SSO

+In this section, you test your Azure AD single sign-on configuration with following options.

+* Click on **Test this application** in Azure portal. This will redirect to workhub Sign-on URL where you can initiate the login flow.

+* Go to workhub Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the workhub tile in the My Apps, this will redirect to workhub Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).

+## Next steps

+Once you configure workhub you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).

+We evaluate if workloads are eligible to run on specialized SKUs called **Burstable SKUs** that support variable workload performance requirements and are less expensive than general purpose SKUs. Learn more about burstable SKUs here: [B-series burstable - Azure Virtual Machines](../virtual-machines/sizes-b-series-burstable.md).

+* The use of pod security admission.

+> Currently, Kubernetes environments aren't completely safe for hostile multi-tenant usage. Additional security features, like *Microsoft Defender for Containers* *AppArmor*, *seccomp*,*Pod Security Admission*, or Kubernetes RBAC for nodes, efficiently block exploits.

+| ApiId | string | API entity identifier for current request |

+| ApimSubscriptionId | string | Subscription entity identifier for current request |

+| ApiRevision | string | API revision for current request |

+| BackendId | string | Backend entity identifier for current request |

+| BackendMethod | string | HTTP method of the request sent to a backend |

+| BackendProtocol | string | HTTP protocol version of the request sent to a backend |

+| BackendRequestBody | string | Backend request body |

+| BackendRequestHeaders | dynamic | Collection of HTTP headers sent to a backend |

+| BackendResponseBody | string | Backend response body |

+| BackendResponseCode | int | Code of the HTTP response received from a backend |

+| BackendResponseHeaders | dynamic | Collection of HTTP headers received from a backend |

+| BackendTime | long | Number of milliseconds spent on overall backend I/O (connecting, sending, and receiving bytes) |

+| BackendUrl | string | URL of the request sent to a backend |

+| Cache | string | Status of API Management cache involvement in request processing (hit, miss, none) |

+| CacheTime | long | Number of milliseconds spent on overall API Management cache IO (connecting, sending and receiving bytes) |

+| ClientProtocol | string | HTTP protocol version of the incoming request |

+| ClientTime | long | Number of milliseconds spent on overall client I/O (connecting, sending, and receiving bytes) |

+| ClientTlsVersion | string | TLS version used by client sending request |

+| Errors | dynamic | Collection of error occurred during request processing |

+| IsRequestSuccess | bool | HTTP request completed with response status code within 2xx or 3xx range |

+| LastErrorElapsed | long | Number of milliseconds elapsed since gateway received request until the error occurred |

+| LastErrorMessage | string | Error message |

+| LastErrorReason | string | Error reason |

+| LastErrorScope | string | Scope of the policy document containing policy caused the error |

+| LastErrorSection | string | Section of the policy document containing policy caused the error |

+| LastErrorSource | string | Naming of the policy or processing internal handler caused the error |

+| Method | string | HTTP method of the incoming request |

+| OperationId | string | Operation entity identifier for current request |

+| ProductId | string | Product entity identifier for current request |

+| RequestBody | string | Client request body |

+| RequestHeaders | dynamic | Collection of HTTP headers sent by a client |

+| RequestSize | int | Number of bytes received from a client during request processing |

+| ResponseBody | string | Gateway response body |

+| ResponseCode | int | Status code of the HTTP response sent to a client |

+| ResponseHeaders | dynamic | Collection of HTTP headers sent to a client |

+| ResponseSize | int | Number of bytes sent to a client during request processing |

+| TotalTime | long | Number of milliseconds spent on overall HTTP request (from first byte received by API Management to last byte a client received back) |

+| TraceRecords | dynamic | Records emitted by trace policies |

+| Url | string | URL of the incoming request |

+| UserId | string | User entity identifier for current request |

+After the Azure Database for PostgreSQL server is created, configure access to the server from the web app by adding a firewall rule. This can be done through the Azure portal or the Azure CLI.

+ Title: "How to guide: create and compose custom models with Form Recognizer v2.1"

+description: Learn how to create, compose use, and manage custom models with Form Recognizer v2.1

+recommendations: false

+# Compose custom models v2.1

+> [!NOTE]

+> This how-to guide references Form Recognizer v2.1 . To try Form Recognizer v3.0 , see [Compose custom models v3.0](compose-custom-models-v3.md).

+Form Recognizer uses advanced machine-learning technology to detect and extract information from document images and return the extracted data in a structured JSON output. With Form Recognizer, you can train standalone custom models or combine custom models to create composed models.

+* **Custom models**. Form Recognizer custom models enable you to analyze and extract data from forms and documents specific to your business. Custom models are trained for your distinct data and use cases.

+* **Composed models**. A composed model is created by taking a collection of custom models and assigning them to a single model that encompasses your form types. When a document is submitted to a composed model, the service performs a classification step to decide which custom model accurately represents the form presented for analysis.

+In this article, you'll learn how to create Form Recognizer custom and composed models using our [Form Recognizer Sample Labeling tool](label-tool.md), [REST APIs](quickstarts/client-library.md?branch=main&pivots=programming-language-rest-api#train-a-custom-model), or [client-library SDKs](quickstarts/client-library.md?branch=main&pivots=programming-language-csharp#train-a-custom-model).

+## Sample Labeling tool

+Try extracting data from custom forms using our Sample Labeling tool. You'll need the following resources:

+* An Azure subscriptionΓÇöyou can [create one for free](https://azure.microsoft.com/free/cognitive-services/)

+* A [Form Recognizer instance](https://portal.azure.com/#create/Microsoft.CognitiveServicesFormRecognizer) in the Azure portal. You can use the free pricing tier (`F0`) to try the service. After your resource deploys, select **Go to resource** to get your key and endpoint.

+ :::image type="content" source="media/containers/keys-and-endpoint.png" alt-text="Screenshot: keys and endpoint location in the Azure portal.":::

+> [!div class="nextstepaction"]

+> [Try it](https://fott-2-1.azurewebsites.net/projects/create)

+In the Form Recognizer UI:

+1. Select **Use Custom to train a model with labels and get key value pairs**.

+ :::image type="content" source="media/label-tool/fott-use-custom.png" alt-text="Screenshot of the FOTT tool select custom model option.":::

+1. In the next window, select **New project**:

+ :::image type="content" source="media/label-tool/fott-new-project.png" alt-text="Screenshot of the FOTT tool select new project option.":::

+## Create your models

+The steps for building, training, and using custom and composed models are as follows:

+* [**Assemble your training dataset**](#assemble-your-training-dataset)

+* [**Upload your training set to Azure blob storage**](#upload-your-training-dataset)

+* [**Train your custom model**](#train-your-custom-model)

+* [**Compose custom models**](#create-a-composed-model)

+* [**Analyze documents**](#analyze-documents-with-your-custom-or-composed-model)

+* [**Manage your custom models**](#manage-your-custom-models)

+## Assemble your training dataset

+Building a custom model begins with establishing your training dataset. You'll need a minimum of five completed forms of the same type for your sample dataset. They can be of different file types (jpg, png, pdf, tiff) and contain both text and handwriting. Your forms must follow the [input requirements](build-training-data-set.md#custom-model-input-requirements) for Form Recognizer.

+## Upload your training dataset

+You'll need to [upload your training data](build-training-data-set.md#upload-your-training-data)

+to an Azure blob storage container. If you don't know how to create an Azure storage account with a container, *see* [Azure Storage quickstart for Azure portal](../../storage/blobs/storage-quickstart-blobs-portal.md). You can use the free pricing tier (F0) to try the service, and upgrade later to a paid tier for production.

+## Train your custom model

+You [train your model](./quickstarts/try-sdk-rest-api.md#train-a-custom-model) with labeled data sets. Labeled datasets rely on the prebuilt-layout API, but supplementary human input is included such as your specific labels and field locations. Start with at least five completed forms of the same type for your labeled training data.

+When you train with labeled data, the model uses supervised learning to extract values of interest, using the labeled forms you provide. Labeled data results in better-performing models and can produce models that work with complex forms or forms containing values without keys.

+Form Recognizer uses the [Layout](concept-layout.md) API to learn the expected sizes and positions of typeface and handwritten text elements and extract tables. Then it uses user-specified labels to learn the key/value associations and tables in the documents. We recommend that you use five manually labeled forms of the same type (same structure) to get started when training a new model. Add more labeled data as needed to improve the model accuracy. Form Recognizer enables training a model to extract key value pairs and tables using supervised learning capabilities.

+[Get started with Train with labels](label-tool.md)

+> [!VIDEO https://docs.microsoft.com/Shows/Docs-Azure/Azure-Form-Recognizer/player]

+## Create a composed model

+> [!NOTE]

+> **Model Compose is only available for custom models trained _with_ labels.** Attempting to compose unlabeled models will produce an error.

+With the Model Compose operation, you can assign up to 100 trained custom models to a single model ID. When you call Analyze with the composed model ID, Form Recognizer will first classify the form you submitted, choose the best matching assigned model, and then return results for that model. This operation is useful when incoming forms may belong to one of several templates.

+Using the Form Recognizer Sample Labeling tool, the REST API, or the Client-library SDKs, follow the steps below to set up a composed model:

+1. [**Gather your custom model IDs**](#gather-your-custom-model-ids)

+1. [**Compose your custom models**](#compose-your-custom-models)

+#### Gather your custom model IDs

+Once the training process has successfully completed, your custom model will be assigned a model ID. You can retrieve a model ID as follows:

+### [**Form Recognizer Sample Labeling tool**](#tab/fott)

+When you train models using the [**Form Recognizer Sample Labeling tool**](https://fott-2-1.azurewebsites.net/), the model ID is located in the Train Result window:

+### [**REST API**](#tab/rest-api)

+The [**REST API**](./quickstarts/try-sdk-rest-api.md?pivots=programming-language-rest-api#train-a-custom-model) will return a `201 (Success)` response with a **Location** header. The value of the last parameter in this header is the model ID for the newly trained model:

+### [**Client-library SDKs**](#tab/sdks)

+ The [**client-library SDKs**](./quickstarts/try-sdk-rest-api.md?pivots=programming-language-csharp#train-a-custom-model) return a model object that can be queried to return the trained model ID:

+* C\# | [CustomFormModel Class](/dotnet/api/azure.ai.formrecognizer.training.customformmodel?view=azure-dotnet&preserve-view=true#properties "Azure SDK for .NET")

+* Java | [CustomFormModelInfo Class](/java/api/com.azure.ai.formrecognizer.training.models.customformmodelinfo?view=azure-java-stable&preserve-view=true#methods "Azure SDK for Java")

+* JavaScript | [CustomFormModelInfo interface](/javascript/api/@azure/ai-form-recognizer/customformmodelinfo?view=azure-node-latest&preserve-view=true&branch=main#properties "Azure SDK for JavaScript")

+* Python | [CustomFormModelInfo Class](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer.customformmodelinfo?view=azure-python&preserve-view=true&branch=main#variables "Azure SDK for Python")

+#### Compose your custom models

+After you've gathered your custom models corresponding to a single form type, you can compose them into a single model.

+### [**Form Recognizer Sample Labeling tool**](#tab/fott)

+The **Sample Labeling tool** enables you to quickly get started training models and composing them to a single model ID.

+After you have completed training, compose your models as follows:

+1. On the left rail menu, select the **Model Compose** icon (merging arrow).

+1. In the main window, select the models you wish to assign to a single model ID. Models with the arrows icon are already composed models.

+1. Choose the **Compose button** from the upper-left corner.

+1. In the pop-up window, name your newly composed model and select **Compose**.

+When the operation completes, your newly composed model will appear in the list.

+ :::image type="content" source="media/custom-model-compose.png" alt-text="Screenshot of the model compose window." lightbox="media/custom-model-compose-expanded.png":::

+### [**REST API**](#tab/rest-api)

+Using the **REST API**, you can make a [**Compose Custom Model**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/ComposeDocumentModel) request to create a single composed model from existing models. The request body requires a string array of your `modelIds` to compose and you can optionally define the `modelName`.

+### [**Client-library SDKs**](#tab/sdks)

+Use the programming language code of your choice to create a composed model that will be called with a single model ID. Below are links to code samples that demonstrate how to create a composed model from existing custom models:

+* [**C#/.NET**](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/formrecognizer/Azure.AI.FormRecognizer/samples/Sample_ModelCompose.md).

+* [**Java**](https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/formrecognizer/azure-ai-formrecognizer/src/samples/java/com/azure/ai/formrecognizer/administration/ComposeModel.java).

+* [**JavaScript**](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/formrecognizer/ai-form-recognizer/samples/v3/javascript/createComposedModel.js).

+* [**Python**](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/formrecognizer/azure-ai-formrecognizer/samples/v3.2-beta/sample_compose_model.py)

+## Analyze documents with your custom or composed model

+ The custom form **Analyze** operation requires you to provide the `modelID` in the call to Form Recognizer. You can provide a single custom model ID or a composed model ID for the `modelID` parameter.

+### [**Form Recognizer Sample Labeling tool**](#tab/fott)

+1. On the tool's left-pane menu, select the **Analyze icon** (light bulb).

+1. Choose a local file or image URL to analyze.

+1. Select the **Run Analysis** button.

+1. The tool will apply tags in bounding boxes and report the confidence percentage for each tag.

+### [**REST API**](#tab/rest-api)

+Using the REST API, you can make an [Analyze Document](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument) request to analyze a document and extract key-value pairs and table data.

+### [**Client-library SDKs**](#tab/sdks)

+Using the programming language of your choice to analyze a form or document with a custom or composed model. You'll need your Form Recognizer endpoint, key, and model ID.

+* [**C#/.NET**](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/formrecognizer/Azure.AI.FormRecognizer/samples/Sample_ModelCompose.md)

+* [**Java**](https://github.com/Azure/azure-sdk-for-javocumentFromUrl.java)

+* [**JavaScript**](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/formrecognizer/ai-form-recognizer/samples/v3/javascript/recognizeCustomForm.js)

+* [**Python**](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/formrecognizer/azure-ai-formrecognizer/samples/v3.1/sample_recognize_custom_forms.py)

+Test your newly trained models by [analyzing forms](./quickstarts/try-sdk-rest-api.md#analyze-forms-with-a-custom-model) that weren't part of the training dataset. Depending on the reported accuracy, you may want to do further training to improve the model. You can continue further training to [improve results](label-tool.md#improve-results).

+## Manage your custom models

+You can [manage your custom models](./quickstarts/try-sdk-rest-api.md#manage-custom-models) throughout their lifecycle by viewing a [list of all custom models](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/GetModels) under your subscription, retrieving information about [a specific custom model](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/GetModel), and [deleting custom models](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/DeleteModel) from your account.

+Great! You've learned the steps to create custom and composed models and use them in your Form Recognizer projects and applications.

+## Next steps

+Learn more about the Form Recognizer client library by exploring our API reference documentation.

+> [!div class="nextstepaction"]

+> [Form Recognizer API reference](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)

+>

+ Title: "How to guide: create and compose custom models with Form Recognizer v2.0"

+description: Learn how to create, use, and manage Form Recognizer v2.0 custom and composed models

+recommendations: false

+# Compose custom models v3.0

+> [!NOTE]

+> This how-to guide references Form Recognizer v3.0 . To use Form Recognizer v2.1 , see [Compose custom models v2.1](compose-custom-models-v2-1.md).

+A composed model is created by taking a collection of custom models and assigning them to a single model ID. You can assign up to 100 trained custom models to a single composed model ID. When a document is submitted to a composed model, the service performs a classification step to decide which custom model accurately represents the form presented for analysis. Composed models are useful when you've trained several models and want to group them to analyze similar form types. For example, your composed model might include custom models trained to analyze your supply, equipment, and furniture purchase orders. Instead of manually trying to select the appropriate model, you can use a composed model to determine the appropriate custom model for each analysis and extraction.

+To learn more, see [Composed custom models](concept-composed-models.md).

+In this article, you'll learn how to create and use composed custom models to analyze your forms and documents.

+## Prerequisites

+To get started, you'll need the following resources:

+* **An Azure subscription**. You can [create a free Azure subscription](https://azure.microsoft.com/free/cognitive-services/).

+* **A Form Recognizer instance**. Once you have your Azure subscription, [create a Form Recognizer resource](https://portal.azure.com/#create/Microsoft.CognitiveServicesFormRecognizer) in the Azure portal to get your key and endpoint. If you have an existing Form Recognizer resource, navigate directly to your resource page. You can use the free pricing tier (F0) to try the service, and upgrade later to a paid tier for production.

+ 1. After the resource deploys, select **Go to resource**.

+ 1. Copy the **Keys and Endpoint** values from the Azure portal and paste them in a convenient location, such as *Microsoft Notepad*. You'll need the key and endpoint values to connect your application to the Form Recognizer API.

+ :::image border="true" type="content" source="media/containers/keys-and-endpoint.png" alt-text="Still photo showing how to access resource key and endpoint URL.":::

+ > [!TIP]

+ > For more information, see [**create a Form Recognizer resource**](create-a-form-recognizer-resource.md).

+* **An Azure storage account.** If you don't know how to create an Azure storage account, follow the [Azure Storage quickstart for Azure portal](../../storage/blobs/storage-quickstart-blobs-portal.md). You can use the free pricing tier (F0) to try the service, and upgrade later to a paid tier for production.

+## Create your custom models

+First, you'll need a set of custom models to compose. You can use the Form Recognizer Studio, REST API, or client-library SDKs. The steps are as follows:

+* [**Assemble your training dataset**](#assemble-your-training-dataset)

+* [**Upload your training set to Azure blob storage**](#upload-your-training-dataset)

+* [**Train your custom models**](#train-your-custom-model)

+## Assemble your training dataset

+Building a custom model begins with establishing your training dataset. You'll need a minimum of five completed forms of the same type for your sample dataset. They can be of different file types (jpg, png, pdf, tiff) and contain both text and handwriting. Your forms must follow the [input requirements](build-training-data-set.md#custom-model-input-requirements) for Form Recognizer.

+>[!TIP]

+> Follow these tips to optimize your data set for training:

+>

+> * If possible, use text-based PDF documents instead of image-based documents. Scanned PDFs are handled as images.

+> * For filled-in forms, use examples that have all of their fields filled in.

+> * Use forms with different values in each field.

+> * If your form images are of lower quality, use a larger data set (10-15 images, for example).

+See [Build a training data set](./build-training-data-set.md) for tips on how to collect your training documents.

+## Upload your training dataset

+When you've gathered a set of training documents, you'll need to [upload your training data](build-training-data-set.md#upload-your-training-data) to an Azure blob storage container.

+If you want to use manually labeled data, you'll also have to upload the *.labels.json* and *.ocr.json* files that correspond to your training documents.

+## Train your custom model

+When you [train your model](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects) with labeled data, the model uses supervised learning to extract values of interest, using the labeled forms you provide. Labeled data results in better-performing models and can produce models that work with complex forms or forms containing values without keys.

+Form Recognizer uses the [prebuilt-layout model](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument) API to learn the expected sizes and positions of typeface and handwritten text elements and extract tables. Then it uses user-specified labels to learn the key/value associations and tables in the documents. We recommend that you use five manually labeled forms of the same type (same structure) to get started with training a new model. Then, add more labeled data, as needed, to improve the model accuracy. Form Recognizer enables training a model to extract key-value pairs and tables using supervised learning capabilities.

+### [Form Recognizer Studio](#tab/studio)

+To create custom models, start with configuring your project:

+1. From the Studio homepage, select [**Create new**](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects) from the Custom model card.

+1. Use the Γ₧ò **Create a project** command to start the new project configuration wizard.

+1. Enter project details, select the Azure subscription and resource, and the Azure Blob storage container that contains your data.

+1. Review and submit your settings to create the project.

+While creating your custom models, you may need to extract data collections from your documents. The collections may appear one of two formats. Using tables as the visual pattern:

+* Dynamic or variable count of values (rows) for a given set of fields (columns)

+* Specific collection of values for a given set of fields (columns and/or rows)

+See [Form Recognizer Studio: labeling as tables](quickstarts/try-v3-form-recognizer-studio.md#labeling-as-tables)

+### [REST API](#tab/rest)

+Training with labels leads to better performance in some scenarios. To train with labels, you need to have special label information files (*\<filename\>.pdf.labels.json*) in your blob storage container alongside the training documents.

+Label files contain key-value associations that a user has entered manually. They're needed for labeled data training, but not every source file needs to have a corresponding label file. Source files without labels will be treated as ordinary training documents. We recommend five or more labeled files for reliable training. You can use a UI tool like [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio/customform/projects) to generate these files.

+Once you have your label files, you can include them with by calling the training method with the *useLabelFile* parameter set to `true`.

+### [Client-libraries](#tab/sdks)

+Training with labels leads to better performance in some scenarios. To train with labels, you need to have special label information files (*\<filename\>.pdf.labels.json*) in your blob storage container alongside the training documents. Once you've them, you can call the training method with the *useTrainingLabels* parameter set to `true`.

+|Language |Method|

+|--|--|

+|**C#**|[**StartBuildModel**](/dotnet/api/azure.ai.formrecognizer.documentanalysis.documentmodeladministrationclient.startbuildmodel?view=azure-dotnet#azure-ai-formrecognizer-documentanalysis-documentmodeladministrationclient-startbuildmodel&preserve-view=true)|

+|**Java**| [**beginBuildModel**](/java/api/com.azure.ai.formrecognizer.administration.documentmodeladministrationclient.beginbuildmodel?view=azure-java-preview&preserve-view=true)|

+|**JavaScript** | [**beginBuildModel**](/javascript/api/@azure/ai-form-recognizer/documentmodeladministrationclient?view=azure-node-latest#@azure-ai-form-recognizer-documentmodeladministrationclient-beginbuildmodel&preserve-view=true)|

+| **Python** | [**begin_build_model**](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer.aio.documentmodeladministrationclient?view=azure-python#azure-ai-formrecognizer-aio-documentmodeladministrationclient-begin-build-model&preserve-view=true)

+## Create a composed model

+> [!NOTE]

+> **the `create compose model` operation is only available for custom models trained _with_ labels.** Attempting to compose unlabeled models will produce an error.

+With the [**create compose model**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/ComposeDocumentModel) operation, you can assign up to 100 trained custom models to a single model ID. When analyze documents with a composed model, Form Recognizer first classifies the form you submitted, then chooses the best matching assigned model, and returns results for that model. This operation is useful when incoming forms may belong to one of several templates.

+### [Form Recognizer Studio](#tab/studio)

+Once the training process has successfully completed, you can begin to build your composed model. Here are the steps for creating and using composed models:

+* [**Gather your custom model IDs**](#gather-your-model-ids)

+* [**Compose your custom models**](#compose-your-custom-models)

+* [**Analyze documents**](#analyze-documents)

+* [**Manage your composed models**](#manage-your-composed-models)

+#### Gather your model IDs

+When you train models using the [**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/), the model ID is located in the models menu under a project:

+#### Compose your custom models

+1. Select a custom models project.

+1. In the project, select the ```Models``` menu item.

+1. From the resulting list of models, select the models you wish to compose.

+1. Choose the **Compose button** from the upper-left corner.

+1. In the pop-up window, name your newly composed model and select **Compose**.

+1. When the operation completes, your newly composed model will appear in the list.

+1. Once the model is ready, use the **Test** command to validate it with your test documents and observe the results.

+#### Analyze documents

+The custom model **Analyze** operation requires you to provide the `modelID` in the call to Form Recognizer. You should provide the composed model ID for the `modelID` parameter in your applications.

+#### Manage your composed models

+You can manage your custom models throughout life cycles:

+* Test and validate new documents.

+* Download your model to use in your applications.

+* Delete your model when its lifecycle is complete.

+### [REST API](#tab/rest)

+Once the training process has successfully completed, you can begin to build your composed model. Here are the steps for creating and using composed models:

+* [**Compose your custom models**](#compose-your-custom-models)

+* [**Analyze documents**](#analyze-documents)

+* [**Manage your composed models**](#manage-your-composed-models)

+#### Compose your custom models

+The [compose model API](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/ComposeDocumentModel) accepts a list of model IDs to be composed.

+#### Analyze documents

+To make an [**Analyze document**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument) request, use a unique model name in the request parameters.

+#### Manage your composed models

+You can manage custom models throughout your development needs including [**copying**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/CopyDocumentModelTo), [**listing**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/GetModels), and [**deleting**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/DeleteModel) your models.

+### [Client-libraries](#tab/sdks)

+Once the training process has successfully completed, you can begin to build your composed model. Here are the steps for creating and using composed models:

+* [**Create a composed model**](#create-a-composed-model)

+* [**Analyze documents**](#analyze-documents)

+* [**Manage your composed models**](#manage-your-composed-models)

+#### Create a composed model

+You can use the programming language of your choice to create a composed model:

+| Programming language| Code sample |

+|--|--|

+|**C#** | [Model compose](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/formrecognizer/Azure.AI.FormRecognizer/samples/Sample_ModelCompose.md#create-a-composed-model)

+|**Java** | [Model compose](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/formrecognizer/Azure.AI.FormRecognizer/samples/Sample_ModelCompose.md#create-a-composed-model)

+|**JavaScript** | [Compose model](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/formrecognizer/ai-form-recognizer/samples/v4-beta/javascript/composeModel.js)

+|**Python** | [Create composed model](https://github.com/Azure/azure-sdk-for-python/blob/azure-ai-formrecognizer_3.2.0b3/sdk/formrecognizer/azure-ai-formrecognizer/samples/v3.2-beta/sample_create_composed_model.py)

+#### Analyze documents

+Once you've built your composed model, you can use it to analyze forms and documents. Use your composed `model ID` and let the service decide which of your aggregated custom models fits best according to the document provided.

+|Programming language| Code sample |

+|--|--|

+|**C#** | [Analyze a document with a custom/composed model](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/formrecognizer/Azure.AI.FormRecognizer/samples/Sample_AnalyzeWithCustomModel.md)

+|**Java** | [Analyze forms with your custom/composed model ](https://github.com/Azure/azure-sdk-for-javocumentFromUrl.java)

+|**JavaScript** | [Analyze documents by model ID](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/formrecognizer/ai-form-recognizer/samples/v4-beta/javascript/analyzeReceiptByModelId.js)

+|**Python** | [Analyze custom documents](https://github.com/Azure/azure-sdk-for-python/blob/azure-ai-formrecognizer_3.2.0b3/sdk/formrecognizer/azure-ai-formrecognizer/samples/v3.2-beta/sample_analyze_custom_documents.py)

+## Manage your composed models

+You can manage a custom model at each stage in its life cycles. You can view a list of all custom models under your subscription, retrieve information about a specific custom model, and delete custom models from your account.

+|Programming language| Code sample |

+|--|--|

+|**C#** | [Analyze a document with a custom/composed model](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/formrecognizer/Azure.AI.FormRecognizer/samples/Sample_AnalyzeWithCustomModel.md)|

+|**Java** | [Custom model management operations](https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/formrecognizer/azure-ai-formrecognizer/src/samples/java/com/azure/ai/formrecognizer/administration/ManageCustomModels.java)|

+|**JavaScript** | [Get model types and schema](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/formrecognizer/ai-form-recognizer/samples/v4-beta/javascript/getModel.js)|

+|**Python** | [Manage models](https://github.com/Azure/azure-sdk-for-python/blob/azure-ai-formrecognizer_3.2.0b3/sdk/formrecognizer/azure-ai-formrecognizer/samples/v3.2-beta/sample_manage_models.py)|

+## Next steps

+Try one of our Form Recognizer quickstarts:

+> [!div class="nextstepaction"]

+> [Form Recognizer Studio](quickstarts/try-v3-form-recognizer-studio.md)

+> [!div class="nextstepaction"]

+> [REST API](quickstarts/get-started-v3-sdk-rest-api.md)

+> [!div class="nextstepaction"]

+> [C#](quickstarts/get-started-v3-sdk-rest-api.md#prerequisites)

+> [!div class="nextstepaction"]

+> [Java](quickstarts/get-started-v3-sdk-rest-api.md)

+> [!div class="nextstepaction"]

+> [JavaScript](quickstarts/get-started-v3-sdk-rest-api.md)

+> [!div class="nextstepaction"]

+> [Python](quickstarts/get-started-v3-sdk-rest-api.md)

+Confidence scores have two data points: the field level confidence score and the text extraction confidence score. In addition to the field confidence of position and span, the text extraction confidence in the ```pages``` section of the response is the model's confidence in the text extraction (OCR) process. The two confidence scores should be combined to generate one overall confidence score.

+ * If the documents are dissimilar, split your training data into different folders and train a model for each variation. You can then [compose](compose-custom-models-v2-1.md#create-a-composed-model) the different variations into a single model.

+The following tools are supported by Form Recognizer v3.0:

+| Feature | Resources | Model ID |

+|-|-|--|

+|**Business card model**| <ul><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com)</li><li>[**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)</li><li>[**C# SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**Python SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**Java SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**JavaScript SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li></ul>|**prebuilt-businessCard**|

+#### Form Recognizer Studio

+> Form Recognizer studio is available with the v3.0 API.

+## Field extractions

+## Form Recognizer v3.0

+ Form Recognizer v3.0 introduces several new features and capabilities.

+* Follow our [**Form Recognizer v3.0 migration guide**](v3-migration-guide.md) to learn how to use the v3.0 version in your applications and workflows.

+* Explore our [**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument) to learn more about the v3.0 version and new capabilities.

+ > [Form Recognizer API v3.0](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)

+* ```Custom form```and ```Custom document``` models can be composed together into a single composed model when they're trained with the same API version or an API version later than ```2022-08-31```. For more information on composing custom template and custom neural models, see [compose model limits](#compose-model-limits).

+ |Custom model type | API Version |Custom form `2022-08-31` (v3.0)| Custom document `2022-08-31` (v3.0) | Custom form GA version (v2.1) or earlier|

+|**Custom template** (updated custom form)| v3.0 | &#10033;| Γ£ô | X |

+|**Custom neural**| trained with current API version (`2022-08-31`) |Γ£ô |Γ£ô | X |

+The following resources are supported by Form Recognizer **v3.0** :

+|_**Custom model**_| <ul><li>[Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects)</li><li>[REST API](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)</li><li>[C# SDK](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[Java SDK](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[JavaScript SDK](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[Python SDK](quickstarts/get-started-v3-sdk-rest-api.md)</li></ul>|

+| _**Composed model**_| <ul><li>[Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects)</li><li>[REST API](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/ComposeDocumentModel)</li><li>[C# SDK](/dotnet/api/azure.ai.formrecognizer.documentanalysis.documentmodeladministrationclient.startcreatecomposedmodel?view=azure-dotnet&preserve-view=true)</li><li>[Java SDK](/java/api/com.azure.ai.formrecognizer.administration.documentmodeladministrationclient.begincreatecomposedmodel?view=azure-java-stable&preserve-view=true)</li><li>[JavaScript SDK](/javascript/api/@azure/ai-form-recognizer/documentmodeladministrationclient?view=azure-node-latest#@azure-ai-form-recognizer-documentmodeladministrationclient-begincomposemodel&preserve-view=true)</li><li>[Python SDK](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer.formtrainingclient?view=azure-python#azure-ai-formrecognizer-formtrainingclient-begin-create-composed-model&preserve-view=true)</li></ul>|

+> [**Form Recognizer v2.1**](compose-custom-models-v2-1.md)

+With the release of API versions **2022-06-30-preview** and later, custom neural models will support tabular fields (tables):

+* Models trained with API version 2022-08-31, or later will accept tabular field labels.

+As of August 01, 2022, Form Recognizer custom neural model training will only be available in the following Azure regions until further notice:

+> Use the [**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/CopyDocumentModelTo) or [**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects) to copy a model to another region.

+| Custom document | [Form Recognizer 3.0 ](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)| [Form Recognizer SDK](quickstarts/get-started-v3-sdk-rest-api.md)| [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio)

+https://{endpoint}/formrecognizer/documentModels:build?api-version=2022-08-31

+ > [Form Recognizer API v3.0](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)

+Custom template (formerly custom form) is an easy-to-train model that accurately extracts labeled key-value pairs, selection marks, tables, regions, and signatures from documents. Template models use layout cues to extract values from documents and are suitable to extract fields from highly structured documents with defined visual templates.

+| Supported| Supported | Supported | Supported| Supported |

+With the release of API versions **2022-06-30-preview** and later, custom template models will add support for **cross page** tabular fields (tables):

+Template models are available generally [v3.0 API](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/BuildDocumentModel) and [v2.1 API](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1/operations/AnalyzeWithCustomForm). If you're starting with a new project or have an existing labeled dataset, work with the v3 API and Form Recognizer Studio to train a custom template model.

+| Custom template | [Form Recognizer 3.0 ](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)| [Form Recognizer SDK](quickstarts/get-started-v3-sdk-rest-api.md)| [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio)|

+| Custom template | [Form Recognizer 2.1 ](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1/operations/AnalyzeWithCustomForm)| [Form Recognizer SDK](quickstarts/get-started-v2-1-sdk-rest-api.md?pivots=programming-language-python)| [Form Recognizer Sample labeling tool](https://fott-2-1.azurewebsites.net/)|

+https://{endpoint}/formrecognizer/documentModels:build?api-version=2022-08-31

+| C#/.NET | [DocumentBuildMode Struct](/dotnet/api/azure.ai.formrecognizer.documentanalysis.documentbuildmode?view=azure-dotnet&preserve-view=true#properties) | [Sample_BuildCustomModelAsync.cs](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/formrecognizer/Azure.AI.FormRecognizer/tests/samples/Sample_BuildCustomModelAsync.cs)

+|JavaScript | [DocumentBuildMode type](/javascript/api/@azure/ai-form-recognizer/documentbuildmode?view=azure-node-latest&preserve-view=true)| [buildModel.js](https://github.com/Azure/azure-sdk-for-js/blob/main/sdk/formrecognizer/ai-form-recognizer/samples/v4-beta/javascript/buildModel.js)|

+|Python | [DocumentBuildMode Enum](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer.documentbuildmode?view=azure-python&preserve-view=true#fields)| [sample_build_model.py](https://github.com/Azure/azure-sdk-for-python/blob/azure-ai-formrecognizer_3.2.0b3/sdk/formrecognizer/azure-ai-formrecognizer/samples/v3.2-beta/sample_build_model.py)|

+The following tools are supported by Form Recognizer v3.0:

+|Custom model| <ul><li>[Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio/customform/projects)</li><li>[REST API](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)</li><li>[C# SDK](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[Python SDK](quickstarts/get-started-v3-sdk-rest-api.md)</li></ul>|***custom-model-id***|

+The following tools are supported by Form Recognizer v2.1:

+|Custom model| <ul><li>[Form Recognizer labeling tool](https://fott-2-1.azurewebsites.net)</li><li>[REST API](quickstarts/try-sdk-rest-api.md?pivots=programming-language-rest-api#analyze-forms-with-a-custom-model)</li><li>[Client library SDK](quickstarts/try-sdk-rest-api.md)</li><li>[Form Recognizer Docker container](containers/form-recognizer-container-install-run.md?tabs=custom#run-the-container-with-the-docker-compose-up-command)</li></ul>|***custom-model-id***|

+#### Form Recognizer Studio

+> Form Recognizer Studio is available with the v3.0 API.

+|Custom template| Γ£ö | Γ£ö | Γ£ö | Γ£ö | Γ£ö |

+**Table symbols**: Γ£öΓÇösupported; **n/aΓÇöcurrently unavailable

+| Custom form 2.1 | [Form Recognizer 2.1 GA API](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1/operations/AnalyzeWithCustomForm) | [Form Recognizer SDK](quickstarts/get-started-v2-1-sdk-rest-api.md?pivots=programming-language-python)| [Sample labeling tool](https://fott-2-1.azurewebsites.net/)|

+| Custom template 3.0 | [Form Recognizer 3.0 ](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)| [Form Recognizer SDK](quickstarts/get-started-v3-sdk-rest-api.md)| [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio)|

+| Custom neural | [Form Recognizer 3.0 ](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)| [Form Recognizer SDK](quickstarts/get-started-v3-sdk-rest-api.md)| [Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio)

+ The Form Recognizer v3.0 version introduces more language support for custom models. For a list of supported handwritten and printed text, see [Language support](language-support.md).

+## Form Recognizer v3.0

+ Form Recognizer v3.0 introduces several new features and capabilities:

+* [Form Recognizer v3.0 migration guide](v3-migration-guide.md): This guide shows you how to use the v3.0 version in your applications and workflows.

+* [REST API ](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument): This API shows you more about the v3.0 version and new capabilities.

+|[v3.0 Studio quickstart](quickstarts/try-v3-form-recognizer-studio.md) |[Form Recognizer v3.0 API 2022-08-31](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)|

+| [v2.1 quickstart](quickstarts/get-started-v2-1-sdk-rest-api.md) | [Form Recognizer API v2.1](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v3-0-preview-2/operations/BuildDocumentModel) |

+ Title: "Form Recognizer Studio"

+description: "Concept: Form and document processing, data extraction, and analysis using Form Recognizer Studio "

+# Form Recognizer Studio

+[Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/) is an online tool for visually exploring, understanding, and integrating features from the Form Recognizer service into your applications. Use the [Form Recognizer Studio quickstart](quickstarts/try-v3-form-recognizer-studio.md) to get started analyzing documents with pre-trained models. Build custom template models and reference the models in your applications using the [Python SDK v3.0](quickstarts/get-started-v3-sdk-rest-api.md) and other quickstarts.

+* **Read**: Try out Form Recognizer's Read feature to extract text lines, words, detected languages, and handwritten style if detected. Start with the [Studio Read feature](https://formrecognizer.appliedai.azure.com/studio/read). Explore with sample documents and your documents. Use the interactive visualization and JSON output to understand how the feature works. See the [Read overview](concept-read.md) to learn more and get started with the [Python SDK quickstart for Layout](quickstarts/get-started-v3-sdk-rest-api.md).

+* **Layout**: Try out Form Recognizer's Layout feature to extract text, tables, selection marks, and structure information. Start with the [Studio Layout feature](https://formrecognizer.appliedai.azure.com/studio/layout). Explore with sample documents and your documents. Use the interactive visualization and JSON output to understand how the feature works. See the [Layout overview](concept-layout.md) to learn more and get started with the [Python SDK quickstart for Layout](quickstarts/get-started-v3-sdk-rest-api.md#layout-model).

+* **General Documents**: Try out Form Recognizer's General Documents feature to extract key-value pairs and entities. Start with the [Studio General Documents feature](https://formrecognizer.appliedai.azure.com/studio/document). Explore with sample documents and your documents. Use the interactive visualization and JSON output to understand how the feature works. See the [General Documents overview](concept-general-document.md) to learn more and get started with the [Python SDK quickstart for Layout](quickstarts/get-started-v3-sdk-rest-api.md#general-document-model).

+* **Prebuilt models**: Form Recognizer's pre-built models enable you to add intelligent document processing to your apps and flows without having to train and build your own models. As an example, start with the [Studio Invoice feature](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=invoice). Explore with sample documents and your documents. Use the interactive visualization, extracted fields list, and JSON output to understand how the feature works. See the [Models overview](concept-model-overview.md) to learn more and get started with the [Python SDK quickstart for Prebuilt Invoice](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model).

+* **Custom models**: Form Recognizer's custom models enable you to extract fields and values from models trained with your data, tailored to your forms and documents. Create standalone custom models or combine two or more custom models to create a composed model to extract data from multiple form types. Start with the [Studio Custom models feature](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects). Use the online wizard, labeling interface, training step, and visualizations to understand how the feature works. Test the custom model with your sample documents and iterate to improve the model. See the [Custom models overview](concept-custom.md) to learn more and use the [Form Recognizer v3.0 migration guide](v3-migration-guide.md) to start integrating the new models with your applications.

+* Explore our [**v3.0 SDK quickstarts**](quickstarts/get-started-v3-sdk-rest-api.md) to try the v3.0 features in your applications using the new SDKs.

+* Refer to our [**v3.0 REST API quickstarts**](quickstarts/get-started-v3-sdk-rest-api.md) to try the v3.0features using the new REST API.

+> [Form Recognizer Studio quickstart](quickstarts/try-v3-form-recognizer-studio.md)

+ Title: Form Recognizer general document model

+description: Concepts related to data extraction and analysis using prebuilt general document v3.0 model

+# Form Recognizer general document model

+The General document v3.0 model combines powerful Optical Character Recognition (OCR) capabilities with deep learning models to extract key-value pairs, tables, and selection marks from documents. General document is only available with the v3.0 API. For more information on using the v3.0 API, see our [migration guide](v3-migration-guide.md).

+> The ```2022-06-30``` and later versions of the general document model add support for selection marks.

+| **General document model**|<ul ><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com)</li><li>[**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)</li><li>[**C# SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**Python SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**Java SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**JavaScript SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li></ul>|

+#### Form Recognizer Studio

+> Form Recognizer studio and the general document model are available with the v3.0 API.

+Keys can also exist in isolation when the model detects that a key exists, with no associated value or when processing optional fields. For example, a middle name field may be left blank on a form in some instances. Key-value pairs are spans of text contained in the document. If you have documents where the same value is described in different ways, for example, customer and user, the associated key will be either customer or user, based on context.

+* Follow our [**Form Recognizer v3.0 migration guide**](v3-migration-guide.md) to learn how to use the v3.0 version in your applications and workflows.

+* Explore our [**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument) to learn more about the v3.0 version and new capabilities.

+The ID document model combines Optical Character Recognition (OCR) with deep learning models to analyze and extracts key information from US Drivers Licenses (all 50 states and District of Columbia), international passport biographical pages, US state ID, social security card, green card and more. The API analyzes identity documents, extracts key information, and returns a structured JSON data representation.

+The following tools are supported by Form Recognizer v3.0:

+| Feature | Resources | Model ID |

+|-|-|--|

+|**ID document model**|<ul><li> [**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com)</li><li>[**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)</li><li>[**C# SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**Python SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**Java SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**JavaScript SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li></ul>|**prebuilt-idDocument**|

+Extract data, including name, birth date, machine-readable zone, and expiration date, from ID documents using the Form Recognizer Studio. You'll need the following resources:

+#### Form Recognizer Studio

+> Form Recognizer studio is available with the v3.0 API (API version 2022-08-31 generally available (GA) release)

+## Supported languages and locales

+|ID document| <ul><li>English (United States)ΓÇöen-US (driver's license)</li><li>Biographical pages from international passports</br> (excluding visa and other travel documents)</li><li>English (United States)ΓÇöen-US (state ID)</li><li>English (United States)ΓÇöen-US (social security card)</li><li>English (United States)ΓÇöen-US (Green card)</li></ul></br>|English (United States)ΓÇöen-US|

+## Field extractions

+## Form Recognizer v3.0

+ The Form Recognizer v3.0 introduces several new features and capabilities:

+* The ID Document **2022-06-30** and later releases support the following data extraction from US driver's licenses:

+### ID document field extractions

+| DateOfIssue | Date | Issue date | yyyy-mm-dd |

+| Height | String | Height of the holder. | |

+| Weight | String | Weight of the holder. | |

+| EyeColor | String | Eye color of the holder. | |

+| HairColor | String | Hair color of the holder. | |

+| DocumentDiscriminator | String | Document discriminator is a security code that identifies where and when the license was issued. | |

+| DocumentType | String | Document type, for example, Passport, Driver's License, Social security card and more | "passport" |

+| Address | String | Extracted address, address is also parsed to its components - address, city, state, country, zip code ||

+* Follow our [**Form Recognizer v3.0 migration guide**](v3-migration-guide.md) to learn how to use the v3.0 version in your applications and workflows.

+* Explore our [**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument) to learn more about the v3.0 version and new capabilities.

+ > [Form Recognizer API v3.0](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)

+The following tools are supported by Form Recognizer v3.0:

+| Feature | Resources | Model ID |

+|-|-|--|

+|**Invoice model** | <ul><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com)</li><li>[**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)</li><li>[**C# SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**Python SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**Java SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**JavaScript SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li></ul>|**prebuilt-invoice**|

+See how data, including customer information, vendor details, and line items, is extracted from invoices using the Form Recognizer Studio. You'll need the following resources:

+#### Form Recognizer Studio

+|Invoice | <ul><li>GermanΓÇöde</li></ul>| German (Germany)-de|

+|Invoice | <ul><li>FrenchΓÇöfr</li></ul>| French (France)ΓÇöfr|

+|Invoice | <ul><li>ItalianΓÇöit</li></ul>| Italian (Italy)ΓÇöit|

+|Invoice | <ul><li>PortugueseΓÇöpt</li></ul>| Portuguese (Portugal)ΓÇöpt|

+|Invoice | <ul><li>DutchΓÇönl</li></ul>| Dutch (Netherlands)ΓÇönl|

+### Key-value pairs

+The prebuilt invoice **2022-06-30** and later releases support returns key-value pairs at no extra cost. Key-value pairs are specific spans within the invoice that identify a label or key and its associated response or value. In an invoice, these pairs could be the label and the value the user entered for that field or telephone number. The AI model is trained to extract identifiable keys and values based on a wide variety of document types, formats, and structures.

+## Form Recognizer v3.0

+ The Form Recognizer v3.0 introduces several new features, capabilities, and AI quality improvements to underlying technologies.

+* Follow our [**Form Recognizer v3.0 migration guide**](v3-migration-guide.md) to learn how to use the v3.0 version in your applications and workflows.

+* Explore our [**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument) to learn more about the v3.0 version and new capabilities.

+ > [Form Recognizer API v3.0 ](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)

+|**Layout model**| <ul><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com)</li><li>[**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)</li><li>[**C# SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**Python SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**Java SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**JavaScript SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li></ul>|**prebuilt-layout**|

+The following tools are supported by Form Recognizer v2.1:

+| Feature | Resources |

+|-|-|

+|**Layout API**| <ul><li>[**Form Recognizer labeling tool**](https://fott-2-1.azurewebsites.net/layout-analyze)</li><li>[**REST API**](quickstarts/try-sdk-rest-api.md?pivots=programming-language-rest-api#analyze-layout)</li><li>[**Client-library SDK**](quickstarts/try-sdk-rest-api.md)</li><li>[**Form Recognizer Docker container**](containers/form-recognizer-container-install-run.md?branch=main&tabs=layout#run-the-container-with-the-docker-compose-up-command)</li></ul>|

+### Form Recognizer Studio

+> Form Recognizer studio is available with the v3.0 API.

+```json

+{

+ "words": [

+ {

+ "content": "CONTOSO",

+ "polygon": [

+ 76,

+ 30,

+ 118,

+ 32,

+ 118,

+ 43,

+ 76,

+ 43

+ ],

+ "confidence": 1,

+ "span": {

+ "offset": 0,

+ "length": 7

+ }

+ }

+ ]

+}

+```

+```json

+{

+ "selectionMarks": [

+ {

+ "state": "unselected",

+ "polygon": [

+ 217,

+ 862,

+ 254,

+ 862,

+ 254,

+ 899,

+ 217,

+ 899

+ ],

+ "confidence": 0.995,

+ "span": {

+ "offset": 1421,

+ "length": 12

+ }

+ }

+ ]

+}

+```

+```json

+{

+ "tables": [

+ {

+ "rowCount": 9,

+ "columnCount": 4,

+ "cells": [

+ {

+ "kind": "columnHeader",

+ "rowIndex": 0,

+ "columnIndex": 0,

+ "columnSpan": 4,

+ "content": "(In millions, except earnings per share)",

+ "boundingRegions": [

+ {

+ "pageNumber": 1,

+ "polygon": [

+ 36,

+ 184,

+ 843,

+ 183,

+ 843,

+ 209,

+ 36,

+ 207

+ ]

+ }

+ ],

+ "spans": [

+ {

+ "offset": 511,

+ "length": 40

+ }

+ ]

+ },

+ ]

+ }

+ .

+ .

+ .

+ ]

+}

+```

+```json

+{

+ "paragraphs": [

+ {

+ "spans": [

+ {

+ "offset": 0,

+ "length": 21

+ }

+ ],

+ "boundingRegions": [

+ {

+ "pageNumber": 1,

+ "polygon": [

+ 75,

+ 30,

+ 118,

+ 31,

+ 117,

+ 68,

+ 74,

+ 67

+ ]

+ }

+ ],

+ "content": "Tuesday, Sep 20, YYYY"

+ }

+ ]

+}

+```

+```json

+{

+ "paragraphs": [

+ {

+ "spans": [

+ {

+ "offset": 22,

+ "length": 10

+ }

+ ],

+ "boundingRegions": [

+ {

+ "pageNumber": 1,

+ "polygon": [

+ 139,

+ 10,

+ 605,

+ 8,

+ 605,

+ 56,

+ 139,

+ 58

+ ]

+ }

+ ],

+ "role": "title",

+ "content": "NEWS TODAY"

+ }

+ ]

+}

+```

+ > [!div class="nextstepaction"]

+ > [Form Recognizer API v3.0](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)

+| [Read](#read) | Extract typeface and handwritten text lines, words, locations, and detected languages.|

+| [General document](#general-document) | Extract text, tables, structure, key-value pairs, and named entities.|

+| [W-2](#w-2) | Extract employee, employer, wage information, etc. from US W-2 forms. |

+### Read

+### W-2

+### General document

+* Version v3.0 also supports single-page hotel receipt processing.

+* Version v3.0 custom model supports signature detection in custom forms (template model) and cross-page tables in both template and neural models.

+| [prebuilt-read](concept-read.md#data-extraction) | Γ£ô | Γ£ô | | | Γ£ô | | | |

+| [prebuilt-tax.us.w2](concept-w2.md#field-extraction) | Γ£ô | | Γ£ô | | Γ£ô | | | Γ£ô |

+| [prebuilt-document](concept-general-document.md#data-extraction)| Γ£ô | | Γ£ô | Γ£ô | Γ£ô | | Γ£ô | |

+| [prebuilt-idDocument](concept-id-document.md#field-extractions) | Γ£ô | | | | Γ£ô | | | Γ£ô |

+| [prebuilt-businessCard](concept-business-card.md#field-extractions) | Γ£ô | | | | Γ£ô | | | Γ£ô |

+Form Recognizer v3.0 includes the new Read Optical Character Recognition (OCR) model. The Read OCR model extracts typeface and handwritten text including mixed languages in documents. The Read OCR model can detect lines, words, locations, and languages and is the core of all other Form Recognizer models. Layout, general document, custom, and prebuilt models all use the Read OCR model as a foundation for extracting texts from documents.

+> [!NOTE]

+>

+> * Only API Version 2022-06-30-preview supports Microsoft Word, Excel, PowerPoint, and HTML file formats in addition to all other document types supported by the GA versions.

+> * For these file formats, Read API ignores the pages parameter and extracts all pages by default. Each embedded image counts as 1 page unit and each worksheet, slide, and page (up to 3000 characters) count as 1 page.

+### Form Recognizer Studio

+> Currently, Form Recognizer Studio doesn't support Microsoft Word, Excel, PowerPoint, and HTML file formats in the Read version v3.0.

+Form Recognizer v3.0 version supports several languages for the read model. *See* our [Language Support](language-support.md) for a complete list of supported handwritten and printed languages.

+> [Form Recognizer API v3.0](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)

+The receipt model combines powerful Optical Character Recognition (OCR) capabilities with deep learning models to analyze and extract key information from sales receipts. Receipts can be of various formats and quality including printed and handwritten receipts. The API extracts key information such as merchant name, merchant phone number, transaction date, tax, and transaction total and returns structured JSON data.

+The following tools are supported by Form Recognizer v3.0:

+| Feature | Resources | Model ID |

+|-|-|--|

+|**Receipt model**| <ul><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com)</li><li>[**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)</li><li>[**C# SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**Python SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li></ul>|**prebuilt-receipt**|

+See how data, including time and date of transactions, merchant information, and amount totals, is extracted from receipts using the Form Recognizer Studio. You'll need the following resources:

+#### Form Recognizer Studio

+> Form Recognizer studio is available with the v3.0 API.

+ | Tax | Number (USD) | Total tax on receipt (often sales tax or equivalent). **Renamed to "TotalTax" in 2022-06-30 version**. | Two-decimal float |

+| Name | String | Item description. **Renamed to "Description" in 2022-06-30 version**. | |

+## Form Recognizer v3.0

+ Form Recognizer v3.0 introduces several new features and capabilities. The **Receipt** model supports single-page hotel receipt processing.

+* Follow our [**Form Recognizer v3.0 migration guide**](v3-migration-guide.md) to learn how to use the v3.0 version in your applications and workflows.

+* Explore our [**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument) to learn more about the v3.0 version and new capabilities.

+ > [Form Recognizer API v3.0](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)

+# Form Recognizer W-2 model | v3.0

+|**W-2 model**|<ul><li> [**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com)</li><li>[**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)</li><li>[**C# SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**Python SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**Java SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**JavaScript SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li></ul>|**prebuilt-tax.us.w2**|

+> Form Recognizer studio is available with v3.0 API.

+* Follow our [**Form Recognizer v3.0 migration guide**](v3-migration-guide.md) to learn how to use the v3.0 version in your applications and workflows.

+* Explore our [**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument) to learn more about the v3.0 version and new capabilities.

+> * [**REST API**](quickstarts/get-started-v3-sdk-rest-api.md)

+> * [**C# SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)

+> * [**Python SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)

+> * [**Java SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)

+> * [**JavaScript**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li></ul>

+Azure Form Recognizer is an Azure Applied AI Service that lets you build automated data processing software using machine-learning technology. Form Recognizer enables you to identify and extract text, key/value pairs, selection marks, table data, and more from your form documents. The results are delivered as structured data that includes the relationships in the original file.

+> [!NOTE]

+>

+The container needs the billing argument values to run. These values allow the container to connect to the billing endpoint. The container reports usage about every 10 to 15 minutes. If the container doesn't connect to Azure within the allowed time window, the container continues to run, but doesn't serve queries until the billing endpoint is restored. The connection is attempted 10 times at the same time interval of 10 to 15 minutes. If it can't connect to the billing endpoint within the 10 tries, the container stops serving requests. See the [Cognitive Services container FAQ](../../../cognitive-services/containers/container-faq.yml#how-does-billing-work) for an example of the information sent to Microsoft for billing.

+1. If your overview page doesn't have the keys and endpoint visible, you can select the **Keys and Endpoint** button, on the left navigation bar, and retrieve them there.

+ * [C#](quickstarts/get-started-v3-sdk-rest-api.md)

+ * [Python](quickstarts/get-started-v3-sdk-rest-api.md)

+ * [Java](quickstarts/get-started-v3-sdk-rest-api.md)

+ * [JavaScript](quickstarts/get-started-v3-sdk-rest-api.md)

+To use your SAS URL with the [REST API](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/BuildDocumentModel), add the SAS URL to the request body:

+> * For an enhanced experience and advanced model quality, try the [Form Recognizer v3.0 Studio ](https://formrecognizer.appliedai.azure.com/studio).

+> * *See* our [**REST API**](quickstarts/get-started-v3-sdk-rest-api.md) or [**C#**](quickstarts/get-started-v3-sdk-rest-api.md), [**Java**](quickstarts/get-started-v3-sdk-rest-api.md), [**JavaScript**](quickstarts/get-started-v3-sdk-rest-api.md), or [Python](quickstarts/get-started-v3-sdk-rest-api.md) SDK quickstarts to get started with the v3.0 version.

+### [Form Recognizer REST API v3.0 ](#tab/v30)

+POST https://{TARGET_FORM_RECOGNIZER_RESOURCE_ENDPOINT}/formrecognizer/documentModels:authorizeCopy?api-version=2022-08-31

+POST {{source-endpoint}}formrecognizer/documentModels/{model-to-be-copied}:copyTo?api-version=2022-08-31

+Operation-Location: https://{source-resource}.cognitiveservices.azure.com/formrecognizer/operations/{operation-id}?api-version=2022-08-31

+### [Form Recognizer REST API v2.1 ](#tab/v21)

+### [Form Recognizer v3.0 ](#tab/v30)

+GET https://{source-resource}.cognitiveservices.azure.com/formrecognizer/operations/{operation-id}?api-version=2022-08-31

+### [Form Recognizer v2.1 ](#tab/v21)

+* [REST API reference documentation](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)

+The studio supports Form Recognizer v3.0 models and v3.0 model training. Previously trained v2.1 models with labeled data are supported, but not v2.1 model training. Refer to the [REST API migration guide](v3-migration-guide.md) for detailed information about migrating from v2.1 to v3.0.

+1. After you've tried Form Recognizer Studio, use the [**C#**](quickstarts/get-started-v3-sdk-rest-api.md), [**Java**](quickstarts/get-started-v3-sdk-rest-api.md), [**JavaScript**](quickstarts/get-started-v3-sdk-rest-api.md) or [**Python**](quickstarts/get-started-v3-sdk-rest-api.md) client libraries or the [**REST API**](quickstarts/get-started-v3-sdk-rest-api.md) to get started incorporating Form Recognizer models into your own applications.

+ Title: "Use Form Recognizer client library SDKs or REST API"

+description: How to use a Form Recognizer client libraries or REST API to create apps that extracts key-value pairs and table data from your custom documents.

+zone_pivot_groups: programming-languages-set-formre

+recommendations: false

+# Use Form Recognizer SDKs or REST API

+ In this how-to guide, you'll learn how to add Form Recognizer to your applications and workflows using an SDK, in a programming language of your choice, or the REST API. Azure Form Recognizer is a cloud-based Azure Applied AI Service that uses machine learning to extract key-value pairs, text, and tables from your documents. We recommend that you use the free service when you're learning the technology. Remember that the number of free pages is limited to 500 per month.

+You'll use the following APIs to extract structured data from forms and documents:

+* [Authenticate the client](#authenticate-the-client)

+* [Analyze Layout](#analyze-layout)

+* [Analyze receipts](#analyze-receipts)

+* [Analyze business cards](#analyze-business-cards)

+* [Analyze invoices](#analyze-invoices)

+* [Analyze ID documents](#analyze-id-documents)

+* [Train a custom model](#train-a-custom-model)

+* [Analyze forms with a custom model](#analyze-forms-with-a-custom-model)

+* [Manage custom models](#manage-custom-models)

+The current API version is ```2022-08-31```.

+> * For an enhanced experience and advanced model quality, try the [Form Recognizer v3.0 Studio ](https://formrecognizer.appliedai.azure.com/studio).

+> * *See* our [**REST API**](quickstarts/get-started-v3-sdk-rest-api.md) or [**C#**](quickstarts/get-started-v3-sdk-rest-api.md), [**Java**](quickstarts/get-started-v3-sdk-rest-api.md), [**JavaScript**](quickstarts/get-started-v3-sdk-rest-api.md), or [Python](quickstarts/get-started-v3-sdk-rest-api.md) SDK quickstarts to get started with the V3.0.

+* A resizable v3.0 pane that contains a scrollable list of forms from the source connection.

+The following lists include the currently GA languages in for the v2.1 version and the most recent v3.0 version. These languages are supported by Read, Layout, and Custom form (template) model features.

+To use the v3.0-supported languages, refer to the [v3.0 REST API migration guide](/rest/api/medi).

+### Handwritten text (v3.0 and v2.1)

+|English|`en`|Japanese |`ja`|

+|Chinese Simplified |`zh-Hans`|Korean |`ko`|

+|French |`fr`|Portuguese |`pt`|

+|German |`de`|Spanish |`es`|

+|Italian |`it`|

+### Print text

+This section lists the supported languages for extracting printed texts using version v3.0.

+### Print text

+The **2022-06-30** and later releases include Japanese language support:

+|German (**2022-06-30** and later)| de|

+|French (**2022-06-30** and later)| fr|

+|Italian (**2022-06-30** and later)|it|

+|Portuguese (**2022-06-30** and later)|pt|

+|Dutch (**2022-06-30** and later)| nl|

+* Communication between Form Recognizer Studio and your Form Recognizer resource.

+|**A text-based document** like a contract or letter.|You want to extract primarily text lines, words, locations, and detected languages.|</li></ul>The document is written or printed in a [supported language](language-support.md#read-layout-and-custom-form-template-model).| [**Read model**](concept-read.md)|

+|**A structured or semi-structured document that includes content formatted as fields and values**, like a credit application or survey form.|You want to extract fields and values including ones not covered by the scenario-specific prebuilt models **without having to train a custom model**.| The form or document is a standardized format commonly used in your business or industry and printed in a [supported language](language-support.md#read-layout-and-custom-form-template-model).|[**General document model**](concept-general-document.md)

+### [Form Recognizer v3.0](#tab/v3-0)

+|[ **Read**](concept-read.md)|Extract text lines, words, detected languages, and handwritten style if detected.| <ul><li>Contract processing. </li><li>Financial or medical report processing.</li></ul>|<ul ><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/studio/read)</li><li>[**REST API**](how-to-guides/use-prebuilt-read.md?pivots=programming-language-rest-api)</li><li>[**C# SDK**](how-to-guides/use-prebuilt-read.md?pivots=programming-language-csharp)</li><li>[**Python SDK**](how-to-guides/use-prebuilt-read.md?pivots=programming-language-python)</li><li>[**Java SDK**](how-to-guides/use-prebuilt-read.md?pivots=programming-language-java)</li><li>[**JavaScript**](how-to-guides/use-prebuilt-read.md?pivots=programming-language-javascript)</li></ul> |

+|[**General document model**](concept-general-document.md)|Extract text, tables, structure, and key-value pairs.|<ul><li>Key-value pair extraction.</li><li>Form processing.</li><li>Survey data collection and analysis.</li></ul>|<ul ><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/studio/document)</li><li>[**REST API**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**C# SDK**](quickstarts/get-started-v3-sdk-rest-api.md#general-document-model)</li><li>[**Python SDK**](quickstarts/get-started-v3-sdk-rest-api.md#general-document-model)</li><li>[**Java SDK**](quickstarts/get-started-v3-sdk-rest-api.md#general-document-model)</li><li>[**JavaScript**](quickstarts/get-started-v3-sdk-rest-api.md#general-document-model)</li></ul> |

+|[**Layout model**](concept-layout.md) | Extract text, selection marks, and tables structures, along with their bounding box coordinates, from forms and documents.</br></br> Layout API has been updated to a prebuilt model. |<ul><li>Document indexing and retrieval by structure.</li><li>Preprocessing prior to OCR analysis.</li></ul> |<ul><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/studio/layout)</li><li>[**REST API**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**C# SDK**](quickstarts/get-started-v3-sdk-rest-api.md#layout-model)</li><li>[**Python SDK**](quickstarts/get-started-v3-sdk-rest-api.md#layout-model)</li><li>[**Java SDK**](quickstarts/get-started-v3-sdk-rest-api.md#layout-model)</li><li>[**JavaScript**](quickstarts/get-started-v3-sdk-rest-api.md#layout-model)</li></ul>|

+|[**Custom model (updated)**](concept-custom.md) | Extraction and analysis of data from forms and documents specific to distinct business data and use cases.</br></br>Custom model API v3.0 supports **signature detection for custom template (custom form) models**.</br></br>Custom model API v3.0 now supports two model types:ul><li>[**Custom Template model**](concept-custom-template.md) (custom form) is used to analyze structured and semi-structured documents.</li><li> [**Custom Neural model**](concept-custom-neural.md) (custom document) is used to analyze unstructured documents.</li></ul>|<ul><li>Identification and compilation of data, unique to your business, impacted by a regulatory change or market event.</li><li>Identification and analysis of previously overlooked unique data.</li></ul> |[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects)</li><li>[**REST API**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**C# SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**Python SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**Java SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**JavaScript**](quickstarts/get-started-v3-sdk-rest-api.md)</li></ul>|

+|[ **W-2 Form**](concept-w2.md) | Extract information reported in each box on a W-2 form.|<ul><li>Automated tax document management.</li><li>Mortgage loan application processing.</li></ul> |<ul ><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=tax.us.w2)<li>[**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v3-0-preview-2/operations/AnalyzeDocument)</li><li>[**C# SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**Python SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**Java SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**JavaScript**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li></ul> |

+|[**Invoice model**](concept-invoice.md) | Automated data processing and extraction of key information from sales invoices. |<ul><li>Accounts payable processing.</li><li>Automated tax recording and reporting.</li></ul> |<ul><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=invoice)</li><li>[**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)</li><li>[**C# SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**Python SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li></ul>|

+|[**Receipt model (updated)**](concept-receipt.md) | Automated data processing and extraction of key information from sales receipts.</br></br>Receipt model v3.0 supports processing of **single-page hotel receipts**.|<ul><li>Expense management.</li><li>Consumer behavior data analysis.</li><li>Customer loyalty program.</li><li>Merchandise return processing.</li><li>Automated tax recording and reporting.</li></ul> |<ul><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=receipt)</li><li>[**REST API**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**C# SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**Python SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**Java SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**JavaScript**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li></ul>|

+|[**ID document model (updated)**](concept-id-document.md) |Automated data processing and extraction of key information from US driver's licenses and international passports.</br></br>Prebuilt ID document API supports the **extraction of endorsements, restrictions, and vehicle classifications from US driver's licenses**. |<ul><li>Know your customer (KYC) financial services guidelines compliance.</li><li>Medical account management.</li><li>Identity checkpoints and gateways.</li><li>Hotel registration.</li></ul> |<ul><li> [**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=idDocument)</li><li>[**REST API**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**C# SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**Python SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**Java SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**JavaScript**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li></ul>|

+|[**Business card model**](concept-business-card.md) |Automated data processing and extraction of key information from business cards.|<ul><li>Sales lead and marketing management.</li></ul> |<ul><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=businessCard)</li><li>[**REST API**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**C# SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**Python SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**Java SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**JavaScript**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li></ul>|

+ > * For an enhanced experience and advanced model quality, try the [Form Recognizer v3.0 Studio ](https://formrecognizer.appliedai.azure.com/studio).

+|[**Layout API**](concept-layout.md) | Extraction and analysis of text, selection marks, tables, and bounding box coordinates, from forms and documents. | <ul><li>[**Form Recognizer labeling tool**](quickstarts/try-sample-label-tool.md#analyze-layout)</li><li>[**REST API**](quickstarts/get-started-v2-1-sdk-rest-api.md#try-it-layout-model)</li><li>[**Client-library SDK**](quickstarts/try-sdk-rest-api.md)</li><li>[**Form Recognizer Docker container**](containers/form-recognizer-container-install-run.md?branch=main&tabs=layout#run-the-container-with-the-docker-compose-up-command)</li></ul>|

+|[**Invoice model**](concept-invoice.md) | Automated data processing and extraction of key information from sales invoices. | <ul><li>[**Form Recognizer labeling tool**](quickstarts/try-sample-label-tool.md#analyze-using-a-prebuilt-model)</li><li>[**REST API**](quickstarts/get-started-v2-1-sdk-rest-api.md#try-it-prebuilt-model)</li><li>[**Client-library SDK**](quickstarts/try-sdk-rest-api.md)</li><li>[**Form Recognizer Docker container**](containers/form-recognizer-container-install-run.md?tabs=invoice#run-the-container-with-the-docker-compose-up-command)</li></ul>|

+|[**Receipt model**](concept-receipt.md) | Automated data processing and extraction of key information from sales receipts.| <ul><li>[**Form Recognizer labeling tool**](quickstarts/try-sample-label-tool.md#analyze-using-a-prebuilt-model)</li><li>[**REST API**](quickstarts/get-started-v2-1-sdk-rest-api.md#try-it-prebuilt-model)</li><li>[**Client-library SDK**](how-to-guides/try-sdk-rest-api.md)</li><li>[**Form Recognizer Docker container**](containers/form-recognizer-container-install-run.md?tabs=receipt#run-the-container-with-the-docker-compose-up-command)</li></ul>|

+|[**ID document model**](concept-id-document.md) | Automated data processing and extraction of key information from US driver's licenses and international passports.| <ul><li>[**Form Recognizer labeling tool**](quickstarts/try-sample-label-tool.md#analyze-using-a-prebuilt-model)</li><li>[**REST API**](quickstarts/get-started-v2-1-sdk-rest-api.md#try-it-prebuilt-model)</li><li>[**Client-library SDK**](how-to-guides/try-sdk-rest-api.md)</li><li>[**Form Recognizer Docker container**](containers/form-recognizer-container-install-run.md?tabs=id-document#run-the-container-with-the-docker-compose-up-command)</li></ul>|

+|[**Business card model**](concept-business-card.md) | Automated data processing and extraction of key information from business cards.| <ul><li>[**Form Recognizer labeling tool**](quickstarts/try-sample-label-tool.md#analyze-using-a-prebuilt-model)</li><li>[**REST API**](quickstarts/get-started-v2-1-sdk-rest-api.md#try-it-prebuilt-model)</li><li>[**Client-library SDK**](how-to-guides/try-sdk-rest-api.md)</li><li>[**Form Recognizer Docker container**](containers/form-recognizer-container-install-run.md?tabs=business-card#run-the-container-with-the-docker-compose-up-command)</li></ul>|

+> * Explore the [**REST API reference documentation**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument) to learn more.

+|<ul><li>**W-2 Form**</li></yl>| Is your W-2 document composed in United States English (en-US) text?|<ul><li>If **Yes**, use the [**W-2 Form**](concept-w2.md) model.<li>If **No**, use the [**Layout**](concept-layout.md) or [**General document **](concept-general-document.md) model.</li></ul>|

+|<ul><li>**General structured document**</li></yl>| Is your document mostly structured and does it contain a few fields and values that may not be covered by the other prebuilt models?|<ul><li>If **Yes**, use the [**General document **](concept-general-document.md) model.</li><li> If **No**, because the fields and values are complex and highly variable, train and build a [**Custom**](how-to-guides/build-custom-model-v3.md) model.</li></ul>

+|<ul><li>**Invoice**</li></yl>| Is your invoice document composed in a [supported language](language-support.md#invoice-model) text?|<ul><li>If **Yes**, use the [**Invoice**](concept-invoice.md) model.<li>If **No**, use the [**Layout**](concept-layout.md) or [**General document **](concept-general-document.md) model.</li></ul>

+|<ul><li>**Receipt**</li><li>**Business card**</li></ul>| Is your receipt or business card document composed in English text? | <ul><li>If **Yes**, use the [**Receipt**](concept-receipt.md) or [**Business Card**](concept-business-card.md) model.</li><li>If **No**, use the [**Layout**](concept-layout.md) or [**General document **](concept-general-document.md) model.</li></ul>|

+|<ul><li>**ID document**</li></ul>| Is your ID document a US driver's license or an international passport?| <ul><li>If **Yes**, use the [**ID document**](concept-id-document.md) model.</li><li>If **No**, use the [**Layout**](concept-layout.md) or [**General document **](concept-general-document.md) model</li></ul>|

+ |<ul><li>**Form** or **Document**</li></ul>| Is your form or document an industry-standard format commonly used in your business or industry?| <ul><li>If **Yes**, use the [**Layout**](concept-layout.md) or [**General document **](concept-general-document.md).</li><li>If **No**, you can [**Train and build a custom model**](quickstarts/try-sample-label-tool.md#train-a-custom-form-model).

+### [Form Recognizer v3.0](#tab/v3-0)

+|[ **Read**](concept-read.md)|Extract text lines, words, detected languages, and handwritten style if detected.|<ul ><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/studio/read)</li><li>[**REST API**](how-to-guides/use-prebuilt-read.md?pivots=programming-language-rest-api)</li><li>[**C# SDK**](how-to-guides/use-prebuilt-read.md?pivots=programming-language-csharp)</li><li>[**Python SDK**](how-to-guides/use-prebuilt-read.md?pivots=programming-language-python)</li><li>[**Java SDK**](how-to-guides/use-prebuilt-read.md?pivots=programming-language-java)</li><li>[**JavaScript**](how-to-guides/use-prebuilt-read.md?pivots=programming-language-javascript)</li></ul> |

+|[ **W-2 Form**](concept-w2.md) | Extract information reported in each box on a W-2 form.|<ul ><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=tax.us.w2)<li>[**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)</li><li>[**C# SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**Python SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**Java SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**JavaScript**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li></ul> |

+|[**General document model**](concept-general-document.md)|Extract text, tables, structure, key-value pairs and, named entities.|<ul ><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/studio/document)</li><li>[**REST API**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**C# SDK**](quickstarts/get-started-v3-sdk-rest-api.md#general-document-model)</li><li>[**Python SDK**](quickstarts/get-started-v3-sdk-rest-api.md#general-document-model)</li><li>[**Java SDK**](quickstarts/get-started-v3-sdk-rest-api.md#general-document-model)</li><li>[**JavaScript**](quickstarts/get-started-v3-sdk-rest-api.md#general-document-model)</li></ul> |

+|[**Layout model**](concept-layout.md) | Extract text, selection marks, and tables structures, along with their bounding box coordinates, from forms and documents.</br></br> Layout API has been updated to a prebuilt model. | <ul><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/studio/layout)</li><li>[**REST API**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**C# SDK**](quickstarts/get-started-v3-sdk-rest-api.md#layout-model)</li><li>[**Python SDK**](quickstarts/get-started-v3-sdk-rest-api.md#layout-model)</li><li>[**Java SDK**](quickstarts/get-started-v3-sdk-rest-api.md#layout-model)</li><li>[**JavaScript**](quickstarts/get-started-v3-sdk-rest-api.md#layout-model)</li></ul>|

+|[**Custom model (updated)**](concept-custom.md) | Extraction and analysis of data from forms and documents specific to distinct business data and use cases.<ul><li>Custom model API v3.0 supports **signature detection for custom template (custom form) models**.</br></br></li><li>Custom model API v3.0 offers a new model type **Custom Neural** or custom document to analyze unstructured documents.</li></ul>| [**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/studio/custommodel/projects)</li><li>[**REST API**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**C# SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**Python SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**Java SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**JavaScript**](quickstarts/get-started-v3-sdk-rest-api.md)</li></ul>|

+|[**Invoice model**](concept-invoice.md) | Automated data processing and extraction of key information from sales invoices. | <ul><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=invoice)</li><li>[**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)</li><li>[**C# SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**Python SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li></ul>|

+|[**Receipt model (updated)**](concept-receipt.md) | Automated data processing and extraction of key information from sales receipts.</br></br>Receipt model v3.0 supports processing of **single-page hotel receipts**.| <ul><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=receipt)</li><li>[**REST API**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**C# SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**Python SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**Java SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**JavaScript**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li></ul>|

+|[**ID document model (updated)**](concept-id-document.md) |Automated data processing and extraction of key information from US driver's licenses and international passports.</br></br>Prebuilt ID document API supports the **extraction of endorsements, restrictions, and vehicle classifications from US driver's licenses**. |<ul><li> [**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=idDocument)</li><li>[**REST API**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**C# SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**Python SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**Java SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**JavaScript**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li></ul>|

+|[**Business card model**](concept-business-card.md) |Automated data processing and extraction of key information from business cards.| <ul><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=businessCard)</li><li>[**REST API**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**C# SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**Python SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**Java SDK**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li><li>[**JavaScript**](quickstarts/get-started-v3-sdk-rest-api.md#prebuilt-model)</li></ul>|

+|[**Layout API**](concept-layout.md) | Extraction and analysis of text, selection marks, tables, and bounding box coordinates, from forms and documents. | <ul><li>[**Form Recognizer labeling tool**](quickstarts/try-sample-label-tool.md#analyze-layout)</li><li>[**REST API**](quickstarts/get-started-v2-1-sdk-rest-api.md#try-it-layout-model)</li><li>[**Client-library SDK**](quickstarts/try-sdk-rest-api.md)</li><li>[**Form Recognizer Docker container**](containers/form-recognizer-container-install-run.md?branch=main&tabs=layout#run-the-container-with-the-docker-compose-up-command)</li></ul>|

+|[**Invoice model**](concept-invoice.md) | Automated data processing and extraction of key information from sales invoices. | <ul><li>[**Form Recognizer labeling tool**](quickstarts/try-sample-label-tool.md#analyze-using-a-prebuilt-model)</li><li>[**REST API**](quickstarts/get-started-v2-1-sdk-rest-api.md#try-it-prebuilt-model)</li><li>[**Client-library SDK**](quickstarts/try-sdk-rest-api.md)</li><li>[**Form Recognizer Docker container**](containers/form-recognizer-container-install-run.md?tabs=invoice#run-the-container-with-the-docker-compose-up-command)</li></ul>|

+|[**Receipt model**](concept-receipt.md) | Automated data processing and extraction of key information from sales receipts.| <ul><li>[**Form Recognizer labeling tool**](quickstarts/try-sample-label-tool.md#analyze-using-a-prebuilt-model)</li><li>[**REST API**](quickstarts/get-started-v2-1-sdk-rest-api.md#try-it-prebuilt-model)</li><li>[**Client-library SDK**](how-to-guides/try-sdk-rest-api.md)</li><li>[**Form Recognizer Docker container**](containers/form-recognizer-container-install-run.md?tabs=receipt#run-the-container-with-the-docker-compose-up-command)</li></ul>|

+|[**ID document model**](concept-id-document.md) | Automated data processing and extraction of key information from US driver's licenses and international passports.| <ul><li>[**Form Recognizer labeling tool**](quickstarts/try-sample-label-tool.md#analyze-using-a-prebuilt-model)</li><li>[**REST API**](quickstarts/get-started-v2-1-sdk-rest-api.md#try-it-prebuilt-model)</li><li>[**Client-library SDK**](how-to-guides/try-sdk-rest-api.md)</li><li>[**Form Recognizer Docker container**](containers/form-recognizer-container-install-run.md?tabs=id-document#run-the-container-with-the-docker-compose-up-command)</li></ul>|

+|[**Business card model**](concept-business-card.md) | Automated data processing and extraction of key information from business cards.| <ul><li>[**Form Recognizer labeling tool**](quickstarts/try-sample-label-tool.md#analyze-using-a-prebuilt-model)</li><li>[**REST API**](quickstarts/get-started-v2-1-sdk-rest-api.md#try-it-prebuilt-model)</li><li>[**Client-library SDK**](how-to-guides/try-sdk-rest-api.md)</li><li>[**Form Recognizer Docker container**](containers/form-recognizer-container-install-run.md?tabs=business-card#run-the-container-with-the-docker-compose-up-command)</li></ul>|

+> * Explore the [**REST API reference documentation**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument) to learn more.

+ Title: "Quickstart: Form Recognizer client library SDKs | REST API"

+description: Use the Form Recognizer client library SDKs or REST API to create a forms processing app that extracts key/value pairs and table data from your custom documents.

+zone_pivot_groups: programming-languages-set-formre

+recommendations: false

+# Get started with Form Recognizer client library SDKs or REST API

+Get started with Azure Form Recognizer using the programming language of your choice. Azure Form Recognizer is a cloud-based Azure Applied AI Service that uses machine learning to extract key-value pairs, text, and tables from your documents. You can easily call Form Recognizer models by integrating our client library SDKs into your workflows and applications. We recommend that you use the free service when you're learning the technology. Remember that the number of free pages is limited to 500 per month.

+To learn more about Form Recognizer features and development options, visit our [Overview](../overview.md#form-recognizer-features-and-development-options) page.

+ Title: "Quickstart: Form Recognizer SDKs | REST API v3.0"

+description: Use a Form Recognizer SDK or the REST API to create a forms processing app that extracts key data from your documents.

+zone_pivot_groups: programming-languages-set-formre

+recommendations: false

+# Quickstart: Form Recognizer SDKs | REST API v3.0

+Get started with the latest version of Azure Form Recognizer. Azure Form Recognizer is a cloud-based Azure Applied AI Service that uses machine learning to extract key-value pairs, text, tables and key data from your documents. You can easily integrate Form Recognizer models into your workflows and applications by using an SDK in the programming language of your choice or calling the REST API. For this quickstart, we recommend that you use the free service while you're learning the technology. Remember that the number of free pages is limited to 500 per month.

+To learn more about Form Recognizer features and development options, visit our [Overview](../overview.md#form-recognizer-features-and-development-options) page.

+That's it, congratulations!

+In this quickstart, you used a form Form Recognizer model to analyze various forms and documents. Next, explore the Form Recognizer Studio and reference documentation to learn about Form Recognizer API in depth.

+## Next steps

+>[!div class="nextstepaction"]

+> [**Try the Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com/studio)

+> [!div class="nextstepaction"]

+> [**Explore the Form Recognizer REST API v3.0**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)

+> * For an enhanced experience and advanced model quality, try the [Form Recognizer v3.0 Studio ](https://formrecognizer.appliedai.azure.com/studio).

+> * *See* our [**REST API**](get-started-v3-sdk-rest-api.md) or [**C#**](get-started-v3-sdk-rest-api.md), [**Java**](get-started-v3-sdk-rest-api.md), [**JavaScript**](get-started-v3-sdk-rest-api.md), or [Python](get-started-v3-sdk-rest-api.md) SDK quickstarts to get started with the v3.0 version.

+ Title: "Quickstart: Form Recognizer Studio | v3.0"

+description: Form and document processing, data extraction, and analysis using Form Recognizer Studio

+# Get started: Form Recognizer Studio | v3.0

+[Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/) is an online tool for visually exploring, understanding, and integrating features from the Form Recognizer service in your applications. You can get started by exploring the pre-trained models with sample or your own documents. You can also create projects to build custom template models and reference the models in your applications using the [Python SDK](get-started-v3-sdk-rest-api.md) and other quickstarts.

+* [**General document**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=document): extract text, tables, structure, key-value pairs and named entities.

+* [**W-2**](https://formrecognizer.appliedai.azure.com/studio/prebuilt?formType=tax.us.w2): extract text and key information from W-2 tax forms.

+* [ **Read**](https://formrecognizer.appliedai.azure.com/studio/read): extract text lines, words, their locations, detected languages, and handwritten style if detected from documents (PDF, TIFF) and images (JPG, PNG, BMP).

+* Explore our [**v3.0 SDK quickstarts**](get-started-v3-sdk-rest-api.md) to try the v3.0 features in your applications using the new SDKs.

+* Refer to our [**v3.0 REST API quickstarts**](get-started-v3-sdk-rest-api.md) to try the v3.0 features using the new REST API.

+[Get started with the Form Recognizer Studio](https://formrecognizer.appliedai.azure.com).

+ Title: About the Form Recognizer SDK?

+description: The Form Recognizer software development kit (SDK) exposes Form Recognizer models, features and capabilities, making it easier to develop document-processing applications.

+recommendations: false

+<!-- markdownlint-disable MD024 -->

+<!-- markdownlint-disable MD023 -->

+# What is the Form Recognizer SDK?

+Azure Cognitive Services Form Recognizer is a cloud service that uses machine learning to analyze text and structured data from documents. The Form Recognizer software development kit (SDK) is a set of libraries and tools that enable you to easily integrate Form Recognizer models and capabilities into your applications. Form Recognizer SDK is available across platforms in C#/.NET, Java, JavaScript, and Python programming languages.

+## Supported languages

+Form Recognizer SDK supports the following languages and platforms:

+> [!NOTE]

+>

+> * Form Recognizer SDKs are currently not supported by Form Recognizer REST API 2022-08-31.

+> * [REST API 2022-06-30](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-06-30-preview/operations/AnalyzeDocument) and earlier releases support the current SDKs.

+| Programming language/SDK | Package| Azure SDK client-library |Supported API version| Platform support |

+|:-:|:-|:-| :-|--|

+|[C#/4.0.0-beta.5](quickstarts/get-started-v3-sdk-rest-api.md?pivots=programming-language-csharp#set-up)| [NuGet](https://www.nuget.org/packages/Azure.AI.FormRecognizer/4.0.0-beta.5) | [Azure SDK for .NET](https://azuresdkdocs.blob.core.windows.net/$web/dotnet/Azure.AI.FormRecognizer/4.0.0-beta.5/https://docsupdatetracker.net/index.html)|[2022-06-30-preview, 2022-01-30-preview, 2021-09-30-preview, **v2.1-ga**, v2.0](https://westus.dev.cognitive.microsoft.com/docs/services?pattern=form+recognizer) |[Windows, macOS, Linux, Docker](/dotnet.microsoft.com/download)|

+|[Jav?pivots=programming-language-java#set-up) |[Maven](https://search.maven.org/artifact/com.azure/azure-ai-formrecognizer/4.0.0-beta.5/jar) | [Azure SDK for Java](https://azuresdkdocs.blob.core.windows.net/$web/java/azure-ai-formrecognizer/4.0.0-beta.6/https://docsupdatetracker.net/index.html)|[2022-06-30-preview, 2022-01-30-preview, 2021-09-30-preview, **v2.1-ga**, v2.0](https://westus.dev.cognitive.microsoft.com/docs/services?pattern=form+recognizer)|[Windows, macOS, Linux](/java/openjdk/install)|

+|[JavaScript/4.0.0-beta.6](quickstarts/get-started-v3-sdk-rest-api.md?pivots=programming-language-javascript#set-up)| [npm](https://www.npmjs.com/package/@azure/ai-form-recognizer/v/4.0.0-beta.6)| [Azure SDK for JavaScript](https://azuresdkdocs.blob.core.windows.net/$web/javascript/azure-ai-form-recognizer/4.0.0-beta.6/https://docsupdatetracker.net/index.html) | [2022-06-30-preview, 2022-01-30-preview, 2021-09-30-preview, **v2.1-ga**, v2.0](https://westus.dev.cognitive.microsoft.com/docs/services?pattern=form+recognizer) | [Browser, Windows, macOS, Linux](https://nodejs.org/en/download/) |

+|[Python/3.2.0b6](quickstarts/get-started-v3-sdk-rest-api.md?pivots=programming-language-python#set-up) | [PyPI](https://pypi.org/project/azure-ai-formrecognizer/3.2.0b6/)| [Azure SDK for Python](https://azuresdkdocs.blob.core.windows.net/$web/python/azure-ai-formrecognizer/3.2.0b6/https://docsupdatetracker.net/index.html)| [2022-06-30-preview, 2022-01-30-preview, 2021-09-30-preview, **v2.1-ga**, v2.0](https://westus.dev.cognitive.microsoft.com/docs/services?pattern=form+recognizer) |[Windows, macOS, Linux](/azure/developer/python/configure-local-development-environment?tabs=windows%2Capt%2Ccmd#use-the-azure-cli)

+## How to use the Form Recognizer SDK in your applications

+The Form Recognizer SDK enables the use and management of the Form Recognizer service in your application. The SDK builds on the underlying Form Recognizer REST API allowing you to easily use those APIs within your programming language paradigm. Here's how you use the Form Recognizer SDK for your preferred language:

+### 1. Install the SDK client library

+### [C#/.NET](#tab/csharp)

+```dotnetcli

+dotnet add package Azure.AI.FormRecognizer --version 4.0.0-beta.5

+```

+```powershell

+Install-Package Azure.AI.FormRecognizer -Version 4.0.0-beta.5

+```

+### [Java](#tab/java)

+```xml

+ <dependency>

+ <groupId>com.azure</groupId>

+ <artifactId>azure-ai-formrecognizer</artifactId>

+ <version>4.0.0-beta.5</version>

+ </dependency>

+```

+```kotlin

+implementation("com.azure:azure-ai-formrecognizer:4.0.0-beta.5")

+```

+### [JavaScript](#tab/javascript)

+```javascript

+npm i @azure/ai-form-recognizer@4.0.0-beta.6

+```

+### [Python](#tab/python)

+```python

+pip install azure-ai-formrecognizer==3.2.0b6

+```

+### 2. Import the SDK client library into your application

+### [C#/.NET](#tab/csharp)

+```csharp

+using Azure;

+using Azure.AI.FormRecognizer.DocumentAnalysis;

+```

+### [Java](#tab/java)

+```java

+import com.azure.ai.formrecognizer.*;

+import com.azure.ai.formrecognizer.models.*;

+import com.azure.ai.formrecognizer.DocumentAnalysisClient.*;

+import com.azure.core.credential.AzureKeyCredential;

+```

+### [JavaScript](#tab/javascript)

+```javascript

+const { AzureKeyCredential, DocumentAnalysisClient } = require("@azure/ai-form-recognizer");

+```

+### [Python](#tab/python)

+```python

+from azure.ai.formrecognizer import DocumentAnalysisClient

+from azure.core.credentials import AzureKeyCredential

+```

+### 3. Set up authentication

+There are two supported methods for authentication

+* Use a [Form Recognizer API key](#use-your-api-key) with AzureKeyCredential from azure.core.credentials.

+* Use a [token credential from azure-identity](#use-an-azure-active-directory-azure-ad-token-credential) to authenticate with [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis).

+#### Use your API key

+Here's where to find your Form Recognizer API key in the Azure portal:

+### [C#/.NET](#tab/csharp)

+```csharp

+//set `<your-endpoint>` and `<your-key>` variables with the values from the Azure portal to create your `AzureKeyCredential` and `DocumentAnalysisClient` instance

+string key = "<your-key>";

+string endpoint = "<your-endpoint>";

+AzureKeyCredential credential = new AzureKeyCredential(key);

+DocumentAnalysisClient client = new DocumentAnalysisClient(new Uri(endpoint), credential);

+```

+### [Java](#tab/java)

+```java

+// create your `DocumentAnalysisClient` instance and `AzureKeyCredential` variable

+DocumentAnalysisClient client = new DocumentAnalysisClientBuilder()

+ .credential(new AzureKeyCredential("<your-key>"))

+ .endpoint("<your-endpoint>")

+ .buildClient();

+```

+### [JavaScript](#tab/javascript)

+```javascript

+// create your `DocumentAnalysisClient` instance and `AzureKeyCredential` variable

+async function main() {

+ const client = new DocumentAnalysisClient("<your-endpoint>", new AzureKeyCredential("<your-key>"));

+```

+### [Python](#tab/python)

+```python

+# create your `DocumentAnalysisClient` instance and `AzureKeyCredential` variable

+ document_analysis_client = DocumentAnalysisClient(endpoint="<your-endpoint>", credential=AzureKeyCredential("<your-key>"))

+```

+#### Use an Azure Active Directory (Azure AD) token credential

+> [!NOTE]

+> Regional endpoints do not support AAD authentication. Create a [custom subdomain](/azure/cognitive-services/authentication?tabs=powershell#create-a-resource-with-a-custom-subdomain) for your resource in order to use this type of authentication.

+Authorization is easiest using the `DefaultAzureCredential`. It provides a default token credential, based upon the running environment, capable of handling most Azure authentication scenarios.

+### [C#/.NET](#tab/csharp)

+Here's how to acquire and use the [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet&preserve-view=true) for .NET applications:

+1. Install the [Azure Identity library for .NET](/dotnet/api/overview/azure/identity-readme):

+ ```console

+ dotnet add package Azure.Identity

+ ```

+ ```powershell

+ Install-Package Azure.Identity

+ ```

+1. [Register an Azure AD application and create a new service principal](/azure/cognitive-services/authentication?tabs=powershell#assign-a-role-to-a-service-principal).

+1. Grant access to Form Recognizer by assigning the **`Cognitive Services User`** role to your service principal.

+1. Set the values of the client ID, tenant ID, and client secret in the Azure AD application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively.

+1. Create your **`DocumentAnalysisClient`** instance including the **`DefaultAzureCredential`**:

+ ```csharp

+ string endpoint = "<your-endpoint>";

+ var client = new DocumentAnalysisClient(new Uri(endpoint), new DefaultAzureCredential());

+ ```

+For more information, *see* [Authenticate the client](https://github.com/Azure/azure-sdk-for-net/tree/Azure.AI.FormRecognizer_4.0.0-beta.4/sdk/formrecognizer/Azure.AI.FormRecognizer#authenticate-the-client)

+### [Java](#tab/java)

+Here's how to acquire and use the [DefaultAzureCredential](/java/api/com.azure.identity.defaultazurecredential?view=azure-java-stable&preserve-view=true) for Java applications:

+1. Install the [Azure Identity library for Java](/java/api/overview/azure/identity-readme?view=azure-java-stable&preserve-view=true):

+ ```xml

+ <dependency>

+ <groupId>com.azure</groupId>

+ <artifactId>azure-identity</artifactId>

+ <version>1.5.3</version>

+ </dependency>

+ ```

+1. [Register an Azure AD application and create a new service principal](/azure/cognitive-services/authentication?tabs=powershell#assign-a-role-to-a-service-principal).

+1. Grant access to Form Recognizer by assigning the **`Cognitive Services User`** role to your service principal.

+1. Set the values of the client ID, tenant ID, and client secret of the Azure AD application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively.

+1. Create your **`DocumentAnalysisClient`** instance and **`TokenCredential`** variable:

+ ```java

+ TokenCredential credential = new DefaultAzureCredentialBuilder().build();

+ DocumentAnalysisClient documentAnalysisClient = new DocumentAnalysisClientBuilder()

+ .endpoint("{your-endpoint}")

+ .credential(credential)

+ .buildClient();

+ ```

+For more information, *see* [Authenticate the client](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/formrecognizer/azure-ai-formrecognizer#authenticate-the-client)

+### [JavaScript](#tab/javascript)

+Here's how to acquire and use the [DefaultAzureCredential](/javascript/api/@azure/identity/defaultazurecredential?view=azure-node-latest&preserve-view=true) for JavaScript applications:

+1. Install the [Azure Identity library for JavaScript](/javascript/api/overview/azure/identity-readme?view=azure-node-latest&preserve-view=true):

+ ```javascript

+ npm install @azure/identity

+ ```

+1. [Register an Azure AD application and create a new service principal](/azure/cognitive-services/authentication?tabs=powershell#assign-a-role-to-a-service-principal).

+1. Grant access to Form Recognizer by assigning the **`Cognitive Services User`** role to your service principal.

+1. Set the values of the client ID, tenant ID, and client secret of the Azure AD application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively.

+1. Create your **`DocumentAnalysisClient`** instance including the **`DefaultAzureCredential`**:

+ ```javascript

+ const { DocumentAnalysisClient } = require("@azure/ai-form-recognizer");

+ const { DefaultAzureCredential } = require("@azure/identity");

+ const client = new DocumentAnalysisClient("<your-endpoint>", new DefaultAzureCredential());

+ ```

+For more information, *see* [Create and authenticate a client](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/formrecognizer/ai-form-recognizer#create-and-authenticate-a-client).

+### [Python](#tab/python)

+Here's how to acquire and use the [DefaultAzureCredential](/python/api/azure-identity/azure.identity.defaultazurecredential?view=azure-python&preserve-view=true) for Python applications.

+1. Install the [Azure Identity library for Python](/python/api/overview/azure/identity-readme?view=azure-python&preserve-view=true):

+ ```python

+ pip install azure-identity

+ ```

+1. [Register an Azure AD application and create a new service principal](/azure/cognitive-services/authentication?tabs=powershell#assign-a-role-to-a-service-principal).

+1. Grant access to Form Recognizer by assigning the **`Cognitive Services User`** role to your service principal.

+1. Set the values of the client ID, tenant ID, and client secret of the Azure AD application as environment variables: **`AZURE_CLIENT_ID`**, **`AZURE_TENANT_ID`**, and **`AZURE_CLIENT_SECRET`**, respectively.

+1. Create your **`DocumentAnalysisClient`** instance including the **`DefaultAzureCredential`**:

+ ```python

+ from azure.identity import DefaultAzureCredential

+ from azure.ai.formrecognizer import DocumentAnalysisClient

+ credential = DefaultAzureCredential()

+ document_analysis_client = DocumentAnalysisClient(

+ endpoint="https://<my-custom-subdomain>.cognitiveservices.azure.com/",

+ credential=credential

+ )

+ ```

+For more information, *see* [Authenticate the client](https://github.com/Azure/azure-sdk-for-python/tree/azure-ai-formrecognizer_3.2.0b5/sdk/formrecognizer/azure-ai-formrecognizer#authenticate-the-client)

+### 4. Build your application

+First, you'll create a client object to interact with the Form Recognizer SDK, and then call methods on that client object to interact with the service. The SDKs provide both synchronous and asynchronous methods. For more insight, try a [quickstart](quickstarts/get-started-v3-sdk-rest-api.md) in a language of your choice.

+## Help options

+The [Microsoft Q&A](/answers/topics/azure-form-recognizer.html) and [Stack Overflow](https://stackoverflow.com/questions/tagged/azure-form-recognizer) forums are available for the developer community to ask and answer questions about Azure Form Recognizer and other services. Microsoft monitors the forums and replies to questions that the community has yet to answer. To make sure that we see your question, tag it with **`azure-form-recognizer`**.

+## Next steps

+>[!div class="nextstepaction"]

+> [**Try a Form Recognizer quickstart**](quickstarts/get-started-v3-sdk-rest-api.md)

+> [!div class="nextstepaction"]

+> [**Explore the Form Recognizer REST API v3.0**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)

+For the usage with [Form Recognizer SDK](quickstarts/get-started-v3-sdk-rest-api.md), [Form Recognizer REST API](quickstarts/get-started-v3-sdk-rest-api.md), [Form Recognizer Studio](quickstarts/try-v3-form-recognizer-studio.md) and [Sample Labeling Tool](https://fott-2-1.azurewebsites.net/).

+# [Form Recognizer v3.0 ](#tab/v30)

+# [Form Recognizer v2.1 ](#tab/v21)

+> [Learn about error codes and troubleshooting](v3-error-guide.md)

+> * For an enhanced experience and advanced model quality, try the [Form Recognizer v3.0 Studio ](https://formrecognizer.appliedai.azure.com/studio).

+> * *See* our [**REST API**](quickstarts/get-started-v3-sdk-rest-api.md) or [**C#**](quickstarts/get-started-v3-sdk-rest-api.md), [**Java**](quickstarts/get-started-v3-sdk-rest-api.md), [**JavaScript**](quickstarts/get-started-v3-sdk-rest-api.md), or [Python](quickstarts/get-started-v3-sdk-rest-api.md) SDK quickstarts to get started with version v3.0.

+> This tutorial and the Logic App Form Recognizer connector targets Form Recognizer REST API v2.1 and must be used in conjuction with the [FOTT sample labeling tool](https://fott-2-1.azurewebsites.net/).

+To complete this tutorial, you'll need the following resources:

+ 1. Copy the **Keys and Endpoint** values from your resource in the Azure portal and paste them in a convenient location, such as *Microsoft Notepad*. You'll need the key and endpoint values to connect your application to the Form Recognizer API.

+ > For more information, *see* [**create a Form Recognizer resource**](create-a-form-recognizer-resource.md).

+1. You'll be redirected to a screen that says **Deployment in progress**. Give Azure some time to deploy; it can take a few minutes. After the deployment is complete, you should see a banner that says, **Your deployment is complete**. When you reach this screen, select **Go to resource**.

+1. You'll be redirected to the **Logic Apps Designer** page. There's a short video for a quick introduction to Logic Apps available on the home screen. When you're ready to begin designing your Logic App, select the **Blank Logic App** button.

+Now that you have the Logic App connector resource set up and configured, the only thing left is to create the automation flow and test it out!

+1. A new node should be added to the Logic App designer view. Search for "Form Recognizer" in the search bar and select **Analyze invoice** from the list.

+1. Now, you should see a window where you'll create your connection. Specifically, you're going to connect your Form Recognizer resource to the Logic Apps Designer Studio:

+ Title: "Reference: Form Recognizer Errors"

+description: Learn how errors are represented in Form Recognizer and find a list of possible errors returned by the service.

+# Form Recognizer error guide v3.0

+Form Recognizer uses a unified design to represent all errors encountered in the REST APIs. Whenever an API operation returns a 4xx or 5xx status code, additional information about the error is returned in the response JSON body as follows:

+```json

+{

+ "error": {

+ "code": "InvalidRequest",

+ "message": "Invalid request.",

+ "innererror": {

+ "code": "InvalidContent",

+ "message": "The file format is unsupported or corrupted. Refer to documentation for the list of supported formats."

+ }

+ }

+}

+```

+For long-running operations where multiple errors may be encountered, the top-level error code is set to the most severe error, with the individual errors listed under the *error.details* property. In such scenarios, the *target* property of each individual error specifies the trigger of the error.

+```json

+{

+ "status": "failed",

+ "createdDateTime": "2021-07-14T10:17:51Z",

+ "lastUpdatedDateTime": "2021-07-14T10:17:51Z",

+ "error": {

+ "code": "InternalServerError",

+ "message": "An unexpected error occurred.",

+ "details": [

+ {

+ "code": "InternalServerError",

+ "message": "An unexpected error occurred."

+ },

+ {

+ "code": "InvalidContentDimensions",

+ "message": "The input image dimensions are out of range. Refer to documentation for supported image dimensions.",

+ "target": "2"

+ }

+ ]

+ }

+}

+```

+The top-level *error.code* property can be one of the following error code messages:

+| Error Code | Message | Http Status |

+| -- | | -- |

+| InvalidRequest | Invalid request. | 400 |

+| InvalidArgument | Invalid argument. | 400 |

+| Forbidden | Access forbidden due to policy or other configuration. | 403 |

+| NotFound | Resource not found. | 404 |

+| MethodNotAllowed | The requested HTTP method is not allowed. | 405 |

+| Conflict | The request could not be completed due to a conflict. | 409 |

+| UnsupportedMediaType | Request content type is not supported. | 415 |

+| InternalServerError | An unexpected error occurred. | 500 |

+| ServiceUnavailable | A transient error has occurred. Try again. | 503 |

+When possible, more details are specified in the *inner error* property.

+| Top Error Code | Inner Error Code | Message |

+| -- | - | - |

+| Conflict | ModelExists | A model with the provided name already exists. |

+| Forbidden | AuthorizationFailed | Authorization failed: {details} |

+| Forbidden | InvalidDataProtectionKey | Data protection key is invalid: {details} |

+| Forbidden | OutboundAccessForbidden | The request contains a domain name that is not allowed by the current access control policy. |

+| InternalServerError | Unknown | Unknown error. |

+| InvalidArgument | InvalidContentSourceFormat | Invalid content source: {details} |

+| InvalidArgument | InvalidParameter | The parameter {parameterName} is invalid: {details} |

+| InvalidArgument | InvalidParameterLength | Parameter {parameterName} length must not exceed {maxChars} characters. |

+| InvalidArgument | InvalidSasToken | The shared access signature (SAS) is invalid: {details} |

+| InvalidArgument | ParameterMissing | The parameter {parameterName} is required. |

+| InvalidRequest | ContentSourceNotAccessible | Content is not accessible: {details} |

+| InvalidRequest | ContentSourceTimeout | Timeout while receiving the file from client. |

+| InvalidRequest | DocumentModelLimit | Account cannot create more than {maximumModels} models. |

+| InvalidRequest | DocumentModelLimitNeural | Account cannot create more than 10 custom neural models per month. Please contact support to request additional capacity. |

+| InvalidRequest | DocumentModelLimitComposed | Account cannot create a model with more than {details} component models. |

+| InvalidRequest | InvalidContent | The file is corrupted or format is unsupported. Refer to documentation for the list of supported formats. |

+| InvalidRequest | InvalidContentDimensions | The input image dimensions are out of range. Refer to documentation for supported image dimensions. |

+| InvalidRequest | InvalidContentLength | The input image is too large. Refer to documentation for the maximum file size. |

+| InvalidRequest | InvalidFieldsDefinition | Invalid fields: {details} |

+| InvalidRequest | InvalidTrainingContentLength | Training content contains {bytes} bytes. Training is limited to {maxBytes} bytes. |

+| InvalidRequest | InvalidTrainingContentPageCount | Training content contains {pages} pages. Training is limited to {pages} pages. |

+| InvalidRequest | ModelAnalyzeError | Could not analyze using a custom model: {details} |

+| InvalidRequest | ModelBuildError | Could not build the model: {details} |

+| InvalidRequest | ModelComposeError | Could not compose the model: {details} |

+| InvalidRequest | ModelNotReady | Model is not ready for the requested operation. Wait for training to complete or check for operation errors. |

+| InvalidRequest | ModelReadOnly | The requested model is read-only. |

+| InvalidRequest | NotSupportedApiVersion | The requested operation requires {minimumApiVersion} or later. |

+| InvalidRequest | OperationNotCancellable | The operation can no longer be canceled. |

+| InvalidRequest | TrainingContentMissing | Training data is missing: {details} |

+| InvalidRequest | UnsupportedContent | Content is not supported: {details} |

+| NotFound | ModelNotFound | The requested model was not found. It may have been deleted or is still building. |

+| NotFound | OperationNotFound | The requested operation was not found. The identifier may be invalid or the operation may have expired. |

+# Form Recognizer v3.0 migration

+Form Recognizer v3.0 introduces several new features and capabilities:

+* [Form Recognizer REST API](quickstarts/get-started-v3-sdk-rest-api.md) has been redesigned for better usability.

+* [**Custom neural model (v3.0)**](concept-custom-neural.md) is a new custom model type to extract fields from structured and unstructured documents.

+> * REST API **2022-08-31** release includes a breaking change in the REST API analyze response JSON.

+https://{your-form-recognizer-endpoint}/formrecognizer/documentModels/{modelId}?api-version=2022-08-31

+https://{your-form-recognizer-endpoint}/formrecognizer/documentModels/{modelId}/AnalyzeResult/{resultId}?api-version=2022-08-31

+* Upon success, status is set to succeeded and [analyzeResult](#changes-to-analyze-result) is returned in the response body. If errors are encountered, status will be set to `failed`, and an error will be returned.

+| **General document**|N/A|`/documentModels/prebuilt-document:analyze` |

+### Additional supported parameters

+"apiVersion": "2022-08-31", // REST API version used

+"polygon": [ ... ], // Previously Bounding box, renamed to polygon in the 2022-08-31 API

+* ```buildMode``` is a new property with values of ```template``` for custom form models or ```neural``` for custom neural models.

+The ```build``` operation is invoked to train a model. The request payload and call pattern remain unchanged. The build operation specifies the model and training dataset, it returns the result via the Operation-Location header in the response. Poll this model operation URL, via a GET request to check the status of the build operation (minimum recommended interval between requests is 1 second). Unlike v2.1, this URL isn't the resource location of the model. Instead, the model URL can be constructed from the given modelId, also retrieved from the resourceLocation property in the response. Upon success, status is set to ```succeeded``` and result contains the custom model info. If errors are encountered, status is set to ```failed```, and the error is returned.

+POST https://{your-form-recognizer-endpoint}/formrecognizer/documentModels:build?api-version=2022-08-31

+POST https://{your-form-recognizer-endpoint}/formrecognizer/documentModels:compose?api-version=2022-08-31

+POST https://{targetHost}/formrecognizer/documentModels:authorizeCopy?api-version=2022-08-31

+POST https://{sourceHost}/formrecognizer/documentModels/{sourceModelId}:copy-to?api-version=2022-08-31

+GET https://{your-form-recognizer-endpoint}/formrecognizer/documentModels?api-version=2022-08-31

+GET https://{your-form-recognizer-endpoint}/formrecognizer/documentModels/{modelId}?api-version=2022-08-31

+GET https://{your-form-recognizer-endpoint}/formrecognizer/info? api-version=2022-08-31

+In this migration guide, you've learned how to upgrade your existing Form Recognizer application to use the v3.0 APIs.

+* [Review the new REST API](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)

+## August 2022

+### Form Recognizer v3.0 generally available

+**Form Recognizer REST API v3.0 is now generally available and ready for use in production applications!**

+#### The August release introduces the following performance updates:

+##### Form Recognizer Studio updates

+* **Next steps**. Under each model page, the Studio now has a next steps section. Users can quickly reference sample code, troubleshooting guidelines, and pricing information.

+* **Custom models**. The Studio now includes the ability to reorder labels in custom model projects to improve labeling efficiency.

+* **Copy Models** Custom models can be copied across Form Recognizer services from within the Studio. This enables the promotion of a trained model to other environments and regions.

+* **Delete documents**. The Studio now supports deleting documents from labeled dataset within custom projects.

+##### Form Recognizer service updates

+* [**prebuilt-invoice**](concept-invoice.md). The TotalVAT and Line/VAT fields will now resolve to the existing fields TotalTax and Line/Tax respectively.

+* [**prebuilt-idDocument**](concept-id-document.md). Data extraction support for US state ID, social security, and green cards as well as passport visa information.

+* [**prebuilt-receipt**](concept-receipt.md). Expanded locale support for French (fr-FR), Spanish (es-ES), Portuguese (pt-PT), Italian (it-IT) and German (de-DE).

+* [**prebuilt-businessCard**](concept-business-card.md). Address parsing support to extract sub-fields for address components like address, city, state, country, and zip code.

+* **AI quality improvements**

+ * [**custom-neural**](concept-custom-neural.md). Improved accuracy for table detection and extraction.

+ * [**prebuilt-layout**](concept-layout.md). Support for better detection of cropped tables, borderless tables, and improved recognition of long spanning cells. As well improved paragraph grouping detection and logical identification of headers and titles.

+ * [**prebuilt-document**](concept-general-document.md). Improved value and check box detection.

+The June release is the latest update to the Form Recognizer Studio. There are considerable user experience and accessibility improvements addressed in this update:

+* **Code sample for Javascript and C#**. The Studio code tab now adds JavaScript and C# code samples in addition to the existing Python one.

+* **New document upload UI**. Studio now supports uploading a document with drag & drop into the new upload user interface.

+* **New feature for custom projects**. Custom projects now support creating storage account and blobs when configuring the project. In addition, custom project now supports uploading training files directly within the Studio and copying the existing custom model.

+The **2022-06-30-preview** release presents extensive updates across the feature APIs:

+* [**Layout extends structure extraction**](concept-layout.md). Layout now includes added structure elements including sections, section headers, and paragraphs. This update enables finer grain document segmentation scenarios. For a complete list of structure elements identified, _see_ [enhanced structure](concept-layout.md#data-extraction).

+* [**Custom neural model tabular fields support**](concept-custom-neural.md). Custom document models now support tabular fields. Tabular fields by default are also multi page. To learn more about tabular fields in custom neural models, _see_ [tabular fields](concept-custom-neural.md#tabular-fields).

+* [**Custom template model tabular fields support for cross page tables**](concept-custom-template.md). Custom form models now support tabular fields across pages. To learn more about tabular fields in custom template models, _see_ [tabular fields](concept-custom-neural.md#tabular-fields).

+* [**Invoice model output now includes general document key-value pairs**](concept-invoice.md). Where invoices contain required fields beyond the fields included in the prebuilt model, the general document model supplements the output with key-value pairs. _See_ [key value pairs](concept-invoice.md#key-value-pairs).

+* [**Invoice language expansion**](concept-invoice.md). The invoice model includes expanded language support. _See_ [supported languages](concept-invoice.md#supported-languages-and-locales).

+* [**Prebuilt business card**](concept-business-card.md) now includes Japanese language support. _See_ [supported languages](concept-business-card.md#supported-languages-and-locales).

+* [**Prebuilt ID document model**](concept-id-document.md). The ID document model now extracts DateOfIssue, Height, Weight, EyeColor, HairColor, and DocumentDiscriminator from US driver's licenses. _See_ [field extraction](concept-id-document.md).

+* [**Read model now supports common Microsoft Office document types**](concept-read.md). Document types like Word (docx) and PowerPoint (ppt) are now supported with the Read API. See [page extraction](concept-read.md#pages).

+* [**Custom neural model**](concept-custom-neural.md) or custom document model is a new custom model to extract text and selection marks from structured forms, semi-strutured and **unstructured documents**.

+* [**W-2 prebuilt model**](concept-w2.md) is a new prebuilt model to extract fields from W-2 forms for tax reporting and income verification scenarios.

+* [**Read**](concept-read.md) API extracts printed text lines, words, text locations, detected languages, and handwritten text, if detected.

+Get started with the new [REST API](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v3-0-preview-2/operations/AnalyzeDocument), [Python](quickstarts/get-started-v3-sdk-rest-api.md), or [.NET](quickstarts/get-started-v3-sdk-rest-api.md) SDK for the v3.0 preview API.

+ | **Model** | **Text extraction** |**Key-Value pairs** |**Selection Marks** | **Tables** |**Signatures**|

+ |Read | Γ£ô | | | | |

+ |General document | Γ£ô | Γ£ô | Γ£ô | Γ£ô | |

+ | Layout | Γ£ô | | Γ£ô | Γ£ô | |

+ | Invoice | Γ£ô | Γ£ô | Γ£ô | Γ£ô ||

+ |Receipt | Γ£ô | Γ£ô | | |Γ£ô|

+ | ID document | Γ£ô | Γ£ô | | ||

+ | Business card | Γ£ô | Γ£ô | | ||

+ | Custom template |Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

+ | Custom neural |Γ£ô | Γ£ô | Γ£ô | Γ£ô | |

+* [Custom Document models and modes](concept-custom.md):

+* [W-2 prebuilt model](concept-w2.md) (prebuilt-tax.us.w2).

+* [Read prebuilt model](concept-read.md) (prebuilt-read).

+* [Invoice prebuilt model (Spanish)](concept-invoice.md#supported-languages-and-locales) (prebuilt-invoice).

+Get started with the new [REST API](https://westus2.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1/operations/AnalyzeWithCustomForm), [Python](quickstarts/get-started-v3-sdk-rest-api.md), or [.NET](quickstarts/get-started-v3-sdk-rest-api.md) SDK for the v3.0 preview API.

+ |General document | Γ£ô | Γ£ô | Γ£ô | Γ£ô | Γ£ô |

+### Form Recognizer 2.1 API Generally Available release

+* Form Recognizer 2.1 is generally available. The General Availability release marks the stability of the changes introduced in prior 2.1 preview package versions. This release enables you to detect and extract information and data from the following document types:

+* **SDK support for Form Recognizer API v2.0 Public Preview** - This month we expanded our service support to include a preview SDK for Form Recognizer v2.0 release. Use the links below to get started with your language of choice:

+This release introduces the Form Recognizer 2.0. In the sections below, you'll find more information about new features, enhancements, and changes.

+* [What is Form Recognizer?](./overview.md)

+**An Arc-enabled server or Arc-enabled VMware vSphere VM** running as a Hybrid Runbook Worker already has a built-in System Managed Identity assigned to it which can be used for authentication.

+Azure Automation provides native integration of the Hybrid Runbook Worker role through the Azure virtual machine (VM) extension framework. The Azure VM agent is responsible for management of the extension on Azure VMs on Windows and Linux VMs, and [Azure Connected Machine agent](../azure-arc/servers/agent-overview.md) on Non-Azure machines including [Azure Arc-enabled Servers](../azure-arc/servers/overview.md) and [Azure Arc-enabled VMware vSphere](../azure-arc/vmware-vsphere/overview.md). Now there are two Hybrid Runbook Workers installation platforms supported by Azure Automation.

+

+You can use the user Hybrid Runbook Worker feature of Azure Automation to run runbooks directly on an Azure or non-Azure machine, including [Azure Arc-enabled servers](../azure-arc/servers/overview.md) and [Arc-enabled VMware vSphere](../azure-arc/vmware-vsphere/overview.md). From the machine or server that's hosting the role, you can run runbooks directly against it and against resources in the environment to manage those local resources.

+- The system-assigned managed identity must be enabled on the Azure virtual machine, Arc-enabled server or Arc-enabled VMware vSphere VM. If the system-assigned managed identity isn't enabled, it will be enabled as part of the adding process.

+- Non-Azure machines must have the [Azure Connected Machine agent](../azure-arc/servers/agent-overview.md) installed. To install the `AzureConnectedMachineAgent`, see [Connect hybrid machines to Azure from the Azure portal](../azure-arc/servers/onboard-portal.md) for Arc-enabled servers or see [Manage VMware virtual machines Azure Arc](../azure-arc/vmware-vsphere/manage-vmware-vms-in-azure.md#enable-guest-management) for Arc-enabled VMware vSphere VMs.

+> For Azure VMs and Arc-enabled Servers, you can set up the proxy settings using PowerShell cmdlets or API. This is currently not supported for Arc-enabled VMware vSphere VMs.

+1. Select **Next** to advance to the **Hybrid workers** tab. You can select Azure virtual machines, Azure Arc-enabled servers or Azure Arc enabled VMware vSphere to be added to this Hybrid worker group. If you don't select any machines, an empty Hybrid worker group will be created. You can still add machines later.

+ After adding, you can see the machine type as Azure virtual machine, Server-Azure Arc or VMware virtual machine-Azure Arc. The **Platform** field shows the worker as **Agent based (V1)** or **Extension based (V2)**.

+ :::image type="content" source="./media/extension-based-hybrid-runbook-worker-install/hybrid-worker-group-platform-inline.png" alt-text="Screenshot of platform field showing agent or extension based." lightbox="./media/extension-based-hybrid-runbook-worker-install/hybrid-worker-group-platform-expanded.png":::

+- To learn about VM extensions for Arc-enabled servers, see [VM extension management with Azure Arc-enabled servers](../azure-arc/servers/manage-vm-extensions.md).

+- To learn about VM extensions for Arc-enabled VMware vSphere VMs, see [Manage VMware VMs in Azure through Arc-enabled VMware vSphere](../azure-arc/vmware-vsphere/manage-vmware-vms-in-azure.md).

+Azure Arc-enabled Kubernetes requires deployment of Azure Arc agents on your Kubernetes clusters so that capabilities such as configurations (GitOps), extensions, Cluster Connect and Custom Location are made available on the cluster. Kubernetes clusters deployed on the edge may not have constant network connectivity, and as a result, in a semi-connected mode the agents may not always be able to reach the Azure Arc services. This topic explains how Azure Arc features can be used with semi-connected modes of deployment.

+When working with Azure Arc-enabled Kubernetes clusters, it's important to understand how network connectivity modes impact your operations.

+- **Fully connected**: With ongoing network connectivity, agents can consistently communicate with Azure. In this mode, there is typically little delay with tasks such as propagating GitOps configurations, enforcing Azure Policy and Gatekeeper policies, or collecting workload metrics and logs in Azure Monitor.

+- **Semi-connected**: Azure Arc agents can pull desired state specification from the Arc services, then later realize this state on the cluster.

+ > [!IMPORTANT]

+ > The managed identity certificate pulled down by the `clusteridentityoperator` is valid for up to 90 days before it expires. The agents will try to renew the certificate during this time period; however, if there is no network connectivity, the certificate may expire, and the Azure Arc-enabled Kubernetes resource will stop working. Because of this, we recommend ensuring that the connected cluster has network connectivity at least once every 30 days. If the certificate expires, you'll need to delete and then recreate the Azure Arc-enabled Kubernetes resource and agents in order to reactivate Azure Arc features on the cluster.

+- **Disconnected**: Kubernetes clusters in disconnected environments that are unable to access Azure are not currently supported by Azure Arc-enabled Kubernetes.

+| Connecting | The Azure Arc-enabled Kubernetes resource has been created in Azure, but the service hasn't received the agent heartbeat yet. |

+| Connected | The Azure Arc-enabled Kubernetes service received an agent heartbeat within the previous 15 minutes. |

+| Offline | The Azure Arc-enabled Kubernetes resource was previously connected, but the service hasn't received any agent heartbeat for 15 minutes. |

+| Expired | The managed identity certificate of the cluster has expired. In this state, Azure Arc features will no longer work on the cluster. For more information on how to address expired Azure Arc-enabled Kubernetes resources, see the [FAQ](./faq.md#how-do-i-address-expired-azure-arc-enabled-kubernetes-resources). |

+- Walk through our quickstart to [connect a Kubernetes cluster to Azure Arc](./quickstart-connect-cluster.md).

+- Learn more about creating connections between your cluster and a Git repository as a [configuration resource with Azure Arc-enabled Kubernetes](./conceptual-configurations.md).

+The system-assigned managed identity associated with your Azure Arc-enabled Kubernetes cluster is only used by the Azure Arc agents to communicate with the Azure Arc services. The certificate associated with this system assigned managed identity has an expiration window of 90 days, and the agents will attempt to renew this certificate between Day 46 to Day 90. To avoid having your managed identity certificate expire, be sure that the cluster comes online at least once between Day 46 and Day 90 so that the certificate can be renewed.

+If the managed identity certificate expires, the resource is considered `Expired` and all Azure Arc features (such as configuration, monitoring, and policy) will stop working on the cluster.

+To check when the managed identity certificate will expire for a given cluster, run the following command:

+In the output, the value of the `managedIdentityCertificateExpirationTime` indicates when the managed identity certificate will expire (90D mark for that certificate).

+1. Delete the Azure Arc-enabled Kubernetes resource and agents on the cluster.

+To update the credentials of the account for Arc resource bridge, use the Azure CLI command [`az arcappliance update-infracredentials vmware`](/cli/azure/arcappliance/update-infracredentials#az-arcappliance-update-infracredentials-vmware). Run the command from a workstation that can access cluster configuration IP address of the Arc resource bridge locally:

+1. Select the **Next: Virtual Network** button at the bottom of the page.

+1. In the **Virtual Network** tab, select the virtual network and subnet you created in the previous section.

+- To compare various network isolation options for your cache, see [Azure Cache for Redis network isolation options documentation](cache-network-isolation.md).

+| July 2022 | Fix for mismatch event timestamps for Sentinel Windows Event Forwarding | 1.7.0.0 | None |

+| June 2022 | Bugfixes with user assigned identity support, and reliability improvements | 1.6.0.0 | None |

+8. Classic alert rules can no longer be created via PowerShell. Use the new ['Add-AzMetricAlertRuleV2'](/powershell/module/az.monitor/add-azmetricalertrulev2) command to create a metric alert rule instead.

+- A single resource, such as a VM. See [this article](alerts-metric-near-real-time.md) for supported resource types.

+|Latest GA SDK | Newer preview version available | **NO UPDATE NECESSARY** |

+|GA SDK | Newer GA released < one year ago | **UPDATE RECOMMENDED** |

+|GA SDK | Newer GA released > one year ago | **UPDATE REQUIRED** |

+|Latest Preview | No newer version available | **NO UPDATE NECESSARY** |

+|Latest Preview | Newer GA SDK | **UPDATE REQUIRED** |

+|Preview | Newer preview version | **UPDATE REQUIRED** |

+> [!NOTE]

+> * General Availability (GA) refers to non-beta versions.

+> * Preview refers to beta versions.

+ Title: Application Insights SDK for ASP.NET Core applications | Microsoft Docs

+description: Application Insights SDK tutorial to monitor ASP.NET Core web applications for availability, performance, and usage.

+ms.devlang: csharp

+# Enable Application Insights for ASP.NET Core applications

+This article describes how to enable Application Insights for an [ASP.NET Core](/aspnet/core) application deployed as an Azure Web App. This implementation utilizes an SDK-based approach, an [auto-instrumentation approach](./codeless-overview.md) is also available.

+Application Insights can collect the following telemetry from your ASP.NET Core application:

+> [!div class="checklist"]

+> * Requests

+> * Dependencies

+> * Exceptions

+> * Performance counters

+> * Heartbeats

+> * Logs

+We'll use an [ASP.NET Core MVC application](/aspnet/core/tutorials/first-mvc-app) example that targets `net6.0`. You can apply these instructions to all ASP.NET Core applications. If you're using the [Worker Service](/aspnet/core/fundamentals/host/hosted-services#worker-service-template), use the instructions from [here](./worker-service.md).

+> [!NOTE]

+> A preview [OpenTelemetry-based .NET offering](./opentelemetry-enable.md?tabs=net) is available. [Learn more](./opentelemetry-overview.md).

+## Supported scenarios

+The [Application Insights SDK for ASP.NET Core](https://nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore) can monitor your applications no matter where or how they run. If your application is running and has network connectivity to Azure, telemetry can be collected. Application Insights monitoring is supported everywhere .NET Core is supported. Support covers the following scenarios:

+* **Operating system**: Windows, Linux, or Mac

+* **Hosting method**: In process or out of process

+* **Deployment method**: Framework dependent or self-contained

+* **Web server**: IIS (Internet Information Server) or Kestrel

+* **Hosting platform**: The Web Apps feature of Azure App Service, Azure VM, Docker, Azure Kubernetes Service (AKS), and so on

+* **.NET Core version**: All officially [supported .NET Core versions](https://dotnet.microsoft.com/download/dotnet-core) that aren't in preview

+* **IDE**: Visual Studio, Visual Studio Code, or command line

+## Prerequisites

+If you'd like to follow along with the guidance in this article, certain pre-requisites are needed.

+* Visual Studio 2022

+* Visual Studio Workloads: ASP.NET and web development, Data storage and processing, and Azure development

+* .NET 6.0

+* Azure subscription and user account (with the ability to create and delete resources)

+## Deploy Azure resources

+Please follow the guidance to deploy the sample application from its [GitHub repository.](https://github.com/solliancenet/appinsights-azurecafe).

+In order to provide globally unique names to some resources, a 5 character suffix has been assigned. Please make note of this suffix for use later on in this article.

+

+## Create an Application Insights resource

+1. In the [Azure portal](https://portal.azure.com), locate and select the **application-insights-azure-cafe** resource group.

+2. From the top toolbar menu, select **+ Create**.

+ 

+3. On the **Create a resource** screen, search for and select `Application Insights` in the marketplace search textbox.

+ 

+4. On the Application Insights resource overview screen, select **Create**.

+ 

+5. On the Application Insights screen **Basics** tab. Complete the form as follows, then select the **Review + create** button. Fields not specified in the table below may retain their default values.

+ | Field | Value |

+ |-|-|

+ | Name | Enter `azure-cafe-application-insights-{SUFFIX}`, replacing **{SUFFIX}** with the appropriate suffix value recorded earlier. |

+ | Region | Select the same region chosen when deploying the article resources. |

+ | Log Analytics Workspace | Select `azure-cafe-log-analytics-workspace`, alternatively a new log analytics workspace can be created here. |

+ 

+6. Once validation has passed, select **Create** to deploy the resource.

+ 

+7. Once deployment has completed, return to the `application-insights-azure-cafe` resource group, and select the deployed Application Insights resource.

+ 

+8. On the Overview screen of the Application Insights resource, copy the **Connection String** value for use in the next section of this article.

+ 

+## Configure the Application Insights connection string application setting in the web App Service

+1. Return to the `application-insights-azure-cafe` resource group, locate and open the **azure-cafe-web-{SUFFIX}** App Service resource.

+ 

+2. From the left menu, beneath the Settings header, select **Configuration**. Then, on the **Application settings** tab, select **+ New application setting** beneath the Application settings header.

+ 

+3. In the Add/Edit application setting blade, complete the form as follows and select **OK**.

+ | Field | Value |

+ |-|-|

+ | Name | APPLICATIONINSIGHTS_CONNECTION_STRING |

+ | Value | Paste the Application Insights connection string obtained in the preceding section. |

+ 

+4. On the App Service Configuration screen, select the **Save** button from the toolbar menu. When prompted to save the changes, select **Continue**.

+ 

+## Install the Application Insights NuGet Package

+We need to configure the ASP.NET Core MVC web application to send telemetry. This is accomplished using the [Application Insights for ASP.NET Core web applications NuGet package](https://nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore).

+1. With Visual Studio, open `1 - Starter Application\src\AzureCafe.sln`.

+2. In the Solution Explorer panel, right-click the AzureCafe project file, and select **Manage NuGet Packages**.

+ 

+3. Select the **Browse** tab, then search for and select **Microsoft.ApplicationInsights.AspNetCore**. Select **Install**, and accept the license terms. It is recommended to use the latest stable version. Find full release notes for the SDK on the [open-source GitHub repo](https://github.com/Microsoft/ApplicationInsights-dotnet/releases).

+ 

+4. Keep Visual Studio open for the next section of the article.

+## Enable Application Insights server-side telemetry

+The Application Insights for ASP.NET Core web applications NuGet package encapsulates features to enable sending server-side telemetry to the Application Insights resource in Azure.

+1. From the Visual Studio Solution Explorer, locate and open the **Program.cs** file.

+ 

+2. Insert the following code prior to the `builder.Services.AddControllersWithViews()` statement. This code automatically reads the Application Insights connection string value from configuration. The `AddApplicationInsightsTelemetry` method registers the `ApplicationInsightsLoggerProvider` with the built-in dependency injection container, that will then be used to fulfill [ILogger](/dotnet/api/microsoft.extensions.logging.ilogger) and [ILogger\<TCategoryName\>](/dotnet/api/microsoft.extensions.logging.iloggerprovider) implementation requests.

+ ```csharp

+ builder.Services.AddApplicationInsightsTelemetry();

+ ```

+ 

+ > [!TIP]

+ > Learn more about [configuration options in ASP.NET Core](/aspnet/core/fundamentals/configuration).

+## Enable client-side telemetry for web applications

+The preceding steps are enough to help you start collecting server-side telemetry. This application has client-side components, follow the next steps to start collecting [usage telemetry](./usage-overview.md).

+1. In Visual Studio Solution explorer, locate and open `\Views\_ViewImports.cshtml`. Add the following code at the end of the existing file.

+ ```cshtml

+ @inject Microsoft.ApplicationInsights.AspNetCore.JavaScriptSnippet JavaScriptSnippet

+ ```

+ 

+2. To properly enable client-side monitoring for your application, the JavaScript snippet must appear in the `<head>` section of each page of your application that you want to monitor. In Visual Studio Solution Explorer, locate and open `\Views\Shared\_Layout.cshtml`, insert the following code immediately preceding the closing `<\head>` tag.

+ ```cshtml

+ @Html.Raw(JavaScriptSnippet.FullScript)

+ ```

+ 

+ > [!TIP]

+ > As an alternative to using the `FullScript`, the `ScriptBody` is available. Use `ScriptBody` if you need to control the `<script>` tag to set a Content Security Policy:

+ ```cshtml

+ <script> // apply custom changes to this script tag.

+ @Html.Raw(JavaScriptSnippet.ScriptBody)

+ </script>

+ ```

+> [!NOTE]

+> JavaScript injection provides a default configuration experience. If you require [configuration](./javascript.md#configuration) beyond setting the connection string, you are required to remove auto-injection as described above and manually add the [JavaScript SDK](./javascript.md#add-the-javascript-sdk).

+## Enable monitoring of database queries

+When investigating causes for performance degradation, it is important to include insights into database calls. Enable monitoring through configuration of the [dependency module](./asp-net-dependencies.md). Dependency monitoring, including SQL is enabled by default. The following steps can be followed to capture the full SQL query text.

+> [!NOTE]

+> SQL text may contain sensitive data such as passwords and PII. Be careful when enabling this feature.

+1. From the Visual Studio Solution Explorer, locate and open the **Program.cs** file.

+2. At the top of the file, add the following `using` statement.

+ ```csharp

+ using Microsoft.ApplicationInsights.DependencyCollector;

+ ```

+3. Immediately following the `builder.Services.AddApplicationInsightsTelemetry()` code, insert the following to enable SQL command text instrumentation.

+ ```csharp

+ builder.Services.ConfigureTelemetryModule<DependencyTrackingTelemetryModule>((module, o) => { module.EnableSqlCommandTextInstrumentation = true; });

+ ```

+ 

+## Run the Azure Cafe web application

+After the web application code is deployed, telemetry will flow to Application Insights. The Application Insights SDK automatically collects incoming web requests to your application.

+1. Right-click the **AzureCafe** project in Solution Explorer and select **Publish** from the context menu.

+ 

+2. Select **Publish** to promote the new code to the Azure App Service.

+ 

+3. Once the publish has succeeded, a new browser window opens to the Azure Cafe web application.

+ 

+4. Perform various activities in the web application to generate some telemetry.

+ 1. Select **Details** next to a Cafe to view its menu and reviews.

+ 

+ 2. On the Cafe screen, select the **Reviews** tab to view and add reviews. Select the **Add review** button to add a review.

+ 

+ 3. On the Create a review dialog, enter a name, rating, comments, and upload a photo for the review. Once completed, select **Add review**.

+ 

+ 4. Repeat adding reviews as desired to generate additional telemetry.

+### Live metrics

+[Live Metrics](./live-stream.md) can be used to quickly verify if Application Insights monitoring is configured correctly. It might take a few minutes for telemetry to appear in the portal and analytics, but Live Metrics shows CPU usage of the running process in near real time. It can also show other telemetry like Requests, Dependencies, and Traces.

+### Application map

+The sample application makes calls to multiple Azure resources, including Azure SQL, Azure Blob Storage, and the Azure Language Service (for review sentiment analysis).

+

+Application Insights introspects incoming telemetry data and is able to generate a visual map of detected system integrations.

+1. Access and log into the [Azure portal](https://portal.azure.com).

+2. Open the sample application resource group `application-insights-azure-cafe`.

+3. From the list of resources, select the `azure-cafe-insights-{SUFFIX}` Application Insights resource.

+4. Select **Application map** from the left menu, beneath the **Investigate** heading. Observe the generated Application map.

+ 

+### Viewing HTTP calls and database SQL command text

+1. In the Azure portal, open the Application Insights resource.

+2. Beneath the **Investigate** header on the left menu, select **Performance**.

+3. The **Operations** tab contains details of the HTTP calls received by the application. You can also toggle between Server and Browser (client-side) views of data.

+ 

+4. Select an Operation from the table, and choose to drill into a sample of the request.

+ 

+5. The End-to-end transaction displays for the selected request. In this case, a review was created including an image, thus it includes calls to Azure Storage, the Language Service (for sentiment analysis), as well as database calls into SQL Azure to persist the review. In this example, the first selected Event displays information relative to the HTTP POST call.

+ 

+6. Select a SQL item to review the SQL command text issued to the database.

+ 

+7. Optionally select Dependency (outgoing) requests to Azure Storage or the Language Service.

+8. Return to the **Performance** screen, and select the **Dependencies** tab to investigate calls into external resources. Notice the Operations table includes calls into Sentiment Analysis, Blob Storage, and Azure SQL.

+ 

+## Application logging with Application Insights

+### Logging overview

+Application Insights is one type of [logging provider](/dotnet/core/extensions/logging-providers) available to ASP.NET Core applications that becomes available to applications when the [Application Insights for ASP.NET Core](#install-the-application-insights-nuget-package) NuGet package is installed and [server-side telemetry collection enabled](#enable-application-insights-server-side-telemetry). As a reminder, the following code in **Program.cs** registers the `ApplicationInsightsLoggerProvider` with the built-in dependency injection container.

+```csharp

+builder.Services.AddApplicationInsightsTelemetry();

+```

+With the `ApplicationInsightsLoggerProvider` registered as the logging provider, the app is ready to log to Application Insights using either constructor injection with <xref:Microsoft.Extensions.Logging.ILogger> or the generic-type alternative <xref:Microsoft.Extensions.Logging.ILogger%601>.

+> [!NOTE]

+> With default settings, the logging provider is configured to automatically capture log events with a severity of <xref:Microsoft.Extensions.Logging.LogLevel.Warning?displayProperty=nameWithType> or greater.

+Consider the following example controller that demonstrates the injection of ILogger which is resolved with the `ApplicationInsightsLoggerProvider` that is registered with the dependency injection container. Observe in the **Get** method that an Informational, Warning and Error message are recorded.

+> [!NOTE]

+> By default, the Information level trace will not be recorded. Only the Warning and above levels are captured.

+```csharp

+using Microsoft.AspNetCore.Mvc;

+[Route("api/[controller]")]

+[ApiController]

+public class ValuesController : ControllerBase

+{

+ private readonly ILogger _logger;

+ public ValuesController(ILogger<ValuesController> logger)

+ {

+ _logger = logger;

+ }

+ [HttpGet]

+ public ActionResult<IEnumerable<string>> Get()

+ {

+ //Info level traces are not captured by default

+ _logger.LogInfo("An example of an Info trace..")

+ _logger.LogWarning("An example of a Warning trace..");

+ _logger.LogError("An example of an Error level message");

+ return new string[] { "value1", "value2" };

+ }

+}

+```

+For more information, see [Logging in ASP.NET Core](/aspnet/core/fundamentals/logging).

+## View logs in Application Insights

+The ValuesController above is deployed with the sample application and is located in the **Controllers** folder of the project.

+1. Using an internet browser, open the sample application. In the address bar, append `/api/Values` and press <kbd>Enter</kbd>.

+ 

+2. Wait a few moments, then return to the **Application Insights** resource in the [Azure portal](https://portal.azure.com).

+ 

+3. From the left menu of the Application Insights resource, select **Logs** from beneath the **Monitoring** section. In the **Tables** pane, double-click on the **traces** table, located under the **Application Insights** tree. Modify the query to retrieve traces for the **Values** controller as follows, then select **Run** to filter the results.

+ ```kql

+ traces

+ | where operation_Name == "GET Values/Get"

+ ```

+4. Observe the results display the logging messages present in the controller. A log severity of 2 indicates a warning level, and a log severity of 3 indicates an Error level.

+5. Alternatively, the query can also be written to retrieve results based on the category of the log. By default, the category is the fully qualified name of the class where the ILogger is injected, in this case **ValuesController** (if there was a namespace associated with the class the name will be prefixed with the namespace). Re-write and run the following query to retrieve results based on category.

+ ```kql

+ traces

+ | where customDimensions.CategoryName == "ValuesController"

+ ```

+## Control the level of logs sent to Application Insights

+`ILogger` implementations have a built-in mechanism to apply [log filtering](/dotnet/core/extensions/logging#how-filtering-rules-are-applied). This filtering lets you control the logs that are sent to each registered provider, including the Application Insights provider. You can use the filtering either in configuration (using an *appsettings.json* file) or in code. For more information about log levels and guidance on appropriate use, see the [Log Level](/aspnet/core/fundamentals/logging#log-level) documentation.

+The following examples show how to apply filter rules to the `ApplicationInsightsLoggerProvider` to control the level of logs sent to Application Insights.

+### Create filter rules with configuration

+The `ApplicationInsightsLoggerProvider` is aliased as **ApplicationInsights** in configuration. The following section of an *appsettings.json* file sets the default log level for all providers to <xref:Microsoft.Extensions.Logging.LogLevel.Warning?displayProperty=nameWithType>. The configuration for the ApplicationInsights provider specifically for categories that start with "ValuesController" override this default value with <xref:Microsoft.Extensions.Logging.LogLevel.Error?displayProperty=nameWithType> and higher.

+```json

+{

+ //... additional code removed for brevity

+ "Logging": {

+ "LogLevel": { // No provider, LogLevel applies to all the enabled providers.

+ "Default": "Warning"

+ },

+ "ApplicationInsights": { // Specific to the provider, LogLevel applies to the Application Insights provider.

+ "LogLevel": {

+ "ValuesController": "Error" //Log Level for the "ValuesController" category

+ }

+ }

+ }

+}

+```

+Deploying the sample application with the preceding code in *appsettings.json* will yield only the error trace being sent to Application Insights when interacting with the **ValuesController**. This is because the **LogLevel** for the **ValuesController** category is set to **Error**, therefore the **Warning** trace is suppressed.

+## Turn off logging to Application Insights

+To disable logging using configuration, set all LogLevel values to "None".

+```json

+{

+ //... additional code removed for brevity

+ "Logging": {

+ "LogLevel": { // No provider, LogLevel applies to all the enabled providers.

+ "Default": "None"

+ },

+ "ApplicationInsights": { // Specific to the provider, LogLevel applies to the Application Insights provider.

+ "LogLevel": {

+ "ValuesController": "None" //Log Level for the "ValuesController" category

+ }

+ }

+ }

+}

+```

+Similarly, within code, set the default level for the `ApplicationInsightsLoggerProvider` and any subsequent log levels to **None**.

+```csharp

+var builder = WebApplication.CreateBuilder(args);

+builder.Logging.AddFilter<ApplicationInsightsLoggerProvider>("", LogLevel.None);

+builder.Logging.AddFilter<Microsoft.Extensions.Logging.ApplicationInsights.ApplicationInsightsLoggerProvider>("ValuesController", LogLevel.None);

+```

+## Open-source SDK

+* [Read and contribute to the code](https://github.com/microsoft/ApplicationInsights-dotnet).

+For the latest updates and bug fixes, see the [release notes](./release-notes.md).

+## Next steps

+* [Explore user flows](./usage-flows.md) to understand how users navigate through your app.

+* [Configure a snapshot collection](./snapshot-debugger.md) to see the state of source code and variables at the moment an exception is thrown.

+* [Use the API](./api-custom-events-metrics.md) to send your own events and metrics for a detailed view of your app's performance and usage.

+* Use [availability tests](./monitor-web-app-availability.md) to check your app constantly from around the world.

+* [Dependency Injection in ASP.NET Core](/aspnet/core/fundamentals/dependency-injection)

+* [Logging in ASP.NET Core](/aspnet/core/fundamentals/logging)

+* [.NET trace logs in Application Insights](./asp-net-trace-logs.md)

+* [Auto-instrumentation for Application Insights](./codeless-overview.md)

+|ByteCount|No|Bytes|Bytes|Total|Total number of Bytes transmitted within time period|Protocol, Direction|

+|DatapathAvailability|No|Datapath Availability (Preview)|Count|Average|NAT Gateway Datapath Availability|No Dimensions|

+|PacketCount|No|Packets|Count|Total|Total number of Packets transmitted within time period|Protocol, Direction|

+|PacketDropCount|No|Dropped Packets|Count|Total|Count of dropped packets|No Dimensions|

+|SNATConnectionCount|No|SNAT Connection Count|Count|Total|Total concurrent active connections|Protocol, ConnectionState|

+|TotalConnectionCount|No|Total SNAT Connection Count|Count|Total|Total number of active SNAT connections|Protocol|

+[](media/logs-export-logic-app/logic-app-overview.png#lightbox)

+ 1. Go to **Logic Apps** in the Azure portal and click **Add**. Select a **Subscription**, **Resource group**, and **Region** to store the new Logic App and then give it a unique name. You can turn on **Log Analytics** setting to collect information about runtime data and events as described in [Set up Azure Monitor logs and collect diagnostics data for Azure Logic Apps](../../logic-apps/monitor-logic-apps-log-analytics.md). This setting isn't required for using the Azure Monitor Logs connector.

+\

+ [](media/logs-export-logic-app/create-logic-app.png#lightbox)

+ 2. Click **Review + create** and then **Create**. When the deployment is complete, click **Go to resource** to open the **Logic Apps Designer**.

+2. **Create a trigger for the Logic App**

+ 1. Under **Start with a common trigger**, select **Recurrence**. This creates a Logic App that automatically runs at a regular interval. In the **Frequency** box of the action, select **Day** and in the **Interval** box, enter **1** to run the workflow once per day.

+ \

+ [](media/logs-export-logic-app/recurrence-action.png#lightbox)

+3. **Add Azure Monitor Logs action**

+ 1. Click **+ New step** to add an action that runs after the recurrence action. Under **Choose an action**, type **azure monitor** and then select **Azure Monitor Logs**.

+ \

+ [](media/logs-export-logic-app/select-azure-monitor-connector.png#lightbox)

+ 1. Click **Azure Log Analytics ΓÇô Run query and list results**.

+ \

+ [](media/logs-export-logic-app/select-query-action-list.png#lightbox)

+ 2. Select the **Subscription** and **Resource Group** for your Log Analytics workspace. Select *Log Analytics Workspace* for the **Resource Type** and then select the workspace's name under **Resource Name**.

+ 3. Add the following log query to the **Query** window.

+ 4. The **Time Range** specifies the records that will be included in the query based on the **TimeGenerated** column. This should be set to a value greater than the time range selected in the query. Since this query isn't using the **TimeGenerated** column, then **Set in query** option isn't available. See [Query scope](./scope.md) for more details about the time range. Select **Last 4 hours** for the **Time Range**. This will ensure that any records with an ingestion time larger than **TimeGenerated** will be included in the results.

+ \

+ [](media/logs-export-logic-app/run-query-list-action.png#lightbox)

+4. **Add Parse JSON activity (optional)**

+ You can provide a JSON schema that describes the payload you expect to receive. The designer parses JSON content by using this schema and generates user-friendly tokens that represent the properties in your JSON content. You can then easily reference and use those properties throughout your Logic App's workflow.

+

+ You can use a sample output from **Run query and list results** step. Click **Run Trigger** in Logic App ribbon, then **Run**, download and save an output record. For the sample query in previous stem, you can use the following sample output:

+ ```json

+ {

+ "TimeGenerated": "2020-09-29T23:11:02.578Z",

+ "BlobTime": "2020-09-29T23:00:00Z",

+ "OperationName": "Returns Storage Account SAS Token",

+ "OperationNameValue": "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE",

+ "Level": "Informational",

+ "ActivityStatus": "Started",

+ "ResourceGroup": "monitoring",

+ "SubscriptionId": "00000000-0000-0000-0000-000000000000",

+ "Category": "Administrative",

+ "EventSubmissionTimestamp": "2020-09-29T23:11:02Z",

+ "ClientIpAddress": "192.168.1.100",

+ "ResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/monitoring/providers/microsoft.storage/storageaccounts/my-storage-account"

+ }

+ ```

+ 1. Click **+ New step**, and then click **+ Add an action**. Under **Choose an action**, type **json** and then select **Parse JSON**.

+ \

+ [](media/logs-export-logic-app/select-parse-json.png#lightbox)

+ 1. Click in the **Content** box to display a list of values from previous activities. Select **Body** from the **Run query and list results** action. This is the output from the log query.

+ \

+ [](media/logs-export-logic-app/select-body.png#lightbox)

+ 1. Copy the sample record saved earlier, click **Use sample payload to generate schema** and paste.

+\

+ [](media/logs-export-logic-app/parse-json-payload.png#lightbox)

+5. **Add the Compose action**

+ 1. Click **+ New step**, and then click **+ Add an action**. Under **Choose an action**, type **compose** and then select the **Compose** action.

+ \

+ [](media/logs-export-logic-app/select-compose.png#lightbox)

+ 1. Click the **Inputs** box display a list of values from previous activities. Select **Body** from the **Parse JSON** action. This is the parsed output from the log query.

+ \

+ [](media/logs-export-logic-app/select-body-compose.png#lightbox)

+6. **Add the Create Blob action**

+ 1. Click **+ New step**, and then click **+ Add an action**. Under **Choose an action**, type **blob** and then select the **Create Blob** action.

+ \

+ [](media/logs-export-logic-app/select-create-blob.png#lightbox)

+ 1. Type a name for the connection to your Storage Account in **Connection Name** and then click the folder icon in the **Folder path** box to select the container in your Storage Account. Click the **Blob name** to see a list of values from previous activities. Click **Expression** and enter an expression that matches your time interval. For this query which is run hourly, the following expression sets the blob name per previous hour:

+ \

+ [](media/logs-export-logic-app/blob-expression.png#lightbox)

+ 2. Click the **Blob content** box to display a list of values from previous activities and then select **Outputs** in the **Compose** section.

+ \

+ [](media/logs-export-logic-app/create-blob.png#lightbox)

+7. **Test the Logic App**

+ Test the workflow by clicking **Run**. If the workflow has errors, it will be indicated on the step with the problem. You can view the executions and drill in to each step to view the input and output to investigate failures. See [Troubleshoot and diagnose workflow failures in Azure Logic Apps](../../logic-apps/logic-apps-diagnosing-failures.md) if necessary.

+ \

+ [](media/logs-export-logic-app/runs-history.png#lightbox)

+8. **View logs in Storage**

+ Go to the **Storage accounts** menu in the Azure portal and select your Storage Account. Click the **Blobs** tile and select the container you specified in the Create blob action. Select one of the blobs and then **Edit blob**.

+ \

+ [](media/logs-export-logic-app/blob-data.png#lightbox)

+## Performance considerations with `nconnect`

+[Azure Percept Studio](/azure/azure-percept/studio/azure-percept-studio-overview) is a user-friendly portal for creating, deploying, and operating Edge artificial intelligence (AI) solutions. Using a low-code to no-code approach, you can discover and complete guided workflows and create an end-to-end Edge AI solution. This solution integrates Azure IoT and Azure AI cloud services like Azure IoT Hub, IoT Edge, Azure Storage, Log Analytics, and Spatial Analysis from Azure Cognitive Services.

+[Azure Percept for DeepStream](/azure/azure-percept/deepstream/azure-percept-for-deepstream-overview) includes developer tools that provide a custom developer experience. It enables you to create NVIDIA DeepStream containers using Microsoft-based images and guidance, supported models from NVIDIA out of the box, and/or bring your own models (BYOM). DeepStream is NVIDIAΓÇÖs toolkit to develop and deploy Vision AI applications and services. It provides multi-platform, scalable, Transport Layer Security (TLS)-encrypted security that can be deployed on-premises, on the edge, and in the cloud.

+[Azure Percept Open-Source Project](/azure/azure-percept/open-source/azure-percept-open-source-project-overview) is a framework for creating, deploying, and operating Edge artificial intelligence (AI) solutions at scale with the control and flexibility of open-source natively on your environment. Azure Percept Open-Source Project is fully open-sourced and leverages the open-source software (OSS) community to deliver enhanced experiences. It's a self-managed solution where you host the environment in your own cluster.

+After you [create an Azure support request](how-to-create-azure-support-request.md), you can manage it in the [Azure portal](https://portal.azure.com).

+> [!TIP]

+> You can create and manage requests programmatically by using the [Azure support ticket REST API](/rest/api/support) or [Azure CLI](/cli/azure/azure-cli-support-request). Additionally, you can view open requests, reply to your support engineer, or edit the severity of your ticket in the [Azure mobile app](https://azure.microsoft.com/get-started/azure-portal/mobile-app/).

+View the details and status of support requests by going to **Help + support** > **All support requests** in the Azure portal.

+1. On the **Support Request** page, select the **File upload** box, then browse to find your file and select **Upload**. Repeat the process if you have multiple files.

+Which can be used in a subsequent deployment as shown in the following example

+description: Describes the concepts for Azure Managed Applications that provide cloud solutions that are easy for customers to deploy and operate.

+Azure Managed Applications enable you to offer cloud solutions that are easy for customers to deploy and operate. You implement the infrastructure and provide ongoing support. To make a managed application available to all customers, publish it in Azure Marketplace. To make it available to only users in your organization, publish it to an internal catalog.

+A managed application is similar to a solution template in Azure Marketplace, with one key difference. In a managed application, the resources are deployed to a resource group that's managed by the publisher of the app. The resource group is present in the customer's subscription, but an identity in the publisher's tenant has access to the resource group. As the publisher, you specify the cost for ongoing support of the solution.

+Managed applications reduce barriers to customers using your solutions. They don't need expertise in cloud infrastructure to use your solution. Customers have limited access to the critical resources and don't need to worry about making a mistake when managing it.

+Managed applications enable you to establish an ongoing relationship with your customers. You define terms for managing the application and all charges are handled through Azure billing.

+Managed applications support [managed identities for Azure resources](./publish-managed-identity.md).

+Typically, the resources for a managed application are in two resource groups. The customer manages one resource group, and the publisher manages the other resource group. When the managed application is defined, the publisher specifies the levels of access. The publisher can request either a permanent role assignment, or [just-in-time access](request-just-in-time-access.md) for an assignment that's constrained to a time period.

+The following image shows the relationship between the customer's Azure subscription and the publisher's Azure subscription. The managed application and managed resource group are in the customer's subscription. The publisher has management access to the managed resource group to maintain the managed application's resources. The publisher places a read-only lock on the managed resource group that limits the customer's access to manage resources. The publisher's identities that have access to the managed resource group are exempt from the lock.

+This resource group holds the managed application instance. This resource group may only contain one resource. The resource type of the managed application is [Microsoft.Solutions/applications](#resource-provider).

+The customer has full access to the resource group and uses it to manage the lifecycle of the managed application.

+This resource group holds all the resources that are required by the managed application. For example, this resource group contains the virtual machines, storage accounts, and virtual networks for the solution. The customer has limited access to this resource group because the customer doesn't manage the individual resources for the managed application. The publisher's access to this resource group corresponds to the role specified in the managed application definition. For example, the publisher might request the Owner or Contributor role for this resource group. The access is either permanent or limited to a specific time.

+When the [managed application is published to the marketplace](../../marketplace/azure-app-offer-setup.md), the publisher can grant customers the ability to perform specific actions on resources in the managed resource group. For example, the publisher can specify that customers can restart virtual machines. All other actions beyond read actions are still denied. Changes to resources in a managed resource group by a customer with granted actions are subject to the [Azure Policy](../../governance/policy/overview.md) assignments within the customer's tenant scoped to include the managed resource group.

+When the customer deletes the managed application, the managed resource group is also deleted.

+## Resource provider

+Managed applications use the `Microsoft.Solutions` resource provider with ARM template JSON. For more information, see the resource types and API versions.

+- [Microsoft.Solutions/applicationDefinitions](/azure/templates/microsoft.solutions/applicationdefinitions?pivots=deployment-language-arm-template)

+- [Microsoft.Solutions/applications](/azure/templates/microsoft.solutions/applications?pivots=deployment-language-arm-template)

+- [Microsoft.Solutions/jitRequests](/azure/templates/microsoft.solutions/jitrequests?pivots=deployment-language-arm-template)

+> [Quickstart: Create and publish an Azure managed application definition](publish-service-catalog-app.md)

+For more information about the ARM template's properties, see [Microsoft.Solutions/applicationDefinitions](/azure/templates/microsoft.solutions/applicationdefinitions?pivots=deployment-language-arm-template). Managed applications only use ARM template JSON.

+- A delete-only lock on a **Log Analytics workspace** does not prevent [data purge operations](../../azure-monitor/logs/personal-data-mgmt.md#delete), remove the [data purge](../../role-based-access-control/built-in-roles.md#data-purger role from the user instead.

+- For guidance on how enterprises can use Resource Manager to effectively manage subscriptions, see [Azure enterprise scaffold - prescriptive subscription governance](/azure/architecture/cloud-adoption-guide/subscription-governance).

+In this tutorial, you learn how to add tags to resources in your Azure Resource Manager template (ARM template). [Tags](../management/tag-resources.md) are metadata elements made up of key-value pairs that help you identify resources and show up in cost reports. This instruction takes **8 minutes** to complete.

+We recommend that you complete the [tutorial about Quickstart Templates](template-tutorial-quickstart-template.md), but it's not required.

+You need to have Visual Studio Code with the Resource Manager Tools extension and either Azure PowerShell or Azure Command-Line Interface (CLI). For more information, see [template tools](template-tutorial-create-first-template.md#get-tools).

+Your previous template deployed a storage account, an App Service plan, and a web app.

+After you deploy these resources, you might need to track costs and find resources that belong to a category. You can add tags to help solve these issues.

+You tag resources to add values that help you identify their use. You can add tags that list the environment and the project. You can also add them to identify a cost center or the team that owns the resource. Add any values that make sense for your organization.

+To run this deployment command, you need to have the [latest version](/cli/azure/install-azure-cli) of Azure CLI.

+> If the deployment fails, use the `verbose` switch to get information about the resources you're creating. Use the `debug` switch to get more information for debugging.

+If you're stopping now, you might want to delete the resource group.

+1. From the Azure portal, select **Resource groups** from the left menu.

+2. Type the resource group name in the **Filter for any field...** text field.

+3. Check the box next to **myResourceGroup** and select **myResourceGroup** or your resource group name.

+In this tutorial, you add tags to the resources. In the next tutorial, you learn how to use parameter files to simplify passing in values to the template.

+* ARM accounts: **The recommended paid account type is the ARM-based account**.

+ * You can create an Azure Video Indexer **ARM-based** account through one of the following:

+

+ 1. [Azure Video Indexer portal](https://aka.ms/vi-portal-link)

+ 2. [Azure portal](https://portal.azure.com/#home)

+

+ For the detailed description, [Get started with Azure Video Indexer in Azure portal](create-account-portal.md).

+* Upgrade a trial account to an ARM-based account and [import your content for free](import-content-from-trial.md).

+ Title: Create a classic Azure Video Indexer account connected to Azure

+description: Learn how to create a classic Azure Video Indexer account connected to Azure.

+# Create a classic Azure Video Indexer account

+This topic shows how to create a new classic account connected to Azure using the [Azure Video Indexer website](https://aka.ms/vi-portal-link). You can also create an Azure Video Indexer classic account through our [API](https://aka.ms/avam-dev-portal).

+The topic discusses prerequisites that you need to connect to your Azure subscription and how to configure an Azure Media Services account.

+A few Azure Video Indexer account types are available to you. For detailed explanation, review [Account types](accounts-overview.md).

+For the pricing details, see [pricing](https://azure.microsoft.com/pricing/details/video-indexer/).

+ Search for **Microsoft.Media** and **Microsoft.EventGrid**. If not in the "Registered" state, select **Register**. It takes a couple of minutes to register.

+## Connect to Azure

+> Use the same Azure AD user you used when connecting to Azure.

+It's mandatory to have the following three accounts located in the same region:

+* The Azure Video Indexer account that you're creating.

+* The Azure Video Indexer account that you're connecting with the Media Services account.

+* The Azure storage account connected to the same Media Services account.

+ When you create an Azure Video Indexer account and connect it to Media Services, the media and metadata files are stored in the Azure storage account associated with that Media Services account.

+If your storage account is behind a firewall, see [storage account that is behind a firewall](faq.yml#can-a-storage-account-connected-to-the-media-services-account-be-behind-a-firewall).

+ > Make sure to write down the Media Services resource and account names.

+1. For Azure Video Indexer to authenticate with Media Services API, an AD app needs to be created. The following steps guide you through the Azure AD authentication process described in [Get started with Azure AD authentication by using the Azure portal](/azure/media-services/previous/media-services-portal-get-started-with-aad):

+### Azure Media Services considerations

+## Create a classic account

+1. On the [Azure Video Indexer website](https://aka.ms/vi-portal-link), select **Create unlimited account** (the paid account).

+2. To create a classic account, select **Switch to manual configuration**.

+In the dialog, provide the following information:

+|Setting|Description|

+|||

+|Azure Video Indexer account region|The name of the Azure Video Indexer account region. For better performance and lower costs, it's highly recommended to specify the name of the region where the Azure Media Services resource and Azure Storage account are located. |

+|Azure AD tenant|The name of the Azure AD tenant, for example "contoso.onmicrosoft.com". The tenant information can be retrieved from the Azure portal. Place your cursor over the name of the signed-in user in the top-right corner. Find the name to the right of **Domain**.|

+|Subscription ID|The Azure subscription under which this connection should be created. The subscription ID can be retrieved from the Azure portal. Select **All services** in the left panel, and search for "subscriptions". Select **Subscriptions** and choose the desired ID from the list of your subscriptions.|

+|Azure Media Services resource group name|The name for the resource group in which you created the Media Services account.|

+|Media service resource name|The name of the Azure Media Services account that you created in the previous section.|

+|Application ID|The Azure AD application ID (with permissions for the specified Media Services account) that you created in the previous section.|

+|Application key|The Azure AD application key that you created in the previous section. |

+## Import your content from the trial account

+See [Import your content from the trial account](import-content-from-trial.md).

+- An Azure subscription in [Azure Government](../azure-government/index.yml).

+- All pre-requirements of permissions and resources as described above in [Prerequisites for connecting to Azure](#prerequisites-for-connecting-to-azure).

+1. Sign-in with your Azure Government Azure AD account.

+1. If you don't have any Azure Video Indexer accounts in Azure Government that you're an owner or a contributor to, you'll get an empty experience from which you can start creating your account.

+ If you already are a contributor or an admin of an existing one or more Azure Video Indexer accounts in Azure Government, you'll be taken to that account and from there you can start a following steps for creating an additional account if needed, as described above.

+* Bing description - in Gov cloud we won't present a description of celebrities and named entities identified. This is a UI capability only.

+After you're done with this tutorial, delete resources that you aren't planning to use.

+ Title: Import your content from the trial account

+description: Learn how to import your content from the trial account.

+# Import your content from the trial account

+When creating a new ARM-based account, you have an option to import your content from the trial account into the new ARM-based account free of charge.

+> [!NOTE]

+> Make sure to review the following considerations.

+## Considerations

+Review the following considerations.

+* Import from trial can be performed only once per trial account.

+* The target ARM-based account needs to be created and available before import is assigned.

+* Target ARM-based account has to be an empty account (never indexed any media files).

+## Import your data

+To import your data, follow the steps:

+ 1. Go to [Azure Video Indexer portal](https://aka.ms/vi-portal-link)

+ 2. Select your trial account and go to the **Account settings** page.

+ 3. Click the **Import content to an ARM-based account**.

+ 4. From the dropdown menu choose the ARM-based account you wish to import the data to.

+

+ * If the account ID isn't showing, you can copy and paste the account ID from Azure portal or the account list, on the side blade in the Azure Video Indexer Portal.

+ 5. Click **Import content**

+ :::image type="content" alt-text="Screenshot that shows how to import your data." source="./media/create-account/import-to-arm-account.png":::

+All media and content model customizations will be copied from the trial account into the new ARM-based account.

+## Next steps

+You can programmatically interact with your trial account and/or with your Azure Video Indexer accounts that are connected to Azure by following the instructions in: [Use APIs](video-indexer-use-apis.md).

+You should use the same Azure AD user you used when connecting to Azure.

+In this article, you'll learn how to perform HCX migration over a public IP address using Azure VMware Solution.

+>Before configuring a public IP on your Azure VMware Solution private cloud, consult your network administrator to understand the implications and the impact to your environment.

+You'll also learn how to pair HCX sites and create service mesh from on-premises to an Azure VMware Solution private cloud using Public IP. The service mesh allows you to migrate a workload from an on-premises datacenter to an Azure VMware Solution private cloud over the public internet. This solution is useful when the customer isn't using ExpressRoute or VPN connectivity with the Azure cloud.

+> [!IMPORTANT]

+> The on-premises HCX appliance should be reachable from the internet to establish HCX communication from on-premises to the Azure VMware Solution private cloud.

+## Configure public IP block

+For HCX manager to be available over the public IP address, you'll need one public IP address for DNAT rule.

+To perform HCX migration over the public internet, you'll need other IP addresses. You can have a /29 subnet to create minimum configuration when defining HCX network profile (usable IPs in subnet will be assigned to IX, NE appliances). You can choose a bigger subnet based on the requirements. You'll create an NSX-T segment using this public subnet. This segment can be used for creating HCX network profile.

+>[!Note]

+> After assigning a subnet to NSX-T segment, you can't use an IP from that subnet to create a DNAT rule. Both subnets should be different.

+Configure a Public IP block through portal by using the [Public IP feature of the Azure VMware Solution](enable-hcx-access-over-internet.MD#enable-hcx-access-over-the-internet) private cloud.

+## Use public IP address for Cloud HCX Manager public access

+Cloud HCX manager can be available over a public IP address by using a DNAT rule. However, since Cloud HCX manager is in the provider space, the null route is necessary to allow HCX Manager to route back to the client by way of the DNAT rule. It forces the NAT traffic through NSX-T Tier-0 router.

+## Add static null route to the Tier1 router

+The static null route is used to allow HCX private IP to route through the NSX Tier-1 for public endpoints. This static route can be the default Tier-1 router created in your private cloud or you can create a new tier-1 router.

+1. Edit the existing Tier-1 gateway.

+1. Under **Network**, enter a non-overlapping /32 IP address under Network.

+ > This address should not overlap with any other IP addresses on the private cloud network and the customer network.

+

+ :::image type="content" source="media/hcx-over-internet/hcx-sample-static-route.png" alt-text="Diagram showing a sample static route configuration." border="false" lightbox="media/hcx-over-internet/hcx-sample-static-route.png":::

+ Leave defaults for Admin distance and scope.

+1. Select **ADD**, then select **APPLY**.

+ :::image type="content" source="media/hcx-over-internet/hcx-sample-null-route.png" alt-text="Diagram showing a sample Null route configuration." border="false" lightbox="media/hcx-over-internet/hcx-sample-null-route.png":::

+## Add NAT rule to Tier-1 gateway

+1. Select the Tier-1 Gateway. Use same Tier-1 router to create NAT rule that you used to create null route in previous steps.

+1. Add one SNAT rule and one DNAT rule for HCX Manager.

+ 1. The SNAT Rule Destination is the HCX Manager IP in the cloud. The Translated IP is the non-overlapping /32 IP from the Static Route.

+ 1. Make sure to set the Firewall option on DNAT rule to **Match External Address**.

+ :::image type="content" source="media/hcx-over-internet/hcx-sample-public-access-route.png" alt-text="Diagram showing a sample NAT rule for public access of HCX Virtual machine." border="false" lightbox="media/hcx-over-internet/hcx-sample-public-access-route.png":::

+1. Create Tier-1 Gateway Firewall rules to allow only expected traffic to the Public IP for HCX Manager and drop everything else.

+ 1. Create a Gateway Firewall rule on the T1 that allows your on-premises as the **Source IP** and the Azure VMware Solution reserved Public as the **Destination IP**. This rule should be the highest priority.

+ 1. Create a Gateway Firewall rule on the Tier-1 that denies all other traffic where the **Source IP** is **Any** and **Destination IP** is the Azure VMware Solution reserved Public IP.

+For more information, see [HCX ports](https://ports.esp.vmware.com/home/VMware-HCX)

+> [!NOTE]

+## Pair sites using HCX Cloud manager's public IP address

+Site pairing is required before you create service mesh between source and destination sites.

+1. Select **Site Pairing** and select **ADD SITE PAIRING**.

+1. Enter the **Cloud HCX Manager Public URL** as remote site and sign in credentials, then select **Connect**.

+## Create public IP segment on NSX-T

+Before you create a Public IP segment, get your credentials for NSX-T Manager from Azure VMware Solution portal.

+1. Under the **Networking** section select **Connectivity**, **Segments**, and then select **ADD SEGMENT**.

+1. Provide Segment name, select **Tier-1 router** as connected gateway, and provide the reserved public IP under subnets.

+1. Select **Save**. ΓÇ»

+## Create network profile for HCX at destination site

+1. Sign in to Destination HCX Manager (cloud manager in this case).

+1. Select **Interconnect** and then select the **Network Profiles** tab.

+1. Select **Create Network Profile**.

+1. Select **NSX Networks** as network type under **Network**.

+1. Select the **Public-IP-Segment** created on NSX-T.

+1. Enter **Name**.

+1. Under IP pools, enter the **IP Ranges** for HCX uplink, **Prefix Length**, and **Gateway** of public IP segment.

+1. Scroll down and select the **HCX Uplink** checkbox under **HCX Traffic Type** as this profile will be used for HCX uplink.

+1. Select **Create** to create the network profile.

+## Create service mesh

+Service Mesh will deploy HCX WAN Optimizer, HCX Network Extension and HCX-IX appliances.

+1. Select **CREATE SERVICE MESH**.

+1. Select the **destination** site to create service mesh with and then select **Continue**.

+1. Select the HCX services to be activated and select **Continue**.

+ >Premium services require an additional HCX Enterprise license.

+1. Select the network profile of source site.

+1. Select the network profile of destination that you created in the **Network Profile** section.

+1. Review the **Transport Zone** information, and then select **Continue**.

+1. Review the **Topological view**, and select **Continue**.

+1. Enter the **Service Mesh name** and select **FINISH**.

+1. Add the public IP addresses in firewall to allow required ports only.

+## Extend network

+The HCX Network Extension service provides layer 2 connectivity between sites. The extension service also allows you to keep the same IP and MAC addresses during virtual machine migrations.

+1. Sign in to **source** HCX Manager.

+1. Under the **Network Extension** section, select the site for which you want to extend the network, and then select **EXTEND NETWORKS**.

+1. Select the network that you want to extend to destination site, and select **Next**.

+1. Select the destination first hop route (Tier-1), and select **Submit**.

+1. Sign in to the **destination** NSX, you'll see Network 10.14.27.1/24 has been extended.

+After the network is extended to destination site, VMs can be migrated over Layer 2 extension.

+## Next steps

+ | where message == "QnAMaker GenerateAnswer"

+### SpeechRecognizer, SpeechSynthesizer, IntentRecognizer, ConversationTranscriber, and SourceLanguageRecognizer

+For ```SpeechRecognizer```, ```SpeechSynthesizer```, ```IntentRecognizer```, ```ConversationTranscriber```, and ```SourceLanguageRecognizer``` objects, build the authorization token from the resource ID and the Azure AD access token and then use it to create a ```SpeechConfig``` object.

+| Script | No valid end punctuation| Add one of the following at the end of the line: full stop (half-width '.' or full-width '。'), exclamation point (half-width '!' or full-width '！' ), or question mark ( half-width '?' or full-width '？').|

+- [Long Audio API](long-audio-api.md)

+- [Quickstart: Join a BYOI chat app to a Teams meeting](../quickstarts/chat/meeting-interop.md)

+## Email

+Sending high volume of messages has a set of limitation on the number of email messages that you can send. If you hit these limits, your messages will not be queued to be sent. You can submit these requests again, once the Retry-After time expires.

+### Rate Limits

+|Operation|Scope|Timeframe (minutes)| Limit (number of email) |

+||--|-|-|

+|Send Email|Per Subscription|1|10|

+|Send Email|Per Subscription|60|25|

+|Get Email Status|Per Subscription|1|20|

+|Get Email Status|Per Subscription|60|50|

+### Size Limits

+| **Name** | Limit |

+|--|--|

+|Number of recipients in Email|50 |

+|Attachment size - per messages|10 MB |

+### Action to take

+This sandbox setup is to help developers to start building the application and gradually you can request to increase the sending volume as soon as the application is ready to go live. If you require sending a number of messages that exceeds the rate-limits, please submit a support request to increase to your desired sending limit.

+* [.NET 6.0](https://dotnet.microsoft.com/download)

+This section walks you through how to create an Azure Cosmos account and set up a project that uses the Table API NuGet packages.

+Create a new .NET application in an empty folder using your preferred terminal. Use the [``dotnet new console``](/dotnet/core/tools/dotnet-new) to create a new console app.

+dotnet new console --output <app-name>

+* [``TableServiceClient``](/dotnet/api/azure.data.tables.tableserviceclient) - This class provides methods to perform service level operations with Azure Cosmos DB Table API.

+* [``TableClient``](/dotnet/api/azure.data.tables.tableclient) - This class allows you to interact with tables hosted in the Azure Cosmos DB table API.

+* [``TableEntity``](/dotnet/api/azure.data.tables.tableentity) - This class is a reference to a row in a table that allows you to manage properties and column data.

+Create an item in the collection using the `Product` class by calling [``TableClient.AddEntityAsync<T>``](/dotnet/api/azure.data.tables.tableclient.addentityasync).

+After you insert an item, you can also run a query to get all items that match a specific filter by using the `TableClient.Query<T>` method. This example filters products by category using [Linq](/dotnet/standard/linq) syntax, which is a benefit of using typed `ITableEntity` models like the `Product` class.

+You need to have **Owner** or **Contributor** role on your data factory to connect to a Microsoft Purview account. Your data factory needs to have system assigned managed identity enabled.

+ [  ](media/azure-stack-edge-gpu-manage-certificates/delete-signing-certificate-01.png#lightbox)

+> The policy definition will only enable Defender for Cloud on **existing** subscriptions. To register newly created subscriptions, open the compliance tab, select the relevant non-compliant subscriptions, and create a remediation task. Repeat this step when you have one or more new subscriptions you want to monitor with Defender for Cloud.

+| 22.2.5 | 08/2022 | 04/2023 |

+- **Sensor software version 22.2.5**: Minor version with stability improvements

+1. First, create a new Azure Functions project of Event Grid trigger type.

+1. You should see the IIS default page with `Hello World from Web-02`. The Traffic Manager handled the situation and directed traffic to the second IIS server after shutting down the first server that has the highest priority.

+ |`spark.datasource.hive.warehouse.load.staging.dir`| If you are using ADLS Gen2 Storage Account, use `abfss://STORAGE_CONTAINER_NAME@STORAGE_ACCOUNT_NAME.dfs.core.windows.net/tmp`<br>If you are using Azure Blob Storage Account, use `wasbs://STORAGE_CONTAINER_NAME@STORAGE_ACCOUNT_NAME.blob.core.windows.net/tmp`. <br> Set to a suitable HDFS-compatible staging directory. If you have two different clusters, the staging directory should be a folder in the staging directory of the LLAP cluster's storage account so that HiveServer2 has access to it. Replace `STORAGE_ACCOUNT_NAME` with the name of the storage account being used by the cluster, and `STORAGE_CONTAINER_NAME` with the name of the storage container. |

+The Fast Healthcare Interoperability Resources (FHIR&#174;) specification defines the fundamentals of search for FHIR resources. This article will guide you through some key aspects to searching resources in FHIR. For complete details about searching FHIR resources, refer to [Search](https://www.hl7.org/fhir/search.html) in the HL7 FHIR Specification. Throughout this article, we'll give examples of search syntax. Each search will be against your FHIR server, which typically has a URL of `https://<WORKSPACE NAME>-<ACCOUNT-NAME>.fhir.azurehealthcareapis.com`. In the examples, we'll use the placeholder `{{FHIR_URL}}` for this URL.

+ [  ](./media/storage-import-export-view-drive-status/preview-jobs-list.png#lightbox)

+> You can [import and export a complete device model or individual interface](howto-set-up-template.md#interfaces-and-components) from an IoT Central device template as a DTDL v2 file.

+A device model defines how a device interacts with your IoT Central application. The device developer must make sure that the device implements the behaviors defined in the device model so that IoT Central can monitor and manage the device. A device model is made up of one or more _interfaces_, and each interface can define a collection of _telemetry_ types, _device properties_, and _commands_. A solution developer can import a JSON file that defines a complete device model or individual interface into a device template, or use the web UI in IoT Central to create or edit a device model.

+A solution developer can also export a JSON file from the device template that contains a complete device model or individual interface. A device developer can use this JSON document to understand how the device should communicate with the IoT Central application.

+> Offline commands are marked as `durable` if you export the model as DTDL.

+Offline commands are marked as `durable` if you export the model as DTDL.

+> You can also use the REST API to [create and manage organizations](/rest/api/iotcentral/2022-07-31dataplane/organizations).

+Device templates: If you're currently using legacy data exports with the device templates data type, then you can obtain the same data using the [Device Templates - Get API call](/rest/api/iotcentral/2022-07-31dataplane/device-templates/get).

+Starting 3 February 2020, all new exports in applications with Devices and Device templates enabled will have the data format described above. All exports created before this date remain on the old data format until 30 June 2020, at which time these exports will automatically be migrated to the new data format. The new data format matches the [device](/rest/api/iotcentral/2022-07-31dataplane/devices/get), [device property](/rest/api/iotcentral/2022-07-31dataplane/devices/get-properties), and [device template](/rest/api/iotcentral/2022-07-31dataplane/device-templates/get) objects in the IoT Central public API.

+> The device template JSON is not a standard DTDL document. The device template JSON includes IoT Central specific data such as cloud property definitions and display units. You can use the device template JSON format to import and export device templates in IoT Central by using the REST API, the CLI, and the UI.

+You can also add a service principal user which is useful if you need to use service principal authentication for REST API calls. To learn more, see [Add or update a service principal user](/rest/api/iotcentral/2022-07-31dataplane/users/create#add-or-update-a-service-principal-user).

+Now that you've learned how to manage users and roles with the REST API, a suggested next step is to [How to use the IoT Central REST API to manage organizations.](howto-manage-organizations-with-rest-api.md)

+After the migrator app starts, navigate to `http://localhost:3000` to view the tool.

+You can also use the [Devices - Get](/rest/api/iotcentral/2022-07-31dataplane/devices/get) REST API call to get the device template ID for a device.

+> Offline commands are marked as `durable` if you export the model as DTDL.

+> You can export a device model or interface from the device template page.

+- *Data plane* operations that let you work with resources inside IoT Central applications. Data plane operations let you automate tasks that can also be completed using the IoT Central UI. Currently, there are [generally available](/rest/api/iotcentral/2022-07-31dataplane/api-tokens) and [preview](/rest/api/iotcentral/2022-06-30-previewdataplane/api-tokens) versions of the data plane API.

+ Title: Tutorial - develop C module for Linux - Azure IoT Edge | Microsoft Docs

+| **Linux ARM64** |  |  |

+To develop an IoT Edge module in C, install the following prerequisites on your development machine:

+Installing the Azure IoT C SDK isn't required for this tutorial, but can provide helpful functionality like intellisense and reading program definitions. For installation information, see [Azure IoT C SDKs and Libraries](https://github.com/Azure/azure-iot-sdk-c).

+The default module code receives messages on an input queue and passes them along through an output queue. Let's add more code so the module processes messages at the edge before forwarding them to IoT Hub. Update the module so that it analyzes the temperature data in each message, and only sends the message to IoT Hub if the temperature exceeds a certain threshold.

+3. Select the **deployment.amd64.json** file in the **config** folder and then click **Select Edge Deployment Manifest**. Don't use the deployment.template.json file, as that file is only a template.

+If you continue to the next recommended article, you can keep your resources and configurations and reuse them. You can also keep using the same IoT Edge device as a test device.

+| **Linux ARM64** |  | |

+| **Linux ARM64** |  | |

+# Device Update for Azure IoT Hub using Azure RTOS

+This article shows you how to create the Device Update for Azure IoT Hub agent in Azure RTOS NetX Duo. It also provides simple APIs for developers to integrate the Device Update capability in their application. Explore [samples](https://github.com/azure-rtos/samples/tree/PublicPreview/ADU) of key semiconductors evaluation boards that include the get-started guides to learn how to configure, build, and deploy over-the-air updates to the devices.

+* UK West

+* Uk South

+# Deploy an IPv6 dual stack application using Standard Internal Load Balancer in Azure - PowerShell

+the underlying workflow definitions use simple

+make workflow definitions easier to read and

+When you want to automate creating and deploying logic app resources,

+you can include workflow definitions as

+To work with workflow definitions in JSON,

+If you're new to Azure Logic Apps, review

+[how to create your first logic app workflow](../logic-apps/quickstart-create-first-logic-app-workflow.md).

+> parameters and multiple triggers in workflow definitions,

+> are available only in JSON, not the workflow designer.

+ your workflow definition in JSON format.

+Before you can work on your workflow definition

+2. Find and open your workflow definition,

+workflow definition and template.

+4. At the bottom of the workflow designer, choose **Code View**.

+ your workflow definition in JSON format.

+Azure Logic Apps has various functions for working with strings.

+the company name because the first five characters aren't used.

+You can create your own APIs that provide actions and triggers to use in workflows.

+that you can call from workflows:

+that communicate through HTTP endpoints, you can use any language to build connectors,

+such as .NET, Java, Python, or Node.js.

+For custom APIs to work with logic app workflow, your API can provide

+that perform specific tasks in workflows. Your API can also act as a

+that starts a workflow run when new data or an event meets a specified condition.

+> APIs--just deploy your code to an API app. For example, learn how to

+* Available only to the connectors' authors and logic app resource users who have the same

+For more information, review the following documentation:

+So for example, a workflow sends an HTTP request to your web app or API app.

+Your app then returns an HTTP response, along with content that the workflow can process.

+To make a workflow wait while your API finishes longer-running tasks,

+but keep an active connection to the Azure Logic Apps engine.

+That way, the workflow doesn't time out or continue with

+1. When the engine makes subsequent requests for job status, let the engine know when your API finishes the task.

+1. Return relevant data to the engine so that the workflow can continue.

+while you, the cake customer, represent the Azure Logic Apps engine.

+This response lets the Azure Logic Apps engine know that your API got the request,

+ to a URL where the Azure Logic Apps engine can check your API's job status

+2. After the specified time passes, the Azure Logic Apps engine polls

+workflow definition to continue checking job status.

+valid `location` header, the engine respects the asynchronous pattern,

+This pattern pauses the workflow and waits for a "callback"

+while you, the cake customer, represent the Azure Logic Apps engine.

+the Azure Logic Apps engine calls the `subscribe` endpoint. This step causes the

+workflow to create a callback URL that your API stores and then wait for the

+* `unsubscribe` endpoint: If the workflow run is canceled, the Azure Logic Apps engine calls the `unsubscribe` endpoint. Your API can then unregister the callback URL and stop any processes as necessary.

+Currently, the workflow designer doesn't support discovering webhook endpoints through Swagger. So for this pattern, you have to add a [**Webhook** action](../connectors/connectors-native-webhook.md) and specify the URL, headers, and body for your request. See also [Workflow actions and triggers](logic-apps-workflow-actions-triggers.md#apiconnection-webhook-action). For an example webhook pattern, review this [webhook trigger sample in GitHub](https://github.com/logicappsio/LogicAppTriggersExample/blob/master/LogicAppTriggers/Controllers/WebhookTriggerController.cs).

+* If you own both the logic app resource and the subscribed service, you don't have to call the `unsubscribe` endpoint after the callback URL is called. Otherwise, the Azure Logic Apps runtime needs to call the `unsubscribe` endpoint to signal that no more calls are expected and to allow resource cleanup on the server side.

+that starts a workflow run when new data or an event meets a specified condition.

+previously described in this topic. The Azure Logic Apps engine periodically

+the trigger fires. Then, the engine creates a workflow instance that processes the data as input.

+> Each polling request counts as an action execution, even when no workflow instance is created.

+| Found | Return an HTTP `200 OK` status with the response payload (input for next step). <br/>This response creates a workflow instance and starts the workflow. |

+| Not found | Return an HTTP `202 ACCEPTED` status with a `location` header and a `retry-after` header. <br/>For triggers, the `location` header should also contain a `triggerState` query parameter, which is usually a "timestamp." Your API can use this identifier to track the last time that the workflow was triggered. |

+the trigger fires and creates a workflow instance, which then processes the data as input.

+the Azure Logic Apps engine calls the `subscribe` endpoint. This step causes

+the workflow to create a callback URL that your API stores.

+* `unsubscribe` endpoint: If the webhook trigger or entire logic app resource is deleted, the Azure Logic Apps engine calls the `unsubscribe` endpoint.

+Currently, the workflow designer doesn't support discovering webhook endpoints through Swagger. So for this pattern, you have to add a [**Webhook** trigger](../connectors/connectors-native-webhook.md) and specify the URL, headers, and body for your request. See also [HTTPWebhook trigger](logic-apps-workflow-actions-triggers.md#httpwebhook-trigger). For an example webhook pattern, review this [webhook trigger controller sample in GitHub](https://github.com/logicappsio/LogicAppTriggersExample/blob/master/LogicAppTriggers/Controllers/WebhookTriggerController.cs).

+* If you own both the logic app resource and the subscribed service, you don't have to call the `unsubscribe` endpoint after the callback URL is called. Otherwise, the Logic Apps runtime needs to call the `unsubscribe` endpoint to signal that no more calls are expected and to allow resource cleanup on the server side.

+To make your custom APIs available for other Azure Logic Apps users,

+you must add security and register them as Azure Logic Apps connectors.

+register your APIs as Azure Logic Apps connectors, and nominate your connectors for the

+ 1. Under the `configuration` root node, add a `configSections` element, if none exists.

+ 1. Under the `configSections` node, add a `section` element with the following attributes, if none exist: `name="SapAdapterSection" type="Microsoft.Adapters.SAP.Common.SapAdapterSection, Microsoft.Adapters.SAP.Common"`

+ > [!IMPORTANT]

+ > Don't change the attributes in existing `section` elements, if such elements already exist.

+ Your `configSections` element looks like the following version, if no other section or section group is declared in the gateway service configuration:

+ ```xml

+ <configSections>

+ <section name="SapAdapterSection" type="Microsoft.Adapters.SAP.Common.SapAdapterSection, Microsoft.Adapters.SAP.Common"/>

+ </configSections>

+ ```

+ 1. Under the `configuration` root node, add an `SapAdapterSection` element, if none exists.

+ 1. Under the `SapAdapterSection` node, add a `Broker` element with the following attributes, if none exist: `WebhookRetryDefaultDelay="00:00:00.10" WebhookRetryMaximumCount="2"`

+ > [!IMPORTANT]

+ > Change the attributes for the `Broker` element, even if the element already exists.

+ The `SapAdapterSection` element looks like the following version, if no other element or attribute is declared in the SAP adapter configuration:

+ ```xml

+ <SapAdapterSection>

+ <Broker WebhookRetryDefaultDelay="00:00:00.10" WebhookRetryMaximumCount="2" />

+ </SapAdapterSection>

+ ```

+ The retry count setting looks like `WebhookRetryMaximumCount="2"`. The retry interval setting looks like `WebhookRetryDefaultDelay="00:00:00.10"` where the timespan format is `HH:mm:ss.ff`.

+ > [!NOTE]

+ > For more information about the configuration file,

+ > review [Configuration file schema for .NET Framework](/dotnet/framework/configure-apps/file-schema/).

+# Support non-Unicode character encoding in Azure Logic Apps

+Before you [base64 encode](workflow-definition-language-functions-reference.md#base64) content to a string, make sure that you [converted the text to UTF-8](#convert-payload-encoding). Otherwise, characters might return corrupted.

+In this example, the base64-encoded sample input string is a personal name that contains accented characters: *H&eacute;lo&iuml;se*

+* [Where and how to deploy](how-to-deploy-managed-online-endpoints.md)

+- [Deploy using Azure ML CLI/SDK (v2)](#deploy-using-azure-ml-clisdk-v2)

+## Deploy using Azure ML CLI/SDK (v2)

+You can use Azure ML CLI/SDK v2 to deploy models trained and logged with MLflow to [managed endpoints (Online/batch)](concept-endpoints.md). Deployment of MLflow models support no-code-deployment, so you don't have to provide a scoring script or an environment, but you can if needed.

+1. Connect to Azure Machine Learning workspace

+ # [Azure ML CLI (v2)](#tab/cli)

+

+ ```bash

+ az account set --subscription <subscription>

+ az configure --defaults workspace=<workspace> group=<resource-group> location=<location>

+ ```

+

+ # [Azure ML SDK for Python (v2)](#tab/sdk)

+

+ The workspace is the top-level resource for Azure Machine Learning, providing a centralized place to work with all the artifacts you create when you use Azure Machine Learning. In this section, we'll connect to the workspace in which you'll perform deployment tasks.

+

+ 1. Import the required libraries:

+

+ ```python

+ from azure.ai.ml import MLClient

+ from azure.ai.ml.entities import ManagedOnlineEndpoint, ManagedOnlineDeployment, Model

+ from azure.ai.ml.constants import AssetType

+ from azure.identity import DefaultAzureCredential

+ ```

+

+ 2. Configure workspace details and get a handle to the workspace:

+

+ ```python

+ subscription_id = "<subscription>"

+ resource_group = "<resource-group>"

+ workspace = "<workspace>"

+

+ ml_client = MLClient(DefaultAzureCredential(), subscription_id, resource_group, workspace)

+ ```

+

+1. The following example configures the name and authentication mode of the endpoint:

+

+ # [Azure ML CLI (v2)](#tab/cli)

+

+ Create a YAML configuration file for your endpoint:

+

+ __create-endpoint.yaml__

+ :::code language="yaml" source="~/azureml-examples-main/cli/endpoints/online/mlflow/create-endpoint.yaml":::

+

+ # [Azure ML SDK for Python (v2)](#tab/sdk)

+

+ Create an endpoint using the SDK:

+

+ ```python

+ endpoint = ManagedOnlineEndpoint(

+ name="my-endpoint",

+ description="this is a sample local endpoint",

+ auth_mode="key"

+ )

+ ```

+1. Execute the endpoint creation. This operation will create the endpoint in the Azure Machine Learning workspace:

+

+ # [Azure ML CLI (v2)](#tab/cli)

+

+ To create a new endpoint using the YAML configuration, use the following command:

+ :::code language="azurecli" source="~/azureml-examples-main/cli/deploy-managed-online-endpoint-mlflow.sh" ID="create_endpoint":::

+ # [Azure ML SDK for Python (v2)](#tab/sdk)

+

+ To create a new endpoint using the endpoint configuration just created, use the following command:

+

+ ```python

+ ml_client.online_endpoints.begin_create_or_update(endpoint)

+ ```

+1. Before going further, we need to register the model we want to deploy. Deployment of unregistered models is not supported in Azure Machine Learning.

+ # [Azure ML CLI (v2)](#tab/cli)

+ We first need to register the model we want to deploy. Deployment of unregistered models is not supported in Azure Machine Learning.

+ #### From a training job

+ In this example, the model is registered from a job previously run. Assuming that your model was registered with an instruction similar like this:

+ ```python

+ mlflow.sklearn.log_model(scikit_model, "model")

+ ```

+ To register the model from a previous run we would need the job name/run ID in question. For simplicity, let's assume that we are looking to register the model trained in the last run submitted to the workspace:

+ Then, let's register the model in the registry.

+ ```bash

+ az ml model create --name "mir-sample-sklearn-mlflow-model" \

+ --type "mlflow_model" \

+ --path "azureml://jobs/$JOB_NAME/outputs/artifacts/model"

+ ```

+

+ #### From a local model

+ If your model is located in the local file system or compute, then you can register it as follows:

+ --path "sklearn-diabetes/model"

+

+ # [Azure ML SDK for Python (v2)](#tab/sdk)

+ We first need to register the model we want to deploy. Deployment of unregistered models is not supported in Azure Machine Learning.

+ #### From a training job

+ In this example, the model is registered from a job previously run. Assuming that your model was registered with an instruction similar like this:

+ ```python

+ mlflow.sklearn.log_model(scikit_model, "model)

+ ```

+ To register the model from a previous run we would need the job name/run ID in question. For simplicity, let's assume that we are looking to register the model trained in the last run submitted to the workspace:

+ ```python

+ job_name = ml_client.jobs.list()[0].name

+ ```

+ Then, let's register the model in the registry.

+ ```python

+ model = Model(name="mir-sample-sklearn-mlflow-model",

+ path=f"azureml://jobs/{job_name}/outputs/artifacts/model",

+ type=AssetType.MLFLOW_MODEL)

+ ml_client.models.create_or_update(model)

+ ```

+

+ #### From a local model

+ If your model is located in the local file system or compute, then you can register it as follows:

+ ```

+ model = Model(name="mir-sample-sklearn-mlflow-model",

+ path="sklearn-diabetes/model",

+ type=AssetType.MLFLOW_MODEL)

+ ml_client.models.create_or_update(model)

+ ```

+

+1. Once the endpoint is created, we need to create a deployment on it. Remember that endpoints can contain one or multiple deployments and traffic can be configured for each of them. In this example, we are going to create only one deployment to serve all the traffic, named `sklearn-deployment`.

+ # [Azure ML CLI (v2)](#tab/cli)

+ Create the deployment `YAML` file:

+ __sklearn-deployment.yaml__

+ # [Azure ML SDK for Python (v2)](#tab/sdk)

+

+ ```python

+ blue_deployment = ManagedOnlineDeployment(

+ name="sklearn-deployment",

+ endpoint_name="my-endpoint",

+ model=model,

+ instance_type="Standard_F2s_v2",

+ instance_count=1,

+ )

+ ```

+

+

+1. Create the deployment and assign all the traffic to it.

+ # [Azure ML CLI (v2)](#tab/cli)

+ :::code language="azurecli" source="~/azureml-examples-main/cli/deploy-managed-online-endpoint-mlflow.sh" ID="create_sklearn_deployment":::

+ # [Azure ML SDK for Python (v2)](#tab/sdk)

+

+ ```python

+ ml_client.begin_create_or_update(blue_deployment)

+ endpoint.traffic = {"sklearn-deployment": 100}

+ ml_client.begin_create_or_update(endpoint)

+ ```

+

+1. Once the deployment is completed, the service is ready to receive requests. If you are not sure about how to submit requests to the service, see [Creating requests](#creating-requests).

+2. From [studio](https://ml.azure.com), select your workspace and then use either the __endpoints__ page to create the endpoint deployment:

+ a. From the __Endpoints__ page, Select **+Create**.

+ :::image type="content" source="media/how-to-deploy-mlflow-models-online-endpoints/create-from-endpoints.png" lightbox="media/how-to-deploy-mlflow-models-online-endpoints/create-from-endpoints.png" alt-text="Screenshot showing create option on the Endpoints UI page.":::

+ b. Provide a name and authentication type for the endpoint, and then select __Next__.

+ c. When selecting a model, select the MLflow model registered previously. Select __Next__ to continue.

+ d. When you select a model registered in MLflow format, in the Environment step of the wizard, you don't need a scoring script or an environment.

+ :::image type="content" source="media/how-to-deploy-mlflow-models-online-endpoints/ncd-wizard.png" lightbox="media/how-to-deploy-mlflow-models-online-endpoints/ncd-wizard.png" alt-text="Screenshot showing no code and environment needed for MLflow models.":::

+ e. Complete the wizard to deploy the model to the endpoint.

+ :::image type="content" source="media/how-to-deploy-mlflow-models-online-endpoints/review-screen-ncd.png" lightbox="media/how-to-deploy-mlflow-models-online-endpoints/review-screen-ncd.png" alt-text="Screenshot showing NCD review screen.":::

+Wrapping your model may be simple, but sometimes your model is composed by multiple pieces that need to be loaded or it can't just be serialized as a Pickle file. In those cases, the `PythonModel` supports indicating an arbitrary list of **artifacts**. Each artifact will be packaged along with your model.

+Sometimes your model logic is complex and there are several source files that your model loads on inference time. This would be the case when you have a Python library for your model for instance. In this scenario, you want to package the library all along with your model so it can move as a single piece.

+> * Your model artifacts can be stored in a folder where all the requiered artifacts are placed.

+> * Your model source code is complex and it requires multiple Python files. Potentially, there is a library that supports your model.

+ code_path=['src'],

+> * `loader_module` is the Python module where the function `_load_pyfunc` is defined.

+The folder `src` contains a file called `loader_module.py` (which is the loader module):

+__src/loader_module.py__

+* [Where and how to deploy](how-to-deploy-managed-online-endpoints.md)

+ Title: Secure data access in the cloud v1

+description: Learn how to securely connect to your data storage on Azure with Azure Machine Learning datastores and datasets v1

+# Data in Azure Machine Learning v1

+ Title: Network data access in studio

+description: Learn how data access works with Azure Machine Learning studio when your workspace or storage is in a virtual network.

+# Network data access with Azure Machine Learning studio

+Data access is complex and it's important to recognize that there are many pieces to it. For example, accessing data from Azure Machine Learning studio is different than using the SDK. When using the SDK on your local development environment, you're directly accessing data in the cloud. When using studio, you aren't always directly accessing the data store from your client. Studio relies on the workspace to access data on your behalf.

+> [!IMPORTANT]

+> The information in this article is intended for Azure administrators who are creating the infrastructure required for an Azure Machine Learning solution.

+> [!TIP]

+> Studio only supports reading data from the following datastore types in a VNet:

+>

+> * Azure Storage Account (blob & file)

+> * Azure Data Lake Storage Gen1

+> * Azure Data Lake Storage Gen2

+> * Azure SQL Database

+## Data access

+In general, data access from studio involves the following checks:

+1. Who is accessing?

+ - There are multiple different types of authentication depending on the storage type. For example, account key, token, service principal, managed identity, and user identity.

+ - If authentication is made using a user identity, then it's important to know *which* user is trying to access storage. Learn more about [identity-based data access](how-to-identity-based-data-access.md).

+2. Do they have permission?

+ - Are the credentials correct? If so, does the service principal, managed identity, etc., have the necessary permissions on the storage? Permissions are granted using Azure role-based access controls (Azure RBAC).

+ - [Reader](../../role-based-access-control/built-in-roles.md#reader) of the storage account reads metadata of the storage.

+ - [Storage Blob Data Reader](../../role-based-access-control/built-in-roles.md#storage-blob-data-reader) reads data within a blob container.

+ - [Contributor](../../role-based-access-control/built-in-roles.md#contributor) allows write access to a storage account.

+ - More roles may be required depending on the type of storage.

+3. Where is access from?

+ - User: Is the client IP address in the VNet/subnet range?

+ - Workspace: Is the workspace public or does it have a private endpoint in a VNet/subnet?

+ - Storage: Does the storage allow public access, or does it restrict access through a service endpoint or a private endpoint?

+4. What operation is being performed?

+ - Create, read, update, and delete (CRUD) operations on a data store/dataset are handled by Azure Machine Learning.

+ - Data Access calls (such as preview or schema) go to the underlying storage and need extra permissions.

+5. Where is this operation being run; compute resources in your Azure subscription or resources hosted in a Microsoft subscription?

+ - All calls to dataset and datastore services (except the "Generate Profile" option) use resources hosted in a __Microsoft subscription__ to run the operations.

+ - Jobs, including the "Generate Profile" option for datasets, run on a compute resource in __your subscription__, and access the data from there. So the compute identity needs permission to the storage rather than the identity of the user submitting the job.

+The following diagram shows the general flow of a data access call. In this example, a user is trying to make a data access call through a machine learning workspace, without using any compute resource.

+### Scenarios and identities

+The following table lists what identities should be used for specific scenarios:

+| Scenario | Use workspace</br>Managed Service Identity (MSI) | Identity to use |

+|--|--|--|

+| Access from UI | Yes | Workspace MSI |

+| Access from UI | No | User's Identity |

+| Access from Job | Yes/No | Compute MSI |

+| Access from Notebook | Yes/No | User's identity |

+> [!TIP]

+> If you need to access data from outside Azure Machine Learning, such as using Azure Storage Explorer, _user_ identity is probably what is used. Consult the documentation for the tool or service you are using for specific information. For more information on how Azure Machine Learning works with data, see [Identity-based data access to storage services on Azure](how-to-identity-based-data-access.md).

+## Azure Storage Account

+When using an Azure Storage Account from Azure Machine Learning studio, you must add the managed identity of the workspace to the following Azure RBAC roles for the storage account:

+* [Blob Data Reader](../../role-based-access-control/built-in-roles.md#storage-blob-data-reader)

+* If the storage account uses a private endpoint to connect to the VNet, you must grant the managed identity the [Reader](../../role-based-access-control/built-in-roles.md#reader) role for the storage account private endpoint.

+For more information, see [Use Azure Machine Learning studio in an Azure Virtual Network](../how-to-enable-studio-virtual-network.md).

+See the following sections for information on limitations when using Azure Storage Account with your workspace in a VNet.

+### Secure communication with Azure Storage Account

+To secure communication between Azure Machine Learning and Azure Storage Accounts, configure storage to [Grant access to trusted Azure services](../../storage/common/storage-network-security.md#grant-access-to-trusted-azure-services).

+### Azure Storage firewall

+When an Azure Storage account is behind a virtual network, the storage firewall can normally be used to allow your client to directly connect over the internet. However, when using studio it isn't your client that connects to the storage account; it's the Azure Machine Learning service that makes the request. The IP address of the service isn't documented and changes frequently. __Enabling the storage firewall will not allow studio to access the storage account in a VNet configuration__.

+### Azure Storage endpoint type

+When the workspace uses a private endpoint and the storage account is also in the VNet, there are extra validation requirements when using studio:

+* If the storage account uses a __service endpoint__, the workspace private endpoint and storage service endpoint must be in the same subnet of the VNet.

+* If the storage account uses a __private endpoint__, the workspace private endpoint and storage service endpoint must be in the same VNet. In this case, they can be in different subnets.

+## Azure Data Lake Storage Gen1

+When using Azure Data Lake Storage Gen1 as a datastore, you can only use POSIX-style access control lists. You can assign the workspace's managed identity access to resources just like any other security principal. For more information, see [Access control in Azure Data Lake Storage Gen1](../../data-lake-store/data-lake-store-access-control.md).

+## Azure Data Lake Storage Gen2

+When using Azure Data Lake Storage Gen2 as a datastore, you can use both Azure RBAC and POSIX-style access control lists (ACLs) to control data access inside of a virtual network.

+**To use Azure RBAC**, follow the steps in the [Datastore: Azure Storage Account](../how-to-enable-studio-virtual-network.md#datastore-azure-storage-account) section of the 'Use Azure Machine Learning studio in an Azure Virtual Network' article. Data Lake Storage Gen2 is based on Azure Storage, so the same steps apply when using Azure RBAC.

+**To use ACLs**, the managed identity of the workspace can be assigned access just like any other security principal. For more information, see [Access control lists on files and directories](../../storage/blobs/data-lake-storage-access-control.md#access-control-lists-on-files-and-directories).

+## Azure SQL Database

+To access data stored in an Azure SQL Database with a managed identity, you must create a SQL contained user that maps to the managed identity. For more information on creating a user from an external provider, see [Create contained users mapped to Azure AD identities](/azure/azure-sql/database/authentication-aad-configure#create-contained-users-mapped-to-azure-ad-identities).

+After you create a SQL contained user, grant permissions to it by using the [GRANT T-SQL command](/sql/t-sql/statements/grant-object-permissions-transact-sql).

+### Secure communication with Azure SQL Database

+To secure communication between Azure Machine Learning and Azure SQL Database, there are two options:

+> [!IMPORTANT]

+> Both options allow the possibility of services outside your subscription connecting to your SQL Database. Make sure that your SQL login and user permissions limit access to authorized users only.

+* __Allow Azure services and resources to access the Azure SQL Database server__. Enabling this setting _allows all connections from Azure_, including __connections from the subscriptions of other customers__, to your database server.

+ For information on enabling this setting, see [IP firewall rules - Azure SQL Database and Synapse Analytics](/azure/azure-sql/database/firewall-configure).

+* __Allow the IP address range of the Azure Machine Learning service in Firewalls and virtual networks__ for the Azure SQL Database. Allowing the IP addresses through the firewall limits __connections to the Azure Machine Learning service for a region__.

+ > [!WARNING]

+ > The IP ranges for the Azure Machine Learning service may change over time. There is no built-in way to automatically update the firewall rules when the IPs change.

+ To get a list of the IP addresses for Azure Machine Learning, download the [Azure IP Ranges and Service Tags](https://www.microsoft.com/download/details.aspx?id=56519) and search the file for `AzureMachineLearning.<region>`, where `<region>` is the Azure region that contains your Azure Machine Learning workspace.

+ To add the IP addresses to your Azure SQL Database, see [IP firewall rules - Azure SQL Database and Synapse Analytics](/azure/azure-sql/database/firewall-configure).

+## Next steps

+For information on enabling studio in a network, see [Use Azure Machine Learning studio in an Azure Virtual Network](../how-to-enable-studio-virtual-network.md).

+# Create and manage private offers via API

+`GET https://graph.microsoft.com/rp/product-ingestion/product?$version=2022-07-01`

+ "$schema": "https://schema.mp.microsoft.com/schema/product/2022-07-01",

+`GET https://graph.microsoft.com/rp/product-ingestion/plan?product=<product-id>&$version=2022-07-01`

+ "$schema": "https://schema.mp.microsoft.com/schema/plan/2022-07-01",

+`GET https://graph.microsoft.com/rp/product-ingestion/private-offer/query?$version=2022-07-01`

+`POST https://graph.microsoft.com/rp/product-ingestion/configure?$version=2022-07-01`

+$version - required. This is the version of the schema that is being used in the request

+ "$schema": "https://schema.mp.microsoft.com/schema/configure/2022-07-01",

+ "$schema": "https://schema.mp.microsoft.com/schema/private-offer/2022-07-01",

+`GET https://graph.microsoft.com/rp/product-ingestion/price-and-availability-private-offer-plan/{productId}?plan={planId}&$version=2022-07-01`

+ "$schema": "https://schema.mp.microsoft.com/schema/price-and-availability-private-offer-plan/2022-07-01",

+ "$schema": "https://schema.mp.microsoft.com/schema/configure-status/2022-07-01",

+`POST https://graph.microsoft.com/rp/product-ingestion/configure?$version=2022-07-01`

+$version - required. This is the version of the schema that is being used in the request

+ "$schema": "https://schema.mp.microsoft.com/schema/configure/2022-07-01",

+ "$schema": "https://schema.mp.microsoft.com/schema/private-offer/2022-07-01",

+ "$schema": "https://schema.mp.microsoft.com/schema/configure-status/2022-07-01",

+`POST https://graph.microsoft.com/rp/product-ingestion/configure?$version=2022-07-01`

+$version - required. This is the version of the schema that is being used in the request

+ "$schema": "https://schema.mp.microsoft.com/schema/configure/2022-07-01"

+ "$schema": "https://schema.mp.microsoft.com/schema/private-offer/2022-07-01",

+ "$schema": "https://schema.mp.microsoft.com/schema/configure-status/2022-07-01",

+`POST https://graph.microsoft.com/rp/product-ingestion/configure?$version=2022-07-01`

+$version - required. This is the version of the schema that is being used in the request

+ "$schema": "https://schema.mp.microsoft.com/schema/configure/2022-07-01"

+ "$schema": "https://schema.mp.microsoft.com/schema/private-offer/2022-07-01",

+ "$schema": "https://schema.mp.microsoft.com/schema/configure-status/2022-07-01",

+`POST https://graph.microsoft.com/rp/product-ingestion/configure?$version=2022-07-01`

+$version - required. This is the version of the schema that is being used in the request

+ "$schema": "https://schema.mp.microsoft.com/schema/configure/2022-07-01",

+ "$schema": "https://schema.mp.microsoft.com/schema/private-offer/2022-07-01",

+ "$schema": "https://schema.mp.microsoft.com/schema/configure-status/2022-07-01",

+`GET https://graph.microsoft.com/rp/product-ingestion/configure/<jobId>/status?$version=2022-07-01`

+$version - required. This is the version of the schema that is being used in the request

+ "$schema": "https://schema.mp.microsoft.com/schema/configure-status/2022-07-01",

+ "$schema": " https://schema.mp.microsoft.com/schema/configure-status/2022-07-01",

+ "$schema": " https://schema.mp.microsoft.com/schema/configure-status/2022-07-01",

+`GET https://graph.microsoft.com/rp/product-ingestion/private-offer/<id>?$version=2022-07-01`

+`GET https://graph.microsoft.com/rp/product-ingestion/configure/<jobId>?$version=2022-07-01`

+$version - required. This is the version of the schema that is being used in the request

+ "$schema": "https://schema.mp.microsoft.com/schema/configure/2022-07-01",

+Flexible Server supports two types of backups to provide an enhanced flexibility towards maintaining backups of the business-critical data.

+### Automated Backup

+### On-Demand Backup

+Flexible server also allows you to trigger on-demand backups of the production workload, in addition to the automated backups taken by the Azure Database for MySQL Flexible service and store it in alignment with serverΓÇÖs backup retention policy. You can use these backups as a fastest restore point to perform a point-in-time restore to reduce restore times by up to 90%. The default backup retention period is seven days. You can optionally configure the database backup from 1 to 35 days. You can trigger a total of 50 on-demand backups from the portal. All backups are encrypted using AES 256-bit encryption for the data stored at rest.

+The Backup and Restore blade in the Azure portal provides a complete list of the full backups available to you at any given point in time. This includes automated backups as well as the On-Demand backups. One can use this blade to view the completion timestamps for all available full backups within the serverΓÇÖs retention period and to perform restore operations using these full backups. The list of available backups includes all full backups within the retention period, a timestamp showing the successful completion, a timestamp indicating how long a backup will be retained, and a restore action.

+By default, Azure Database for MySQL enables automated backups of your entire server (encompassing all databases created) with a default 7-day retention period. You can also trigger a manual backup using On-Demand backup feature. The other way to manually take a backup is by using community tools such as mysqldump as documented [here](../concepts-migrate-dump-restore.md#dump-and-restore-using-mysqldump-utility) or mydumper as documented [here](../concepts-migrate-mydumper-myloader.md#create-a-backup-using-mydumper). If you wish to backup Azure Database for MySQL to a Blob storage, refer to our tech community blog [Backup Azure Database for MySQL to a Blob Storage](https://techcommunity.microsoft.com/t5/azure-database-for-mysql/backup-azure-database-for-mysql-to-a-blob-storage/ba-p/803830).

+3. View Available Backups page will be shown with the option to restore from available full automated backups and on-demand backups taken for the server within the retention period.

+ Title: Trigger On-Demand Backup for Azure Database for MySQL Flexible Server with Azure portal.

+description: This article describes how to trigger On-Demand backup from Azure portal

+# Trigger On-Demand Backup of an Azure Database for MySQL Flexible Server using Azure portal

+This article provides step-by-step procedure to trigger On-Demand backup from the portal.

+## Prerequisites

+To complete this how-to guide, you need:

+- You must have an Azure Database for MySQL Flexible Server.

+## Trigger On-Demand Backup

+Follow these steps to trigger back up on demand:

+1. In the [Azure portal](https://portal.azure.com/), choose your flexible server that you want to take backup of.

+2. Select **Backup** and Restore from the left panel.

+3. From the Backup and Restore page, Select **Backup Now**.

+4. Take backup page is shown. Provide a custom name for the backup in the Backup name field.

+ :::image type="content" source="./media/how-to-trigger-on-demand-backup/trigger-ondemand-backup.png" alt-text="Screenshot showing how to trigger On-demand backup.":::

+5. Select **Trigger**

+6. A notification shows that a backup has been initiated.

+7. Once completed, the on demand backup is seen listed along with the automated backups in the View Available Backups page.

+## Restore from an On-Demand full backup

+Learn more about [Restore a server](how-to-restore-server-portal.md)

+## Next steps

+Learn more about [business continuity](concepts-business-continuity.md)

+[Azure Database for MySQL - Flexible Server](./overview.md) is a deployment mode designed to provide more granular control and flexibility over database management functions and configuration settings than the Single Server deployment mode. The service currently supports the community version of MySQL 5.7 and 8.0.

+- **Server logs for Azure Database for MySQL - Flexible Server**

+ Server Logs will help customers to emit the server logs to server storage space in file format, which you can later download. Slow query logs are supported with server logs, which can help customers in performance troubleshooting and query tuning. Customers can store logs for up to a week or up to 7 GB. You can configure or download them from [Azure portal](./how-to-server-logs-portal.md) or [Azure CLI](./how-to-server-logs-cli.md).[Learn more](./concepts-monitoring.md#server-logs)

+- **On-Demand Backup for Azure Database for MySQL - Flexible Server**

+ The on-Demand backup feature allows customers to trigger On-Demand backups of their production workload, in addition to the automated backups taken by Azure Database for MySQL Flexible service, and store it in alignment with the serverΓÇÖs backup retention policy. These backups can be used as the fastest restore point to perform a point-in-time restore for faster and more predictable restore times. [**Learn more**](how-to-trigger-on-demand-backup.md#trigger-on-demand-backup)

+Server parameter aad_auth_only was exposed in this month's deployment. Enabling server parameter aad_auth_only will block all non Azure Active Directory MySQL connections to your Azure Database for MySQL Flexible server. When you try to connect to the server, you will receive error "ERROR 9107 (HY000): Only Azure Active Directory accounts are allowed to connect to server".

+We are currently working on additional configurations required for AAD authentication to be fully functional, and the feature will be available in the upcoming deployments. Do not enable the aad_auth_only parameter until then.

+## June 2022

+- **Known Issues**

+On a few servers where audit or slow logs are enabled, you may no longer see logs uploaded to data sinks configured under diagnostics settings. Verify whether your logs have the latest updated timestamp for the events based on the [data sink](./tutorial-query-performance-insights.md#set-up-diagnostics) you've configured. If your server is affected by this issue, open a [support ticket](https://azure.microsoft.com/support/create-ticket/) so that we can apply a quick fix on the server to resolve the issue.

+ Azure Database for MySQL ΓÇô Flexible Server Business Critical service tier is generally available. The Business Critical service tier is ideal for Tier 1 production workloads that require low latency, high concurrency, fast failover, and high scalability, such as gaming, e-commerce, and Internet-scale applications, to learn more about [Business Critical service Tier](https://techcommunity.microsoft.com/t5/azure-database-for-mysql-blog/announcing-azure-database-for-mysql-flexible-server-for-business/ba-p/3361718).

+ - The Reserved instances (RI) feature in Azure Database for MySQL ΓÇô Flexible server isn't working properly for the Business Critical service tier after its rebranding from the Memory Optimized service tier. Specifically, instance reservation has stopped working, and we're currently working to fix the issue.

+ - Private DNS integration details aren't displayed on a few Azure Database for MySQL Database flexible servers, which have HA option enabled. This issue doesn't have any impact on availability of the server or name resolution. We're working on a permanent fix to resolve the issue, and it will be available in the next deployment. Meanwhile, if you want to view the Private DNS Zone details, you can either search under [Private DNS zones](../../dns/private-dns-getstarted-portal.md) in the Azure portal or you can perform a [manual failover](concepts-high-availability.md#planned-forced-failover) of the HA enabled flexible server and refresh the Azure portal.

+ Azure Database for MySQL - Flexible Server 5.7 is now running on minor version 5.7.37*, to learn more about changes coming in this minor version [visit Changes in MySQL 5.7.37 (2022-01-18, General Availability](https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-37.html)

+ > [!Note]

+ > Please note that some regions are still running older minor versions of the Azure Database for MySQL and will be patched by end of April 2022.

+ Starting version 8.0.28, the MySQL community edition supports TLS protocol TLSv1.2 or TLSv1.3 only. Azure Database for MySQL ΓÇô Flexible Server will also stop supporting TLSv1 and TLSv1.1 protocols to align with modern security standards. You'll no longer be able to configure TLSv1 or TLSv1.1 from the server parameter pane for newly created resources and previously created resources. The default will be TLSv1.2. Resources created before the upgrade will still support communication through TLS protocol TLSv1 or TLSv1.1 through May 1, 2022.

+ Azure Database for MySQL - Flexible Server now provides the added flexibility to migrate to geo-redundant backup storage from locally redundant backup storage post server-create to provide higher data resiliency. Enabling geo-redundancy via the server's Compute + Storage blade empowers customers to recover their existing flexible servers from a geographic disaster or regional failure when they canΓÇÖt access the server in the primary region. With this feature enabled for their existing servers, customers can perform geo-restore and deploy a new server to the geo-paired Azure region using the original serverΓÇÖs latest available geo-redundant backup. [Learn more](concepts-backup-restore.md)

+ Azure Database for MySQL - Flexible Server now provides the ability to perform geo-restore on stopped servers helping users simulate disaster recovery drills for their workloads to estimate impact and recovery time.This will help users plan better to meet their disaster recovery and business continuity objectives by using geo-redundancy feature offered by Azure Database for MySQL Flexible Server. [Learn more](how-to-restore-server-cli.md)

+ We're adding 36 IOPs and reserving it for supporting standby failover operation on the servers, which has High Availability enabled. This IOPs is in addition to the configured IOPs on your servers, so more charges per month would apply based on your Azure region. The extra IOPS help us ensure our commitment to providing smooth failover experience from primary to standby replica.The extra charge can be estimated by navigating to the [Azure Database for MySQL ΓÇô Flexible Server pricing page](https://azure.microsoft.com/pricing/details/mysql/flexible-server), choosing the Azure region for your server, and multiplying IOPs/month cost by 36 IOPs. For example: if your server is hosted in East US, the extra IO costs, which you can expect are $0.05*36 = $1.8 USD per month.

+ Restart workflow struck issue with servers with HA, and Geo-redundant backup option enabled is fixed.

+ - When you're using ARM templates for provisioning or configuration changes for HA enabled servers, if a single deployment is made to enable/disable HA and along with other server properties like backup redundancy, storage etc., then deployment would fail. You can mitigate it by submitting the deployment request separately to enable\disable and configuration changes. You wouldnΓÇÖt have an issue with Portal or Azure CLI, as these requests are already separated.

+ - When you're viewing automated backups for a HA enabled server in Backup and Restore blade, if at some point in time a forced or automatic failover is performed, you may lose viewing rights to the server's backups on the Backup and Restore blade. Despite the invisibility of information regarding backups on the portal, the flexible server is successfully taking daily automated backups for the server in the backend. The server can be restored to any point within the retention period.

+ With the fastest restore point option, you can restore a Flexible Server instance in the fastest time possible on a given day within the serverΓÇÖs retention period. This restore operation restores the full snapshot backup without requiring restore or recovery of logs. With fastest restore point, customers will see three options while performing point in time restores from Azure portal viz latest restore point, custom restore point and fastest restore point. [Learn more](concepts-backup-restore.md#point-in-time-restore)

+ The service now allows you to recover a deleted MySQL flexible server resource within five days from the time of server deletion. For a detailed guide on how to restore a deleted server, [refer documented steps](../flexible-server/how-to-restore-dropped-server.md). To protect server resources post deployment from accidental deletion or unexpected changes, we recommend administrators to use [management locks](../../azure-resource-manager/management/lock-resources.md).

+ The service now provides the added flexibility to choose geo-redundant backup storage to provide higher data resiliency. Enabling geo-redundancy empowers customers to recover from a geographic disaster or regional failure when they canΓÇÖt access the server in the primary region. With this feature enabled, customers can perform geo-restore and deploy a new server to the geo-paired geographic region using the original serverΓÇÖs latest available geo-redundant backup. [Learn more](../flexible-server/concepts-backup-restore.md).

+- **Availability Zones Selection when creating Read replicas**

+ You wonΓÇÖt be able to create new or maintain existing read replicas on the Burstable tier server. In the interest of providing a good query and development experience for Burstable SKU tiers, the support for creating and maintaining read replica for servers in the Burstable pricing tier will be discontinued.

+- **Monitoring Azure Database for MySQL - Flexible Server with Azure Monitor Workbooks**

+ - UK West

+ - Canada East

+ - Japan West

+ Same-zone HA creation is fixed in the following regions:

+ - Central India

+ - East Asia

+ - Korea Central

+ - South Africa North

+ - Switzerland North

+ The public preview of Azure Database for MySQL - Flexible Server is now available in the following Azure regions:

+ - Australia Southeast

+ - South Africa North

+ - East Asia (Hong Kong)

+ - Central India

+ - Right after Zone-Redundant high availability server failover, clients fail to connect to the server if using SSL with ssl_mode VERIFY_IDENTITY. This issue can be mitigated by using ssl_mode as VERIFY_CA.

+ - Unable to create Same-Zone High availability server in the following regions: Central India, East Asia, Korea Central, South Africa North, Switzerland North.

+ - In a rare scenario and after HA failover, the primary server will be in read_only mode. Resolve the issue by updating ΓÇ£read_onlyΓÇ¥ value from the server parameters blade to OFF.

+ - After successfully scaling Compute in the Compute+Storage blade, IOPS are reset to the SKU default. Customers can work around the issue by rescaling IOPs in the Compute+Storage blade to desired value (previously set) post the compute deployment and consequent IOPS reset.

+ This release includes fixes for known issues related to forced failover to ensure that server parameters and more IOPS changes are persisted across failovers.

+ - Trying to perform a compute scale up or scale down operation on an existing server with less than 20 GB of storage provisioned won't complete successfully. Resolve the issue by scaling up the provisioned storage to 20 GB and retrying the compute scaling operation.

+ Azure Database for MySQL - Flexible Server now offers zone-redundant high availability in two more regions: UK South and Japan East. [Learn more](overview.md#azure-regions).

+ - Additional IOPs changes donΓÇÖt take effect in zone redundant HA enabled servers. Customers can work around the issue by disabling HA, scaling IOPs, and the re-enabling zone redundant HA.

+ - After force failover, the standby availability zone is inaccurately reflected in the portal. (No workaround)

+ - Server parameter changes don't take effect in zone redundant HA enabled server after forced failover. (No workaround)

+ Customers can now manually force a failover to test functionality with their application scenarios, which can help them to prepare for any outages. [Learn more](https://techcommunity.microsoft.com/t5/azure-database-for-mysql/forced-failover-for-azure-database-for-mysql-flexible-server/ba-p/2280671).

+ - SSL\TLS 1.2 is enforced and canΓÇÖt be disabled. (No workarounds)

+ - There are intermittent provisioning failures for servers provisioned in a VNet. The workaround is to retry the server provisioning until it succeeds.

+ Azure Database for MySQL - Flexible Server supports provisioning more [IOPS](concepts-compute-storage.md#iops) independent of the storage provisioned. Customers can use this feature to increase or decrease the number of IOPS anytime based on their workload requirements.

+- Review details on [troubleshooting common migration errors](../howto-troubleshoot-common-errors.md).

+The [psycopg2](https://pypi.python.org/pypi/psycopg2/) module enables connecting to and querying a PostgreSQL database, and is available as a Linux, macOS, or Windows [wheel](https://pythonwheels.com/) package. Install the binary version of the module, including all the dependencies.

+The following code example connects to your Azure Database for PostgreSQL - Flexible Server database using the psycopg2.connect function, and loads data with a SQL **INSERT** statement. The cursor.execute function executes the SQL query against the database.

+The following code example connects to your Azure Database for PostgreSQL - Flexible Server database and uses cursor.execute with the SQL **SELECT** statement to read data. This function accepts a query and returns a result set to iterate over by using cursor.fetchall()

+The following code example connects to your Azure Database for PostgreSQL - Flexible Server database and uses cursor.execute with the SQL **UPDATE** statement to update data.

+The following code example connects to your Azure Database for PostgreSQL - Flexible Server database and uses cursor.execute with the SQL **DELETE** statement to delete an inventory item that you previously inserted.

+| Python | [psycopg](https://www.psycopg.org/) | DB API 2.0-compliant | [Download](https://sourceforge.net/projects/adodbapi/) |

+ Title: Microsoft Purview data owner policies concepts

+description: Understand Microsoft Purview data owner policies

+# Concepts for Microsoft Purview data owner policies

+This article discusses concepts related to managing access to data sources in your data estate from within the Microsoft Purview governance portal.

+> [!Note]

+> This capability is different from access control for Microsoft Purview itself, which is described in [Access control in Microsoft Purview](catalog-permissions.md).

+## Overview

+Access policies in Microsoft Purview enable you to manage access to different data systems across your entire data estate. For example:

+A user needs read access to an Azure Storage account that has been registered in Microsoft Purview. You can grant this access directly in Microsoft Purview by creating a data access policy through the **Policy management** app in the Microsoft Purview governance portal.

+Data access policies can be enforced through Purview on data systems that have been registered for policy.

+## Microsoft Purview policy concepts

+### Microsoft Purview policy

+A **policy** is a named collection of policy statements. When a policy is published to one or more data systems under PurviewΓÇÖs governance, it's then enforced by them. A policy definition includes a policy name, description, and a list of one or more policy statements.

+### Policy statement

+A **policy statement** is a human readable instruction that dictates how the data source should handle a specific data operation. The policy statement comprises **Effect**, **Action, Data Resource** and **Subject**.

+#### Action

+An **action** is the operation being permitted or denied as part of this policy. For example: Read or Modify. These high-level logical actions map to one (or more) data actions in the data system where they are enforced.

+#### Effect

+The **effect** indicates what should be resultant effect of this policy. Currently, the only supported value is **Allow**.

+#### Data resource

+The **data resource** is the fully qualified data asset path to which a policy statement is applicable. It conforms to the following format:

+*/subscription/\<subscription-id>/resourcegroups/\<resource-group-name>/providers/\<provider-name>/\<data-asset-path>*

+Azure Storage data-asset-path format:

+*Microsoft.Storage/storageAccounts/\<account-name>/blobservice/default/containers/\<container-name>*

+Azure SQL DB data-asset-path format:

+*Microsoft.Sql/servers/\<server-name>*

+#### Subject

+The end-user identity from Azure Active Directory for whom this policy statement is applicable. This identity can be a service principal, an individual user, a group, or a managed service identity (MSI).

+### Example

+Deny Read on Data Asset:

+*/subscription/finance/resourcegroups/prod/providers/Microsoft.Storage/storageAccounts/finDataLake/blobservice/default/containers/FinData to group Finance-analyst*

+In the above policy statement, the effect is *Deny*, the action is *Read*, the data resource is Azure Storage container *FinData*, and the subject is Azure Active Directory group *Finance-analyst*. If any user that belongs to this group attempts to read data from the storage container *FinData*, the request will be denied.

+### Hierarchical enforcement of policies

+The data resource specified in a policy statement is hierarchical by default. This means that the policy statement applies to the data object itself and to **all** the child objects contained by the data object. For example, a policy statement on Azure storage container applies to all the blobs contained within it.

+### Policy combining algorithm

+Microsoft Purview can have different policy statements that refer to the same data asset. When evaluating a decision for data access, Microsoft Purview combines all the applicable policies and provides a consolidated decision. The combining strategy picks the most restrictive policy.

+For example, letΓÇÖs assume two different policies on an Azure Storage container *FinData* as follows,

+Policy 1 - *Allow Read on Data Asset /subscription/…./containers/FinData

+To group Finance-analyst*

+Policy 2 - *Deny Read on Data Asset /subscription/…./containers/FinData

+To group Finance-contractors*

+Then letΓÇÖs assume that user ΓÇÿuser1ΓÇÖ, who is part of two groups:

+*Finance-analyst* and *Finance-contractors*, executes a call to blob read API. Since both policies will be applicable, Microsoft Purview will choose the most restrictive one, which is *Deny* of *Read*. Thus, the access request will be denied.

+> [!Note]

+> Currently, the only supported effect is **Allow**.

+## Policy publishing

+A newly created policy exists in the draft mode state, only visible in Microsoft Purview. The act of publishing initiates enforcement of a policy in the specified data systems. It's an asynchronous action that can take between 5 minutes and 2 hours to be effective, depending on the enforcement code in the underlying data sources. For more information, consult the tutorials related to each data source

+A policy published to a data source could contain references to an asset belonging to a different data source. Such references will be ignored since the asset in question does not exist in the data source where the policy is applied.

+## Next steps

+Check the tutorials on how to create policies in Microsoft Purview that work on specific data systems such as Azure Storage:

+* [Access provisioning by data owner to Azure Storage datasets](how-to-policies-data-owner-storage.md)

+* [Enable Microsoft Purview data owner policies on all data sources in a subscription or a resource group](./how-to-policies-data-owner-resource-group.md)

+* [Use policies](concept-policies-data-owner.md) to manage access to data assets through the Microsoft Purview governance portal.

+Master data management (MDM) is a key pillar of any unified data governance solution. Microsoft Purview supports master data management with our partner [Profisee](https://profisee.com/solutions/microsoft-enterprise/azure/). This tutorial compiles reference and integration deployment materials in one place; firstly to put Microsoft Purview Unified Data Governance and MDM in the context of an Azure data estate; and more importantly, to get you started on your MDM journey with Microsoft Purview through our integration with Profisee.

+ >[!TIP]

+ > **Leverage ProfiseeΓÇÖs [MDS Migration Utility](https://profisee.com/solutions/microsoft-enterprise/master-data-services/) to upgrade from Microsoft MDS (Master Data Services) in a single click**

+More Details on [Profisee MDM Benefits On Modern Cloud Architecture](https://profisee.com/our-technology/modern-cloud-architecture/), [Profisee MDM on Azure](https://profisee.com/solutions/microsoft-enterprise/azure/), and why it fits best with [Microsoft Azure](https://azure.microsoft.com/) deployments!

+6. Transactional and unstructured data is loaded to downstream analytics solution ΓÇô All ΓÇÿrawΓÇÖ source data can be loaded to analytics database such as Synapse (Synapse is generally the preferred analytic database but others such as Snowflake are also common). Analysis on this raw information without proper master (ΓÇÿgoldenΓÇÖ) data will be subject to inaccuracy as data overlaps, mismatches and conflicts won't yet have been resolved.

+* [Data owner access policies](concept-policies-data-owner.md) - access policies authored via Microsoft Purview data policy experience.

+- [Create data owner policies for your resources](how-to-policies-data-owner-authoring-generic.md)

+- [Enable Microsoft Purview data owner policies on all data sources in a subscription or a resource group](./how-to-policies-data-owner-resource-group.md)

+- [Enable Microsoft Purview data owner policies on an Azure Storage account](./how-to-policies-data-owner-storage.md)

+>

+> Your data factory needs to have system assigned managed identity enabled.

+ Title: Provision access by data owner for SQL Server on Azure Arc-enabled servers (preview)

+description: Step-by-step guide on how data owners can configure access to Arc-enabled SQL servers through Microsoft Purview access policies.

+# Provision access by data owner for SQL Server on Azure Arc-enabled servers (preview)

+[Access policies](concept-policies-data-owner.md) allow you to manage access from Microsoft Purview to data sources that have been registered for *Data Use Management*.

+This how-to guide describes how a data owner can delegate authoring policies in Microsoft Purview to enable access to SQL Server on Azure Arc-enabled servers. The following actions are currently enabled: *SQL Performance Monitoring*, *SQL Security Auditing* and *Read*. These 3 actions are only supported for policies at server level. *Modify* is not supported at this point.

+## Prerequisites

+- SQL server version 2022 CTP 2.0 or later running on Windows. [Follow this link](https://www.microsoft.com/sql-server/sql-server-2022)

+- Complete process to onboard that SQL server with Azure Arc and enable Azure AD Authentication. [Follow this guide to learn how](https://aka.ms/sql-on-arc-AADauth).

+**Enforcement of policies for this data source is available only in the following regions for Microsoft Purview**

+- East US

+- East US 2

+- South Central US

+- West US 3

+- Canada Central

+- West Europe

+- North Europe

+- UK South

+- France Central

+- UAE North

+- Central India

+- Korea Central

+- Japan East

+- Australia East

+## Security considerations

+- The Server admin can turn off the Microsoft Purview policy enforcement.

+- Arc Admin/Server admin permissions empower the Arc admin or Server admin with the ability to change the ARM path of the given server. Given that mappings in Microsoft Purview use ARM paths, this can lead to wrong policy enforcements.

+- SQL Admin (DBA) can gain the power of Server admin and can tamper with the cached policies from Microsoft Purview.

+- The recommended configuration is to create a separate App Registration per SQL server instance. This prevents SQL server2 from reading the policies meant for SQL server1, in case a rogue admin in SQL server2 tampers with the ARM path.

+## Configuration

+> [!Important]

+> You can assign the data source side permission (i.e., *IAM Owner*) **only** by entering Azure portal through this [special link](https://portal.azure.com/?feature.canmodifystamps=true&Microsoft_Azure_HybridData_Platform=sqlrbacmain#blade/Microsoft_Azure_HybridCompute/AzureArcCenterBlade/sqlServers). Alternatively, you can configure this permission at the parent resource group level so that it gets inherited by the "SQL Server - Azure Arc" data source.

+### SQL Server on Azure Arc-enabled server configuration

+This section describes the steps to configure the SQL Server on Azure Arc to use Microsoft Purview.

+1. Sign in to Azure portal with a [special link](https://portal.azure.com/?feature.canmodifystamps=true&Microsoft_Azure_HybridData_Platform=sqlrbacmain#blade/Microsoft_Azure_HybridCompute/AzureArcCenterBlade/sqlServers) that contains feature flags to list SQL Servers on Azure Arc

+1. Navigate to a SQL Server you want to configure

+1. Navigate to **Azure Active Directory** feature on the left pane

+1. Verify that Azure Active Directory Authentication is configured and scroll down.

+

+1. Set **External Policy Based Authorization** to enabled

+1. Enter **Microsoft Purview Endpoint** in the format *https://\<purview-account-name\>.purview.azure.com*. You can see the names of Microsoft Purview accounts in your tenant through [this link](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Purview%2FAccounts). Optionally, you can confirm the endpoint by navigating to the Microsoft Purview account, then to the Properties section on the left menu and scrolling down until you see "Scan endpoint". The full endpoint path will be the one listed without the "/Scan" at the end.

+1. Make a note of the **App registration ID**, as you will need it when you register and enable this data source for *Data use Management* in Microsoft Purview.

+

+1. Select the **Save** button to save the configuration.

+### Register data sources in Microsoft Purview

+Register each data source with Microsoft Purview to later define access policies.

+1. Sign in to Microsoft Purview Studio.

+1. Navigate to the **Data map** feature on the left pane, select **Sources**, then select **Register**. Type "Azure Arc" in the search box and select **SQL Server on Azure Arc**. Then select **Continue**

+

+1. Enter a **Name** for this registration. It is best practice to make the name of the registration the same as the server name in the next step.

+1. select an **Azure subscription**, **Server name** and **Server endpoint**.

+1. **Select a collection** to put this registration in.

+1. Enable Data Use Management. Data Use Management needs certain permissions and can affect the security of your data, as it delegates to certain Microsoft Purview roles to manage access to the data sources. **Go through the secure practices related to Data Use Management in this guide**: [How to enable Data Use Management]

+(./how-to-enable-data-use-management.md)

+1. Upon enabling Data Use Management, Microsoft Purview will automatically capture the **Application ID** of the App Registration related to this Arc-enabled SQL server. Come back to this screen and hit the refresh button on the side of it to refresh, in case the association between the Arc-enabled SQL server and the App Registration changes in the future.

+1. Select **Register** or **Apply** at the bottom

+Once your data source has the **Data Use Management** toggle *Enabled*, it will look like this picture.

+

+> [!Note]

+> - If you want to create a policy on a resource group or subscription and have it enforced in Arc-enabled SQL servers, you will need to also register those servers independently for *Data use management* to provide their App ID. See this document on how to create policies at resource group or subscription level: [Enable Microsoft Purview data owner policies on all data sources in a subscription or a resource group](./how-to-policies-data-owner-resource-group.md).

+## Create and publish a data owner policy

+Execute the steps in the **Create a new policy** and **Publish a policy** sections of the [data-owner policy authoring tutorial](./how-to-policies-data-owner-authoring-generic.md#create-a-new-policy). The result will be a data owner policy similar to one of the examples shown in the images.

+**Example #1: SQL Performance Monitor policy**. This policy assigns the Azure AD principal 'Christie Cline' to the *SQL Performance monitoring* action, in the scope of Arc-enabled SQL server *DESKTOP-xxx*. This policy has also been published to that server. Note: Policies related to this action are not supported below server level.

+

+**Example #2: SQL Security Auditor policy**. Similar to example 1, but choose the *SQL Security auditing* action (instead of *SQL Performance monitoring*), when authoring the policy. Note: Policies related to this action are not supported below server level.

+**Example #3: Read policy**. This policy assigns the Azure AD principal 'sg-Finance' to the *SQL Data reader* action, in the scope of SQL server *DESKTOP-xxx*. This policy has also been published to that server. Note: Policies related to this action are not supported below server level.

+

+> [!Note]

+> - Given that scan is not currently available for this data source, data reader policies can only be created at server level. Use the **Data sources** box instead of the Asset box when authoring the **data resources** part of the policy.

+> - There is a know issue with SQL Server Management Studio that prevents right-clicking on a table and choosing option ΓÇ£Select Top 1000 rowsΓÇ¥.

+>[!Important]

+> - Publish is a background operation. It can take up to **5 minutes** for the changes to be reflected in this data source.

+> - Changing a policy does not require a new publish operation. The changes will be picked up with the next pull.

+### Test the policy

+The Azure AD Accounts referenced in the access policies should now be able to connect to any database in the server to which the policies are published.

+#### Force policy download

+It is possible to force an immediate download of the latest published policies to the current SQL database by running the following command. The minimal permission required to run it is membership in ##MS_ServerStateManager##-server role.

+```sql

+-- Force immediate download of latest published policies

+exec sp_external_policy_refresh reload

+```

+#### Analyze downloaded policy state from SQL

+The following DMVs can be used to analyze which policies have been downloaded and are currently assigned to Azure AD accounts. The minimal permission required to run them is VIEW DATABASE SECURITY STATE - or assigned Action Group *SQL Security Auditor*.

+```sql

+-- Lists generally supported actions

+SELECT * FROM sys.dm_server_external_policy_actions

+-- Lists the roles that are part of a policy published to this server

+SELECT * FROM sys.dm_server_external_policy_roles

+-- Lists the links between the roles and actions, could be used to join the two

+SELECT * FROM sys.dm_server_external_policy_role_actions

+-- Lists all Azure AD principals that were given connect permissions

+SELECT * FROM sys.dm_server_external_policy_principals

+-- Lists Azure AD principals assigned to a given role on a given resource scope

+SELECT * FROM sys.dm_server_external_policy_role_members

+-- Lists Azure AD principals, joined with roles, joined with their data actions

+SELECT * FROM sys.dm_server_external_policy_principal_assigned_actions

+```

+## Additional information

+### Policy action mapping

+This section contains a reference of how actions in Microsoft Purview data policies map to specific actions in SQL Server on Azure Arc-enabled servers.

+| **Microsoft Purview policy action** | **Data source specific actions** |

+|-|--|

+| | |

+| *Read* |Microsoft.Sql/sqlservers/Connect |

+||Microsoft.Sql/sqlservers/databases/Connect |

+||Microsoft.Sql/Sqlservers/Databases/Schemas/Tables/Rows|

+||Microsoft.Sql/Sqlservers/Databases/Schemas/Views/Rows |

+|||

+| *SQL Performance Monitor* |Microsoft.Sql/sqlservers/Connect |

+||Microsoft.Sql/sqlservers/databases/Connect |

+||Microsoft.Sql/sqlservers/SystemViewsAndFunctions/ServerMetadata/rows/select |

+||Microsoft.Sql/sqlservers/databases/SystemViewsAndFunctions/DatabaseMetadata/rows/select |

+||Microsoft.Sql/sqlservers/SystemViewsAndFunctions/ServerState/rows/select |

+||Microsoft.Sql/sqlservers/databases/SystemViewsAndFunctions/DatabaseState/rows/select |

+|||

+| *SQL Security Auditor* |Microsoft.Sql/sqlservers/Connect |

+||Microsoft.Sql/sqlservers/databases/Connect |

+||Microsoft.Sql/sqlservers/SystemViewsAndFunctions/ServerSecurityState/rows/select |

+||Microsoft.Sql/sqlservers/databases/SystemViewsAndFunctions/DatabaseSecurityState/rows/select |

+||Microsoft.Sql/sqlservers/SystemViewsAndFunctions/ServerSecurityMetadata/rows/select |

+||Microsoft.Sql/sqlservers/databases/SystemViewsAndFunctions/DatabaseSecurityMetadata/rows/select |

+|||

+## Next steps

+Check blog, demo and related how-to guides

+* [Demo of access policy for Azure Storage](https://learn-video.azurefd.net/vod/player?id=caa25ad3-7927-4dcc-88dd-6b74bcae98a2)

+* [Concepts for Microsoft Purview data owner policies](./concept-policies-data-owner.md)

+* Blog: [Private preview: controlling access to Azure SQL at scale with policies in Purview](https://techcommunity.microsoft.com/t5/azure-sql-blog/private-preview-controlling-access-to-azure-sql-at-scale-with/ba-p/2945491)

+* [Enable Microsoft Purview data owner policies on all data sources in a subscription or a resource group](./how-to-policies-data-owner-resource-group.md)

+* [Enable Microsoft Purview data owner policies on an Azure SQL DB](./how-to-policies-data-owner-azure-sql-db.md)

+ Title: Authoring and publishing data owner access policies (preview)

+description: Step-by-step guide on how a data owner can author and publish access policies in Microsoft Purview

+# Authoring and publishing data owner access policies (Preview)

+Access policies allow a data owner to delegate in Microsoft Purview access management to a data source. These policies can be authored directly in the Microsoft Purview governance portal, and after publishing, they get enforced by the data source. This tutorial describes how to create, update, and publish access policies in the Microsoft Purview governance portal.

+## Prerequisites

+## Configuration

+### Data source configuration

+Before authoring data policies in the Microsoft Purview governance portal, you'll need to configure the data sources so that they can enforce those policies.

+1. Follow any policy-specific prerequisites for your source. Check the [Microsoft Purview supported data sources table](microsoft-purview-connector-overview.md) and select the link in the **Access Policy** column for sources where access policies are available. Follow any steps listed in the Access policy or Prerequisites sections.

+1. Register the data source in Microsoft Purview. Follow the **Prerequisites** and **Register** sections of the [source pages](microsoft-purview-connector-overview.md) for your resources.

+1. [Enable the Data Use Management toggle on the data source](how-to-enable-data-use-management.md#enable-data-use-management). Additional permissions for this step are described in the linked document.

+## Create a new policy

+This section describes the steps to create a new policy in Microsoft Purview.

+Ensure you have the *Policy Author* permission as described [here](#permissions-for-policy-authoring-and-publishing)

+1. Sign in to the [Microsoft Purview governance portal](https://web.purview.azure.com/resource/).

+1. Navigate to the **Data policy** feature using the left side panel. Then select **Data policies**.

+1. Select the **New Policy** button in the policy page.

+ :::image type="content" source="./media/access-policies-common/policy-onboard-guide-1.png" alt-text="Data owner can access the Policy functionality in Microsoft Purview when it wants to create policies.":::

+1. The new policy page will appear. Enter the policy **Name** and **Description**.

+1. To add policy statements to the new policy, select the **New policy statement** button. This will bring up the policy statement builder.

+ :::image type="content" source="./media/access-policies-common/create-new-policy.png" alt-text="Data owner can create a new policy statement.":::

+1. Select the **Effect** button and choose *Allow* from the drop-down list.

+1. Select the **Action** button and choose *Read* or *Modify* from the drop-down list.

+1. Select the **Data Resources** button to bring up the window to enter Data resource information, which will open to the right.

+1. Under the **Data Resources** Panel do **one of two things** depending on the granularity of the policy:

+ - To create a broad policy statement that covers an entire data source, resource group, or subscription that was previously registered, use the **Data sources** box and select its **Type**.

+ - To create a fine-grained policy, use the **Assets** box instead. Enter the **Data Source Type** and the **Name** of a previously registered and scanned data source. See example in the image.

+ :::image type="content" source="./media/access-policies-common/select-data-source-type.png" alt-text="Data owner can select a Data Resource when editing a policy statement.":::

+1. Select the **Continue** button and transverse the hierarchy to select and underlying data-object (for example: folder, file, etc.). Select **Recursive** to apply the policy from that point in the hierarchy down to any child data-objects. Then select the **Add** button. This will take you back to the policy editor.

+ :::image type="content" source="./media/access-policies-common/select-asset.png" alt-text="Data owner can select the asset when creating or editing a policy statement.":::

+1. Select the **Subjects** button and enter the subject identity as a principal, group, or MSI. Then select the **OK** button. This will take you back to the policy editor

+ :::image type="content" source="./media/access-policies-common/select-subject.png" alt-text="Data owner can select the subject when creating or editing a policy statement.":::

+1. Repeat the steps #5 to #11 to enter any more policy statements.

+1. Select the **Save** button to save the policy.

+Now that you have created your policy, you will need to publish it for it to become active.

+## Publish a policy

+A newly created policy is in the **draft** state. The process of publishing associates the new policy with one or more data sources under governance. This is called "binding" a policy to a data source.

+Ensure you have the *Data Source Admin* permission as described [here](#permissions-for-policy-authoring-and-publishing)

+The steps to publish a policy are as follows:

+1. Sign in to the [Microsoft Purview governance portal](https://web.purview.azure.com/resource/).

+1. Navigate to the **Data policy** feature using the left side panel. Then select **Data policies**.

+ :::image type="content" source="./media/access-policies-common/policy-onboard-guide-2.png" alt-text="Data owner can access the Policy functionality in Microsoft Purview when it wants to update a policy by selecting 'Data policies'.":::

+1. The Policy portal will present the list of existing policies in Microsoft Purview. Locate the policy that needs to be published. Select the **Publish** button on the right top corner of the page.

+ :::image type="content" source="./media/access-policies-common/publish-policy.png" alt-text="Data owner can publish a policy.":::

+1. A list of data sources is displayed. You can enter a name to filter the list. Then, select each data source where this policy is to be published and then select the **Publish** button.

+ :::image type="content" source="./media/access-policies-common/select-data-sources-publish-policy.png" alt-text="Data owner can select the data source where the policy will be published.":::

+>[!Note]

+> After making changes to a policy, there is no need to publish it again for it to take effect if the data source(s) continues to be the same.

+## Update or delete a policy

+Steps to update or delete a policy in Microsoft Purview are as follows.

+Ensure you have the *Policy Author* permission as described [here](#permissions-for-policy-authoring-and-publishing)

+1. Sign in to the [Microsoft Purview governance portal](https://web.purview.azure.com/resource/).

+1. Navigate to the **Data policy** feature using the left side panel. Then select **Data policies**.

+ :::image type="content" source="./media/access-policies-common/policy-onboard-guide-2.png" alt-text="Data owner can access the Policy functionality in Microsoft Purview when it wants to update a policy.":::

+1. The Policy portal will present the list of existing policies in Microsoft Purview. Select the policy that needs to be updated.

+1. The policy details page will appear, including Edit and Delete options. Select the **Edit** button, which brings up the policy statement builder. Now, any parts of the statements in this policy can be updated. To delete the policy, use the **Delete** button.

+ :::image type="content" source="./media/access-policies-common/edit-policy.png" alt-text="Data owner can edit or delete a policy statement.":::

+## Next steps

+For specific guides on creating policies, you can follow these tutorials:

+- [Enable Microsoft Purview data owner policies on all data sources in a subscription or a resource group](./how-to-policies-data-owner-resource-group.md)

+- [Enable Microsoft Purview data owner policies on an Azure Storage account](./how-to-policies-data-owner-storage.md)

+ Title: Provision access by data owner for Azure SQL DB (preview)

+description: Step-by-step guide on how data owners can configure access for Azure SQL DB through Microsoft Purview access policies.

+# Provision access by data owner for Azure SQL DB (preview)

+[Access policies](concept-policies-data-owner.md) allow you to manage access from Microsoft Purview to data sources that have been registered for *Data Use Management*.

+This how-to guide describes how a data owner can delegate authoring policies in Microsoft Purview to enable access to Azure SQL DB. The following actions are currently enabled: *SQL Performance Monitoring*, *SQL Security Auditing* and *Read*. The first two actions are supported only at server level. *Modify* is not supported at this point.

+## Prerequisites

+## Microsoft Purview Configuration

+### Register the data sources in Microsoft Purview

+The Azure SQL DB resources need to be registered first with Microsoft Purview to later define access policies. You can follow these guides:

+[Register and scan Azure SQL DB](./register-scan-azure-sql-database.md)

+After you've registered your resources, you'll need to enable Data Use Management. Data Use Management can affect the security of your data, as it delegates to certain Microsoft Purview roles to manage access to the data sources. **Go through the secure practices related to Data Use Management in this guide**:

+[How to enable Data Use Management](./how-to-enable-data-use-management.md)

+Once your data source has the **Data Use Management** toggle *Enabled*, it will look like this picture. This will enable the access policies to be used with the given SQL server and all its contained databases.

+

+## Create and publish a data owner policy

+Execute the steps in the **Create a new policy** and **Publish a policy** sections of the [data-owner policy authoring tutorial](./how-to-policies-data-owner-authoring-generic.md#create-a-new-policy). The result will be a data owner policy similar to one of the examples shown in the images.

+**Example #1: SQL Performance Monitor policy**. This policy assigns the Azure AD principal 'Mateo Gomez' to the *SQL Performance monitoring* action, in the scope of SQL server *relecloud-sql-srv2*. This policy has also been published to that server. Note: Policies related to this action are not supported below server level.

+

+**Example #2: SQL Security Auditor policy**. Similar to example 1, but choose the *SQL Security auditing* action (instead of *SQL Performance monitoring*), when authoring the policy. Note: Policies related to this action are not supported below server level.

+**Example #3: Read policy**. This policy assigns the Azure AD principal 'Robert Murphy' to the *SQL Data reader* action, in the scope of SQL server *relecloud-sql-srv2*. This policy has also been published to that server. Note: Policies related to this action are supported below server level (e.g., database, table)

+

+>[!Important]

+> - Publish is a background operation. It can take up to **5 minutes** for the changes to be reflected in this data source.

+> - Changing a policy does not require a new publish operation. The changes will be picked up with the next pull.

+### Test the policy

+The Azure AD Accounts referenced in the access policies should now be able to connect to any database in the server to which the policies are published.

+#### Force policy download

+It is possible to force an immediate download of the latest published policies to the current SQL database by running the following command. The minimal permission required to run it is membership in ##MS_ServerStateManager##-server role.

+```sql

+-- Force immediate download of latest published policies

+exec sp_external_policy_refresh reload

+```

+#### Analyze downloaded policy state from SQL

+The following DMVs can be used to analyze which policies have been downloaded and are currently assigned to Azure AD accounts. The minimal permission required to run them is VIEW DATABASE SECURITY STATE - or assigned Action Group *SQL Security Auditor*.

+```sql

+-- Lists generally supported actions

+SELECT * FROM sys.dm_server_external_policy_actions

+-- Lists the roles that are part of a policy published to this server

+SELECT * FROM sys.dm_server_external_policy_roles

+-- Lists the links between the roles and actions, could be used to join the two

+SELECT * FROM sys.dm_server_external_policy_role_actions

+-- Lists all Azure AD principals that were given connect permissions

+SELECT * FROM sys.dm_server_external_policy_principals

+-- Lists Azure AD principals assigned to a given role on a given resource scope

+SELECT * FROM sys.dm_server_external_policy_role_members

+-- Lists Azure AD principals, joined with roles, joined with their data actions

+SELECT * FROM sys.dm_server_external_policy_principal_assigned_actions

+```

+## Additional information

+### Policy action mapping

+This section contains a reference of how actions in Microsoft Purview data policies map to specific actions in Azure SQL DB.

+| **Microsoft Purview policy action** | **Data source specific actions** |

+|-|--|

+| | |

+| *Read* |Microsoft.Sql/sqlservers/Connect |

+||Microsoft.Sql/sqlservers/databases/Connect |

+||Microsoft.Sql/Sqlservers/Databases/Schemas/Tables/Rows|

+||Microsoft.Sql/Sqlservers/Databases/Schemas/Views/Rows |

+|||

+| *SQL Performance Monitor* |Microsoft.Sql/sqlservers/Connect |

+||Microsoft.Sql/sqlservers/databases/Connect |

+||Microsoft.Sql/sqlservers/SystemViewsAndFunctions/ServerMetadata/rows/select |

+||Microsoft.Sql/sqlservers/databases/SystemViewsAndFunctions/DatabaseMetadata/rows/select |

+||Microsoft.Sql/sqlservers/SystemViewsAndFunctions/ServerState/rows/select |

+||Microsoft.Sql/sqlservers/databases/SystemViewsAndFunctions/DatabaseState/rows/select |

+|||

+| *SQL Security Auditor* |Microsoft.Sql/sqlservers/Connect |

+||Microsoft.Sql/sqlservers/databases/Connect |

+||Microsoft.Sql/sqlservers/SystemViewsAndFunctions/ServerSecurityState/rows/select |

+||Microsoft.Sql/sqlservers/databases/SystemViewsAndFunctions/DatabaseSecurityState/rows/select |

+||Microsoft.Sql/sqlservers/SystemViewsAndFunctions/ServerSecurityMetadata/rows/select |

+||Microsoft.Sql/sqlservers/databases/SystemViewsAndFunctions/DatabaseSecurityMetadata/rows/select |

+|||

+## Next steps

+Check blog, demo and related how-to guides

+* [Demo of access policy for Azure Storage](https://learn-video.azurefd.net/vod/player?id=caa25ad3-7927-4dcc-88dd-6b74bcae98a2)

+* [Concepts for Microsoft Purview data owner policies](./concept-policies-data-owner.md)

+* Blog: [Microsoft Purview Data Policy for SQL DevOps access provisioning now in public preview](https://techcommunity.microsoft.com/t5/microsoft-purview-blog/microsoft-purview-data-policy-for-sql-devops-access-provisioning/ba-p/3403174)

+* Blog: [Controlling access to Azure SQL at scale with policies in Purview](https://techcommunity.microsoft.com/t5/azure-sql-blog/private-preview-controlling-access-to-azure-sql-at-scale-with/ba-p/2945491)

+* [Enable Microsoft Purview data owner policies on all data sources in a subscription or a resource group](./how-to-policies-data-owner-resource-group.md)

+* [Enable Microsoft Purview data owner policies on an Arc-enabled SQL Server](./how-to-policies-data-owner-arc-sql-server.md)

+ Title: Resource group and subscription access provisioning by data owner (preview)

+description: Step-by-step guide showing how a data owner can create access policies to resource groups or subscriptions.

+# Resource group and subscription access provisioning by data owner (Preview)

+[Access policies](concept-policies-data-owner.md) allow you to manage access from Microsoft Purview to data sources that have been registered for *Data Use Management*.

+You can also [register an entire resource group or subscription](register-scan-azure-multiple-sources.md), and create a single policy that will manage access to **all** data sources in that resource group or subscription. That single policy will cover all existing data sources and any data sources that are created afterwards. This article describes how this is done.

+## Prerequisites

+**Only these data sources are enabled for access policies on resource group or subscription**. Follow the **Prerequisites** section that is specific to the data source(s) in these guides:

+* [Data owner policies on an Azure Storage account](./how-to-policies-data-owner-storage.md#prerequisites)

+* [Data owner policies on an Azure SQL Database](./how-to-policies-data-owner-azure-sql-db.md#prerequisites)*

+* [Data owner policies on an Arc-enabled SQL Server](./how-to-policies-data-owner-arc-sql-server.md#prerequisites)*

+(*) Only the *SQL Performance monitoring* and *Security auditing* actions are fully supported for SQL-type data sources. The *Read* action needs a workaround described later in this guide. The *Modify* action is not currently supported for SQL-type data sources.

+## Configuration

+### Register the subscription or resource group for Data Use Management

+The subscription or resource group needs to be registered with Microsoft Purview to later define access policies.

+To register your subscription or resource group, follow the **Prerequisites** and **Register** sections of this guide:

+- [Register multiple sources in Microsoft Purview](register-scan-azure-multiple-sources.md#prerequisites)

+After you've registered your resources, you'll need to enable Data Use Management. Data Use Management needs certain permissions and can affect the security of your data, as it delegates to certain Microsoft Purview roles to manage access to the data sources. **Go through the secure practices related to Data Use Management in this guide**: [How to enable Data Use Management](./how-to-enable-data-use-management.md)

+In the end, your resource will have the **Data Use Management** toggle **Enabled**, as shown in the picture:

+

+>[!Important]

+> - If you want to create a policy on a resource group or subscription and have it enforced in Arc-enabled SQL servers, you will need to also register those servers independently for *Data use management* to provide their App ID.

+## Create and publish a data owner policy

+Execute the steps in the **Create a new policy** and **Publish a policy** sections of the [data-owner policy authoring tutorial](./how-to-policies-data-owner-authoring-generic.md#create-a-new-policy). The result will be a data owner policy similar to the example shown in the image: a policy that provides security group *sg-Finance* *modify* access to resource group *finance-rg*. Use the Data source box in the Policy user experience.

+

+>[!Important]

+> - Publish is a background operation. For example, Azure Storage accounts can take up to **2 hours** to reflect the changes.

+> - Changing a policy does not require a new publish operation. The changes will be picked up with the next pull.

+>[!Warning]

+> **Known Issues**

+> - No implicit connect permission is provided to SQL type data sources (e.g.: Azure SQL DB, SQL server on Azure Arc-enabled servers) when creating a policy with *Read* action on a resource group or subscription. To support this scenario, provide the connect permission to the Azure AD principals locally, i.e. directly in the SQL-type data sources.

+## Additional information

+- Creating a policy at subscription or resource group level will enable the Subjects to access Azure Storage system containers, for example, *$logs*. If this is undesired, first scan the data source and then create finer-grained policies for each (that is, at container or sub-container level).

+### Limits

+The limit for Microsoft Purview policies that can be enforced by Storage accounts is 100 MB per subscription, which roughly equates to 5000 policies.

+## Next steps

+Check blog, demo and related tutorials:

+* [Concepts for Microsoft Purview data owner policies](./concept-policies-data-owner.md)

+* [Blog: resource group-level governance can significantly reduce effort](https://techcommunity.microsoft.com/t5/azure-purview-blog/data-policy-features-resource-group-level-governance-can/ba-p/3096314)

+* [Video: Demo of data owner access policies for Azure Storage](https://learn-video.azurefd.net/vod/player?id=caa25ad3-7927-4dcc-88dd-6b74bcae98a2)

+ Title: Access provisioning by data owner to Azure Storage datasets (preview)

+description: Step-by-step guide showing how data owners can create access policies to datasets in Azure Storage

+# Access provisioning by data owner to Azure Storage datasets (Preview)

+[Access policies](concept-policies-data-owner.md) allow you to manage access from Microsoft Purview to data sources that have been registered for *Data Use Management*.

+This article describes how a data owner can delegate in Microsoft Purview management of access to Azure Storage datasets. Currently, these two Azure Storage sources are supported:

+- Blob storage

+- Azure Data Lake Storage (ADLS) Gen2

+## Prerequisites

+## Configuration

+### Register the data sources in Microsoft Purview for Data Use Management

+The Azure Storage resources need to be registered first with Microsoft Purview to later define access policies.

+To register your resources, follow the **Prerequisites** and **Register** sections of these guides:

+- [Register and scan Azure Storage Blob - Microsoft Purview](register-scan-azure-blob-storage-source.md#prerequisites)

+- [Register and scan Azure Data Lake Storage (ADLS) Gen2 - Microsoft Purview](register-scan-adls-gen2.md#prerequisites)

+After you've registered your resources, you'll need to enable Data Use Management. Data Use Management needs certain permissions and can affect the security of your data, as it delegates to certain Microsoft Purview roles to manage access to the data sources. **Go through the secure practices related to Data Use Management in this guide**: [How to enable Data Use Management](./how-to-enable-data-use-management.md)

+Once your data source has the **Data Use Management** toggle **Enabled**, it will look like this picture:

+## Create and publish a data owner policy

+Execute the steps in the **Create a new policy** and **Publish a policy** sections of the [data-owner policy authoring tutorial](./how-to-policies-data-owner-authoring-generic.md#create-a-new-policy). The result will be a data owner policy similar to the example shown in the image: a policy that provides group *Contoso Team* *read* access to Storage account *marketinglake1*:

+>[!Important]

+> - Publish is a background operation. Azure Storage accounts can take up to **2 hours** to reflect the changes.

+## Data Consumption

+- Data consumer can access the requested dataset using tools such as PowerBI or Azure Synapse Analytics workspace.

+- Sub-container access: Policy statements set below container level on a Storage account are supported. However, users will not be able to browse to the data asset using Azure Portal's Storage Browser or Microsoft Azure Storage Explorer tool if access is granted only at file or folder level of the Azure Storage account. This is because these apps attempt to crawl down the hierarchy starting at container level, and the request fails because no access has been granted at that level. Instead, the App that requests the data must execute a direct access by providing a fully qualified name to the data object. The following documents show examples of how to perform a direct access. See also the blogs in the *Next steps* section of this how-to-guide.

+ - [*abfs* for ADLS Gen2](../hdinsight/hdinsight-hadoop-use-data-lake-storage-gen2.md#access-files-from-the-cluster)

+ - [*az storage blob download* for Blob Storage](../storage/blobs/storage-quickstart-blobs-cli.md#download-a-blob)

+## Additional information

+- Creating a policy at Storage account level will enable the Subjects to access system containers, for example *$logs*. If this is undesired, first scan the data source(s) and then create finer-grained policies for each (that is, at container or subcontainer level).

+- The root blob in a container will be accessible to the Azure AD principals in a Microsoft Purview *allow*-type RBAC policy if the scope of such policy is either subscription, resource group, Storage account or container in Storage account.

+- The root container in a Storage account will be accessible to the Azure AD principals in a Microsoft Purview *allow*-type RBAC policy if the scope of such policy is either subscription, resource group, or Storage account.

+### Limits

+- The limit for Microsoft Purview policies that can be enforced by Storage accounts is 100 MB per subscription, which roughly equates to 5000 policies.

+### Known issues

+**Known issues** related to Policy creation

+- Do not create policy statements based on Microsoft Purview resource sets. Even if displayed in Microsoft Purview policy authoring UI, they are not yet enforced. Learn more about [resource sets](concept-resource-sets.md).

+### Policy action mapping

+This section contains a reference of how actions in Microsoft Purview data policies map to specific actions in Azure Storage.

+| **Microsoft Purview policy action** | **Data source specific actions** |

+||--|

+|||

+| *Read* |Microsoft.Storage/storageAccounts/blobServices/containers/read |

+| |Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read |

+|||

+| *Modify* |Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read |

+| |Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write |

+| |Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action |

+| |Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action |

+| |Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete |

+| |Microsoft.Storage/storageAccounts/blobServices/containers/read |

+| |Microsoft.Storage/storageAccounts/blobServices/containers/write |

+| |Microsoft.Storage/storageAccounts/blobServices/containers/delete |

+|||

+## Next steps

+Check blog, demo and related tutorials:

+* [Demo of access policy for Azure Storage](https://learn-video.azurefd.net/vod/player?id=caa25ad3-7927-4dcc-88dd-6b74bcae98a2)

+* [Concepts for Microsoft Purview data owner policies](./concept-policies-data-owner.md)

+* [Enable Microsoft Purview data owner policies on all data sources in a subscription or a resource group](./how-to-policies-data-owner-resource-group.md)

+* [Blog: What's New in Microsoft Purview at Microsoft Ignite 2021](https://techcommunity.microsoft.com/t5/azure-purview/what-s-new-in-azure-purview-at-microsoft-ignite-2021/ba-p/2915954)

+* [Blog: Accessing data when folder level permission is granted](https://techcommunity.microsoft.com/t5/azure-purview-blog/data-policy-features-accessing-data-when-folder-level-permission/ba-p/3109583)

+* [Blog: Accessing data when file level permission is granted](https://techcommunity.microsoft.com/t5/azure-purview-blog/data-policy-features-accessing-data-when-file-level-permission/ba-p/3102166)

+### Reassign requests

+You can reassign requests both approvals and tasks that are assigned to you to a different user.

+1. To reassign, select the request or task you're assigned and select **Reassign** in the following window.

+ :::image type="content" source="./media/how-to-workflow-manage-requests-approval/reassign-button.png" alt-text="Screenshot showing the task selected and the Respond page is open, with details, a status, and a place for comments and reassign button.":::

+1. You'll be presented with a list of all the users who are assigned to the request. Select **Assignee** where your user name or the group you're part of is displayed and change it from your user name to the new user name. Select **Save** to complete the reassignment.

+ :::image type="content" source="./media/how-to-workflow-manage-requests-approval/reassign-user.png" alt-text="Screenshot showing the request selected and the reassign user.":::

+You can cancel a submitted request and its underlying workflow by selecting **Cancel request and its underlying workflow run**.

+ > You can only cancel workflows that are in progress. When you cancel a request from the **requests and approvals** section, it will cancel the underlying workflow run.

+1. You can cancel a running workflow by selecting **Cancel workflow run**.

+ :::image type="content" source="./media/how-to-workflow-manage-runs/cancel-workflows-inline.png" alt-text="Screenshot of the workflow runs page, with the workflow details page overlaid and cancel button to cancel the workflow run." lightbox="./media/how-to-workflow-manage-runs/cancel-workflows.png":::

+ > You can only cancel workflows that are in progress.

+|| SQL Server on Azure-Arc| No |No | No |[Yes (Preview)](how-to-policies-data-owner-arc-sql-server.md) | No |

+ Title: 'Quickstart: Share data using the .NET SDK'

+description: This article will guide you through sharing and receiving data using Microsoft Purview Data Sharing account through the .NET SDK.

+ms.devlang: csharp

+# Quickstart: Share and receive data with the Microsoft Purview Data Sharing .NET SDK

+In this quickstart, you'll use the .NET SDK provides to share data and receive shares from Azure Data Lake Storage (ADLS Gen2) or Blob storage accounts. The article includes code snippets that will allow you to share and receive data using Microsoft Purview Data Sharing.

+For an overview of how data sharing works, watch this short [demo](https://aka.ms/purview-data-share/overview-demo).

+### Visual Studio

+The walkthrough in this article uses Visual Studio 2019. The procedures for Visual Studio 2013, 2015, or 2017 may differ slightly.

+### Azure .NET SDK

+Download and install [Azure .NET SDK](https://azure.microsoft.com/downloads/) on your machine.

+## Create an application in Azure Active Directory

+1. In [Create an Azure Active Directory application](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal), create an application that represents the .NET application you're creating in this tutorial. For the sign-on URL, you can provide a dummy URL as shown in the article (`https://contoso.org/exampleapp`).

+1. In [Get values for signing in](../active-directory/develop/howto-create-service-principal-portal.md#get-tenant-and-app-id-values-for-signing-in), get the **application ID**,**tenant ID**, and **object ID**, and note down these values that you use later in this tutorial.

+1. In [Certificates and secrets](../active-directory/develop/howto-create-service-principal-portal.md#authentication-two-options), get the **authentication key**, and note down this value that you use later in this tutorial.

+1. [assign the application to these roles:](../active-directory/develop/howto-create-service-principal-portal.md#assign-a-role-to-the-application)

+ | | Azure Storage Account Roles | Microsoft Purview Collection Roles |

+ |: |: |: |

+ | **Data Provider** |Owner OR Blob Storage Data Owner|Data Share Contributor|

+ | **Data Consumer** |Contributor OR Owner OR Storage Blob Data Contributor OR Blob Storage Data Owner|Data Share Contributor|

+## Create a Visual Studio project

+Next, create a C# .NET console application in Visual Studio:

+1. Launch **Visual Studio**.

+2. In the Start window, select **Create a new project** > **Console App (.NET Framework)**. .NET version 4.5.2 or above is required.

+3. In **Project name**, enter **PurviewDataSharingQuickStart**.

+4. Select **Create** to create the project.

+## Install NuGet packages

+1. Select **Tools** > **NuGet Package Manager** > **Package Manager Console**.

+2. In the **Package Manager Console** pane, run the following commands to install packages. For more information, see the [Microsoft.Azure.Analytics.Purview.Share NuGet package](https://www.nuget.org/packages/Azure.Analytics.Purview.Share/1.0.3-beta.20).

+ ```powershell

+ Install-Package Microsoft.Azure.Purview.Share.ManagementClient

+ Install-Package Microsoft.Azure.Management.ResourceManager -IncludePrerelease

+ Install-Package Microsoft.IdentityModel.Clients.ActiveDirectory

+ Install-Package Azure.Analytics.Purview.Share

+ Install-Package Azure.Analytics.Purview.Account

+ ```

+## Create a sent share

+The below code will create a data share that you can send to internal or external users.

+To use it, be sure to fill out these variables:

+- **endpoint** - "https://\<my-account-name>.purview.azure.com/share". Replace **\<my-account-name>** with the name of your Microsoft Purview instance

+- **sentShareName** - a name for your new data share

+- **description** - an optional description for your data share

+- **collectionName** - the name of the collection where your share will be housed.

+```C# Snippet:Azure_Analytics_Purview_Share_Samples_01_Namespaces

+using Azure.Core;

+using Azure.Identity;

+var credential = new DefaultAzureCredential();

+var endPoint = "https://<my-account-name>.purview.azure.com/share";

+var sentShareClient = new SentSharesClient(endPoint, credential);

+var collectionName = "<name of your collection>";

+// Get collection internal reference name

+// Collections that are not the root collection have a friendlyName (the name you see in the Microsoft Purview Data Map) and an internal reference name used to access the collection programmatically.

+var collectionsResponse = await accountClient.GetCollectionsAsync();

+var collectionsResponseDocument = JsonDocument.Parse(collectionsResponse.Content);

+var collections = collectionsResponseDocument.RootElement.GetProperty("value");

+foreach (var collection in collections.EnumerateArray())

+{

+ if (String.Equals(collectionName, collection.GetProperty("friendlyName").ToString(), StringComparison.OrdinalIgnoreCase))

+ {

+ collectionName = collection.GetProperty("name").ToString();

+ }

+}

+// Create sent share

+var sentShareName = "sample-Share";

+var inPlaceSentShareDto = new

+{

+ shareKind = "InPlace",

+ properties = new

+ {

+ description = "demo share",

+ collection = new

+ {

+ referenceName = collectionName,

+ type = "CollectionReference"

+ }

+ }

+};

+var sentShare = await sentShareClient.CreateOrUpdateAsync(sentShareName, RequestContent.Create(inPlaceSentShareDto));

+```

+## Add an asset to a sent share

+The below code will add a data asset to a share you're sending.

+To use it, be sure to fill out these variables:

+- **endpoint** - "https://\<my-account-name>.purview.azure.com/share". Replace **\<my-account-name>** with the name of your Microsoft Purview instance

+- **sentShareName** - the name of the data share where you'll add the asset

+- **assetName** - a name for the asset you'll be adding

+- **senderStorageResourceId** - the [resource ID for the storage account](../storage/common/storage-account-get-info.md#get-the-resource-id-for-a-storage-account) where the data asset is stored

+- **senderStorageContainer** - the name of container where your asset is housed in your storage account

+- **senderPathToShare** - the folder and file path for the asset you'll be sharing

+- **pathNameForReceiver** - a (path compliant) name that for the share that will be visible to the data receiver

+```C# Snippet:Azure_Analytics_Purview_Share_Samples_02_Namespaces

+using Azure.Core;

+using Azure.Identity;

+var credential = new DefaultAzureCredential();

+var endPoint = "https://<my-account-name>.purview.azure.com/share";

+// Add asset to sent share

+var sentShareName = "sample-Share";

+var assetName = "fabrikam-blob-asset";

+var assetNameForReceiver = "receiver-visible-asset-name";

+var senderStorageResourceId = "<SENDER_STORAGE_ACCOUNT_RESOURCE_ID>";

+var senderStorageContainer = "fabrikamcontainer";

+var senderPathToShare = "folder/sample.txt";

+var pathNameForReceiver = "from-fabrikam";

+var assetData = new

+{

+ // For Adls Gen2 asset use "AdlsGen2Account"

+ kind = "blobAccount",

+ properties = new

+ {

+ storageAccountResourceId = senderStorageResourceId,

+ receiverAssetName = assetNameForReceiver,

+ paths = new[]

+ {

+ new

+ {

+ containerName = senderStorageContainer,

+ senderPath = senderPathToShare,

+ receiverPath = pathNameForReceiver

+ }

+ }

+ }

+};

+var assetsClient = new AssetsClient(endPoint, credential);

+await assetsClient.CreateAsync(WaitUntil.Started, sentShareName, assetName, RequestContent.Create(assetData));

+```

+## Send invitation

+The below code will send an invitation to a data share.

+To use it, be sure to fill out these variables:

+- **endpoint** - "https://\<my-account-name>.purview.azure.com/share". Replace **\<my-account-name>** with the name of your Microsoft Purview instance

+- **sentShareName** - the name of the data share you're sending

+- **assetName** - a name for your invitation

+- **targetEmail** or **targetActiveDirectoryId and targetObjectId** - the email address **or** objectId and tenantId for the user or service principal that will receive the data share. TenantId is optional.

+```C# Snippet:Azure_Analytics_Purview_Share_Samples_03_Namespaces

+using Azure.Core;

+using Azure.Identity;

+var credential = new DefaultAzureCredential();

+var endPoint = "https://<my-account-name>.purview.azure.com/share";

+// Send invitation

+var sentShareName = "sample-Share";

+var invitationName = "invitation-to-fabrikam";

+var invitationData = new

+{

+ invitationKind = "User",

+ properties = new

+ {

+ targetEmail = "user@domain.com"

+ }

+};

+// Instead of sending invitation to Azure login email of the user, you can send invitation to object ID of a service principal and tenant ID.

+// Tenant ID is optional. To use this method, comment out the previous declaration, and uncomment the next one.

+//var invitationData = new

+//{

+// invitationKind = "Application",

+// properties = new

+// {

+// targetActiveDirectoryId = "<targetActiveDirectoryId>",

+// targetObjectId = "<targetObjectId>"

+// }

+//};

+var sentShareInvitationsClient = new SentShareInvitationsClient(endPoint, credential);

+await sentShareInvitationsClient.CreateOrUpdateAsync(sentShareName, invitationName, RequestContent.Create(invitationData));

+```

+## View sent share invitations

+The below code will allow you to view your sent invitations.

+To use it, be sure to fill out these variables:

+- **endpoint** - "https://\<my-account-name>.purview.azure.com/share". Replace **\<my-account-name>** with the name of your Microsoft Purview instance

+- **sentShareName** - the name share that an invitation was sent for

+```C# Snippet:Azure_Analytics_Purview_Share_Samples_04_Namespaces

+using System.Linq;

+using System.Text.Json;

+using Azure.Identity;

+var credential = new DefaultAzureCredential();

+var endPoint = "https://<my-account-name>.purview.azure.com/share";

+var sentShareName = "sample-Share";

+// View sent share invitations. (Pending/Rejected)

+var sentShareInvitationsClient = new SentShareInvitationsClient(endPoint, credential);

+var sentShareInvitations = sentShareInvitationsClient.GetSentShareInvitations(sentShareName);

+var responseInvitation = sentShareInvitations.FirstOrDefault();

+if (responseInvitation == null)

+{

+ //No invitations

+ return;

+}

+var responseInvitationDocument = JsonDocument.Parse(responseInvitation);

+var targetEmail = responseInvitationDocument.RootElement.GetProperty("properties").GetProperty("targetEmail");

+```

+## View received invitations

+The below code will allow you to view your received invitations.

+To use it, be sure to fill out these variables:

+- **endpoint** - "https://\<my-account-name>.purview.azure.com/share". Replace **\<my-account-name>** with the name of your Microsoft Purview instance

+```C# Snippet:Azure_Analytics_Purview_Share_Samples_05_Namespaces

+using Azure.Identity;

+var credential = new DefaultAzureCredential();

+var endPoint = "https://<my-account-name>.purview.azure.com/share";

+// View received invitations

+var receivedInvitationsClient = new ReceivedInvitationsClient(endPoint, credential);

+var receivedInvitations = receivedInvitationsClient.GetReceivedInvitations();

+```

+## Create a received share

+The below code will allow you to receive a data share.

+To use it, be sure to fill out these variables:

+- **endpoint** - "https://\<my-account-name>.purview.azure.com/share". Replace **\<my-account-name>** with the name of your Microsoft Purview instance

+- **receivedShareName** - a name for the share that is being received

+- **sentShareLocation** - the region where the share is housed. It should be the same region as the sent share and will be one of [Microsoft Purview's available regions](https://azure.microsoft.com/global-infrastructure/services/?products=purview&regions=all).

+- **collectionName** - the name of the collection where your share will be housed.

+```C# Snippet:Azure_Analytics_Purview_Share_Samples_06_Namespaces

+using System.Linq;

+using System.Text.Json;

+using Azure.Core;

+using Azure.Identity;

+var credential = new DefaultAzureCredential();

+var endPoint = "https://<my-account-name>.purview.azure.com/share";

+var collectionName = "<name of your collection>"

+// Create received share

+var receivedInvitationsClient = new ReceivedInvitationsClient(endPoint, credential);

+var receivedInvitations = receivedInvitationsClient.GetReceivedInvitations();

+var receivedShareName = "fabrikam-received-share";

+var receivedInvitation = receivedInvitations.LastOrDefault();

+// Get collection internal reference name

+// Collections that are not the root collection have a friendlyName (the name you see in the Microsoft Purview Data Map) and an internal reference name used to access the collection programmatically.

+var collectionsResponse = await accountClient.GetCollectionsAsync();

+var collectionsResponseDocument = JsonDocument.Parse(collectionsResponse.Content);

+var collections = collectionsResponseDocument.RootElement.GetProperty("value");

+foreach (var collection in collections.EnumerateArray())

+{

+ if (collection.Equals(collection.GetProperty("friendlyName").ToString(), StringComparison.OrdinalIgnoreCase))

+ {

+ collectionName = collection.GetProperty("name").ToString();

+ }

+}

+if (receivedInvitation == null)

+{

+ //No received invitations

+ return;

+}

+var receivedInvitationDocument = JsonDocument.Parse(receivedInvitation).RootElement;

+var receivedInvitationId = receivedInvitationDocument.GetProperty("name");

+var receivedShareData = new

+{

+ shareKind = "InPlace",

+ properties = new

+ {

+ invitationId = receivedInvitationId,

+ sentShareLocation = "eastus",

+ collection = new

+ {

+ referenceName = collectionName,

+ type = "CollectionReference"

+ }

+ }

+};

+var receivedShareClient = new ReceivedSharesClient(endPoint, credential);

+var receivedShare = await receivedShareClient.CreateAsync(receivedShareName, RequestContent.Create(receivedShareData));

+```

+## View accepted shares

+The below code will allow you to view your accepted shares.

+To use it, be sure to fill out these variables:

+- **endpoint** - "https://\<my-account-name>.purview.azure.com/share". Replace **\<my-account-name>** with the name of your Microsoft Purview instance

+- **sentShareName** - the name of the share you would like to view

+```C# Snippet:Azure_Analytics_Purview_Share_Samples_07_Namespaces

+using System.Linq;

+using System.Text.Json;

+using Azure.Identity;

+var credential = new DefaultAzureCredential();

+var endPoint = "https://<my-account-name>.purview.azure.com/share";

+var sentShareName = "sample-Share";

+// View accepted shares

+var acceptedSentSharesClient = new AcceptedSentSharesClient(endPoint, credential);

+var acceptedSentShares = acceptedSentSharesClient.GetAcceptedSentShares(sentShareName);

+var acceptedSentShare = acceptedSentShares.FirstOrDefault();

+if (acceptedSentShare == null)

+{

+ //No accepted sent shares

+ return;

+}

+var receiverEmail = JsonDocument.Parse(acceptedSentShare).RootElement.GetProperty("properties").GetProperty("receiverEmail").GetString();

+```

+## Get received assets

+The below code will allow you to see the assets received from a share.

+To use it, be sure to fill out these variables:

+- **endpoint** - "https://\<my-account-name>.purview.azure.com/share". Replace **\<my-account-name>** with the name of your Microsoft Purview instance

+- **receivedShareName** - the name of the share you would like to view the assets from

+- **assetMappingName** - consumer provided input that is used as identifier for the created asset mapping

+- **receiverContainerName** - the name of the container where the assets were housed

+- **receiverFolderName** - the name of the folder where the assets were housed

+- **receiverMountPath** - an optional input path parameter for destination mapping location

+- **receiverStorageResourceId** - the [resource ID for the storage account](../storage/common/storage-account-get-info.md#get-the-resource-id-for-a-storage-account) where the data asset is stored

+```C# Snippet:Azure_Analytics_Purview_Share_Samples_08_Namespaces

+using System;

+using System.Linq;

+using System.Text.Json;

+using Azure.Core;

+using Azure.Identity;

+var credential = new DefaultAzureCredential();

+var endPoint = "https://<my-account-name>.purview.azure.com/share";

+// Get received assets

+var receivedShareName = "fabrikam-received-share";

+var receivedAssetsClient = new ReceivedAssetsClient(endPoint, credential);

+var receivedAssets = receivedAssetsClient.GetReceivedAssets(receivedShareName);

+var receivedAssetName = JsonDocument.Parse(receivedAssets.First()).RootElement.GetProperty("name").GetString();

+string assetMappingName = "receiver-asset-mapping";

+string receiverContainerName = "receivedcontainer";

+string receiverFolderName = "receivedfolder";

+string receiverMountPath = "receivedmountpath";

+string receiverStorageResourceId = "<RECEIVER_STORAGE_ACCOUNT_RESOURCE_ID>";

+var assetMappingData = new

+{

+ // For Adls Gen2 asset use "AdlsGen2Account"

+ kind = "BlobAccount",

+ properties = new

+ {

+ assetId = Guid.Parse(receivedAssetName),

+ storageAccountResourceId = receiverStorageResourceId,

+ containerName = receiverContainerName,

+ folder = receiverFolderName,

+ mountPath = receiverMountPath

+ }

+};

+var assetMappingsClient = new AssetMappingsClient(endPoint, credential);

+var assetMapping = await assetMappingsClient.CreateAsync(WaitUntil.Completed, receivedShareName, assetMappingName, RequestContent.Create(assetMappingData));

+```

+## Clean up resources

+To clean up the resources created for the quick start, follow the steps below:

+1. Within [Microsoft Purview governance portal](https://web.purview.azure.com/), [delete the sent share](how-to-share-data.md#delete-a-sent-share).

+1. Also [delete your received share](how-to-receive-share.md#delete-received-share).

+1. Once the shares are successfully deleted, delete the target container and folder Microsoft Purview created in your target storage account when you received shared data.

+## Next steps

+* [FAQ for data sharing](how-to-data-share-faq.md)

+* [How to share data](how-to-share-data.md)

+* [How to receive share](how-to-receive-share.md)

+* [REST API reference](/rest/api/purview/)

+1. Provide a suitable **Name** for the data source, select the relevant **Azure subscription**, existing **Data Lake Store account name** and the **collection** and select **Apply**. Leave the **Data Use Management** toggle on the **disabled** position until you have a chance to carefully go over this [document](./how-to-policies-data-owner-storage.md).

+* [Single storage account](./how-to-policies-data-owner-storage.md) - This guide will allow you to enable access policies on a single Azure Storage account in your subscription.

+* [All sources in a subscription or resource group](./how-to-policies-data-owner-resource-group.md) - This guide will allow you to enable access policies on all enabled and available sources in a resource group, or across an Azure subscription.

+1. Provide a suitable **Name** for the data source, select the relevant **Azure subscription**, existing **Azure Blob Storage account name** and the **collection** and select **Apply**. Leave the **Data Use Management** toggle on the **disabled** position until you have a chance to carefully go over this [document](./how-to-policies-data-owner-storage.md).

+* [Single storage account](./how-to-policies-data-owner-storage.md) - This guide will allow you to enable access policies on a single Azure Storage account in your subscription.

+* [All sources in a subscription or resource group](./how-to-policies-data-owner-resource-group.md) - This guide will allow you to enable access policies on all enabled and available sources in a resource group, or across an Azure subscription.

+| [Yes](#register) | [Yes](#scan) | [Yes](#scan) | [Yes](#scan)| [Yes](#scan)| [Yes](how-to-policies-data-owner-resource-group.md) | [Source Dependant](catalog-lineage-user-guide.md)| No |

+* [Single SQL account](./how-to-policies-data-owner-azure-sql-db.md) - This guide will allow you to enable access policies on a single Azure SQL Database account in your subscription.

+* [All data sources in a subscription or resource group](./how-to-policies-data-owner-resource-group.md) - This guide will allow you to enable access policies on all enabled and available sources in a resource group, or across an Azure subscription.

+[Policies](concept-policies-data-owner.md) in Microsoft Purview allow you to enable access to data sources that have been registered to a collection. This tutorial describes how a data owner can use Microsoft Purview to enable access to datasets in Azure Storage through Microsoft Purview.

+> [Concepts for Microsoft Purview data owner policies](./concept-policies-data-owner.md)

+> [Enable Microsoft Purview data owner policies on all data sources in a subscription or a resource group](./how-to-policies-data-owner-resource-group.md)

+ "transparencyWritesDepth": {"type" : "boolean" }

+1. Discover legacy authentication in your organization with Azure AD Sign-In logs and Log Analytic workbooks.

+1. If you have Azure AD Premium licenses, use Conditional Access policies to block legacy authentication. For Azure AD free tier, use Azure AD Security Defaults.

+1. Block legacy authentication if you use AD FS.

+1. Block Legacy Authentication with Exchange Server 2019.

+1. Disable legacy authentication in Exchange Online.

+For more information, see the article [Blocking legacy authentication protocols in Azure AD](../../active-directory/conditional-access/block-legacy-authentication.md).

+### Current versions

+| Service Fabric runtime |Can upgrade directly from|Can downgrade to*|Compatible SDK or NuGet package version|Supported .NET runtimes** |OS Version |End of support |

+| | | | | | | |

+### Current versions

+| Service Fabric runtime | Can upgrade directly from |Can downgrade to*|Compatible SDK or NuGet package version | Supported .NET runtimes** | OS version | End of support |

+| | | | | | | |

+| 9.0 CU2.1<br>9.0.1086.1 | 8.0 CU3<br>8.0.527.1 | 8.2 CU 5.1<br>8.2.1483.1 | Less than or equal to version 6.0 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | Current version |

+| 8.2 CU5.1<br>8.2.1483.1 | 8.0 CU3<br>8.0.527.1 | N/A | Less than or equal to version 5.2 | >= .NET Core 2.1 | [See supported OS version](#supported-linux-versions-and-support-end-date) | December 1, 2022 |

+| 8.2 CU5.1 | Not applicable | 8.2.1483.1 |

+Before you run a test failover, verify the VM properties, and make sure that the [VMware vSphere VM](vmware-physical-azure-support-matrix.md#replicated-machines) complies with Azure requirements.

+* VMware vSphere VMs running a Mobility service version older than 9.8.

+* VMware vSphere Linux VMs.

+* VMware vSphere VMs that don't have the DHCP service enabled.

+* VMware vSphere VMs that don't have the following boot drivers: storvsc, vmbus, storflt, intelide, atapi.

+> * Prepare an account on the vCenter Server to automate VM discovery.

+> * Prepare an account for automatic installation of the Mobility service on VMware vSphere VMs.

+> * Review VMware vCenter Server and VM requirements and support.

+1. To use a dedicated account, create a role at the vCenter Server level. Give the role a name such as

+3. Create a user on the vCenter Server. Assign the role to the user.

+The Mobility service must be installed on machines you want to replicate. Azure Site Recovery can do a push installation of this service when you enable replication for a machine, or you can install it manually, or using installation tools.

+- For this push installation, you need to prepare an account that Azure Site Recovery can use to access the VM. You specify this account

+- Prepare a domain or local account with permissions to install on the VM.

+## Check Azure VMware Solution requirements

+Make sure VMware vCenter Server and VMs comply with requirements.

+1. Verify Azure VMware Solution [software versions](../azure-vmware/concepts-private-clouds-clusters.md#vmware-software-versions).

+2. Verify [VMware vCenter Server requirements](vmware-physical-azure-support-matrix.md#on-premises-virtualization-servers).

+> * Set up the source replication settings, and an Azure Site Recovery configuration server in Azure VMware Solution private cloud

+> * Enable replication for a VMware vSphere VM.

+ - The tutorial uses an OVA template to create the configuration server VMware vSphere VM. If you can't do this for some reason, follow [these instructions](physical-manage-configuration-server.md) to set up the configuration server manually.

+All of these components are installed together on a single Azure VMware Solution machine that's known as the *configuration server*. By default, for Azure VMware Solution disaster recovery, we set up the configuration server as a highly available VMware vSphere VM. To do this, you download a prepared Open Virtualization Application (OVA) template, and import the template into VMware vCenter Server to create the VM.

+1. Sign in to the VMware vCenter Server with the VMware vSphere Client.

+ 

+After the configuration server is setup, you register it in the vault.

+5. Enter a name that's used to register the configuration server with Azure Site Recovery. Then select **Next**.

+### Configure settings and add the VMware vCenter Server

+5. In **Configure vCenter Server/vSphere ESXi server**, enter the FQDN or IP address of the vCenter Server, where the VMs you want to replicate are located. Enter the port on which the server is listening. Enter a friendly name to be used for the VMware vCenter Server in the vault.

+6. Enter user credentials to be used by the configuration server to connect to the VMware vCenter Server. Ensure that the user name and password are correct and is a part of the Administrators group of the virtual machine to be protected. Azure Site Recovery uses these credentials to automatically discover VMware vSphere VMs that are available for replication. Select **Add**, and then select **Continue**.

+After the configuration server is registered, Site Recovery connects to VMware vCenter Server by using the specified settings, and discovers VMs.

+2. Azure Site Recovery checks that you have one or more virtual networks. You should have these when you set up the Azure components in the [first tutorial](tutorial-prepare-azure.md) in this tutorial series.

+Note: In VMware vSphere-to-Azure scenario the crash-consistent snapshot is taken at 5 min interval.

+4. In **vCenter/vSphere Hypervisor**, select the vCenter Server that manages the host.

+7. If a vCenter Server manages the VMs to which you'll fail back, make sure that you have the required permissions. If you perform a read-only user vCenter Server discovery and protect virtual machines, protection succeeds, and failover works. However, during reprotection, failover is unsuccessful because the datastores can't be discovered, and aren't listed during reprotection. To resolve this problem, you can update the vCenter Server credentials with an [appropriate account/permissions](avs-tutorial-prepare-avs.md#prepare-an-account-for-automatic-discovery), and then retry the job.

+ - VMware vSphere VMs can't fail back to Hyper-V.

+ [  ](media/spring-cloud-access-app-vnet/create-dns-record.png#lightbox)

+ [ ](media/spring-cloud-resilience4j/resilience4J-0.png#lightbox)

+ [ ](media/spring-cloud-resilience4j/resilience4J-1.png#lightbox)

+ [ ](media/spring-cloud-resilience4j/resilience4J-2.png#lightbox)

+ [ ](media/spring-cloud-resilience4j/resilience4J-3.png#lightbox)

+ [ ](media/spring-cloud-resilience4j/resilience4J-4.png#lightbox)

+ [ ](media/spring-cloud-resilience4j/resilience4j-5.png#lightbox)

+ --artifact-path spring-petclinic-api-gateway/target/spring-petclinic-api-gateway-2.5.1.jar \

+ --artifact-path spring-petclinic-customers-service/target/spring-petclinic-customers-service-2.5.1.jar \

+This example prints the names of each file that is located in a directory named `my-directory`.

+When you deactivate a device, any data that was stored locally on the device is no longer accessible. Only the data associated with the device that was stored in the cloud can be recovered. When you deactivate a device, any data that was stored locally on the device is no longer accessible. Only the data associated with the device that was stored in the cloud can be recovered. After you have deactivated the device, if you would like to keep it, go to [Keep my StorSimple 8000 series appliance](storsimple-8000-migration-from-8000-options.md#q-what-happens-if-i-want-to-keep-my-storsimple-8000-series-appliancebeyond-the-end-of-life-date).

+* After you have deactivated the device, if you would like to keep it, go to [Keep my StorSimple 8000 series appliance](storsimple-8000-migration-from-8000-options.md#q-what-happens-if-i-want-to-keep-my-storsimple-8000-series-appliancebeyond-the-end-of-life-date).