+ Title: Check fleet metrics of Azure Active Directory Domain Services | Microsoft Docs

+description: Learn how to check fleet metrics of an Azure Active Directory Domain Services (Azure AD DS) managed domain.

+ms.assetid: 8999eec3-f9da-40b3-997a-7a2587911e96

+# Check fleet metrics of Azure Active Directory Domain Services

+Administrators can use Azure Monitor Metrics to configure a scope for Azure Active Directory Domain Services (Azure AD DS) and gain insights into how the service is performing.

+You can access Azure AD DS metrics from two places:

+- In Azure Monitor Metrics, click **New chart** > **Select a scope** and select the Azure AD DS instance:

+ :::image type="content" border="true" source="media/fleet-metrics/select.png" alt-text="Screenshot of how to select Azure AD DS for fleet metrics.":::

+- In Azure AD DS, under **Monitoring**, click **Metrics**:

+ :::image type="content" border="true" source="media/fleet-metrics/metrics-scope.png" alt-text="Screenshot of how to select Azure AD DS as scope in Azure Monitor Metrics.":::

+ The following screenshot shows how to select combined metrics for Total Processor Time and LDAP searches:

+ :::image type="content" border="true" source="media/fleet-metrics/combined-metrics.png" alt-text="Screenshot of combined metrics in Azure Monitor Metrics.":::

+ You can also view metrics for a fleet of Azure AD DS instances:

+ :::image type="content" border="true" source="media/fleet-metrics/metrics-instance.png" alt-text="Screenshot of how to select an Azure AD DS instance as the scope for fleet metrics.":::

+ The following screenshot shows combined metrics for Total Processor Time, DNS Queries, and LDAP searches by role instance:

+ :::image type="content" border="true" source="media/fleet-metrics/combined-metrics-instance.png" alt-text="Screenshot of combined metrics for an Azure AD DS instance.":::

+## Metrics definitions and descriptions

+You can select a metric for more details about the data collection.

+The following table describes the metrics that are available for Azure AD DS.

+| Metric | Description |

+|--|-|

+|DNS - Total Query Received/sec |The average number of queries received by DNS server in each second. It's backed by performance counter data from the domain controller, and can be filtered or split by role instance.|

+|Total Response Sent/sec |The average number of responses sent by DNS server in each second. It's backed by performance counter data from the domain controller, and can be filtered or split by role instance.|

+|NTDS - LDAP Successful Binds/sec|The number of LDAP successful binds per second for the NTDS object. It's backed by performance counter data from the domain controller, and can be filtered or split by role instance.|

+|% Committed Bytes In Use |The ratio of Memory\\\Committed Bytes to the Memory\\\Commit Limit. Committed memory is the physical memory in use for which space has been reserved in the paging file should it need to be written to disk. The commit limit is determined by the size of the paging file. If the paging file is enlarged, the commit limit increases, and the ratio is reduced. This counter displays the current percentage value only; it isn't an average. It's backed by performance counter data from the domain controller, and can be filtered or split by role instance.|

+|Total Processor Time |The percentage of elapsed time that the processor spends to execute a non-Idle thread. It's calculated by measuring the percentage of time that the processor spends executing the idle thread and then subtracting that value from 100%. (Each processor has an idle thread that consumes cycles when no other threads are ready to run). This counter is the primary indicator of processor activity, and displays the average percentage of busy time observed during the sample interval. It should be noted that the accounting calculation of whether the processor is idle is performed at an internal sampling interval of the system clock (10ms). On today's fast processors, % Processor Time can therefore underestimate the processor utilization as the processor may be spending much time servicing threads between the system clock sampling interval. Workload-based timer applications are one type application that is more likely to be measured inaccurately because timers are signaled just after the sample is taken. It's backed by performance counter data from the domain controller, and can be filtered or split by role instance.|

+|Kerberos Authentications |The number of times that clients use a ticket to authenticate to this computer per second. It's backed by performance counter data from the domain controller, and can be filtered or split by role instance.|

+|NTLM Authentications|The number of NTLM authentications processed per second for the Active Directory on this domain controller or for local accounts on this member server. It's backed by performance counter data from the domain controller, and can be filtered or split by role instance.|

+|% Processor Time (dns)|The percentage of elapsed time that all of dns process threads used the processor to execute instructions. An instruction is the basic unit of execution in a computer, a thread is the object that executes instructions, and a process is the object created when a program is run. Code executed to handle some hardware interrupts and trap conditions are included in this count. It's backed by performance counter data from the domain controller, and can be filtered or split by role instance.|

+|% Processor Time (lsass)|The percentage of elapsed time that all of lsass process threads used the processor to execute instructions. An instruction is the basic unit of execution in a computer, a thread is the object that executes instructions, and a process is the object created when a program is run. Code executed to handle some hardware interrupts and trap conditions are included in this count. It's backed by performance counter data from the domain controller, and can be filtered or split by role instance.|

+|NTDS - LDAP Searches/sec |The average number of searches per second for the NTDS object. It's backed by performance counter data from the domain controller, and can be filtered or split by role instance.|

+## Azure Monitor alert

+You can configure metric alerts for Azure AD DS to be notified of possible problems. Metric alerts are one type of alert for Azure Monitor. For more information about other types of alerts, see [What are Azure Monitor Alerts?](/azure/azure-monitor/alerts/alerts-overview).

+To view and manage Azure Monitor alert, a user needs to be assigned [Azure Monitor roles](/azure/azure-monitor/roles-permissions-security).

+

+In Azure Monitor or Azure AD DS Metrics, click **New alert** and configure an Azure AD DS instance as the scope. Then choose the metrics you want to measure from the list of available signals:

+ :::image type="content" border="true" source="media/fleet-metrics/available-alerts.png" alt-text="Screenshot of available alerts.":::

+The following screenshot shows how to define a metric alert with a threshold for **Total Processor Time**:

+You can also configure an alert notification, which can be email, SMS, or voice call:

+The following screenshot shows a metrics alert triggered for **Total Processor Time**:

+In this case, an email notification is sent after an alert activation:

+Another email notification is sent after deactivation of the alert:

+## Select multiple resources

+You can upvote to enable multiple resource selection to correlate data between resource types.

+## Next steps

+- [Check the health of an Azure Active Directory Domain Services managed domain](check-health.md)

+* Any supported AD DS domain or forest functional level can be used.

+ $domain = $env:USERDNSDOMAIN

+ $domain = $env:USERDNSDOMAIN

+ $domain = $env:USERDNSDOMAIN

+ > - Replace `administrator@contoso.onmicrosoft.com` in the following example with the UPN of a global administrator.

+ $domain = $env:USERDNSDOMAIN

+* Machines where the Azure AD Password Protection DC agent software will be installed can run any supported version of Windows Server, including Windows Server Core editions.

+ * The Active Directory domain or forest can be any supported functional level.

+For public preview, you need to enable password writeback in Azure AD Connect cloud sync by running `Set-AADCloudSyncPasswordWritebackConfiguration` on any server with the provisioning agent. You will need global administrator credentials:

+This article describes how to onboard a Microsoft Azure subscription or subscriptions on Permissions Management. Onboarding a subscription creates a new authorization system to represent the Azure subscription in Permissions Management.

+ - In the Permissions Management home page, select **Settings** (the gear icon, top right), and then select the **Data Collectors** subtab.

+This option allows subscriptions to be automatically detected and monitored without extra configuration.A key benefit of automatic management is that any current or future subscriptions found get onboarded automatically. Steps to detect list of subscriptions and onboard for collection:

+- Firstly, grant Reader role to Cloud Infrastructure Entitlement Management application at management group or subscription scope.

+1. In the EPM portal, left-click the cog on the top right-hand side.

+1. Navigate to data collectors tab

+1. Ensure 'Azure' is selected

+The steps listed on the screen outline how to create the role assignment for the Cloud Infrastructure Entitlements Management application. This can be performed manually in the Entra console, or programatically with PowerShell or the Azure CLI.

+Lastly, Click ΓÇÿVerify Now & SaveΓÇÖ

+To view status of onboarding after saving the configuration:

+1. In the EPM portal, click the cog on the top right-hand side.

+1. Ensure 'Azure' is selected

+- Firstly, grant Reader role to Cloud Infrastructure Entitlement Management application at management group or subscription scope.

+1. In the EPM portal, click the cog on the top right-hand side.

+1. Navigate to data collectors tab

+1. Ensure 'Azure' is selected

+1. Click ΓÇÿCreate ConfigurationΓÇÖ

+1. For onboarding mode, select ΓÇÿAutomatically ManageΓÇÖ

+The steps listed on the screen outline how to create the role assignment for the Cloud Infrastructure Entitlements Management application. You can do this manually in the Entra console, or programatically with PowerShell or the Azure CLI.

+Lastly, Click ΓÇÿVerify Now & SaveΓÇÖ

+To view status of onboarding after saving the configuration:

+Firstly, grant Viewer and Security Reviewer role to service account created in previous step at organization, folder or project scope.

+Once done, the steps are listed in the screen to do this manually in the GPC console, or programatically with the gcloud CLI.

+Once this has been configured, click next, then 'Verify Now & Save'.

+- Navigate to data collectors tab

+- Click on the status of the data collector

+- Firstly, grant Viewer and Security Reviewer role to service account created in previous step at organization, folder or project scope

+- Once done, the steps are listed in the screen to do this manually in the GPC console, or programatically with the gcloud CLI

+- Click Next

+- Click 'Verify Now & Save'

+- Navigate to newly create Data Collector row under GCP data collectors

+- To onboard and start collection, choose specific ones from the detected list and consent for collection

+Permissions Management has been designed in such a way that we recommended your organization sequentially 'step-through' each of the below phases in order to gain insights into permissions across the organization. This is because you generally cannot action what is yet to be discovered, likewise you cannot continually evaluate what is yet to be remediated.

+Once your organization has explored and implemented the discover, remediation and monitor phases, you have established one of the core pillars of a modern zero-trust security strategy.

+## Before you begin

+You'll need to have attributes populated on the users who will be in scope for being assigned access. The attributes you can use in the rules criteria of an access package assignment policy are those attributes listed in [supported properties](../enterprise-users/groups-dynamic-membership.md#supported-properties), along with [extension attributes and custom extension properties](../enterprise-users/groups-dynamic-membership.md#extension-properties-and-custom-extension-properties). These attributes can be brought into Azure AD from [Graph](/graph/api/resources/user?view=graph-rest-beta), an HR system such as [SuccessFactors](../app-provisioning/sap-successfactors-integration-reference.md), [Azure AD Connect cloud sync](../cloud-sync/how-to-attribute-mapping.md) or [Azure AD Connect sync](../hybrid/how-to-connect-sync-feature-directory-extensions.md).

+ > The rule builder might not be able to display some rules constructed in the text box, and validating a rule currently requires the you to be in the Global administrator role. For more information, see [rule builder in the Azure portal](/enterprise-users/groups-create-rule.md#rule-builder-in-the-azure-portal).

+- (Preview) Microsoft 365 or Azure AD Security Group owner of the group to be reviewed

+5. You can automatically delete the guest users Azure AD B2B accounts as part of an access review when you are configuring an Access review for **Select Team + Groups**. This option is not available for **All Microsoft 365 groups with guest users**.

+

+To do so, select **Auto apply results to resource** as this will automatically remove the user from the resource. **If reviewer don't respond** should be set to **Remove access** and **Action to apply on denied guest users** should also be set to **Block from signing in for 30 days then remove user from the tenant**.

+This will immediately block sign in to the guest user account and then automatically delete their Azure AD B2B account after 30 days.

+Identity Protection detects compromised credentials for Azure AD users. If your credential is detected as compromised, it means that someone else may have your password and be using it illegitimately. To prevent further risk to your account, it's important to securely reset your password so that the bad actor can no longer use your compromised password. Identity Protection marks accounts that may be compromised as "at risk."

+You can use your organizational credentials to sign-in to another organization as a guest. This process is referred to [business-to-business or B2B collaboration](../external-identities/what-is-b2b.md). Organizations can configure policies to block users from signing-in if their credentials are considered [at risk](concept-identity-protection-risks.md). If your account is at risk and you're blocked from signing-in to another organization as a guest, you may be able to self-remediate your account using the following steps. If your organization hasn't enabled self-service password reset, your administrator will need to manually remediate your account.

+If you're attempting to sign-in to another organization as a guest and are blocked due to risk, you'll see the following block message: "Your account is blocked. We've detected suspicious activity on your account."

+1. Go to the [Password reset portal](https://passwordreset.microsoftonline.com/) and initiate the password reset. If self-service password reset isn't enabled for your account and you can't proceed, reach out to your IT administrator with the information [below](#how-to-remediate-a-users-risk-as-an-administrator).

+2. If self-service password reset is enabled for your account, you'll be prompted to verify your identity using security methods prior to changing your password. For assistance, see the [Reset your work or school password](https://support.microsoft.com/account-billing/reset-your-work-or-school-password-using-security-info-23dde81f-08bb-4776-ba72-e6b72b9dda9e) article.

+If after resetting your password you're still blocked as a guest due to risk, reach out to your organization's IT administrator.

+Identity Protection automatically detects risky users for Azure AD tenants. If you haven't previously checked the Identity Protection reports, there may be a large number of users with risk. Since resource tenants can apply user risk policies to guest users, your users can be blocked due to risk even if they were previously unaware of their risky state. If your user reports they've been blocked as a guest user in another tenant due to risk, it's important to remediate the user to protect their account and enable collaboration.

+From the [Risky users report](https://portal.azure.com/#blade/Microsoft_AAD_IAM/SecurityMenuBlade/RiskyUsers) in the Azure AD Security menu, search for the impacted user using the 'User' filter. Select the impacted user in the report and select "Reset password" in the top toolbar. The user will be assigned a temporary password that must be changed on the next sign-in. This process will remediate their user risk and bring their credentials back to a safe state.

+If password reset isn't an option for you from the Azure AD portal, you can choose to manually dismiss user risk. Dismissing user risk doesn't have any impact on the user's existing password, but this process will change the user's Risk State from At Risk to Dismissed. It's important that you change the user's password using whatever means are available to you in order to bring the identity back to a safe state.

+To dismiss user risk, go to the [Risky users report](https://portal.azure.com/#blade/Microsoft_AAD_IAM/SecurityMenuBlade/RiskyUsers) in the Azure AD Security menu. Search for the impacted user using the 'User' filter and select the user. Select the "dismiss user risk" option from the top toolbar. This action may take a few minutes to complete and update the user risk state in the report.

+- Administrators can configure the built-in Identity Protection risk-based policies, that apply to all apps, and include guest users.

+- Administrators can configure their Conditional Access policies, using sign-in risk as a condition, and includes guest users.

+There are limitations in the implementation of Identity Protection for B2B collaboration users in a resource directory, due to their identity existing in their home directory. The main limitations are as follows:

+The risk evaluation and remediation for B2B users occurs in their home directory. Due to this fact, the guest users don't appear in the risky users report in the resource directory and admins in the resource directory can't force a secure password reset for these users.

+If a risky B2B user in your directory is blocked by your risk-based policy, the user will need to remediate that risk in their home directory. Users can remediate their risk by performing a secure password reset in their home directory [as outlined above](#how-to-unblock-your-account). If they don't have self-service password reset enabled in their home directory, they'll need to contact their own organization's IT Staff to have an administrator manually dismiss their risk or reset their password.

+Identity Protection can help organizations roll out Azure AD Multifactor Authentication (MFA) using a Conditional Access policy requiring registration at sign-in. Enabling this policy is a great way to ensure new users in your organization have registered for MFA on their first day. Multifactor authentication is one of the self-remediation methods for risk events within Identity Protection. Self-remediation allows your users to take action on their own to reduce helpdesk call volume.

+More information about Azure AD Multifactor Authentication can be found in the article, [How it works: Azure AD Multifactor Authentication](../authentication/concept-mfa-howitworks.md).

+Identity Protection analyzes signals from each sign-in, both real-time and offline, and calculates a risk score based on the probability that the sign-in wasn't really the user. Administrators can make a decision based on this risk score signal to enforce organizational requirements like:

+- Block access

+- Allow access

+- Require multifactor authentication

+If risk is detected, users can perform multifactor authentication to self-remediate and close the risky sign-in event to prevent unnecessary noise for administrators.

+> Users must have previously registered for Azure AD Multifactor Authentication before triggering the sign-in risk policy.

+- [Enable Azure AD Multifactor Authentication](../authentication/howto-mfa-getstarted.md)

+- [Enable Azure AD Multifactor Authentication registration policy](howto-identity-protection-configure-mfa-policy.md)

+You can find the security overview page in the **Azure portal** > **Azure Active Directory** > **Security** > **Identity Protection** > **Overview**.

+This chart shows the number of new risky users that were detected over the chosen time period. You can filter the view of this chart by user risk level (low, medium, high). Hover over the UTC date increments to see the number of risky users detected for that day. Selecting this chart will bring you to the ΓÇÿRisky usersΓÇÖ report. To remediate users that are at risk, consider changing their password.

+This chart shows the number of risky sign-ins detected over the chosen time period. You can filter the view of this chart by the sign-in risk type (real-time or aggregate) and the sign-in risk level (low, medium, high). Unprotected sign-ins are successful real-time risk sign-ins that weren't MFA challenged. (Note: Sign-ins that are risky because of offline detections can't be protected in real-time by sign-in risk policies). Hover over the UTC date increments to see the number of sign-ins detected at risk for that day. Selecting this chart will bring you to the ΓÇÿRisky sign-insΓÇÖ report.

+The ΓÇÿHigh risk usersΓÇÖ tile shows the latest count of users with high probability of identity compromise. These users should be a top priority for investigation. Selecting the ΓÇÿHigh risk usersΓÇÖ tile will redirect to a filtered view of the ΓÇÿRisky usersΓÇÖ report showing only users with a risk level of high. Using this report, you can learn more and remediate these users with a password reset.

+The ΓÇÿMedium risk usersΓÇÖ tile shows the latest count of users with medium probability of identity compromise. Selecting the ΓÇÿMedium risk usersΓÇÖ tile will take you to a view of the ΓÇÿRisky usersΓÇÖ report showing only users with a risk level of medium. Using this report, you can further investigate and remediate these users.

+The ΓÇÿUnprotected risky sign-ins' tile shows the last weekΓÇÖs count of successful, real-time risky sign-ins that weren't blocked or MFA challenged by a Conditional Access policy, Identity Protection risk policy, or per-user MFA. These successful sign-ins are potentially compromised and not challenged for MFA. To protect such sign-ins in future, apply a sign-in risk policy. Selecting the ΓÇÿUnprotected risky sign-ins' tile will take you to the sign-in risk policy configuration blade where you can configure the sign-in risk policy.

+The ΓÇÿLegacy authenticationΓÇÖ tile shows the last weekΓÇÖs count of legacy authentications with risk present in your organization. Legacy authentication protocols don't support modern security methods such as an MFA. To prevent legacy authentication, you can apply a Conditional Access policy. Selecting the ΓÇÿLegacy authenticationΓÇÖ tile will redirect you to the ΓÇÿIdentity Secure ScoreΓÇÖ.

+The Identity Secure Score measures and compares your security posture to industry patterns. If you select the **Identity Secure Score** tile, it will redirect to [Identity Secure Score](../fundamentals/identity-secure-score.md) where you can learn more about improving your security posture.

+description: Learn how to configure the Azure AD Identity Protection multifactor authentication registration policy.

+# How To: Configure the Azure AD Multifactor Authentication registration policy

+Azure Active Directory (Azure AD) Identity Protection helps you manage the roll-out of Azure AD Multifactor Authentication (MFA) registration by configuring a Conditional Access policy to require MFA registration no matter what modern authentication app you're signing in to.

+## What is the Azure AD Multifactor Authentication registration policy?

+Azure AD Multifactor Authentication provides a means to verify who you are using more than just a username and password. It provides a second layer of security to user sign-ins. In order for users to be able to respond to MFA prompts, they must first register for Azure AD Multifactor Authentication.

+We recommend that you require Azure AD Multifactor Authentication for user sign-ins because it:

+For more information on Azure AD Multifactor Authentication, see [What is Azure AD Multifactor Authentication?](../authentication/howto-mfa-getstarted.md)

+1. **Enforce Policy** - **On**

+1. **Save**

+Azure AD Identity Protection will prompt your users to register the next time they sign in interactively and they'll have 14 days to complete registration. During this 14-day period, they can bypass registration if MFA isn't required as a condition, but at the end of the period they'll be required to register before they can complete the sign-in process.

+- [Enable Azure AD Multifactor Authentication](../authentication/howto-mfa-getstarted.md)

+1. Under **Assignments**, select **Users or workload identities**.

+1. Under **Assignments**, select **Users or workload identities**.

+description: Query Microsoft Graph risk detections and associated information from Azure Active Directory

+1. [Create a certificate](#create-a-certificate)

+1. [Create a new app registration](#create-a-new-app-registration)

+1. [Configure API permissions](#configure-api-permissions)

+1. [Configure a valid credential](#configure-a-valid-credential)

+In a production environment you would use a certificate from your production Certificate Authority, but in this sample we'll use a self-signed certificate. Create and export the certificate using the following PowerShell commands.

+1. Take note of the **Application (client) ID** and **Directory (tenant) ID** as you'll need these items later.

+1. Take note of the **Thumbprint** of the certificate as you'll need this information in the next step.

+* Sign-in risk represents the probability a sign-in is compromised (for example, the sign-in isn't authorized by the identity owner).

+| **Sign-in not compromised (False positive)** <br> ΓÇÿRisky sign-insΓÇÖ report shows an at-risk sign-in [Risk state = At risk] but that sign-in wasn't compromised. | Select the sign-in and then ΓÇÿConfirm sign-in safeΓÇÖ. | Azure AD will move the sign-inΓÇÖs aggregate risk to none [Risk state = Confirmed safe; Risk level (Aggregate) = -] and will reverse its impact on the user risk. | Currently, the ΓÇÿConfirm sign-in safeΓÇÖ option is only available in ΓÇÿRisky sign-insΓÇÖ report. |

+| **Sign-in compromised (True positive)** <br> ΓÇÿRisky sign-insΓÇÖ report shows an at-risk sign-in [Risk state = At risk] with low risk [Risk level (Aggregate) = Low] and that sign-in was indeed compromised. | Select the sign-in and then ΓÇÿConfirm sign-in compromisedΓÇÖ. | Azure AD will move the sign-inΓÇÖs aggregate risk and the user risk to High [Risk state = Confirmed compromised; Risk level = High]. | Currently, the ΓÇÿConfirm sign-in compromisedΓÇÖ option is only available in ΓÇÿRisky sign-insΓÇÖ report. |

+| **User compromised (True positive)** <br> ΓÇÿRisky usersΓÇÖ report shows an at-risk user [Risk state = At risk] with low risk [Risk level = Low] and that user was indeed compromised. | Select the user and then ΓÇÿConfirm user compromisedΓÇÖ. | Azure AD will move the user risk to High [Risk state = Confirmed compromised; Risk level = High] and will add a new detection ΓÇÿAdmin confirmed user compromisedΓÇÖ. | Currently, the ΓÇÿConfirm user compromisedΓÇÖ option is only available in ΓÇÿRisky usersΓÇÖ report. <br> The detection ΓÇÿAdmin confirmed user compromisedΓÇÖ is shown in the tab ΓÇÿRisk detections not linked to a sign-inΓÇÖ in the ΓÇÿRisky usersΓÇÖ report. |

+| **User remediated outside of Azure AD Identity Protection (True positive + Remediated)** <br> ΓÇÿRisky usersΓÇÖ report shows an at-risk user and I've then remediated the user outside of Azure AD Identity Protection. | 1. Select the user and then ΓÇÿConfirm user compromisedΓÇÖ. (This process confirms to Azure AD that the user was indeed compromised.) <br> 2. Wait for the userΓÇÖs ΓÇÿRisk levelΓÇÖ to go to High. (This time gives Azure AD the needed time to take the above feedback to the risk engine.) <br> 3. Select the user and then ΓÇÿDismiss user riskΓÇÖ. (This process confirms to Azure AD that the user is no longer compromised.) | Azure AD moves the user risk to none [Risk state = Dismissed; Risk level = -] and closes the risk on all existing sign-ins having active risk. | Clicking ΓÇÿDismiss user riskΓÇÖ will close all risk on the user and past sign-ins. This action can't be undone. |

+| **User not compromised (False positive)** <br> ΓÇÿRisky usersΓÇÖ report shows at at-risk user but the user isn't compromised. | Select the user and then ΓÇÿDismiss user riskΓÇÖ. (This process confirms to Azure AD that the user isn't compromised.) | Azure AD moves the user risk to none [Risk state = Dismissed; Risk level = -]. | Clicking ΓÇÿDismiss user riskΓÇÖ will close all risk on the user and past sign-ins. This action can't be undone. |

+| I want to close the user risk but I'm not sure whether the user is compromised / safe. | Select the user and then ΓÇÿDismiss user riskΓÇÖ. (This process confirms to Azure AD that the user is no longer compromised.) | Azure AD moves the user risk to none [Risk state = Dismissed; Risk level = -]. | Clicking ΓÇÿDismiss user riskΓÇÖ will close all risk on the user and past sign-ins. This action can't be undone. We recommend you remediate the user by clicking on ΓÇÿReset passwordΓÇÖ or request the user to securely reset/change their credentials. |

+Other risk detections can't be simulated in a secure manner.

+- A test account that isn't yet registered for Azure AD Multi-Factor Authentication.

+To simulate unfamiliar locations, you have to sign in from a location and device your test account hasn't signed in from before.

+Simulating the atypical travel condition is difficult because the algorithm uses machine learning to weed out false-positives such as atypical travel from familiar devices, or sign-ins from VPNs that are used by other users in the directory. Additionally, the algorithm requires a sign-in history of 14 days and 10 logins of the user before it begins generating risk detections. Because of the complex machine learning models and above rules, there's a chance that the following steps won't lead to a risk detection. You might want to replicate these steps for multiple Azure AD accounts to simulate this detection.

+3. Select **New registration** to register a new application or reuse an existing stale application.

+4. Select **Certificates & Secrets** > **New client Secret** , add a description of your client secret and set an expiration for the secret or specify a custom lifetime and select **Add**. Record the secret's value for later use for your GitHub Commit.

+7. In about 8 hours, you'll be able to view a leaked credential detection under **Azure Active Directory** > **Security** > **Risk Detection** > **Workload identity detections** where the additional info will contain the URL of your GitHub commit.

+To test a sign-in risk policy, perform the following steps:

+1. Select **Assignments**.

+ >[!NOTE]

+ > Approver doesn't have to be member of the group, owner of the group or have Azure AD role assigned.

+ >[!NOTE]

+ > Approver doesn't have to have any Azure or Azure AD role assigned.

+1. Log in to Ideagen. Click on the **Administration** icon to show the left hand side menu.

+Data skew can cause unnecessary data movement or resource bottlenecks when you run your workload. Advisor detects distribution data skew of greater than 15%. It recommends that you redistribute your data and revisit your table distribution key selections. To learn more about identifying and removing skew, see [troubleshooting skew](../synapse-analytics/sql-data-warehouse/sql-data-warehouse-tables-distribute.md#how-to-tell-if-your-distribution-is-a-good-choice).

+2. On the Advisor dashboard, select the **Performance** tab.

+ * [Network policies](use-network-policies.md#differences-between-azure-npm-and-calico-network-policy-and-their-capabilities)

+This article shows you how to install the Network Policy engine and create Kubernetes network policies to control the flow of traffic between pods in AKS. Network Policy could be used for Linux-based or Windows-based nodes and pods in AKS.

+## Overview of Network Policy

+Network Policy is a Kubernetes specification that defines access policies for communication between Pods. Using network policies, you define an ordered set of rules to send and receive traffic and apply them to a collection of pods that match one or more label selectors.

+These Network Policy rules are defined as YAML manifests. Network policies can be included as part of a wider manifest that also creates a deployment or service.

+## Network policy options in AKS

+Azure provides two ways to implement Network Policy. You choose a Network Policy option when you create an AKS cluster. The policy option can't be changed after the cluster is created:

+* Azure's own implementation, called *Azure Network Policy Manager (NPM)*.

+Azure NPM for Linux uses Linux *IPTables* and Azure NPM for Windows uses *Host Network Service (HNS) ACLPolicies* to enforce the specified policies. Policies are translated into sets of allowed and disallowed IP pairs. These pairs are then programmed as IPTable/HNS ACLPolicy filter rules.

+## Differences between Azure NPM and Calico Network Policy and their capabilities

+| Capability | Azure NPM | Calico Network Policy |

+| Supported platforms | Linux, Windows Server 2022 | Linux, Windows Server 2019 and 2022 |

+| Logging | Logs available with **kubectl log -n kube-system <network-policy-pod>** command | For more information, see [Calico component logs][calico-logs] |

+## Limitations:

+Azure Network Policy Manager(NPM) does not support IPv6. Otherwise, Azure NPM fully supports the network policy spec in Linux.

+* In Windows, Azure NPM does not support the following:

+ * named ports

+ * SCTP protocol

+ * negative match label or namespace selectors (e.g. all labels except "debug=true")

+ * "except" CIDR blocks (a CIDR with exceptions)

+>[!NOTE]

+> * Azure NPM pod logs will record an error if an unsupported policy is created.

+## Create an AKS cluster and enable Network Policy

+To see network policies in action, let's create an AKS cluster that supports network policy and then work on adding policies.

+To use Azure NPM, you must use the [Azure CNI plug-in][azure-cni]. Calico Network Policy could be used with either this same Azure CNI plug-in or with the Kubenet CNI plug-in.

+* Creates an AKS cluster with system-assigned identity and enables Network Policy.

+ * The _Azure NPM_ option is used. To use Calico as the Network Policy option instead, use the `--network-policy calico` parameter. Note: Calico could be used with either `--network-plugin azure` or `--network-plugin kubenet`.

+### Create an AKS cluster with Azure NPM enabled - Linux only

+In this section, we will work on creating a cluster with Linux node pools and Azure NPM enabled.

+To begin, you should replace the values for *$RESOURCE_GROUP_NAME* and *$CLUSTER_NAME* variables.

+$RESOURCE_GROUP_NAME=myResourceGroup-NP

+$CLUSTER_NAME=myAKSCluster

+$LOCATION=canadaeast

+```

+Create the AKS cluster and specify *azure* for the `network-plugin` and `network-policy`.

+Use the following command to create a cluster:

+### Create an AKS cluster with Azure NPM enabled - Windows Server 2022 (Preview)

+In this section, we will work on creating a cluster with Windows node pools and Azure NPM enabled.

+Please execute the following commands prior to creating a cluster:

+```azurecli

+ az extension add --name aks-preview

+ az extension update --name aks-preview

+ az feature register --namespace Microsoft.ContainerService --name AKSWindows2022Preview

+ az feature register --namespace Microsoft.ContainerService --name WindowsNetworkPolicyPreview

+ az provider register -n Microsoft.ContainerService

+```

+> [!NOTE]

+> At this time, Azure NPM with Windows nodes is available on Windows Server 2022 only

+Now, you should replace the values for *$RESOURCE_GROUP_NAME*, *$CLUSTER_NAME* and *$WINDOWS_USERNAME* variables.

+```azurecli-interactive

+$RESOURCE_GROUP_NAME=myResourceGroup-NP

+$CLUSTER_NAME=myAKSCluster

+$WINDOWS_USERNAME=myWindowsUserName

+$LOCATION=canadaeast

+```

+Create a username to use as administrator credentials for your Windows Server containers on your cluster. The following command prompts you for a username. Set it to `$WINDOWS_USERNAME`(remember that the commands in this article are entered into a BASH shell).

+Use the following command to create a cluster :

+ --network-policy azure

+### Create an AKS cluster for Calico network policies

+Create the AKS cluster and specify *azure* for the network plugin, and *calico* for the Network Policy. Using *calico* as the Network Policy enables Calico networking on both Linux and Windows node pools.

+If you plan on adding Windows node pools to your cluster, include the `windows-admin-username` and `windows-admin-password` parameters with that meet the [Windows Server password requirements][windows-server-password].

+> [!IMPORTANT]

+> At this time, using Calico network policies with Windows nodes is available on new clusters using Kubernetes version 1.20 or later with Calico 3.17.2 and requires using Azure CNI networking. Windows nodes on AKS clusters with Calico enabled also have [Direct Server Return (DSR)][dsr] enabled by default.

+>

+> For clusters with only Linux node pools running Kubernetes 1.20 with earlier versions of Calico, the Calico version will automatically be upgraded to 3.17.2.

+Create a username to use as administrator credentials for your Windows Server containers on your cluster. The following command prompts you for a username. Set it to `$WINDOWS_USERNAME`(remember that the commands in this article are entered into a BASH shell).

+```azurecli-interactive

+echo "Please enter the username to use as administrator credentials for Windows Server containers on your cluster: " && read WINDOWS_USERNAME

+```azurecli

+az aks create \

+ --resource-group $RESOURCE_GROUP_NAME \

+ --name $CLUSTER_NAME \

+ --node-count 1 \

+ --windows-admin-username $WINDOWS_USERNAME \

+ --network-plugin azure \

+ --network-policy calico

+It takes a few minutes to create the cluster. By default, your cluster is created with only a Linux node pool. If you would like to use Windows node pools, you can add one. For example:

+```azurecli

+az aks nodepool add \

+ --resource-group $RESOURCE_GROUP_NAME \

+ --cluster-name $CLUSTER_NAME \

+ --os-type Windows \

+ --name npwin \

+ --node-count 1

+## Verify Network Policy setup

+When the cluster is ready, configure `kubectl` to connect to your Kubernetes cluster by using the [az aks get-credentials][az-aks-get-credentials] command. This command downloads credentials and configures the Kubernetes CLI to use them:

+```azurecli-interactive

+az aks get-credentials --resource-group $RESOURCE_GROUP_NAME --name $CLUSTER_NAME

+To begin verification of Network Policy, we will create a sample application and set traffic rules.

+Firstly, let's create a namespace called *demo* to run the example pods:

+kubectl create namespace demo

+We will now create two pods in the cluster named *client* and *server*.

+>[!NOTE]

+> If you want to schedule the *client* or *server* on a particular node, add the following bit before the *--command* argument in the pod creation [kubectl run][kubectl-run] command:

+> ```console

+>--overrides='{"spec": { "nodeSelector": {"kubernetes.io/os": "linux|windows"}}}'

+Create a *server* pod. This pod will serve on TCP port 80:

+kubectl run server -n demo --image=k8s.gcr.io/e2e-test-images/agnhost:2.33 --labels="app=server" --port=80 --command -- /agnhost serve-hostname --tcp --http=false --port "80"

+Create a *client* pod. The below command will run bash on the client pod:

+kubectl run -it client -n demo --image=k8s.gcr.io/e2e-test-images/agnhost:2.33 --command -- bash

+Now, in a separate window, run the following command to get the server IP:

+kubectl get pod --output=wide

+The output should look like:

+NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES

+server 1/1 Running 0 30s 10.224.0.72 akswin22000001 <none> <none>

+### Test Connectivity without Network Policy

+In the client's shell, verify connectivity with the server by executing the following command. Replace *server-ip* by IP found in the output from executing previous command. There will be no output if the connection is successful:

+/agnhost connect <server-ip>:80 --timeout=3s --protocol=tcp

+### Test Connectivity with Network Policy

+Create a file named demo-policy.yaml and paste the following YAML manifest to add network policies:

+kind: NetworkPolicy

+ name: demo-policy

+ namespace: demo

+ app: server

+ - podSelector:

+ app: client

+ ports:

+ - port: 80

+ protocol: TCP

+Specify the name of your YAML manifest and apply it using [kubectl apply][kubectl-apply]:

+kubectl apply ΓÇôf demo-policy.yaml

+Now, in the client's shell, verify connectivity with the server by executing the following `/agnhost` command:

+/agnhost connect <server-ip>:80 --timeout=3s --protocol=tcp

+Connectivity with traffic will be blocked since the server is labeled with app=server, but the client is not labeled. The connect command above will yield this output:

+TIMEOUT

+Run the following command to label the *client* and verify connectivity with the server (output should return nothing).

+kubectl label pod client -n demo app=client

+In this article, we created a namespace and two pods and applied a Network Policy. To clean up these resources, use the [kubectl delete][kubectl-delete] command and specify the resource name:

+kubectl delete namespace demo

+[kubectl-run]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#run

+> Backend entities can be managed via [Azure portal](how-to-configure-service-fabric-backend.md), management [API](/rest/api/apimanagement), and [PowerShell](https://www.powershellgallery.com/packages?q=apimanagement). Currently, if you define a base `set-backend-service` policy using the `backend-id` attribute and inherit the base policy using `<base />` within the scope, then it can be only overridden with a policy using the `backend-id` attribute, not the `base-url` attribute.

+>**Note**: This article contains current instructions on deploying a Python web app using Azure App Service. Python on Windows is no longer supported.

+ New-AzConnectedMachineExtension -ResourceGroupName $resourceGroup -Location $location -MachineName $machineName -Name "KeyVaultForWindows or KeyVaultforLinux" -Publisher "Microsoft.Azure.KeyVault" -ExtensionType "KeyVaultforWindows or KeyVaultforLinux" -Setting $settings

+|Azure Automation Hybrid Runbook Worker extension (preview) |Microsoft.Compute | HybridWorkerForWindows|

+|Azure Automation Hybrid Runbook Worker extension (preview) | Microsoft.Compute | HybridWorkerForLinux|

+- App teams and administrators can install extensions such as the Log Analytics agent, Custom Script Extension, Dependency Agent, and Azure Automation Hybrid Runbook Worker extension on the virtual machines and do operations supported by the extensions.

+ ## Post-recovery considerations

+When it comes to building use cases around post-recovery scenarios, here are couple of considerations on what application might want do to get its remote collaborators all working on the same container again.

+If you are modeling your application data solely using fluid containers, the communication ΓÇ£linkΓÇ¥ is effectively broken when the container is corrupted. Similar real-world example may be video-call where the original author has shared the link with participants and that link is not working any more. With that perspective in mind, one option is to limit recovery permissions to original author and let them share new container link in the same way they shared original link, after recovering the copy of the original container.

+Alternatively, if you are using fluid framework for transient data only, you can always use your own source-of-truth data and supporting services to manage more autonomous recovery workflows. For example, multiple clients may kick off the recovery process until your app has a first recovered copy. Your app can then notify all participating clients to transition to a new container. This can be useful as any currently active client can unblock the participating group to proceed with collaboration. One consideration here is the incurred costs of redundancy.

+By default, this article shows you how to create C# functions that run on .NET 6 [in the same process as the Functions host](functions-dotnet-class-library.md). These _in-process_ C# functions are only supported on Long Term Support (LTS) versions of .NET, such as .NET 6. To create C# functions on .NET 6 that can also run on .NET 5.0 and .NET Framework 4.8 (in preview) [in an isolated process](dotnet-isolated-process-guide.md), see the [alternate version of this article](create-first-function-vs-code-csharp.md?tabs=isolated-process).

+To test locally, read [Local testing with viewer web app](../event-grid-how-tos.md#local-testing-with-viewer-web-app). You can also use the *ngrok* utility as shown in [this tutorial](../functions-event-grid-blob-trigger.md#start-local-debugging).

+## Event subscriptions

+To start receiving Event Grid HTTP requests, you need a subscription to events raised by Event Grid. Event subscriptions specify the endpoint URL that invokes the function. When you create an event subscription from your function's **Integration** tab in the [Azure portal](https://portal.azure.com), the URL is supplied for you. When you programmatically create an event subscription or when you create the event subscription from Event Grid, you'll need to provide the endpoint. The endpoint URL contains a system key, which you must obtain from Functions administrator REST APIs.

+### Webhook endpoint URL

+The URL endpoint for your Event Grid triggered function depends on the version of the Functions runtime. The following example shows the version-specific URL pattern:

+### System key

+The URL endpoint you construct includes the system key value. The system key is an authorization key that has to be included in the endpoint URL for an Event Grid trigger. The following section explains how to get the system key.

+This REST API is an administrator API, so it requires your function app [master key](functions-bindings-http-webhook-trigger.md#authorization-keys). Don't confuse the system key (for invoking an Event Grid trigger function) with the master key (for performing administrative tasks on the function app). When you subscribe to an Event Grid topic, be sure to use the system key.

+### <a name="create-a-subscription"></a>Create an event subscription

+You can create an event subscription either from the [Azure portal](https://portal.azure.com) or by using the Azure CLI.

+# [Portal](#tab/portal)

+For functions that you develop in the Azure portal with the Event Grid trigger, select **Integration** then choose the **Event Grid Trigger** and select **Create Event Grid subscription**.

+When you select this link, the portal opens the **Create Event Subscription** page with the current trigger endpoint already defined.

+For more information about how to create subscriptions by using the Azure portal, see [Create custom event - Azure portal](../event-grid/custom-event-quickstart-portal.md) in the Event Grid documentation.

+# [Azure CLI](#tab/azure-cli)

+To create a subscription by using [the Azure CLI](/cli/azure/get-started-with-azure-cli), use the [`az eventgrid event-subscription create`](/cli/azure/eventgrid/event-subscription#az-eventgrid-event-subscription-create) command. Examples use the v2.x+ version of the URL and are written to run in [Azure Cloud Shell](../cloud-shell/overview.md). You'll need to modify the examples to run from a Windows command prompt.

+This example creates a subscription to a blob storage account, with a placeholder for the [system key](#system-key):

+```azurecli-interactive

+az eventgrid resource event-subscription create -g myResourceGroup \

+ --provider-namespace Microsoft.Storage --resource-type storageAccounts \

+ --resource-name myblobstorage12345 --name myFuncSub \

+ --included-event-types Microsoft.Storage.BlobCreated \

+ --subject-begins-with /blobServices/default/containers/images/blobs/ \

+ --endpoint https://mystoragetriggeredfunction.azurewebsites.net/runtime/webhooks/eventgrid?functionName=imageresizefunc&code=<key>

+```

+For more information about how to create a subscription, see [the blob storage quickstart](../storage/blobs/storage-blob-event-quickstart.md#subscribe-to-your-storage-account) or the other Event Grid quickstarts.

+When you're done testing, you can use the same subscription for production by updating the endpoint. Use the [`az eventgrid event-subscription update`](/cli/azure/eventgrid/event-subscription#az-eventgrid-event-subscription-update) Azure CLI command.

+You can also use the *ngrok* utility to forward remote requests to your locally running functions. For more information, see [this tutorial](./functions-event-grid-blob-trigger.md#start-local-debugging).

+Use the function trigger to respond to an event sent by an [Event Grid source](../event-grid/overview.md). You must have an event subscription to the source to receive events. To learn how to create an event subscription, see [Create a subscription](event-grid-how-tos.md#create-a-subscription). For information on binding setup and configuration, see the [overview](./functions-bindings-event-grid.md).

+In the [Java functions runtime library](/java/api/overview/azure/functions/runtime), use the `EventGridTrigger` annotation on parameters whose value would come from Event Grid. Parameters with these annotations cause the function to run when an event arrives. This annotation can be used with native Java types, POJOs, or nullable values using `Optional<T>`.

+> Even though host.json supports custom ranges for `version`, you should use a version value from this table.

+There are several ways to execute your function code based on changes to blobs in a storage container. Use the following table to determine which function trigger best fits your needs:

+| | Blob Storage (standard) | Blob Storage (event-based) | Queue Storage | Event Grid |

+| -- | -- | -- | -- | - |

+| Latency | High (up to 10 min) | Low | Medium | Low |

+| [Storage account](../storage/common/storage-account-overview.md#types-of-storage-accounts) limitations | Blob-only accounts not supported┬╣ | general purpose v1 not supported | none | general purpose v1 not supported |

+| Extension version |Any | Storage v5.x+ |Any |Any |

+| Processes existing blobs | Yes | No | No | No |

+| Filters | [Blob name pattern](#blob-name-patterns) | [Event filters](../storage/blobs/storage-blob-event-overview.md#filtering-events) | n/a | [Event filters](../storage/blobs/storage-blob-event-overview.md#filtering-events) |

+| Requires [event subscription](../event-grid/concepts.md#event-subscriptions) | No | Yes | No | Yes |

+| Supports high-scale┬▓ | No | Yes | Yes | Yes |

+| Description | Default trigger behavior, which relies on polling the container for updates. For more information, see the [examples in this article](#example). | Consumes blob storage events from an event subscription. Requires a `Source` parameter value of `EventGrid`. For more information, see [Tutorial: Trigger Azure Functions on blob containers using an event subscription](./functions-event-grid-blob-trigger.md). | Blob name string is manually added to a storage queue when a blob is added to the container. This value is passed directly by a Queue Storage trigger to a Blob Storage input binding on the same function. | Provides the flexibility of triggering on events besides those coming from a storage container. Use when need to also have non-storage events trigger your function. For more information, see [How to work with Event Grid triggers and bindings in Azure Functions](event-grid-how-tos.md). |

+┬╣Blob Storage input and output bindings support blob-only accounts.

+┬▓High scale can be loosely defined as containers that have more than 100,000 blobs in them or storage accounts that have more than 100 blob updates per second.

+For information on setup and configuration details, see the [overview](./functions-bindings-storage-blob.md).

+## Polling and latency

+Polling works as a hybrid between inspecting logs and running periodic container scans. Blobs are scanned in groups of 10,000 at a time with a continuation token used between intervals. If your function app is on the Consumption plan, there can be up to a 10-minute delay in processing new blobs if a function app has gone idle.

+> [Storage logs are created on a "best effort"](/rest/api/storageservices/About-Storage-Analytics-Logging) basis. There's no guarantee that all events are captured. Under some conditions, logs may be missed.

+If you require faster or more reliable blob processing, you should instead implement one of the following strategies:

+ + Add the `source` parameter with a value of `EventGrid` to your binding definition and create an event subscription on the same container. For more information, see [Tutorial: Trigger Azure Functions on blob containers using an event subscription](./functions-event-grid-blob-trigger.md).

+ + Replace the Blob Storage trigger with an [Event Grid trigger](functions-bindings-event-grid-trigger.md) using an event subscription on the same container. For more information, see the [Image resize with Event Grid](../event-grid/resize-images-on-storage-blob-upload-event.md) tutorial.

+ | Select an OS. | Choose either Linux or Windows. Python apps must run on Linux. |

+ Title: 'Tutorial: Trigger Azure Functions on blob containers using an event subscription'

+description: In this tutorial, you learn how to use an Event Grid event subscription to create a low-latency, event-driven trigger on an Azure Blob Storage container.

+zone_pivot_groups: programming-languages-set-functions-lang-workers

+#Customer intent: As an Azure Functions developer, I want learn how to create an Event Grid-based trigger on a Blob Storage container so that I can get a more rapid response to changes in the container.

+# Tutorial: Trigger Azure Functions on blob containers using an event subscription

+Earlier versions of the Blob Storage trigger for Azure Functions polled the container for updates, which often resulted in delayed execution. By using the latest version of the extension, you can reduce latency by instead triggering on an event subscription to the same blob container. The event subscription uses Event Grid to forward changes in the blob container as events for your function to consume. This article demonstrates how to use Visual Studio Code to locally develop a function that runs based events raised when a blob is added to a container. You'll locally verify the function before deploying your project to Azure.

+> [!div class="checklist"]

+> * Create a general storage v2 account in Azure Storage.

+> * Create a container in blob storage.

+> * Create an event-driven Blob Storage triggered function.

+> * Create an event subscription to a blob container.

+> * Debug locally using ngrok by uploading files.

+> * Deploy to Azure and create a filtered event subscription.

+> [!NOTE]

+> The Storage Extension for Visual Studio Code is currently in preview.

+## Create a storage account

+Using an event subscription to Azure Storage requires you to use a general-purpose v2 storage account. With the Azure Storage extension installed, you can create this kind of storage account by default from your Visual Studio Code project.

+1. In Visual Studio Code, open the command palette (press F1), type `Azure Storage: Create Storage Account...`, and then provide the following information at the prompts:

+ |Prompt|Selection|

+ |--|--|

+ |**Enter the name of the new storage account**| Type a globally unique name. Storage account names must be between 3 and 24 characters in length and can contain numbers and lowercase letters only. We'll use the same name for the resource group and the function app name, to make it easier. |

+ |**Select a location for new resources**| For better performance, choose a [region](https://azure.microsoft.com/regions/) near you.|

+ The extension creates a new general-purpose v2 storage account with the name you provided. The same name is also used for the resource group in which the storage account is created.

+1. After the storage account is created, open the command palette (press F1) and type `Azure Storage: Create Blob Container...`, and then provide the following information at the prompts:

+ |Prompt|Selection|

+ |--|--|

+ |**Select a resource**| Choose the name of the storage account you created. |

+ |**Enter a name for the new blob container**| Type `samples-workitems`, which is the container name referenced in your code project.|

+Now that you have the blob container, you can create both the function that triggers on this container and the event subscription that delivers events to your function.

+## Create a Blob triggered function

+When you use Visual Studio Code to create a Blob Storage triggered function, you also create a new project. You'll then need to modify the function to consume an event subscription as the source instead of the regular polled container.

+1. Open your function app in Visual Studio Code.

+1. Open the command palette (press F1) and type `Azure Functions: Create Function...` and select **Create new project**.

+1. Choose the directory location for your project workspace and choose **Select**. You should either create a new folder or choose an empty folder for the project workspace. Don't choose a project folder that is already part of a workspace.

+1. Provide the following information at the prompts:

+ ::: zone pivot="programming-language-csharp"

+ |Prompt|Selection|

+ |--|--|

+ |**Select a language**|Choose `C#`.|

+ |**Select a .NET runtime**| Choose `.NET 6.0 LTS`. Event-driven blob triggers aren't yet supported when running in an isolated process. |

+ |**Select a template for your project's first function**|Choose `Azure Blob Storage trigger`.|

+ |**Provide a function name**|Type `BlobTriggerEventGrid`.|

+ |**Provide a namespace** | Type `My.Functions`. |

+ |**Select setting from "local.settings.json"**|Choose `Create new local app setting`.|

+ |**Select a storage account**|Choose the storage account you created from the list. |

+ |**This is the path within your storage account that the trigger will monitor**| Accept the default value `samples-workitems`. |

+ |**Select how you would like to open your project**|Choose `Add to workspace`.|

+ ::: zone-end

+ ::: zone pivot="programming-language-python"

+ |Prompt|Selection|

+ |--|--|

+ |**Select a language**|Choose `Python`.|

+ |**Select a Python interpreter to create a virtual environment**| Choose your preferred Python interpreter. If an option isn't shown, type in the full path to your Python binary.|

+ |**Select a template for your project's first function**|Choose `Azure Blob Storage trigger`.|

+ |**Provide a function name**|Type `BlobTriggerEventGrid`.|

+ |**Select setting from "local.settings.json"**|Choose `Create new local app setting`.|

+ |**Select a storage account**|Choose the storage account you created from the list. |

+ |**This is the path within your storage account that the trigger will monitor**| Accept the default value `samples-workitems`. |

+ |**Select how you would like to open your project**|Choose `Add to workspace`.|

+ ::: zone-end

+ ::: zone pivot="programming-language-java"

+ |Prompt|Selection|

+ |--|--|

+ |**Select a language**|Choose `Java`.|

+ |**Select a version of Java**| Choose `Java 11` or `Java 8`, the Java version on which your functions run in Azure. Choose a Java version that you've verified locally. |

+ | **Provide a group ID** | Choose `com.function`. |

+ | **Provide an artifact ID** | Choose `BlobTriggerEventGrid`. |

+ | **Provide a version** | Choose `1.0-SNAPSHOT`. |

+ | **Provide a package name** | Choose `com.function`. |

+ | **Provide an app name** | Accept the generated name starting with `BlobTriggerEventGrid`. |

+ | **Select the build tool for Java project** | Choose `Maven`. |

+ |**Select how you would like to open your project**|Choose `Add to workspace`.|

+ ::: zone-end

+ ::: zone pivot="programming-language-javascript"

+ |Prompt|Selection|

+ |--|--|

+ |**Select a language for your function project**|Choose `JavaScript`.|

+ |**Select a template for your project's first function**|Choose `Azure Blob Storage trigger`.|

+ |**Provide a function name**|Type `BlobTriggerEventGrid`.|

+ |**Select setting from "local.settings.json"**|Choose `Create new local app setting`.|

+ |**Select a storage account**|Choose the storage account you created from the list. |

+ |**This is the path within your storage account that the trigger will monitor**| Accept the default value `samples-workitems`. |

+ |**Select how you would like to open your project**|Choose `Add to workspace`.|

+ ::: zone-end

+ ::: zone pivot="programming-language-powershell"

+ |Prompt|Selection|

+ |--|--|

+ |**Select a language for your function project**|Choose `PowerShell`.|

+ |**Select a template for your project's first function**|Choose `Azure Blob Storage trigger`.|

+ |**Provide a function name**|Type `BlobTriggerEventGrid`.|

+ |**Select setting from "local.settings.json"**|Choose `Create new local app setting`.|

+ |**Select a storage account**|Choose the storage account you created from the list. |

+ |**This is the path within your storage account that the trigger will monitor**| Accept the default value `samples-workitems`. |

+ |**Select how you would like to open your project**|Choose `Add to workspace`.|

+ ::: zone-end

+1. When prompted, choose **Select storage account** and then **Add to workspace**.

+To simplify things, this tutorial reuses the same storage account with your function app. In production, you might want to use a separate storage account for your function app. For more information, see [Storage considerations for Azure Functions](storage-considerations.md).

+## Upgrade the Blob Storage extension

+To be able to use the Event Grid-based Blog Storage trigger, your function needs to be using version 5.x of the Blob Storage extension.

+To upgrade your project to use the latest extension, run the following [dotnet add package](/dotnet/core/tools/dotnet-add-package) command in the Terminal window.

+<!# [In-process](#tab/in-process) -->

+```bash

+dotnet add package Microsoft.Azure.WebJobs.Extensions.Storage --version 5.0.1

+```

+<!# [Isolated process](#tab/isolated-process)

+```bash

+dotnet add package Microsoft.Azure.Functions.Worker.Extensions.Storage --version 5.0.0

+```

+-->

+1. Open the host.json project file and inspect the `extensionBundle` element.

+1. If `extensionBundle.version` isn't at least `3.3.0 `, replace `extensionBundle` with the following version:

+ ```json

+ "extensionBundle": {

+ "id": "Microsoft.Azure.Functions.ExtensionBundle",

+ "version": "[3.3.0, 4.0.0)"

+ }

+## Update the function to use events

+Open the BlobTriggerEventGrid.cs file and, add `Source = BlobTriggerSource.EventGrid` to the parameters for the blob trigger attribute, as shown in the following example:

+```csharp

+[FunctionName("BlobTriggerCSharp")]

+public static void Run([BlobTrigger("samples-workitems/{name}", Source = BlobTriggerSource.EventGrid, Connection = "<NAMED_STORAGE_CONNECTION>")]Stream myBlob, string name, ILogger log)

+{

+ log.LogInformation($"C# Blob trigger function Processed blob\n Name:{name} \n Size: {myBlob.Length} Bytes");

+}

+```

+After the function is created add `"source": "EventGrid"` to the `myBlob` binding in the function.json configuration file, as shown in the following example:

+

+```json

+{

+ "scriptFile": "__init__.py",

+ "bindings": [

+ "name": "myblob",

+ "type": "blobTrigger",

+ "direction": "in",

+ "path": "samples-workitems/{name}",

+ "source": "EventGrid",

+ "connection": "<NAMED_STORAGE_CONNECTION>"

+ }

+ ]

+}

+```

+1. Replace contents of the generated `Function.java` file with the following code and rename the file to `BlobTriggerEventGrid.java`:

+ ```java

+ package com.function;

+ import com.microsoft.azure.functions.annotation.*;

+ import com.microsoft.azure.functions.*;

+ /**

+ * Azure Functions with Azure Blob trigger.

+ */

+ public class BlobTriggerEventGrid {

+ /**

+ * This function will be invoked when a new or updated blob is detected at the specified path. The blob contents are provided as input to this function.

+ */

+ @FunctionName("BlobTriggerEventGrid")

+ @StorageAccount("glengatesteventgridblob_STORAGE")

+ public void run(

+ @BlobTrigger(name = "content", path = "samples-workitems/{name}", dataType = "binary", source = "EventGrid" ) byte[] content,

+ @BindingName("name") String name,

+ final ExecutionContext context

+ ) {

+ context.getLogger().info("Java Blob trigger function processed a blob. Name: " + name + "\n Size: " + content.length + " Bytes");

+2. Remove the associated unit test file, which is no longer relevant to the new trigger type.

+After the function is created, add `"source": "EventGrid"` to the `myBlob` binding in the function.json configuration file, as shown in the following example:

+```json

+{

+ "bindings": [

+ "name": "myblob",

+ "type": "blobTrigger",

+ "direction": "in",

+ "path": "samples-workitems/{name}",

+ "source": "EventGrid",

+ "connection": "<NAMED_STORAGE_CONNECTION>"

+ ]

+}

+ ```

+## Start local debugging

+Event Grid validates the endpoint URL when you create an event subscription in the Azure portal. This validation means that before you can create an event subscription for local debugging, your function must be running locally with remote access enabled by the ngrok utility. If your local function code isn't running and accessible to Azure, you won't be able to create the event subscription.

+### Determine the blob trigger endpoint

+When your function runs locally, the default endpoint used for an event-driven blob storage trigger looks like the following URL:

+```http

+http://localhost:7071/runtime/webhooks/blobs?functionName=BlobTriggerEventGrid

+```

+```http

+http://localhost:7071/runtime/webhooks/blobs?functionName=Host.Functions.BlobTriggerEventGrid

+```

+Save this path, which you'll use later to create endpoint URLs for event subscriptions. If you used a different name for your Blob Storage triggered function, you need to change the `functionName` value in the query string.

+> [!NOTE]

+> Because the endpoint is handling events for a Blob Storage trigger, the endpoint path includes `blobs`. The endpoint URL for an Event Grid trigger would instead have `eventgrid` in the path.

+### Run ngrok

+To break into a function being debugged on your machine, you must provide a way for Azure Event Grid to communicate with functions running on your local computer.

+The [ngrok](https://ngrok.com/) utility forwards external requests to a randomly generated proxy server address to a specific address and port on your local computer. through to call the webhook endpoint of the function running on your machine.

+1. Start *ngrok* using the following command:

+ ```bash

+ ngrok.exe http http://localhost:7071

+ As the utility starts, the command window should look similar to the following screenshot:

+ 

+1. Copy the **HTTPS** URL generated when *ngrok* is run. This value is used to determine the webhook endpoint on your computer exposed using ngrok.

+> [!IMPORTANT]

+> At this point, don't stop `ngrok`. Every time you start `ngrok`, the HTTPS URL is regenerated with a different value. Because the endpoint of an event subscription can't be modified, you have to create a new event subscription every time you run `ngrok`.

+>

+> Unless you create an ngrok account, the maximum ngrok session time is limited to two hours.

+### Build the endpoint URL

+The endpoint used in the event subscription is made up of three different parts, a prefixed server name, a path, and a query string. The following table describes these parts:

+| URL part | Description |

+| | |

+| Prefix and server name | When your function runs locally, the server name with an `https://` prefix comes from the **Forwarding** URL generated by *ngrok*. In the localhost URL, the *ngrok* URL replaces `http://localhost:7071`. When running in Azure, you'll instead use the published function app server, which is usually in the form `https://<FUNCTION_APP_NAME>.azurewebsites.net`. |

+| Path | The path portion of the endpoint URL comes from the localhost URL copied earlier, and looks like `/runtime/webhooks/blobs` for a Blob Storage trigger. The path for an Event Grid trigger would be `/runtime/webhooks/EventGrid` |

+| Query string | The `functionName=BlobTriggerEventGrid` parameter in the query string sets the name of the function that handles the event. For functions other than C#, the function name is qualified by `Host.Functions.`. If you used a different name for your function, you'll need to change this value. An access key isn't required when running locally. When running in Azure, you'll also need to include a `code=` parameter in the URL, which contains a key that you can get from the portal. |

+The following screenshot shows an example of how the final endpoint URL should look when using a Blob Storage trigger named `BlobTriggerEventGrid`:

+ 

+ 

+### Start debugging

+With ngrok already running, start your local project as follows:

+1. Set a breakpoint in your function on the line that handles logging.

+1. Start a debugging session.

+ ::: zone pivot="programming-language-java"

+ Open a new terminal and run the following `mvn` command to start the debugging session.

+ ::: zone-end

+ ::: zone pivot="programming-language-javascript,programming-language-powershell,programming-language-python,programming-language-csharp"

+ Press **F5** to start a debugging session.

+ ::: zone-end

+With your code running and ngrok forwarding requests, it's time to create an event subscription to the blob container.

+## Create the event subscription

+An event subscription, powered by Azure Event Grid, raises events based on changes in the linked blob container. This event is then sent to the webhook endpoint on your function's trigger. After an event subscription is created, the endpoint URL can't be changed. This means that after you're done with local debugging (or if you restart ngrok), you'll need to delete and recreate the event subscription.

+1. In Visual Studio Code, choose the Azure icon in the Activity bar. In **Resources**, expand your subscription, expand **Storage accounts**, right-click the storage account you created earlier, and select **Open in portal**.

+1. Sign in to the [Azure portal](https://portal.azure.com) and make a note of the **Resource group** for your storage account. You'll create your other resources in the same group to make it easier to clean up resources when you're done.

+1. select the **Events** option from the left menu.

+ 

+1. In the **Events** window, select the **+ Event Subscription** button, and provide values from the following table into the **Basic** tab:

+ | Setting | Suggested value | Description |

+ | | - | -- |

+ | **Name** | *myBlobLocalNgrokEventSub* | Name that identifies the event subscription. You can use the name to quickly find the event subscription. |

+ | **Event Schema** | **Event Grid Schema** | Use the default schema for events. |

+ | **System Topic Name** | *samples-workitems-blobs* | Name for the topic, which represents the container. The topic is created with the first subscription, and you'll use it for future event subscriptions. |

+ | **Filter to Event Types** | *Blob Created*<br/>*Blob Deleted*|

+ | **Endpoint Type** | **Web Hook** | The blob storage trigger uses a web hook endpoint. You would use Azure Functions for an Event Grid trigger. |

+ | **Endpoint** | Your ngrok-based URL endpoint | Use the ngrok-based URL endpoint that you determined earlier. |

+1. Select **Confirm selection** to validate the endpoint URL.

+1. Select **Create** to create the event subscription.

+## Upload a file to the container

+With the event subscription in place and your code project and ngrok still running, you can now upload a file to your storage container to trigger your function. You can upload a file from your computer to your blob storage container using Visual Studio Code.

+1. In Visual Studio Code, open the command palette (press F1) and type `Azure Storage: Upload Files...`.

+1. In the **Open** dialog box, choose a file, preferably a binary image file that's not too large, select **Upload** .

+1. Provide the following information at the prompts:

+ | Setting | Suggested value | Description |

+ | | - | -- |

+ | **Select a resource** | Storage account name | Choose the name of the storage account you created in a previous step. |

+ | **Select a resource type** | **Blob Containers** | You're uploading to a blob container. |

+ | **Select Blob Container** | **samples-workitems** | This value is the name of the container you created in a previous step. |

+ | **Enter the destination directory of this upload** | default | Just accept the default value of `/`, which is the container root. |

+This command uploads a file from your computer to the storage container in Azure. At this point, your running ngrok instance should report that a request was forwarded. You'll also see in the func.exe output for your debugging session that your function has been started. Hopefully, at this point, your debug session is waiting for you where you set the breakpoint.

+## Publish the project to Azure

+Now that you've successfully validated your function code locally, it's time to publish the project to a new function app in Azure.

+### Create the function app

+The following steps create the resources you need in Azure and deploy your project files.

+1. In the command pallet, enter **Azure Functions: Create function app in Azure...(Advanced)**.

+1. Following the prompts, provide this information:

+ | Prompt | Selection |

+ | | -- |

+ | **Enter a globally unique name for the new function app.** | Type a globally unique name that identifies your new function app and then select Enter. Valid characters for a function app name are `a-z`, `0-9`, and `-`. Write down this name; you'll need it later when building the new endpoint URL. |

+ | **Select a runtime stack.** | Choose the language version on which you've been running locally. |

+ | **Select an OS.** | Choose either Linux or Windows. Python apps must run on Linux. |

+ | **Select a resource group for new resources.** | Choose the name of the resource group you created with your storage account, which you previously noted in the portal. |

+ | **Select a location for new resources.** | Select a location in a [region](https://azure.microsoft.com/regions/) near you or near other services that your functions access. |

+ | **Select a hosting plan.** | Choose **Consumption** for serverless [Consumption plan hosting](consumption-plan.md), where you're only charged when your functions run. |

+ | **Select a storage account.** | Choose the name of the existing storage account that you've been using. |

+ | **Select an Application Insights resource for your app.** | Choose **Create new Application Insights resource** and at the prompt, type a name for the instance used to store runtime data from your functions.|

+ A notification appears after your function app is created and the deployment package is applied. Select **View Output** in this notification to view the creation and deployment results, including the Azure resources that you created.

+### Deploy the function code

+### Publish application settings

+Because the local settings from local.settings.json aren't automatically published, you must upload them now so that your function run correctly in Azure.

+In the command pallet, enter **Azure Functions: Upload Local Settings...**, and in the **Select a resource.** prompt choose the name of your function app.

+## Recreate the event subscription

+Now that the function app is running in Azure, you need to create a new event subscription. This new event subscription uses the endpoint of your function in Azure. You'll also add a filter to the event subscription so that the function is only triggered when JPEG (.jpg) files are added to the container. In Azure, the endpoint URL also contains an access key, which helps to block actors other than Event Grid from accessing the endpoint.

+### Get the blob extension key

+1. In Visual Studio Code, choose the Azure icon in the Activity bar. In **Resources**, expand your subscription, expand **Function App**, right-click the function app you created, and select **Open in portal**.

+1. Under **Functions** in the left menu, select **App keys**.

+

+1. Under **System keys** select the key named **blobs_extension**, and copy the key **Value**.

+You'll include this value in the query string of new endpoint URL.

+### Build the endpoint URL

+Create a new endpoint URL for the Blob Storage trigger based on the following example:

+https://<FUNCTION_APP_NAME>.azurewebsites.net/runtime/webhooks/blobs?functionName=BlobTriggerEventGrid&code=<BLOB_EXTENSION_KEY>

+```http

+https://<FUNCTION_APP_NAME>.azurewebsites.net/runtime/webhooks/blobs?functionName=Host.Functions.BlobTriggerEventGrid&code=<BLOB_EXTENSION_KEY>

+```

+In this example, replace `<FUNCTION_APP_NAME>` with the name of your function app and replace `<BLOB_EXTENSION_KEY>` with the value you got from the portal. If you used a different name for your function, you'll also need to change the `functionName` query string as needed.

+### Create a filtered event subscription

+Because the endpoint URL of an event subscription can't be changed, you must create a new event subscription. You should also delete the old event subscription at this time, since it can't be reused.

+This time, you'll include the filter on the event subscription so that only JPEG files (*.jpg) trigger the function.

+1. In Visual Studio Code, choose the Azure icon in the Activity bar. In **Resources**, expand your subscription, expand **Storage accounts**, right-click the storage account you created earlier, and select **Open in portal**.

+1. In the [Azure portal](https://portal.azure.com), select the **Events** option from the left menu.

+1. In the **Events** window, select your old ngrok-based event subscription, select **Delete** > **Save**. This action removes the old event subscription.

+1. Select the **+ Event Subscription** button, and provide values from the following table into the **Basic** tab:

+ | Setting | Suggested value | Description |

+ | | - | -- |

+ | **Name** | *myBlobAzureEventSub* | Name that identifies the event subscription. You can use the name to quickly find the event subscription. |

+ | **Event Schema** | **Event Grid Schema** | Use the default schema for events. |

+ | **Filter to Event Types** | *Blob Created*<br/>*Blob Deleted*|

+ | **Endpoint Type** | **Web Hook** | The blob storage trigger uses a web hook endpoint. You would use Azure Functions for an Event Grid trigger. |

+ | **Endpoint** | Your new Azure-based URL endpoint | Use the URL endpoint that you built, which includes the key value. |

+1. Select **Confirm selection** to validate the endpoint URL.

+1. Select the **Filters** tab, under **Subject filters** check **Enable subject filtering**, type `.jpg` in **Subject ends with**. This filters events to only JPEG files.

+ 

+1. Select **Create** to create the event subscription.

+## Verify the function in Azure

+With the entire topology now running Azure, it's time to verify that everything is working correctly. Since you're already in the portal, it's easiest to just upload a file from there.

+1. In your storage account page in the portal, select **Containers** and select your **samples-workitems** container.

+1. Select the **Upload** button to open the upload page on the right, browse your local file system to find a `.jpg` file to upload, and then select the **Upload** button to upload the blob. Now, you can verify that your function ran based on the container upload event.

+1. In your storage account, return to the **Events** page, select **Event Subscriptions**, and you should see that an event was delivered.

+

+1. Back in your function app page in the portal, under **Functions** select **Functions**, choose your function and you should see a **Total Execution Count** of at least one.

+1. Under **Developer**, select **Monitor**, and you should see traces written from your successful function executions. There might be up a five-minute delay as events are processed by Application Insights.

+# Continuous delivery by using GitHub Actions

+ - name: 'Checkout GitHub action'

+ - name: 'Run Azure Functions action'

+ - name: 'Checkout GitHub action'

+ - name: 'Run Azure Functions action'

+ - name: 'Checkout GitHub action'

+ - name: 'Run Azure Functions action'

+ - name: 'Checkout GitHub action'

+ - name: 'Run Azure Functions action'

+ - name: 'Checkout GitHub action'

+ - name: 'Run Azure Functions action'

+ - name: 'Checkout GitHub action'

+ - name: 'Run Azure Functions action'

+ - name: 'Checkout GitHub action'

+ - name: 'Run Azure Functions action'

+- [Event Grid local testing with viewer web app](./event-grid-how-tos.md#local-testing-with-viewer-web-app)

+| | VM Insights | X (Public preview) | X | |

+| | Microsoft Defender for Cloud | X (Public preview) | X | |

+| | Update Management | X (Public preview, independent of monitoring agents) | X | |

+| | Change Tracking | | X | |

+| | Microsoft Sentinel | X ([View scope](#supported-services-and-features)) | X | |

+| | VM Insights | X (Public preview) | X | |

+| | Microsoft Defender for Cloud | X (Public preview) | X | |

+| | Update Management | X (Public preview, independent of monitoring agents) | X | |

+| | Change Tracking | | X | |

+| Operating system | Azure Monitor agent <sup>1</sup> | Log Analytics agent <sup>1</sup> | Diagnostics extension <sup>2</sup>|

+| AlmaLinux 8 | X | X | |

+| CentOS Linux 8 | X | X | |

+| Debian 11 | X | | |

+| Debian 10 | X | X | |

+| Oracle Linux 8 | X | X | |

+| Red Hat Enterprise Linux Server 8 | X | X | |

+| Rocky Linux 8 | X | X | |

+| SUSE Linux Enterprise Server 15 SP2 | X | | |

+<sup>2</sup> Requires Python 2 to be installed on the machine and aliased to the `python` command.<br>

+> Custom tables have a suffix of *_CL*; for example, *tablename_CL*. The *tablename_CL* in the DataFlows Streams must match the *tablename_CL* name in the Log Analytics workspace.

+ > Custom tables have a suffix of *_CL*; for example, *tablename_CL*. The *tablename_CL* in the DataFlows Streams must match the *tablename_CL* name in the Log Analytics workspace.

+ Title: Configure the webhook to get activity log alerts

+# Webhooks for activity log alerts

+ > [!NOTE]

+ > The **Failure Anomalies** smart detector is already created as an alert rule and therefore does not require migration, it is not covered in this document.

+

+A list of the latest [currently-supported modules](https://github.com/microsoft/node-diagnostic-channel/tree/master/src/diagnostic-channel-publishers) is maintained [here](https://github.com/microsoft/node-diagnostic-channel/tree/master/src/diagnostic-channel-publishers).

+ > - If you currently store Application Insights data for longer than the default 90 days and want to retain this larger retention period after migration, you will need to adjust your [workspace retention settings](https://docs.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#set-retention-and-archive-policy-by-table) from the default 90 days to the desired longer retention period.

+> * The Application Insights user can't have access to both workspaces. This can be done by setting the Log Analytics [Access control mode](/azure/azure-monitor/logs/log-analytics-workspace-overview#permissions) to **Requires workspace permissions** and ensuring through [Azure role-based access control (Azure RBAC)](./resources-roles-access-control.md) that the user only has access to the Log Analytics workspace the Application Insights resource is based on.

+>

+> These steps are necessary because Application Insights accesses telemetry across Application Insight resources (including Log Analytics workspaces) to provide complete end-to-end transaction operations and accurate application maps. Because diagnostic logs use the same table names, duplicate telemetry can be displayed if the user has access to multiple resources containing the same data.

+ Title: Application Insights custom metrics with .NET and .NET Core

+description: Learn how to use Application Insights to capture locally pre-aggregated metrics for .NET and .NET Core applications.

+ms.devlang: csharp

+# Capture Application Insights custom metrics with .NET and .NET Core

+In this article, you'll learn how to capture custom metrics with Application Insights in .NET and .NET Core apps.

+Insert a few lines of code in your application to find out what users are doing with it, or to help diagnose issues. You can send telemetry from device and desktop apps, web clients, and web servers. Use the [Application Insights](./app-insights-overview.md) core telemetry API to send custom events and metrics and your own versions of standard telemetry. This API is the same API that the standard Application Insights data collectors use.

+## ASP.NET Core applications

+### Prerequisites

+If you'd like to follow along with the guidance in this article, certain pre-requisites are needed.

+* Visual Studio 2022

+* Visual Studio Workloads: ASP.NET and web development, Data storage and processing, and Azure development

+* .NET 6.0

+* Azure subscription and user account (with the ability to create and delete resources)

+* Deploy the [completed sample application (`2 - Completed Application`)](./tutorial-asp-net-core.md) or an existing ASP.NET Core application with the [Application Insights for ASP.NET Core](https://nuget.org/packages/Microsoft.ApplicationInsights.AspNetCore) NuGet package installed and [configured to gather server-side telemetry](asp-net-core.md#enable-application-insights-server-side-telemetry-visual-studio).

+### Custom metrics overview

+The Application Insights .NET and .NET Core SDKs have two different methods of collecting custom metrics, `TrackMetric()`, and `GetMetric()`. The key difference between these two methods is local aggregation. `TrackMetric()` lacks pre-aggregation while `GetMetric()` has pre-aggregation. The recommended approach is to use aggregation, therefore, `TrackMetric()` is no longer the preferred method of collecting custom metrics. This article will walk you through using the GetMetric() method, and some of the rationale behind how it works.

+#### Pre-aggregating vs non pre-aggregating API

+`TrackMetric()` sends raw telemetry denoting a metric. It's inefficient to send a single telemetry item for each value. `TrackMetric()` is also inefficient in terms of performance since every `TrackMetric(item)` goes through the full SDK pipeline of telemetry initializers and processors. Unlike `TrackMetric()`, `GetMetric()` handles local pre-aggregation for you and then only submits an aggregated summary metric at a fixed interval of one minute. So if you need to closely monitor some custom metric at the second or even millisecond level you can do so while only incurring the storage and network traffic cost of only monitoring every minute. This behavior also greatly reduces the risk of throttling occurring since the total number of telemetry items that need to be sent for an aggregated metric are greatly reduced.

+In Application Insights, custom metrics collected via `TrackMetric()` and `GetMetric()` aren't subject to [sampling](./sampling.md). Sampling important metrics can lead to scenarios where alerting you may have built around those metrics could become unreliable. By never sampling your custom metrics, you can generally be confident that when your alert thresholds are breached, an alert will fire. But since custom metrics aren't sampled, there are some potential concerns.

+Trend tracking in a metric every second, or at an even more granular interval can result in:

+- Increased data storage costs. There's a cost associated with how much data you send to Azure Monitor. (The more data you send the greater the overall cost of monitoring.)

+- Increased network traffic/performance overhead. (In some scenarios this overhead could have both a monetary and application performance cost.)

+- Risk of ingestion throttling. (The Azure Monitor service drops ("throttles") data points when your app sends a high rate of telemetry in a short time interval.)

+Throttling is a concern as it can lead to missed alerts. The condition to trigger an alert could occur locally and then be dropped at the ingestion endpoint due to too much data being sent. We don't recommend using `TrackMetric()` for .NET and .NET Core unless you've implemented your own local aggregation logic. If you're trying to track every instance an event occurs over a given time period, you may find that [`TrackEvent()`](./api-custom-events-metrics.md#trackevent) is a better fit. Though keep in mind that unlike custom metrics, custom events are subject to sampling. You can still use `TrackMetric()` even without writing your own local pre-aggregation, but if you do so be aware of the pitfalls.

+In summary `GetMetric()` is the recommended approach since it does pre-aggregation, it accumulates values from all the Track() calls and sends a summary/aggregate once every minute. `GetMetric()` can significantly reduce the cost and performance overhead by sending fewer data points, while still collecting all relevant information.

+## Getting a TelemetryClient instance

+Get an instance of `TelemetryClient` from the dependency injection container in **HomeController.cs**:

+```csharp

+//... additional code removed for brevity

+using Microsoft.ApplicationInsights;

+namespace AzureCafe.Controllers

+{

+ public class HomeController : Controller

+ {

+ private readonly ILogger<HomeController> _logger;

+ private AzureCafeContext _cafeContext;

+ private BlobContainerClient _blobContainerClient;

+ private TextAnalyticsClient _textAnalyticsClient;

+ private TelemetryClient _telemetryClient;

+ public HomeController(ILogger<HomeController> logger, AzureCafeContext context, BlobContainerClient blobContainerClient, TextAnalyticsClient textAnalyticsClient, TelemetryClient telemetryClient)

+ {

+ _logger = logger;

+ _cafeContext = context;

+ _blobContainerClient = blobContainerClient;

+ _textAnalyticsClient = textAnalyticsClient;

+ _telemetryClient = telemetryClient;

+ }

+ //... additional code removed for brevity

+ }

+}

+```

+`TelemetryClient` is thread safe.

+## TrackMetric

+Application Insights can chart metrics that aren't attached to particular events. For example, you could monitor a queue length at regular intervals. With metrics, the individual measurements are of less interest than the variations and trends, and so statistical charts are useful.

+To send metrics to Application Insights, you can use the `TrackMetric(..)` API. We'll cover the recommended way to send a metric:

+* **Aggregation**. When you work with metrics, every single measurement is rarely of interest. Instead, a summary of what happened during a particular time period is important. Such a summary is called _aggregation_.

+ For example, the aggregate metric sum for that time period is `1` and the count of the metric values is `2`. When you use the aggregation approach, you invoke `TrackMetric` only once per time period and send the aggregate values. We recommend this approach because it can significantly reduce the cost and performance overhead by sending fewer data points to Application Insights, while still collecting all relevant information.

+### TrackMetric example

+1. From the Visual Studio Solution Explorer, locate and open the **HomeController.cs** file.

+2. Locate the `CreateReview` method and the following code.

+ ```csharp

+ if (model.Comments != null)

+ {

+ var response = _textAnalyticsClient.AnalyzeSentiment(model.Comments);

+ review.CommentsSentiment = response.Value.Sentiment.ToString();

+ }

+ ```

+3. Immediately following the previous code, insert the following to add a custom metric.

+ ```csharp

+ _telemetryClient.TrackMetric("ReviewPerformed", model.Rating);

+ ```

+4. Right-click the **AzureCafe** project in Solution Explorer and select **Publish** from the context menu.

+ 

+5. Select **Publish** to promote the new code to the Azure App Service.

+ 

+6. Once the publish has succeeded, a new browser window opens to the Azure Cafe web application.

+ 

+7. Perform various activities in the web application to generate some telemetry.

+ 1. Select **Details** next to a Cafe to view its menu and reviews.

+ 

+ 2. On the Cafe screen, select the **Reviews** tab to view and add reviews. Select the **Add review** button to add a review.

+ 

+ 3. On the Create a review dialog, enter a name, rating, comments, and upload a photo for the review. Once completed, select **Add review**.

+ 

+ 4. Repeat adding reviews as desired to generate more telemetry.

+### View metrics in Application Insights

+1. Go to the **Application Insights** resource in the [Azure portal](https://portal.azure.com).

+ :::image type="content" source="media/tutorial-asp-net-custom-metrics/application-insights-resource-group.png" alt-text="First screenshot of a resource group with the Application Insights resource highlighted." lightbox="media/tutorial-asp-net-custom-metrics/application-insights-resource-group.png":::

+2. From the left menu of the Application Insights resource, select **Logs** from beneath the **Monitoring** section. In the **Tables** pane, double-click on the **customMetrics** table, located under the **Application Insights** tree. Modify the query to retrieve metrics for the **ReviewPerformed** custom named metric as follows, then select **Run** to filter the results.

+ ```kql

+ customMetrics

+ | where name == "ReviewPerformed"

+ ```

+3. Observe the results display the rating value present in the Review.

+## GetMetric

+As referenced before, `GetMetric(..)` is the preferred method for sending metrics. In order to make use of this method, we'll be performing some changes to the existing code.

+When running the sample code, you'll see that no telemetry is being sent from the application right away. A single telemetry item will be sent by around the 60-second mark.

+> [!NOTE]

+> GetMetric does not support tracking the last value (i.e. "gauge") or tracking histograms/distributions.

+### GetMetric example

+1. From the Visual Studio Solution Explorer, locate and open the **HomeController.cs** file.

+2. Locate the `CreateReview` method and the code added in the previous [TrackMetric example](#trackmetric-example).

+3. Replace the previously added code in _Step 3_ with the following one.

+ ```csharp

+ var metric = _telemetryClient.GetMetric("ReviewPerformed");

+ metric.TrackValue(model.Rating);

+ ```

+4. Right-click the **AzureCafe** project in Solution Explorer and select **Publish** from the context menu.

+ 

+5. Select **Publish** to promote the new code to the Azure App Service.

+ 

+6. Once the publish has succeeded, a new browser window opens to the Azure Cafe web application.

+ 

+7. Perform various activities in the web application to generate some telemetry.

+ 1. Select **Details** next to a Cafe to view its menu and reviews.

+ 

+ 2. On the Cafe screen, select the **Reviews** tab to view and add reviews. Select the **Add review** button to add a review.

+ 

+ 3. On the Create a review dialog, enter a name, rating, comments, and upload a photo for the review. Once completed, select **Add review**.

+ 

+ 4. Repeat adding reviews as desired to generate more telemetry.

+### View metrics in Application Insights

+1. Go to the **Application Insights** resource in the [Azure portal](https://portal.azure.com).

+ 

+2. From the left menu of the Application Insights resource, select **Logs** from beneath the **Monitoring** section. In the **Tables** pane, double-click on the **customMetrics** table, located under the **Application Insights** tree. Modify the query to retrieve metrics for the **ReviewPerformed** custom named metric as follows, then select **Run** to filter the results.

+ ```kql

+ customMetrics

+ | where name == "ReviewPerformed"

+ ```

+3. Observe the results display the rating value present in the Review and the aggregated values.

+## Multi-dimensional metrics

+The examples in the previous section show zero-dimensional metrics. Metrics can also be multi-dimensional. We currently support up to 10 dimensions.

+By default multi-dimensional metrics within the Metric explorer experience aren't turned on in Application Insights resources.

+>[!NOTE]

+> This is a preview feature and additional billing may apply in the future.

+### Enable multi-dimensional metrics

+To enable multi-dimensional metrics for an Application Insights resource, Select **Usage and estimated costs** > **Custom Metrics** > **Send custom metrics to Azure Metric Store (With dimensions)** > **OK**.

+Once you have made that change and send new multi-dimensional telemetry, you'll be able to **Apply splitting**.

+> [!NOTE]

+> Only newly sent metrics after the feature was turned on in the portal will have dimensions stored.

+### Multi-dimensional metrics example

+1. From the Visual Studio Solution Explorer, locate and open the **HomeController.cs** file.

+2. Locate the `CreateReview` method and the code added in the previous [GetMetric example](#getmetric-example).

+3. Replace the previously added code in _Step 3_ with the following one.

+ ```csharp

+ var metric = _telemetryClient.GetMetric("ReviewPerformed", "IncludesPhoto");

+ ```

+4. Still in the `CreateReview` method, change to code to match the following one.

+ ```csharp

+ [HttpPost]

+ [ValidateAntiForgeryToken]

+ public ActionResult CreateReview(int id, CreateReviewModel model)

+ {

+ //... additional code removed for brevity

+ var metric = _telemetryClient.GetMetric("ReviewPerformed", "IncludesPhoto");

+ if ( model.ReviewPhoto != null )

+ {

+ using (Stream stream = model.ReviewPhoto.OpenReadStream())

+ {

+ //... additional code removed for brevity

+ }

+

+ metric.TrackValue(model.Rating, bool.TrueString);

+ }

+ else

+ {

+ metric.TrackValue(model.Rating, bool.FalseString);

+ }

+ //... additional code removed for brevity

+ }

+ ```

+5. Right-click the **AzureCafe** project in Solution Explorer and select **Publish** from the context menu.

+ 

+6. Select **Publish** to promote the new code to the Azure App Service.

+ 

+7. Once the publish has succeeded, a new browser window opens to the Azure Cafe web application.

+ 

+8. Perform various activities in the web application to generate some telemetry.

+ 1. Select **Details** next to a Cafe to view its menu and reviews.

+ 

+ 2. On the Cafe screen, select the **Reviews** tab to view and add reviews. Select the **Add review** button to add a review.

+ 

+ 3. On the Create a review dialog, enter a name, rating, comments, and upload a photo for the review. Once completed, select **Add review**.

+ 

+ 4. Repeat adding reviews as desired to generate more telemetry.

+### View logs in Application Insights

+1. Go to the **Application Insights** resource in the [Azure portal](https://portal.azure.com).

+ 

+2. From the left menu of the Application Insights resource, select **Logs** from beneath the **Monitoring** section. In the **Tables** pane, double-click on the **customMetrics** table, located under the **Application Insights** tree. Modify the query to retrieve metrics for the **ReviewPerformed** custom named metric as follows, then select **Run** to filter the results.

+ ```kql

+ customMetrics

+ | where name == "ReviewPerformed"

+ ```

+3. Observe the results display the rating value present in the Review and the aggregated values.

+4. In order to better observe the **IncludesPhoto** dimension, we can extract it into a separate variable (column) by using the following query.

+ ```kql

+ customMetrics

+ | extend IncludesPhoto = tobool(customDimensions.IncludesPhoto)

+ | where name == "ReviewPerformed"

+ ```

+5. Since we reused the same custom metric name has before, results with and without the custom dimension will be displayed. In order to avoid that, we'll update the query to match the following one.

+ ```kql

+ customMetrics

+ | extend IncludesPhoto = tobool(customDimensions.IncludesPhoto)

+ | where name == "ReviewPerformed" and isnotnull(IncludesPhoto)

+ ```

+### View metrics in Application Insights

+1. Go to the **Application Insights** resource in the [Azure portal](https://portal.azure.com).

+ 

+2. From the left menu of the Application Insights resource, select **Metrics** from beneath the **Monitoring** section.

+3. For **Metric Namespace**, select **azure.applicationinsights**.

+ 

+4. For **Metric**, select **ReviewPerformed**.

+ 

+5. However, you'll notice that you aren't able to split the metric by your new custom dimension, or view your custom dimension with the metrics view. Select **Apply Splitting**.

+ 

+6. For the custom dimension **Values** to use, select **IncludesPhoto**.

+ 

+## Next steps

+* [Metric Explorer](../essentials/metrics-getting-started.md)

+* How to enable Application Insights for [ASP.NET Core Applications](./asp-net-core.md)

+ Title: 'Azure Monitor best practices: Alerts and automated actions'

+# Deploy Azure Monitor: Alerts and automated actions

+This article is part of the scenario [Recommendations for configuring Azure Monitor](best-practices.md). It provides guidance on alerts in Azure Monitor. Alerts proactively notify you of important data or patterns identified in your monitoring data. You can view alerts in the Azure portal. You can create alerts that:

+- Send a proactive notification.

+- Initiate an automated action to attempt to remediate an issue.

+An alerting strategy defines your organization's standards for:

+- The types of alert rules that you'll create for different scenarios.

+- How you'll categorize and manage alerts after they're created.

+- Automated actions and notifications that you'll take in response to alerts.

+Defining an alert strategy assists you in defining the configuration of alert rules including alert severity and action groups.

+For factors to consider as you develop an alerting strategy, see [Successful alerting strategy](/azure/cloud-adoption-framework/manage/monitor/alerting#successful-alerting-strategy).

+Alerts in Azure Monitor are created by alert rules that you must create. For guidance on recommended alert rules, see the monitoring documentation for each Azure service. Azure Monitor doesn't have any alert rules by default.

+Multiple types of alert rules are defined by the type of data they use. Each has different capabilities and a different cost. The basic strategy is to use the alert rule type with the lowest cost that provides the logic you require.

+- [Activity log rules](alerts/activity-log-alerts.md). Creates an alert in response to a new activity log event that matches specified conditions. There's no cost to these alerts so they should be your first choice, although the conditions they can detect are limited. See [Create, view, and manage activity log alerts by using Azure Monitor](alerts/alerts-activity-log.md) for information on creating an activity log alert.

+- [Metric alert rules](alerts/alerts-metric-overview.md). Creates an alert in response to one or more metric values exceeding a threshold. Metric alerts are stateful, which means that the alert will automatically close when the value drops below the threshold, and it will only send out notifications when the state changes. There's a cost to metric alerts, but it's often much less than log alerts. See [Create, view, and manage metric alerts by using Azure Monitor](alerts/alerts-metric.md) for information on creating a metric alert.

+- [Log alert rules](alerts/alerts-unified-log.md). Creates an alert when the results of a schedule query match specified criteria. They're the most expensive of the alert rules, but they allow the most complex criteria. See [Create, view, and manage log alerts by using Azure Monitor](alerts/alerts-log.md) for information on creating a log query alert.

+- [Application alerts](app/monitor-web-app-availability.md). Performs proactive performance and availability testing of your web application. You can perform a ping test at no cost, but there's a cost to more complex testing. See [Monitor the availability of any website](app/monitor-web-app-availability.md) for a description of the different tests and information on creating them.

+Each alert rule defines the severity of the alerts that it creates based on the following table. Alerts in the Azure portal are grouped by level so that you can manage similar alerts together and quickly identify alerts that require the greatest urgency.

+| Sev 2 | Warning | A problem that doesn't include any current loss in availability or performance, although it has the potential to lead to more severe problems if unaddressed. |

+| Sev 3 | Informational | Doesn't indicate a problem but provides interesting information to an operator, such as successful completion of a regular process. |

+| Sev 4 | Verbose | Detailed information that isn't useful.

+Assess the severity of the condition each rule is identifying to assign an appropriate level. Define the types of issues you assign to each severity level and your standard response to each in your alerts strategy.

+Automated responses to alerts in Azure Monitor are defined in [action groups](alerts/action-groups.md). An action group is a collection of one or more notifications and actions that are fired when an alert is triggered. A single action group can be used with multiple alert rules and contain one or more of the following items:

+- **Notifications**: Messages that notify operators and administrators that an alert was created.

+- **Actions**: Automated processes that attempt to correct the detected issue.

+Notifications are messages sent to one or more users to notify them that an alert has been created. Because a single action group can be used with multiple alert rules, you should design a set of action groups for different sets of administrators and users who will receive the same sets of alerts. Use any of the following types of notifications depending on the preferences of your operators and your organizational standards:

+- Email Azure Resource Manager role

+Actions are automated responses to an alert. You can use the available actions for any scenario that they support, but the following sections describe how each action is typically used.

+Use the following actions to attempt automated remediation of the issue identified by the alert:

+- **Automation runbook**: Start a built-in runbook or a custom runbook in Azure Automation. For example, built-in runbooks are available to perform such functions as restarting or scaling up a virtual machine.

+- **Azure Functions**: Start an Azure function.

+- **IT service management (ITSM)**: Use the [ITSM Connector]() to create work items in your ITSM tool based on alerts from Azure Monitor. You first configure the connector and then use the **ITSM** action in alert rules.

+- **Webhooks**: Send the alert to an incident management system that supports webhooks such as PagerDuty and Splunk On-Call.

+- **Secure webhook**: Integrate ITSM with Azure Active Directory Authentication.

+## Minimize alert activity

+You want to create alerts for any important information in your environment. But you don't want to create excessive alerts and notifications for issues that don't warrant them. To minimize your alert activity to ensure that critical issues are surfaced while you don't generate excess information and notifications for administrators, follow these guidelines:

+- See [Successful alerting strategy](/azure/cloud-adoption-framework/manage/monitor/alerting#successful-alerting-strategy) to determine whether a symptom is an appropriate candidate for alerting.

+- Use the **Suppress alerts** option in log query alert rules to avoid creating multiple alerts for the same issue.

+- Ensure that you use appropriate severity levels for alert rules so that high-priority issues can be analyzed together.

+- Limit notifications for alerts with a severity of Warning or less because they don't require immediate attention.

+Typically, you'll want to alert on issues for all your critical Azure applications and resources. Use the following methods for creating alert rules at scale:

+- Azure Monitor supports monitoring multiple resources of the same type with one metric alert rule for resources that exist in the same Azure region. For a list of Azure services that are currently supported for this feature, see [Monitoring at scale using metric alerts in Azure Monitor](alerts/alerts-metric-overview.md#monitoring-at-scale-using-metric-alerts-in-azure-monitor).

+- For metric alert rules for Azure services that don't support multiple resources, use automation tools such as the Azure CLI and PowerShell with Resource Manager templates to create the same alert rule for multiple resources. For samples, see [Resource Manager template samples for metric alert rules in Azure Monitor](alerts/resource-manager-alerts-metric.md).

+- To return data for multiple resources, write queries in log query alert rules. Use the **Split by dimensions** setting in the rule to create separate alerts for each resource.

+> Resource-centric log query alert rules currently in public preview allow you to use all resources in a subscription or resource group as a target for a log query alert.

+[Define alerts and automated actions from Azure Monitor data](best-practices-alerts.md)

+ Title: 'Azure Monitor best practices: Cost management'

+# Azure Monitor best practices: Cost management

+This article provides guidance on reducing your cloud monitoring costs by implementing and managing Azure Monitor in the most cost-effective manner. It explains how to take advantage of cost-saving features to help ensure that you're not paying for data collection that provides little value. It also provides guidance for regularly monitoring your usage so that you can proactively detect and identify sources responsible for excessive usage.

+You can start using Azure Monitor with a single Log Analytics workspace by using default options. As your monitoring environment grows, you'll need to make decisions about whether to have multiple services share a single workspace or create multiple workspaces. You want to evaluate configuration options that allow you to reduce your monitoring costs.

+By default, workspaces will use pay-as-you-go pricing with no minimum data volume. If you collect enough amount of data, you can significantly decrease your cost by using a [commitment tier](logs/cost-logs.md#commitment-tiers). You commit to a daily minimum of data collected in exchange for a lower rate.

+[Dedicated clusters](logs/logs-dedicated-clusters.md) provide more functionality and cost savings if you ingest at least 500 GB per day collectively among multiple workspaces in the same region. Unlike commitment tiers, workspaces in a dedicated cluster don't need to individually reach 500 GB.

+See [Azure Monitor Logs pricing details](logs/cost-logs.md) for information on commitment tiers and guidance on determining which is most appropriate for your level of usage. See [Usage and estimated costs](usage-estimated-costs.md#usage-and-estimated-costs) to view estimated costs for your usage at different pricing tiers.

+As your monitoring environment becomes more complex, you'll need to consider whether to create more Log Analytics workspaces. This need might surface as you place resources in more regions or as you implement more services that use workspaces such as Microsoft Sentinel and Microsoft Defender for Cloud.

+There can be cost implications with your workspace design, most notably when you combine different services such as operational data from Azure Monitor and security data from Microsoft Sentinel. For a description of these implications and guidance on determining the most cost-effective solution for your environment, see:

+ - [Workspaces with Microsoft Sentinel](logs/cost-logs.md#workspaces-with-microsoft-sentinel)

+- [Workspaces with Microsoft Defender for Cloud](logs/cost-logs.md#workspaces-with-microsoft-defender-for-cloud)

+Except for [tables that don't incur charges](logs/cost-logs.md#data-size-calculation), all data in a Log Analytics workspace is billed at the same rate by default. You might be collecting data that you query infrequently or that you need to archive for compliance but rarely access. You can significantly reduce your costs by optimizing your data retention and archiving and configuring Basic Logs.

+Data collected in a Log Analytics workspace is retained for 31 days at no charge. The time period is 90 days if Microsoft Sentinel is enabled on the workspace. You can retain data beyond the default for trending analysis or other reporting, but there's a charge for this retention.

+Your retention requirement might be for compliance reasons or for occasional investigation or analysis of historical data. In this case, you should configure [Archived Logs](logs/data-retention-archive.md), which allows you to retain data for up to seven years at a reduced cost. There's a cost to search archived data or temporarily restore it for analysis. If you require infrequent access to this data, this cost is more than offset by the reduced retention cost.

+You can configure retention and archiving for all tables in a workspace or configure each table separately. The options allow you to optimize your costs by setting only the retention you require for each data type.

+You can save on data ingestion costs by configuring [certain tables](logs/basic-logs-configure.md#which-tables-support-basic-logs) in your Log Analytics workspace that you primarily use for debugging, troubleshooting, and auditing as [Basic Logs](logs/basic-logs-configure.md).

+Tables configured for Basic Logs have a lower ingestion cost in exchange for reduced features. They can't be used for alerting, their retention is set to eight days, they support a limited version of the query language, and there's a cost for querying them. If you query these tables infrequently, this query cost can be more than offset by the reduced ingestion cost.

+See [Query Basic Logs in Azure Monitor (preview)](.//logs/basic-logs-query.md) for information on query limitations. See [Configure Basic Logs in Azure Monitor (Preview)](logs/basic-logs-configure.md) for more information about Basic Logs.

+The most straightforward strategy to reduce your costs for data ingestion and retention is to reduce the amount of data that you collect. Your goal should be to collect the minimal amount of data to meet your monitoring requirements. You might find that you're collecting data that's not being used for alerting or analysis. If so, you have an opportunity to reduce your monitoring costs by modifying your configuration to stop collecting data that you don't need.

+The configuration change varies depending on the data source. The following sections provide guidance for configuring common data sources to reduce the data they send to the workspace.

+Virtual machines can vary significantly in the amount of data they collect, depending on the amount of telemetry generated by the applications and services they have installed. The following table lists the most common data collected from virtual machines and strategies for limiting them for each of the Azure Monitor agents.

+| Event logs | Collect only required event logs and levels. For example, *Information*-level events are rarely used and should typically not be collected. For the Azure Monitor agent, filter particular event IDs that are frequent but not valuable. | Change the [event log configuration for the workspace](agents/data-sources-windows-events.md). | Change the [data collection rule](agents/data-collection-rule-azure-monitor-agent.md). Use [custom XPath queries](agents/data-collection-rule-azure-monitor-agent.md#filter-events-using-xpath-queries) to filter specific event IDs. |

+| Syslog | Reduce the number of facilities collected and only collect required event levels. For example, *Info* and *Debug* level events are rarely used and should typically not be collected. | Change the [Syslog configuration for the workspace](agents/data-sources-syslog.md). | Change the [data collection rule](agents/data-collection-rule-azure-monitor-agent.md). Use [custom XPath queries](agents/data-collection-rule-azure-monitor-agent.md#filter-events-using-xpath-queries) to filter specific events. |

+| Performance counters | Collect only the performance counters required and reduce the frequency of collection. For the Azure Monitor agent, consider sending performance data only to Metrics and not Logs. | Change the [performance counter configuration for the workspace](agents/data-sources-performance-counters.md). | Change the [data collection rule](agents/data-collection-rule-azure-monitor-agent.md). Use [custom XPath queries](agents/data-collection-rule-azure-monitor-agent.md#filter-events-using-xpath-queries) to filter specific counters. |

+The bulk of data collection from virtual machines will be from Windows or Syslog events. While you can provide more filtering with the Azure Monitor agent, you still might be collecting records that provide little value. Use [transformations](essentials//data-collection-transformations.md) to implement more granular filtering and also to filter data from columns that provide little value. For example, you might have a Windows event that's valuable for alerting, but it includes columns with redundant or excessive data. You can create a transformation that allows the event to be collected but removes this excessive data.

+See the following section on filtering data with transformations for a summary on where to implement filtering and transformations for different data sources.

+You should be cautious with any configuration using multi-homed agents where a single virtual machine sends data to multiple workspaces because you might be incurring charges for the same data multiple times. If you do multi-home agents, make sure you're sending unique data to each workspace.

+You can also collect duplicate data with a single virtual machine running both the Azure Monitor agent and Log Analytics agent, even if they're both sending data to the same workspace. While the agents can coexist, each works independently without any knowledge of the other. Continue to use the Log Analytics agent until you [migrate to the Azure Monitor agent](./agents/azure-monitor-agent-migration.md) rather than using both together unless you can ensure that each is collecting unique data.

+See [Analyze usage in Log Analytics workspace](logs/analyze-usage.md) for guidance on analyzing your collected data to make sure you aren't collecting duplicate data for the same machine.

+## Application Insights

+There are multiple methods that you can use to limit the amount of data collected by Application Insights:

+* **Sampling**: [Sampling](app/sampling.md) is the primary tool you can use to tune the amount of data collected by Application Insights. Use sampling to reduce the amount of telemetry that's sent from your applications with minimal distortion of metrics.

+* **Limit Ajax calls**: [Limit the number of Ajax calls](app/javascript.md#configuration) that can be reported in every page view or disable Ajax reporting. If you disable Ajax calls, you'll be disabling [JavaScript correlation](app/javascript.md#enable-distributed-tracing) too.

+* **Limit the use of custom metrics**: The Application Insights option to [Enable alerting on custom metric dimensions](app/pre-aggregated-metrics-log-metrics.md#custom-metrics-dimensions-and-pre-aggregation) can increase costs. Using this option can result in the creation of more pre-aggregation metrics.

+* **Ensure use of updated SDKs**: Earlier versions of the ASP.NET Core SDK and Worker Service SDK [collect many counters by default](app/eventcounters.md#default-counters-collected), which were collected as custom metrics. Use later versions to specify [only required counters](app/eventcounters.md#customizing-counters-to-be-collected).

+The data volume for [resource logs](essentials/resource-logs.md) varies significantly between services, so you should only collect the categories that are required. You might also not want to collect platform metrics from Azure resources because this data is already being collected in Metrics. Only configure your diagnostic data to collect metrics if you need metric data in the workspace for more complex analysis with log queries.

+Diagnostic settings don't allow granular filtering of resource logs. You might require certain logs in a particular category but not others. In this case, use [transformations](essentials/data-collection-transformations.md) on the workspace to filter logs that you don't require. You can also filter out the value of certain columns that you don't require to save additional cost.

+## Other insights and services

+See the documentation for other services that store their data in a Log Analytics workspace for recommendations on optimizing their data usage:

+- **Container insights**: [Understand monitoring costs for Container insights](containers/container-insights-cost.md#controlling-ingestion-to-reduce-cost)

+- **Microsoft Sentinel**: [Reduce costs for Microsoft Sentinel](../sentinel/billing-reduce-costs.md)

+- **Defender for Cloud**: [Setting the security event option at the workspace level](../defender-for-cloud/enable-data-collection.md#setting-the-security-event-option-at-the-workspace-level)

+You can use [data collection rule transformations in Azure Monitor](essentials//data-collection-transformations.md) to filter incoming data to reduce costs for data ingestion and retention. In addition to filtering records from the incoming data, you can filter out columns in the data, reducing its billable size as described in [Data size calculation](logs/cost-logs.md#data-size-calculation).

+Use ingestion-time transformations on the workspace to further filter data for workflows where you don't have granular control. For example, you can select categories in a [diagnostic setting](essentials/diagnostic-settings.md) to collect resource logs for a particular service, but that category might also send records that you don't need. Create a transformation for the table that service uses to filter out records you don't want.

+You can also use ingestion-time transformations to lower the storage requirements for records you want by removing columns without useful information. For example, you might have error events in a resource log that you want for alerting. But you might not require certain columns in those records that contain a large amount of data. You can create a transformation for the table that removes those columns.

+The following table shows methods to apply transformations to different workflows.

+> Azure tables here refers to tables that are created and maintained by Microsoft and documented in the [Azure Monitor reference](/azure/azure-monitor/reference/). Custom tables are created by custom applications and have a suffix of *_CL* in their name.

+| Azure Monitor agent | Azure tables | Collect data from standard sources such as Windows events, Syslog, and performance data and send to Azure tables in Log Analytics workspace. | Use XPath in the data collection rule (DCR) to collect specific data from client machines. Ingestion-time transformations in the agent DCR aren't yet supported. |

+| Log Analytics agent | Azure tables | Collect data from standard sources such as Windows events, Syslog, and performance data and send it to Azure tables in the Log Analytics workspace. | Configure data collection on the workspace. Optionally, create ingestion-time transformation in the workspace DCR to filter records and columns. |

+| Log Analytics agent | Custom tables | Configure [custom logs](agents/data-sources-custom-logs.md) on the workspace to collect file-based text logs. | Configure ingestion-time transformation in the workspace DCR to filter or transform incoming data. You must first migrate the custom table to the new logs ingestion API. |

+| Data Collector API | Custom tables | Use the [Data Collector API](logs/data-collector-api.md) to send data to custom tables in the workspace by using the REST API. | Configure ingestion-time transformation in the workspace DCR to filter or transform incoming data. You must first migrate the custom table to the new Logs ingestion API. |

+| Logs ingestion API | Custom tables<br>Azure tables | Use the [Logs ingestion API](logs/logs-ingestion-api-overview.md) to send data to the workspace using REST API. | Configure ingestion-time transformation in the DCR for the custom log. |

+| Other data sources | Azure tables | Includes resource logs from diagnostic settings and other Azure Monitor features such as Application insights, Container insights, and VM insights. | Configure ingestion-time transformation in the workspace DCR to filter or transform incoming data. |

+After you've configured your environment and data collection for cost optimization, you need to continue to monitor it to ensure that you don't experience unexpected increases in billable usage. You should also analyze your usage regularly to determine if you have other opportunities to reduce your usage. For example, you might want to further filter out collected data that hasn't proven to be useful.

+A [daily cap](logs/daily-cap.md) disables data collection in a Log Analytics workspace for the rest of the day after your configured limit is reached. A daily cap shouldn't be used as a method to reduce costs but as a preventative measure to ensure that you don't exceed a particular budget. Daily caps are typically used by organizations that are particularly cost conscious.

+When data collection stops, you effectively have no monitoring of features and resources relying on that workspace. Instead of relying on the daily cap alone, you can configure an alert rule to notify you when data collection reaches some level before the daily cap. Notification allows you to address any increases before data collection shuts down, or even to temporarily disable collection for less critical resources.

+See [Set daily cap on Log Analytics workspace](logs/daily-cap.md) for information on how the daily cap works and how to configure one.

+To avoid unexpected bills, you should be proactively notified anytime you experience excessive usage. Notification allows you to address any potential anomalies before the end of your billing period.

+The following example is a [log alert rule](alerts/alerts-unified-log.md) that sends an alert if the billable data volume ingested in the last 24 hours was greater than 50 GB. Modify the **Alert Logic** setting to use a different threshold based on expected usage in your environment. You can also increase the frequency to check usage multiple times every day, but this option will result in a higher charge for the alert rule.

+| Alert rule name | Billable data volume greater than 50 GB in 24 hours. |

+See [Analyze usage in Log Analytics workspace](logs/analyze-usage.md) for information on using log queries like the one used here to analyze billable usage in your workspace.

+When you detect an increase in data collection, you need methods to analyze your collected data to identify the source of the increase. You should also periodically analyze data collection to determine if there's additional configuration that can decrease your usage further. This practice is particularly important when you add a new set of data sources, such as a new set of virtual machines or onboard a new service.

+See [Analyze usage in Log Analytics workspace](logs/analyze-usage.md) for different methods to analyze your collected data and billable usage. This article includes various log queries that will help you identify the source of any data increases and to understand your basic usage patterns.

+- See [Azure Monitor Logs pricing details](logs/cost-logs.md) for information on how charges are calculated for data in a Log Analytics workspace and different configuration options to reduce your charges.

+- See [Analyze usage in Log Analytics workspace](logs/analyze-usage.md) for information on analyzing the data in your workspace to determine the source of any higher-than-expected usage and opportunities to reduce your amount of data collected.

+- See [Set daily cap on Log Analytics workspace](logs/daily-cap.md) to control your costs by setting a daily limit on the amount of data that can be ingested in a workspace.

+ Title: 'Azure Monitor best practices: Configure data collection'

+# Azure Monitor best practices: Configure data collection

+> The features of Azure Monitor and their configuration will vary depending on your business requirements balanced with the cost of the enabled features. Each of the following steps identifies whether there's potential cost, and you should assess these costs before proceeding. See [Azure Monitor pricing](https://azure.microsoft.com/pricing/details/monitor/) for complete pricing details.

+You require at least one Log Analytics workspace to enable [Azure Monitor Logs](logs/data-platform-logs.md), which is required for:

+- Collecting data such as logs from Azure resources.

+- Collecting data from the guest operating system of Azure Virtual Machines.

+- Enabling most Azure Monitor insights.

+Other services such as Microsoft Sentinel and Microsoft Defender for Cloud also use a Log Analytics workspace and can share the same one that you use for Azure Monitor.

+There's no cost for creating a Log Analytics workspace, but there's a potential charge after you configure data to be collected into it. See [Azure Monitor Logs pricing details](logs/cost-logs.md) for information on how log data is charged.

+See [Create a Log Analytics workspace in the Azure portal](logs/quick-create-workspace.md) to create an initial Log Analytics workspace, and see [Manage access to Log Analytics workspaces](logs/manage-access.md) to configure access. You can use scalable methods such as Resource Manager templates to configure workspaces, although this step is often not required because most environments will require a minimal number.

+Start with a single workspace to support initial monitoring. See [Design a Log Analytics workspace configuration](logs/workspace-design.md) for guidance on when to use multiple workspaces and how to locate and configure them.

+Some monitoring of Azure resources is available automatically with no configuration required. To collect more monitoring data, you must perform configuration steps.

+The following table shows the configuration steps required to collect all available data from your Azure resources. It also shows at which step data is sent to Azure Monitor Metrics and Azure Monitor Logs. The following sections describe each step in further detail.

+[](media/best-practices-data-collection/best-practices-azure-resources.png#lightbox)

+### Collect tenant and subscription logs

+The [Azure Active Directory (Azure AD) logs](../active-directory/reports-monitoring/overview-reports.md) for your tenant and the [activity log](essentials/platform-logs-overview.md) for your subscription are collected automatically. When you send them to a Log Analytics workspace, you can analyze these events with other log data by using log queries in Log Analytics. You can also create log query alerts, which are the only way to alert on Azure AD logs and provide more complex logic than activity log alerts.

+There's no cost for sending the activity log to a workspace, but there's a data ingestion and retention charge for Azure AD logs.

+See [Integrate Azure AD logs with Azure Monitor logs](../active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md) and [Create diagnostic settings to send platform logs and metrics to different destinations](essentials/diagnostic-settings.md) to create a diagnostic setting for your tenant and subscription to send log entries to your Log Analytics workspace.

+Resources in Azure automatically generate [resource logs](essentials/platform-logs-overview.md) that provide details of operations performed within the resource. Unlike platform metrics, you need to configure resource logs to be collected. Create a diagnostic setting to send them to a Log Analytics workspace and combine them with the other data used with Azure Monitor Logs. The same diagnostic setting also can be used to send the platform metrics for most resources to the same workspace. This way, you can analyze metric data by using log queries with other collected data.

+There's a cost for collecting resource logs in your Log Analytics workspace, so only select those log categories with valuable data. Collecting all categories will incur cost for collecting data with little value. See the monitoring documentation for each Azure service for a description of categories and recommendations for which to collect. Also see [Azure Monitor best practices - cost management](logs/cost-logs.md) for recommendations on optimizing the cost of your log collection.

+See [Create diagnostic settings to collect resource logs and metrics in Azure](essentials/diagnostic-settings.md#create-diagnostic-settings) to create a diagnostic setting for an Azure resource.

+Because a diagnostic setting needs to be created for each Azure resource, use Azure Policy to automatically create a diagnostic setting as each resource is created. Each Azure resource type has a unique set of categories that need to be listed in the diagnostic setting. Because of this, each resource type requires a separate policy definition. Some resource types have built-in policy definitions that you can assign without modification. For other resource types, you need to create a custom definition.

+Insights provide a specialized monitoring experience for a particular service. They use the same data already being collected such as platform metrics and resource logs, but they provide custom workbooks that assist you in identifying and analyzing the most critical data. Most insights will be available in the Azure portal with no configuration required, other than collecting resource logs for that service. See the monitoring documentation for each Azure service to determine whether it has an insight and if it requires configuration.

+There's no cost for insights, but you might be charged for any data they collect.

+> The following insights are much more complex than others and have more guidance for their configuration:

+>

+Virtual machines generate similar data as other Azure resources, but they require a containerized version of the Log Analytics agent to collect required data. Container insights help you prepare your containerized environment for monitoring. It works in conjunction with third-party tools to provide comprehensive monitoring of Azure Kubernetes Service (AKS) and the workflows it supports. See [Monitoring Azure Kubernetes Service with Azure Monitor](../aks/monitor-aks.md?toc=/azure/azure-monitor/toc.json) for a dedicated scenario on monitoring AKS with Azure Monitor.

+Azure Monitor monitors your custom applications by using [Application Insights](app/app-insights-overview.md), which you must configure for each application you want to monitor. The configuration process varies depending on the type of application being monitored and the type of monitoring that you want to perform. Data collected by Application Insights is stored in Azure Monitor Metrics, Azure Monitor Logs, and Azure Blob Storage, depending on the feature. Performance data is stored in both Azure Monitor Metrics and Azure Monitor Logs with no more configuration required.

+You must create a resource in Application Insights for each application that you're going to monitor. Log data collected by Application Insights is stored in Azure Monitor Logs for a workspace-based application. Log data for classic applications is stored separately from your Log Analytics workspace as described in [Data structure](logs/log-analytics-workspace-overview.md#data-structure).

+ When you create the application, you must select whether to use classic or workspace based. See [Create an Application Insights resource](app/create-new-resource.md) to create a classic application.

+ A fundamental design decision is whether to use separate or a single application resource for multiple applications. Separate resources can save costs and prevent mixing data from different applications, but a single resource can simplify your monitoring by keeping all relevant telemetry together. See [How many Application Insights resources should I deploy](app/separate-resources.md) for criteria to help you make this design decision.

+To enable monitoring for an application, you must decide whether you'll use codeless or code-based monitoring. The configuration process varies depending on this decision and the type of application you're going to monitor.

+**Codeless monitoring** is easiest to implement and can be configured after your code development. It doesn't require any updates to your code. For information on how to enable monitoring based on your application, see:

+- [ASP.NET applications hosted in IIS on Azure Virtual Machines or Azure Virtual Machine Scale Sets](app/azure-vm-vmss-apps.md)

+**Code-based monitoring** is more customizable and collects more telemetry, but it requires adding a dependency to your code on the Application Insights SDK NuGet packages. For information on how to enable monitoring based on your application, see:

+- [ASP.NET applications](app/asp-net.md)

+- [ASP.NET Core applications](app/asp-net-core.md)

+- [.NET console applications](app/console.md)

+Availability tests in Application Insights are recurring tests that monitor the availability and responsiveness of your application at regular intervals from points around the world. You can create a simple ping test for free. You can also create a sequence of web requests to simulate user transactions, which have associated costs.

+See [Monitor the availability of any website](app/monitor-web-app-availability.md) for a summary of the different kinds of tests and information on creating them.

+Profiler in Application Insights provides performance traces for .NET applications. It helps you identify the "hot" code path that takes the longest time when it's handling a particular web request. The process for configuring the profiler varies depending on the type of application.

+See [Profile production applications in Azure with Application Insights](app/profiler-overview.md) for information on configuring Profiler.

+Snapshot Debugger in Application Insights monitors exception telemetry from your .NET application. It collects snapshots on your top-throwing exceptions so that you have the information you need to diagnose issues in production. The process for configuring Snapshot Debugger varies depending on the type of application.

+See [Debug snapshots on exceptions in .NET apps](app/snapshot-debugger.md) for information on configuring Snapshot Debugger.

+With data collection configured for all your Azure resources, see [Analyze and visualize data](best-practices-analysis.md) to see options for analyzing this data.

+In this guide, you'll learn the two ways to enable Change Analysis for Azure Functions and web app in-guest changes:

+- For one or a few Azure Functions or web apps, enable Change Analysis via the UI.

+> Slot-level enablement for Azure Functions or web app is not supported at the moment.

+## Enable Azure Functions and web app in-guest change collection via the Change Analysis portal

+description: Describes specific steps for using Azure Monitor to enable continuous monitoring throughout your workflows.

+Continuous monitoring refers to the process and technology required to incorporate monitoring across each phase of your DevOps and IT operations lifecycles. It helps to continuously ensure the health, performance, and reliability of your application and infrastructure as it moves from development to production. Continuous monitoring builds on the concepts of continuous integration and continuous deployment (CI/CD). CI/CD helps you develop and deliver software faster and more reliably to provide continuous value to your users.

+[Azure Monitor](overview.md) is the unified monitoring solution in Azure that provides full-stack observability across applications and infrastructure in the cloud and on-premises. It works seamlessly with [Visual Studio and Visual Studio Code](https://visualstudio.microsoft.com/) during development and test. It integrates with [Azure DevOps](/azure/devops/user-guide/index) for release management and work item management during deployment and operations. It even integrates across the IT system management (ITSM) and SIEM tools of your choice to help track issues and incidents within your existing IT processes.

+This article describes specific steps for using Azure Monitor to enable continuous monitoring throughout your workflows. Links to other documentation provide information on implementing different features.

+To gain observability across your entire environment, you need to enable monitoring on all your web applications and services. This way, you can easily visualize end-to-end transactions and connections across all the components. For example:

+- [Azure DevOps projects](../devops-project/overview.md) give you a simplified experience with your existing code and Git repository. You can also choose from one of the sample applications to create a CI/CD pipeline to Azure.

+- [Continuous monitoring in your DevOps release pipeline](./app/continuous-monitoring.md) allows you to gate or roll back your deployment based on monitoring data.

+- [Status Monitor](./app/status-monitor-v2-overview.md) allows you to instrument a live .NET app on Windows with Application Insights, without having to modify or redeploy your code.

+- If you have access to the code for your application, enable full monitoring with [Application Insights](./app/app-insights-overview.md) by installing the Azure Monitor Application Insights SDK for [.NET](./app/asp-net.md), [.NET Core](./app/asp-net-core.md), [Java](./app/java-in-process-agent.md), [Node.js](./app/nodejs-quick-start.md), or [any other programming languages](./app/platforms.md). Full monitoring allows you to specify custom events, metrics, or page views that are relevant to your application and your business.

+Applications are only as reliable as their underlying infrastructure. Having monitoring enabled across your entire infrastructure will help you achieve full observability and make it easier to discover a potential root cause when something fails. Azure Monitor helps you track the health and performance of your entire hybrid infrastructure including resources such as VMs, containers, storage, and network. For example, you can:

+- Get [platform metrics, activity logs, and diagnostics logs](data-sources.md) automatically from most of your Azure resources with no configuration.

+- Enable deeper monitoring for Azure Kubernetes Service (AKS) clusters with [Container insights](containers/container-insights-overview.md).

+[Infrastructure as code](/azure/devops/learn/what-is-infrastructure-as-code) is the management of infrastructure in a descriptive model, using the same versioning that DevOps teams use for source code. It adds reliability and scalability to your environment and allows you to use similar processes that are used to manage your applications. For example, you can:

+- Use [Azure Resource Manager templates](./logs/resource-manager-workspace.md) to enable monitoring and configure alerts over a large set of resources.

+- Use [Azure Policy](../governance/policy/overview.md) to enforce different rules over your resources. Azure Policy ensures that those resources stay compliant with your corporate standards and service level agreements.

+## Combine resources in Azure resource groups

+A typical application on Azure today includes multiple resources such as VMs and app services or microservices hosted on Azure Cloud Services, AKS clusters, or Azure Service Fabric. These applications frequently use dependencies like Azure Event Hubs, Azure Storage, Azure SQL, and Azure Service Bus. For example, you can:

+- Combine resources in Azure resource groups to get full visibility across all your resources that make up your different applications. [Resource group insights](./insights/resource-group-insights.md) provides a simple way to keep track of the health and performance of your entire full-stack application and enables drilling down into respective components for any investigations or debugging.

+## Ensure quality through continuous deployment

+CI/CD allows you to automatically integrate and deploy code changes to your application based on the results of automated testing. It streamlines the deployment process and ensures the quality of any changes before they move into production. For example, you can:

+- Use [Azure Pipelines](/azure/devops/pipelines) to implement continuous deployment and automate your entire process from code commit to production based on your CI/CD tests.

+- Use [quality gates](/azure/devops/pipelines/release/approvals/gates) to integrate monitoring into your pre-deployment or post-deployment. Quality gates ensure that you're meeting the key health and performance metrics, also known as KPIs, as your applications move from development to production. They also ensure that any differences in the infrastructure environment or scale aren't negatively affecting your KPIs.

+- [Maintain separate monitoring instances](./app/separate-resources.md) between your different deployment environments, such as Dev, Test, Canary, and Prod. Separate monitoring instances ensure that collected data is relevant across the associated applications and infrastructure. If you need to correlate data across environments, you can use [multi-resource charts in metrics explorer](./essentials/metrics-charts.md) or create [cross-resource queries in Azure Monitor](logs/cross-workspace-query.md).

+A critical aspect of monitoring is proactively notifying administrators of any current and predicted issues. For example, you can:

+- Create [alerts in Azure Monitor](./alerts/alerts-overview.md) based on logs and metrics to identify predictable failure states. You should have a goal of making all alerts actionable, which means that they represent actual critical conditions and seek to reduce false positives. Use [dynamic thresholds](alerts/alerts-dynamic-thresholds.md) to automatically calculate baselines on metric data rather than defining your own static thresholds.

+- Define actions for alerts to use the most effective means of notifying your administrators. Available [actions for notification](alerts/action-groups.md#create-an-action-group-by-using-the-azure-portal) are SMS, emails, push notifications, or voice calls.

+- Remediate situations identified in alerts as well with [Azure Automation runbooks](../automation/automation-webhooks.md) or [Azure Logic Apps](/connectors/custom-connectors/create-webhook-trigger) that can be launched from an alert by using webhooks.

+Ensuring that your development and operations have access to the same telemetry and tools allows them to view patterns across your entire environment and minimize your mean time to detect and mean time to restore. For example, you can:

+- Prepare [workbooks](./visualize/workbooks-overview.md) to ensure knowledge sharing between development and operations. Workbooks could be prepared as dynamic reports with metric charts and log queries. They can also be troubleshooting guides prepared by developers to help customer support or operations handle basic problems.

+ Monitoring is one of the fundamental aspects of the popular Build-Measure-Learn philosophy, which recommends continuously tracking your KPIs and user behavior metrics and then striving to optimize them through planning iterations. Azure Monitor helps you collect metrics and logs relevant to your business and add new data points in the next deployment as required. For example, you can:

+- Use tools in Application Insights to [track user behavior and engagement](./app/tutorial-users.md).

+- Use [Impact analysis](./app/usage-impact.md) to help you prioritize which areas to focus on to drive to important KPIs.

+[Azure Monitor](overview.md) collects and aggregates data from various sources into a common data platform where it can be used for analysis, visualization, and alerting. It provides a consistent experience on top of data from multiple sources, which gives you deep insights across all your monitored resources and even with data from other services that store their data in Azure Monitor.

+Metrics, logs, distributed traces, and changes are commonly referred to as the pillars of observability. These are the different kinds of data that a monitoring tool must collect and analyze to provide sufficient observability of a monitored system. Observability can be achieved by correlating data from multiple pillars and aggregating data across the entire set of resources being monitored. Because Azure Monitor stores data from multiple sources together, the data can be correlated and analyzed using a common set of tools. It also correlates data across multiple Azure subscriptions and tenants, in addition to hosting data for other services.

+You can work with [log queries](logs/log-query-overview.md) interactively with [Log Analytics](logs/log-query-overview.md) in the Azure portal or add the results to an [Azure dashboard](app/tutorial-app-dashboards.md) for visualization in combination with other data. You can also create [log alerts](alerts/alerts-log.md) which will trigger an alert based on the results of a schedule query.

+## Changes

+Change Analysis alerts you to live site issues, outages, component failures, or other change data. It also provides insights into those application changes, increases observability, and reduces the mean time to repair. You automatically register the `Microsoft.ChangeAnalysis` resource provider with an Azure Resource Manager subscription by going to Change Analysis via the Azure portal. For web app in-guest changes, you can enable the [Change Analysis tool via the Change Analysis portal](./change/change-analysis-enable.md#enable-azure-functions-and-web-app-in-guest-change-collection-via-the-change-analysis-portal).

+Change Analysis builds on [Azure Resource Graph](../governance/resource-graph/overview.md) to provide a historical record of how your Azure resources have changed over time. It detects managed identities, platform operating system upgrades, and hostname changes. Change Analysis securely queries IP configuration rules, TLS settings, and extension versions to provide more detailed change data.

+Read more about Change Analysis at [Use Change Analysis in Azure Monitor](./change/change-analysis.md). [Try Change Analysis for observability into your Azure subscriptions](https://aka.ms/cahome).

+Change Analysis alerts you to live site issues, outages, component failures, or other change data. It also provides insights into those application changes, increases observability, and reduces the mean time to repair. You automatically register the `Microsoft.ChangeAnalysis` resource provider with an Azure Resource Manager subscription by going to Change Analysis via the Azure portal. For web app in-guest changes, you can enable Change Analysis by using the [Diagnose and solve problems tool](./change/change-analysis-enable.md#enable-azure-functions-and-web-app-in-guest-change-collection-via-the-change-analysis-portal).

+You can deploy and configure Azure Monitor at scale by using [Azure Resource Manager templates](../azure-resource-manager/templates/syntax.md). This article lists sample templates for Azure Monitor features. You can modify these samples for your particular requirements and deploy them by using any standard method for deploying Resource Manager templates.

+## Deploy the sample templates

+The basic steps to use one of the template samples are:

+1. Modify the parameters for your environment and save the JSON file.

+1. Deploy the template by using [any deployment method for Resource Manager templates](../azure-resource-manager/templates/deploy-powershell.md).

+Learn more about [Resource Manager templates](../azure-resource-manager/templates/overview.md).

+* For large volumes (greater than 10 TB), it can take multiple hours to transfer all the data from the backup media.

+2. From the backup list, select the backup to restore. Select the three dots (`…`) to the right of the backup, then select **Restore to new volume** from the Action menu.

+3. In the Create a Volume page that appears, provide information for the fields in the page as applicable, and select **Review + Create** to begin restoring the backup to a new volume.

+* [Azure NetApp Files datastores for Azure VMware Solution](../azure-vmware/attach-azure-netapp-files-to-azure-vmware-solution-hosts.md) is now in public preview. You can back up Azure NetApp Files datastores and VMs using Cloud Backup. This virtual appliance installs in the Azure VMware Solution cluster and provides policy based automated backup of VMs integrated with Azure NetApp Files snapshot technology for fast backups and restores of VMs, groups of VMs (organized in resource groups) or complete datastores.

+ permissions:

+ id-token: write

+ contents: read

+description: Describes the Microsoft.Solutions.ArmApiControl UI element for Azure portal that's used to call API operations.

+The `ArmApiControl` gets results from an Azure Resource Manager API operation using GET or POST. You can use the results to populate dynamic content in other controls.

+There's no UI for `ArmApiControl`.

+The following example shows the control's schema.

+ "name": "testApi",

+ "type": "Microsoft.Solutions.ArmApiControl",

+ "request": {

+ "method": "{HTTP-method}",

+ "path": "{path-for-the-URL}",

+ "body": {

+ "key1": "value1",

+ "key2": "value2"

+ }

+The control's output isn't displayed to the user. Instead, the operation's results are used in other controls.

+- The `request.method` property specifies the HTTP method. Only GET or POST are allowed.

+- The `request.path` property specifies a URL that must be a relative path to an Azure Resource Manager endpoint. It can be a static path or can be constructed dynamically by referring output values of the other controls.

+ For example, an Azure Resource Manager call into the `Microsoft.Network/expressRouteCircuits` resource provider.

+ "path": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/expressRouteCircuits/{circuitName}?api-version=2022-01-01"

+In the following example, the `providersApi` element uses the `ArmApiControl` and calls an API to get an array of provider objects.

+The `providersDropDown` element's `allowedValues` property is configured to use the array and get the provider names. The provider names are displayed in the dropdown list.

+The `output` property `providerName` shows the provider name that was selected from the dropdown list. The output can be used to pass the value to a parameter in an Azure Resource Manager template.

+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",

+ "handler": "Microsoft.Azure.CreateUIDef",

+ "version": "0.1.2-preview",

+ "parameters": {

+ "basics": [

+ {

+ "name": "providersApi",

+ "type": "Microsoft.Solutions.ArmApiControl",

+ "request": {

+ "method": "GET",

+ "path": "[concat(subscription().id, '/providers/Microsoft.Network/expressRouteServiceProviders?api-version=2022-01-01')]"

+ }

+ },

+ {

+ "name": "providerDropDown",

+ "type": "Microsoft.Common.DropDown",

+ "label": "Provider",

+ "toolTip": "The provider that offers the express route connection.",

+ "constraints": {

+ "allowedValues": "[map(basics('providersApi').value, (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",

+ "required": true

+ },

+ "visible": true

+ }

+ ],

+ "steps": [],

+ "outputs": {

+ "providerName": "[basics('providerDropDown')]"

+ }

+For an example of the `ArmApiControl` that uses the `request.body` property, see the [Microsoft.Common.TextBox](microsoft-common-textbox.md#single-line) single-line example. That example checks the availability of a storage account name and returns a message if the name is unavailable.

+- For an introduction to creating UI definitions, see [CreateUiDefinition.json for Azure managed application's create experience](create-uidefinition-overview.md).

+- To learn more about functions like `map`, `basics`, and `parse`, see [CreateUiDefinition functions](create-uidefinition-functions.md).

+> | privateEndpoints | resource group | 2-64 | Alphanumerics, underscores, periods, and hyphens.<br><br>Start with alphanumeric. End alphanumeric or underscore. |

+# Quickstart: Create and deploy ARM templates by using the Azure portal

+In this quickstart, you learn how to create an Azure Resource Manager template (ARM template) in the Azure portal. You edit and deploy the template from the portal.

+## Retrieve a custom template

+Rather than manually building an entire ARM template, let's start by retrieving a pre-built template that accomplishes our goal. The [Azure Quickstart Templates repo](https://github.com/Azure/azure-quickstart-templates) repo contains a large collection of templates that deploy common scenarios. The portal makes it easy for you find and use templates from this repo. You can save the template and reuse it later.

+1. From the Azure portal search bar, search for **deploy a custom template** and then select it from the available options.

+ :::image type="content" source="./media/quickstart-create-templates-use-the-portal/search-custom-template.png" alt-text="Screenshot of Search for Custom Template.":::

+1. For **Template** source, notice that **Quickstart template** is selected by default. You can keep this selection. In the drop-down, search for *quickstarts/microsoft.storage/storage-account-create* and select it. After finding the quickstart template, select **Select template.**

+ :::image type="content" source="./media/quickstart-create-templates-use-the-portal/select-custom-template.png" alt-text="Screenshot of Select Quickstart Template.":::

+1. In the next blade, you provide custom values to use for the deployment.

+ For **Resource group**, select **Create new** and provide *myResourceGroup* for the name. You can use the default values for the other fields. When you've finished providing values, select **Review + create**.

+ :::image type="content" source="./media/quickstart-create-templates-use-the-portal/input-fields-template.png" alt-text="Screenshot for Input Fields for Template.":::

+

+1. The portal validates your template and the values you provided. After validation succeeds, select **Create** to start the deployment.

+

+ :::image type="content" source="./media/quickstart-create-templates-use-the-portal/template-validation.png" alt-text="Screenshot for Validation and create.":::

+1. Once your validation has passed, you'll see the status of the deployment. When it completes successfully, select **Go to resource** to see the storage account.

+ :::image type="content" source="./media/quickstart-create-templates-use-the-portal/deploy-success.png" alt-text="Screenshot for Deployment Succeeded Notification.":::

+1. From this screen, you can view the new storage account and its properties.

+ :::image type="content" source="./media/quickstart-create-templates-use-the-portal/view-storage-account.png" alt-text="Screenshot for View Deployment Page.":::

+## Edit and deploy the template

+You can use the portal for quickly developing and deploying ARM templates. In general, we recommend using Visual Studio Code for developing your ARM templates, and Azure CLI or Azure PowerShell for deploying the template, but you can use the portal for quick deployments without installing those tools.

+In this section, let's suppose you have an ARM template that you want to deploy one time with setting up the other tools.

+1. Again, select **Deploy a custom template** in the portal.

+1. This time, select **Build your own template in the editor**.

+ :::image type="content" source="./media/quickstart-create-templates-use-the-portal/build-own-template.png" alt-text="Screenshot for Build your own template.":::

+1. You see a blank template.

+ :::image type="content" source="./media/quickstart-create-templates-use-the-portal/blank-template.png" alt-text="Screenshot for Blank Template.":::

+1. Replace the blank template with the following template. It deploys a virtual network with a subnet.

+ ```json

+ {

+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "vnetName": {

+ "type": "string",

+ "defaultValue": "VNet1",

+ "metadata": {

+ "description": "VNet name"

+ }

+ },

+ "vnetAddressPrefix": {

+ "type": "string",

+ "defaultValue": "10.0.0.0/16",

+ "metadata": {

+ "description": "Address prefix"

+ }

+ },

+ "subnetPrefix": {

+ "type": "string",

+ "defaultValue": "10.0.0.0/24",

+ "metadata": {

+ "description": "Subnet Prefix"

+ }

+ },

+ "subnetName": {

+ "type": "string",

+ "defaultValue": "Subnet1",

+ "metadata": {

+ "description": "Subnet Name"

+ }

+ },

+ "location": {

+ "type": "string",

+ "defaultValue": "[resourceGroup().location]",

+ "metadata": {

+ "description": "Location for all resources."

+ }

+ }

+ },

+ "resources": [

+ {

+ "type": "Microsoft.Network/virtualNetworks",

+ "apiVersion": "2021-08-01",

+ "name": "[parameters('vnetName')]",

+ "location": "[parameters('location')]",

+ "properties": {

+ "addressSpace": {

+ "addressPrefixes": [

+ "[parameters('vnetAddressPrefix')]"

+ ]

+ },

+ "subnets": [

+ {

+ "name": "[parameters('subnetName')]",

+ "properties": {

+ "addressPrefix": "[parameters('subnetPrefix')]"

+ }

+ }

+ ]

+ }

+ }

+ ]

+ }

+ ```

+1. Select **Save**.

+1. You see the blade for providing deployment values. Again, select **myResourceGroup** for the resource group. You can use the other default values. When you're done providing values, select **Review + create**

+1. After the portal validates the template, select **Create**.

+1. When the deployment completes, you see the status of the deployment. This time select the name of the resource group.

+ :::image type="content" source="./media/quickstart-create-templates-use-the-portal/view-second-deployment.png" alt-text="Screenshot for View second deployment.":::

+1. Notice that your resource group now contains a storage account and a virtual network.

+

+ :::image type="content" source="./media/quickstart-create-templates-use-the-portal/view-resource-group.png" alt-text="Screenshot for View Storage Account and Virtual Network.":::

+## Export a custom template

+Sometimes the easiest way to work with an ARM template is to have the portal generate it for you. The portal can create an ARM template based on the current state of your resource group.

+1. In your resource group, select **Export template**.

+

+ :::image type="content" source="./media/quickstart-create-templates-use-the-portal/export-template.png" alt-text="Screenshot for Export Template.":::

+1. The portal generates a template for you based on the current state of the resource group. Notice that this template isn't the same as either template you deployed earlier. It contains definitions for both the storage account and virtual network, along with other resources like a blob service that was automatically created for your storage account.

+1. To save this template for later use, select **Download**.

+ :::image type="content" source="./media/quickstart-create-templates-use-the-portal/download-template.png" alt-text="Screenshot for Download exported template.":::

+You now have an ARM template that represents the current state of the resource group. This template is auto-generated. Before using the template for production deployments, you may want to revise it, such as adding parameters for template reuse.

+1. In the Azure portal, select **Resource groups** on the left menu.

+1. Enter the resource group name in the **Filter for any field** search box.

+In this tutorial, you learned how to generate a template from the Azure portal, and how to deploy the template using the portal. The template used in this Quickstart is a simple template with one Azure resource. When the template is complex, it's easier to use Visual Studio Code, or Visual Studio to develop the template. To learn more about template development, see our new beginner tutorial series:

+# Quickstart: Create ARM templates with Visual Studio Code

+The Azure Resource Manager Tools for Visual Studio Code provide language support, resource snippets, and resource autocompletion. These tools help create and validate Azure Resource Manager templates (ARM templates), and are therefore the recommended method of ARM template creation and configuration. In this quickstart, you use the extension to create an ARM template from scratch. While doing so you experience the extensions capabilities such as ARM template snippets, validation, completions, and parameter file support.

+3. Replace your sensitive text with the below syntax in the Upstream URL Pattern:

+ ```

+ {@Microsoft.KeyVault(SecretUri=<secret-identity>)}

+ ```

+ `<secret-identity>` is the full data-plane URI of a secret in Key Vault, optionally including a version, e.g., https://myvault.vault.azure.net/secrets/mysecret/ or https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931

+

+ For example, a complete reference would look like the following:

+ ```

+ @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/)

+ ```

+> The service rereads the secret content every 30 minutes or whenever the upstream settings or managed identity changes. Try updating the Upstream settings if you'd like an immediate update when the Key Vault content is changed.

+* Download or clone the [AzureSignalR-sample](https://github.com/aspnet/AzureSignalR-samples) GitHub repository.

+In this section, you use the [.NET Core command-line interface (CLI)](/dotnet/core/tools/) to create an ASP.NET Core MVC web app project. The advantage of using the .NET Core CLI over Visual Studio is that it's available across the Windows, macOS, and Linux platforms.

+1. Run the following command to restore packages for your project:

+1. Prepare the Secret Manager for use with this project.

+ ````dotnetcli

+ dotnet user-secrets init

+ ````

+1. Add a secret named *Azure:SignalR:ConnectionString* to Secret Manager.

+1. Open *Startup.cs* and update the `ConfigureServices` method to use Azure SignalR Service by calling the `AddSignalR()` and `AddAzureSignalR()` methods:

+1. In *Startup.cs*, update the `Configure` method by replacing it with the following code.

+ Title: Configure replication to Azure SQL Edge

+ Title: Create a T-SQL streaming job in Azure SQL Edge

+description: Learn about creating Stream Analytics jobs in Azure SQL Edge.

+keywords:

+ - SQL Edge

+ - data retention

+keywords:

+ - SQL Edge

+ - data retention

+keywords:

+ - SQL Edge

+ - data retention

+keywords:

+ - Date_Bucket

+ - SQL Edge

+keywords:

+ - SQL Edge

+ - sqlpackage

+keywords:

+ - SQL Edge

+ - container

+ - kubernetes

+ms.technology: machine-learning

+keywords: deploy SQL Edge

+keywords: deploy SQL Edge

+keywords:

+ - SQL Edge

+ - container

+ - docker

+description: Learn about the DROP EXTERNAL STREAM statement in Azure SQL Edge

+ Title: Supported features of Azure SQL Edge

+keywords:

+ - introduction to SQL Edge

+ - what is SQL Edge

+ - SQL Edge overview

+keywords:

+ - SQL Edge

+ - containers

+ - high availability

+keywords:

+ - SQL Edge

+ - timeseries

+keywords: deploy SQL Edge

+ Title: What is Azure SQL Edge?

+keywords:

+ - introduction to SQL Edge

+ - what is SQL Edge

+ - SQL Edge overview

+keywords:

+ - SQL Edge

+ - data retention

+ Title: Release notes for Azure SQL Edge

+description: Release notes detailing what's new or what has changed in the Azure SQL Edge images.

+keywords: release notes SQL Edge

+description: Providing details about external partners who are working with Azure SQL Edge

+keywords: security partners Azure SQL Edge

+ Title: Secure Azure SQL Edge

+keywords:

+ - SQL Edge

+ - security

+keywords:

+ - sys.external_streams

+ - SQL Edge

+keywords:

+ - sys.external_job_streams

+ - SQL Edge

+keywords:

+ - sys.external_streaming_jobs

+ - SQL Edge

+keywords:

+ - sys.external_streams

+ - SQL Edge

+keywords:

+ - sys.sp_cleanup_data_retention (Transact-SQL)

+ - SQL Edge

+keywords:

+ - SQL Edge

+ - troubleshooting

+ - deployment errors

+ Title: Deploy ML model on Azure SQL Edge using ONNX

+keywords:

+ - SQL Edge

+ - sync data from SQL Edge

+ - SQL Edge data factory

+keywords:

+ - SQL Edge

+ - sync data from SQL Edge

+ - SQL Edge data sync

+* Only paid accounts (ARM or classic) are available on Azure Government.

+* No manual content moderation available in Government cloud.

+- The SAP Bill of Materials (BOM), as generated by ACSS. These YAML files list all required SAP packages for the SAP software installation. There's a main BOM (`S41909SPS03_v0011ms.yaml`, `S42020SPS03_v0003ms.yaml`, `S4HANA_2021_ISS_v0001ms.yaml`) and there are dependent BOMs (`HANA_2_00_059_v0003ms.yaml`, `HANA_2_00_064_v0001ms.yaml` `SUM20SP14_latest.yaml`, `SWPM20SP12_latest.yaml`). They provide the following information:

+ 1. **HANA_2_00_064_v0001ms**

+ 1. **HANA_2_00_064_v0001ms**

+ 1. [HANA_2_00_064_v0001ms.yaml](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/HANA_2_00_064_v0001ms/HANA_2_00_064_v0001ms.yaml)

+ 1. [HANA_2_00_064_v0001ms.yaml](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/HANA_2_00_064_v0001ms/HANA_2_00_064_v0001ms.yaml)

+ 1. [S4HANA_2021_ISS_v0001ms-generic-inifile-param.j2](https://raw.githubusercontent.com/Azure/sap-automation/experimental/deploy/ansible/BOM-catalog/S4HANA_2021_ISS_v0001ms/templates/S4HANA_2021_ISS_v0001ms-generic-inifile-param.j2)

+ 1. [HANA_2_00_064_v0001ms.yaml](https://github.com/Azure/sap-automation/blob/experimental/deploy/ansible/BOM-catalog/HANA_2_00_064_v0001ms/HANA_2_00_064_v0001ms.yaml)

+ 1. [HANA_2_00_064_v0001ms.yaml](https://github.com/Azure/sap-automation/blob/experimental/deploy/ansible/BOM-catalog/HANA_2_00_064_v0001ms/HANA_2_00_064_v0001ms.yaml)

+1. When SAP changes the version of packages for a component in the BOM, you might encounter problems with the automated installation shell script. It's recommended to download your SAP installation media as soon as possible to avoid issues.

+### Special characters like $ in S-user password is not accepted while downloading the BOM.

+1. Follow the step by step instructions upto cloning the 'SAP Automation repository from GitHub' in **Download SAP media** section.

+1. Before running the Ansible playbook set the SPASS environment variable below. Single quotes should be present in the below command

+ ```bash

+ export SPASS='password_with_special_chars'

+ ```

+1. Then run the ansible playbook

+```azurecli

+ ansible-playbook ./sap-automation/deploy/ansible/playbook_bom_downloader.yaml -e "bom_base_name=S41909SPS03_v0011ms" -e "deployer_kv_name=dummy_value" -e "s_user=<username>" -e "s_password=$SPASS" -e "sapbits_access_key=<storageAccountAccessKey>" -e "sapbits_location_base_path=<containerBasePath>"

+ ```

+

+- For `<username>`, use your SAP username.

+- For `<bom_base_name>`, use the SAP Version you want to install i.e. **_S41909SPS03_v0011ms_** or **_S42020SPS03_v0003ms_** or **_S4HANA_2021_ISS_v0001ms_**

+- For `<storageAccountAccessKey>`, use your storage account's access key. You found this value in the [previous section](#download-supporting-software).

+- For `<containerBasePath>`, use the path to your `sapbits` container. You found this value in the [previous section](#download-supporting-software).

+ The format is `https://<your-storage-account>.blob.core.windows.net/sapbits`

+This should resolve the problem and you can proceed with next steps as described in the section.

+> * *Owner* and *Contributor* roles take priority over the custom LUIS roles.

+> * Azure Active Directory (Azure AAD) is only used with custom LUIS roles.

+> * If you are assigned as a *Contributor* on Azure, your role will be shown as *Owner* in LUIS portal.

+> [!NOTE]

+> * If you are assigned as an *Owner* and *LUIS Owner* you will be be shown as *LUIS Owner* in LUIS portal.

+ Title: Role-based access control for the Language service

+description: Learn how to use Azure RBAC for managing individual access to Azure resources.

+# Language role-based access control

+Azure Cognitive Service for Language supports Azure role-based access control (Azure RBAC), an authorization system for managing individual access to Azure resources. Using Azure RBAC, you assign different team members different levels of permissions for your projects authoring resources. See the [Azure RBAC documentation](/azure/role-based-access-control/) for more information.

+## Enable Azure Active Directory authentication

+To use Azure RBAC, you must enable Azure Active Directory authentication. You can [create a new resource with a custom subdomain](../../authentication.md#create-a-resource-with-a-custom-subdomain) or [create a custom subdomain for your existing resource](../../cognitive-services-custom-subdomains.md#how-does-this-impact-existing-resources).

+## Add role assignment to Language resource

+Azure RBAC can be assigned to a Language resource. To grant access to an Azure resource, you add a role assignment.

+1. In the [Azure portal](https://ms.portal.azure.com/), select **All services**.

+1. Select **Cognitive Services**, and navigate to your specific Language resource.

+ > [!NOTE]

+ > You can also set up Azure RBAC for whole resource groups, subscriptions, or management groups. Do this by selecting the desired scope level and then navigating to the desired item. For example, selecting **Resource groups** and then navigating to a specific resource group.

+1. Select **Access control (IAM)** on the left navigation pane.

+1. Select **Add**, then select **Add role assignment**.

+1. On the **Role** tab on the next screen, select a role you want to add.

+1. On the **Members** tab, select a user, group, service principal, or managed identity.

+1. On the **Review + assign** tab, select **Review + assign** to assign the role.

+Within a few minutes, the target will be assigned the selected role at the selected scope. For help with these steps, see [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal).

+## Language role types

+Use the following table to determine access needs for your Language projects.

+These custom roles only apply to Language resources.

+> [!NOTE]

+> * All prebuilt capabilities are accessible to all roles

+> * *Owner* and *Contributor* roles take priority over the custom language roles

+> * AAD is only used in case of custom Language roles

+> * If you are assigned as a *Contributor* on Azure, your role will be shown as *Owner* in Language studio portal.

+### Cognitive Services Language reader

+A user that should only be validating and reviewing the Language apps, typically a tester to ensure the application is performing well before deploying the project. They may want to review the applicationΓÇÖs assets to notify the app developers of any changes that need to be made, but do not have direct access to make them. Readers will have access to view the evaluation results.

+ :::column span="":::

+ **Capabilities**

+ :::column-end:::

+ :::column span="":::

+ **API Access**

+ :::column-end:::

+ :::column span="":::

+ * Read

+ * Test

+ :::column-end:::

+ :::column span="":::

+ All GET APIs under:

+ * [Language authoring conversational language understanding APIs](/rest/api/language/conversational-analysis-authoring)

+ * [Language authoring text analysis APIs](/rest/api/language/text-analysis-authoring)

+ * [Question answering projects](/rest/api/cognitiveservices/questionanswering/question-answering-projects)

+ Only `TriggerExportProjectJob` POST operation under:

+ * [Language authoring conversational language understanding export API](/rest/api/language/conversational-analysis-authoring/export?tabs=HTTP)

+ * [Language authoring text analysis export API](/rest/api/language/text-analysis-authoring/export?tabs=HTTP)

+ Only Export POST operation under:

+ * [Question Answering Projects](/rest/api/cognitiveservices/questionanswering/question-answering-projects/export)

+ All the Batch Testing Web APIs

+ *[Language Runtime CLU APIs](/rest/api/language/conversation-analysis-runtime)

+ *[Language Runtime Text Analysis APIs](/rest/api/language/text-analysis-runtime)

+ :::column-end:::

+### Cognitive Services Language writer

+A user that is responsible for building and modifying an application, as a collaborator in a larger team. The collaborator can modify the Language apps in any way, train those changes, and validate/test those changes in the portal. However, this user shouldnΓÇÖt have access to deploying this application to the runtime, as they may accidentally reflect their changes in production. They also shouldnΓÇÖt be able to delete the application or alter its prediction resources and endpoint settings (assigning or unassigning prediction resources, making the endpoint public). This restricts this role from altering an application currently being used in production. They may also create new applications under this resource, but with the restrictions mentioned.

+ :::column span="":::

+ **Capabilities**

+ :::column-end:::

+ :::column span="":::

+ **API Access**

+ :::column-end:::

+ :::column span="":::

+ * All functionalities under Cognitive Services Language Reader.

+ * Ability to:

+ * Train

+ * Write

+ :::column-end:::

+ :::column span="":::

+ * All APIs under Language reader

+ * All POST, PUT and PATCH APIs under:

+ * [Language conversational language understanding APIs](/rest/api/language/conversational-analysis-authoring)

+ * [Language text analysis APIs](/rest/api/language/text-analysis-authoring)

+ * [question answering projects](/rest/api/cognitiveservices/questionanswering/question-answering-projects)

+ Except for

+ * Delete deployment

+ * Delete trained model

+ * Delete Project

+ * Deploy Model

+ :::column-end:::

+### Cognitive Services Language owner

+> [!NOTE]

+> If you are assigned as an *Owner* and *Language Owner* you will be be shown as *Cognitive Services Language owner* in Language studio portal.

+These users are the gatekeepers for the Language applications in production environments. They should have full access to any of the underlying functions and thus can view everything in the application and have direct access to edit any changes for both authoring and runtime environments

+ :::column span="":::

+ **Functionality**

+ :::column-end:::

+ :::column span="":::

+ **API Access**

+ :::column-end:::

+ :::column span="":::

+ * All functionalities under Cognitive Services Language Writer

+ * Deploy

+ * Delete

+ :::column-end:::

+ :::column span="":::

+ All APIs available under:

+ * [Language authoring conversational language understanding APIs](/rest/api/language/conversational-analysis-authoring)

+ * [Language authoring text analysis APIs](/rest/api/language/text-analysis-authoring)

+ * [question answering projects](/rest/api/cognitiveservices/questionanswering/question-answering-projects)

+

+ :::column-end:::

+* **[Quickstarts](quickstart.md?pivots=rest-api&tabs=document-summarization)** are getting-started instructions to guide you through making requests to the service.

+* **[How-to guides](how-to/document-summarization.md)** contain instructions for using the service in more specific or customized ways.

+* **[Quickstarts](quickstart.md?pivots=rest-api&tabs=conversation-summarization)** are getting-started instructions to guide you through making requests to the service.

+* **[How-to guides](how-to/conversation-summarization.md)** contain instructions for using the service in more specific or customized ways.

+* When there are aspects of an ΓÇ£issueΓÇ¥ and ΓÇ£resolutionΓÇ¥, such as:

+ * The reason for a service chat/call (the issue).

+ * That resolution for the issue.

+|Development option |Description | Links |

+|Development option |Description | Links |

+## Responsible AI

+[Azure Spring Apps](../spring-apps/overview.md) is a platform as a service (PaaS) for Spring developers. If you want to run Spring Boot, Sprng Cloud or any other Spring applications on Azure, Azure Spring Apps is an ideal option. The service manages the infrastructure of Spring applications so developers can focus on their code. Azure Spring Apps provides lifecycle management using comprehensive monitoring and diagnostics, configuration management, service discovery, CI/CD integration, blue-green deployments, and more.

+> [Deploy your first container app](get-started.md)

+### Enable zone redundancy via the Azure portal

+ Title: Transactional batch operations in Azure Cosmos DB using the .NET or Java SDK

+description: Learn how to use TransactionalBatch in the Azure Cosmos DB .NET or Java SDK to perform a group of point operations that either succeed or fail.

+# Transactional batch operations in Azure Cosmos DB using the .NET or Java SDK

+- When you create an export using the [Exports API](/rest/api/cost-management/exports/create-or-update?tabs=HTTP), specify the `recurrencePeriod` in UTC time. The API doesnΓÇÖt convert your local time to UTC.

+ - Example - A weekly export is scheduled on Friday, August 19 with `recurrencePeriod` set to 2:00 PM. The API receives the input as 2:00 PM UTC, Friday, August 19. The weekly export will be scheduled to run every Friday.

+- When you create an export in the Azure portal, its start date time is automatically converted to the equivalent UTC time.

+ - Example - A weekly export is scheduled on Friday, August 19 with the local time of 2:00 AM IST (UTC+5:30) from the Azure portal. The API receives the input as 8:30 PM, Thursday, August 18th. The weekly export will be scheduled to run every Thursday.

+| Table action | Tells ADF what to do with the target Delta table in your sink. You can leave it as-is and append new rows, overwrite the existing table definition and data with new metadata and data, or keep the existing table structure but first truncate all rows, then insert the new rows. | no | None, Truncate, Overwrite | truncate, overwrite |

+> You will need to enable multifactor authentication for the user who manages the VMs and images that are deployed on your device from the cloud. The cloud operations will fail if the user doesn't have multifactor authentication enabled. For steps to enable multifactor authentication click [here](/articles/active-directory/authentication/tutorial-enable-azure-mfa.md)

+> [!IMPORTANT]

+> The **Alerts** page is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+> [!IMPORTANT]

+> The **Azure Monitor workbooks** are currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

+ "communicationIdentifier": {

+ "rawId": "8:acs:bc360ba8-d29b-4ef2-b698-769ebef85521_0000000c-1fb9-4878-07fd-0848220077e1",

+ "communicationUser": {

+ "id": "8:acs:bc360ba8-d29b-4ef2-b698-769ebef85521_0000000c-1fb9-4878-07fd-0848220077e1"

+ }

+ "communicationIdentifier": {

+ "rawId": "8:acs:bc360ba8-d29b-4ef2-b698-769ebef85521_0000000c-1fb9-4878-07fd-0848220077e1",

+ "communicationUser": {

+ "id": "8:acs:bc360ba8-d29b-4ef2-b698-769ebef85521_0000000c-1fb9-4878-07fd-0848220077e1"

+ }

+ "communicationIdentifier": {

+ "rawId": "8:acs:bc360ba8-d29b-4ef2-b698-769ebef85521_0000000c-1fb9-4878-07fd-0848220077e1",

+ "communicationUser": {

+ "id": "8:acs:bc360ba8-d29b-4ef2-b698-769ebef85521_0000000c-1fb9-4878-07fd-0848220077e1"

+ }

+ "communicationIdentifier": {

+ "rawId": "8:acs:bc360ba8-d29b-4ef2-b698-769ebef85521_0000000c-1fb9-4878-07fd-0848220077e1",

+ "communicationUser": {

+ "id": "8:acs:bc360ba8-d29b-4ef2-b698-769ebef85521_0000000c-1fb9-4878-07fd-0848220077e1"

+ }

+ "communicationIdentifier": {

+ "rawId": "8:acs:bc360ba8-d29b-4ef2-b698-769ebef85521_0000000c-1fb9-27cc-07fd-0848220077d8",

+ "communicationUser": {

+ "id": "8:acs:bc360ba8-d29b-4ef2-b698-769ebef85521_0000000c-1fb9-27cc-07fd-0848220077d8"

+ }

+ "communicationIdentifier": {

+ "rawId": "8:acs:bc360ba8-d29b-4ef2-b698-769ebef85521_0000000c-1fb9-4878-07fd-0848220077e1",

+ "communicationUser": {

+ "id": "8:acs:bc360ba8-d29b-4ef2-b698-769ebef85521_0000000c-1fb9-4878-07fd-0848220077e1"

+ }

+The following sections show you how to configure your native application or web application for authentication with Microsoft identity platform 2.0. For more information about Microsoft identity platform 2.0, see [Microsoft identity platform (v2.0) overview](../active-directory/develop/v2-overview.md).

+The throughput capacity of Event Hubs is controlled by *throughput units*. Throughput units are pre-purchased units of capacity. A single throughput unit lets you:

+ [Event Hubs Premium](./event-hubs-premium-overview.md) provides superior performance and better isolation within a managed multitenant PaaS environment. The resources in a Premium tier are isolated at the CPU and memory level so that each tenant workload runs in isolation. This resource container is called a *Processing Unit* (PU). You can purchase 1, 2, 4, 8 or 16 processing Units for each Event Hubs Premium namespace.

+For example, Event Hubs Premium namespace with 1 PU and 1 event hub (100 partitions) can approximately offer core capacity of ~5-10 MB/s ingress and 10-20 MB/s egress for both AMQP or Kafka workloads.

+When an application group is disabled, the client will still be able to connect to the event hub, but the authorization will fail and then the client connection gets closed. Therefore, you'll see lots of successful open and close connections, with same number of authorization failures in diagnostic logs.

+$PolicyConfig = @{

+ PolicyId = '_My GUID_'

+ ContentUri = <_ContentUri output from the Publish command_>

+ DisplayName = 'My audit policy'

+ Description = 'My audit policy'

+ Path = './policies'

+ Platform = 'Windows'

+ PolicyVersion = 1.0.0

+}

+New-GuestConfigurationPolicy @PolicyConfig

+$PolicyConfig2 = @{

+ PolicyId = '_My GUID_'

+ ContentUri = <_ContentUri output from the Publish command_>

+ DisplayName = 'My audit policy'

+ Description = 'My audit policy'

+ Path = './policies'

+ Platform = 'Windows'

+ PolicyVersion = 1.0.0

+ Mode = 'ApplyAndAutoCorrect'

+}

+New-GuestConfigurationPolicy @PolicyConfig2

+# This DSC resource definition...

+# ...can be converted to a hash table:

+$PolicyParameterInfo = @(

+ # Policy parameter name (mandatory)

+ Name = 'ServiceName'

+ # Policy parameter display name (mandatory)

+ DisplayName = 'windows service name.'

+ # Policy parameter description (optional)

+ Description = 'Name of the windows service to be audited.'

+ # DSC configuration resource type (mandatory)

+ ResourceType = 'Service'

+ # DSC configuration resource id (mandatory)

+ ResourceId = 'UserSelectedNameExample'

+ # DSC configuration resource property name (mandatory)

+ ResourcePropertyName = 'Name'

+ # Policy parameter default value (optional)

+ DefaultValue = 'winrm'

+ # Policy parameter allowed values (optional)

+ AllowedValues = @('BDESVC','TermService','wuauserv','winrm')

+ })

+# ...and then passed into the `New-GuestConfigurationPolicy` cmdlet

+$PolicyParam = @{

+ PolicyId = 'My GUID'

+ ContentUri = '<ContentUri output from the Publish command>'

+ DisplayName = 'Audit Windows Service.'

+ Description = "Audit if a Windows Service isn't enabled on Windows machine."

+ Path = '.\policies'

+ Parameter = $PolicyParameterInfo

+ PolicyVersion = 1.0.0

+}

+New-GuestConfigurationPolicy @PolicyParam

+For more information, see [Azure Policy guest configuration](../concepts/guest-configuration.md) and

+## Account Policies-Password Policy

+|Name<br /><sub>(ID)</sub> |Details |Expected value<br /><sub>(Type)</sub> |Severity |

+|||||

+|Account Lockout Duration<br /><sub>(AZ-WIN-73312)</sub> |<br />**Key Path**: [System Access]LockoutDuration<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\>\= 15<br /><sub>(Policy)</sub> |Warning |

+## Administrative Template - Window Defender

+|Name<br /><sub>(ID)</sub> |Details |Expected value<br /><sub>(Type)</sub> |Severity |

+|||||

+|Configure detection for potentially unwanted applications<br /><sub>(AZ-WIN-202219)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows Defender\PUAProtection<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br /><sub>(Registry)</sub> |Critical |

+|Scan all downloaded files and attachments<br /><sub>(AZ-WIN-202221)</sub> |<br />**Key Path**: Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 0<br /><sub>(Registry)</sub> |Warning |

+|Turn off Microsoft Defender AntiVirus<br /><sub>(AZ-WIN-202220)</sub> |<br />**Key Path**: Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 0<br /><sub>(Registry)</sub> |Critical |

+|Turn off real-time protection<br /><sub>(AZ-WIN-202222)</sub> |<br />**Key Path**: Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 0<br /><sub>(Registry)</sub> |Warning |

+|Turn on e-mail scanning<br /><sub>(AZ-WIN-202218)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows Defender\Scan\DisableEmailScanning<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 0<br /><sub>(Registry)</sub> |Warning |

+|Turn on script scanning<br /><sub>(AZ-WIN-202223)</sub> |<br />**Key Path**: Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 0<br /><sub>(Registry)</sub> |Warning |

+## Administrative Templates - MS Security Guide

+|Name<br /><sub>(ID)</sub> |Details |Expected value<br /><sub>(Type)</sub> |Severity |

+|||||

+|Disable SMB v1 client (remove dependency on LanmanWorkstation)<br /><sub>(AZ-WIN-00122)</sub> |<br />**Key Path**: SYSTEM\CurrentControlSet\Services\LanmanWorkstation\DependsOnService<br />**OS**: WS2008, WS2008R2, WS2012<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |Doesn't exist or \= Bowser\0MRxSmb20\0NSI\0\0<br /><sub>(Registry)</sub> |Critical |

+|WDigest Authentication must be disabled.<br /><sub>(AZ-WIN-73497)</sub> |<br />**Key Path**: SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest\UseLogonCredential<br />**OS**: WS2016, WS2019<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 0<br /><sub>(Registry)</sub> |Important |

+## Administrative Templates - MSS

+|Name<br /><sub>(ID)</sub> |Details |Expected value<br /><sub>(Type)</sub> |Severity |

+|||||

+|MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)<br /><sub>(AZ-WIN-202213)</sub> |<br />**Key Path**: System\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 2<br /><sub>(Registry)</sub> |Informational |

+|MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)<br /><sub>(AZ-WIN-202244)</sub> |<br />**Key Path**: System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 2<br /><sub>(Registry)</sub> |Informational |

+|MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers<br /><sub>(AZ-WIN-202214)</sub> |<br />**Key Path**: System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br /><sub>(Registry)</sub> |Informational |

+|MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)<br /><sub>(AZ-WIN-202215)</sub> |<br />**Key Path**: SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br /><sub>(Registry)</sub> |Warning |

+|MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning<br /><sub>(AZ-WIN-202212)</sub> |<br />**Key Path**: SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member | 90<br /><sub>(Registry)</sub> |Informational |

+|Windows Server must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.<br /><sub>(AZ-WIN-73503)</sub> |<br />**Key Path**: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect<br />**OS**: WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 0<br /><sub>(Registry)</sub> |Informational |

+|Hardened UNC Paths - NETLOGON<br /><sub>(AZ_WIN_202250)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\\*\NETLOGON<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= RequireMutualAuthentication=1, RequireIntegrity=1<br /><sub>(Registry)</sub> |Warning |

+|Hardened UNC Paths - SYSVOL<br /><sub>(AZ_WIN_202251)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\\*\SYSVOL<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= RequireMutualAuthentication=1, RequireIntegrity=1<br /><sub>(Registry)</sub> |Warning |

+## Administrative Templates - Security Guide

+|Name<br /><sub>(ID)</sub> |Details |Expected value<br /><sub>(Type)</sub> |Severity |

+|||||

+|Enable Structured Exception Handling Overwrite Protection (SEHOP)<br /><sub>(AZ-WIN-202210)</sub> |<br />**Key Path**: SYSTEM\CurrentControlSet\Control\Session Manager\kernel\DisableExceptionChainValidation<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 0<br /><sub>(Registry)</sub> |Critical |

+|NetBT NodeType configuration<br /><sub>(AZ-WIN-202211)</sub> |<br />**Key Path**: SYSTEM\CurrentControlSet\Services\NetBT\Parameters\NodeType<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 2<br /><sub>(Registry)</sub> |Warning |

+|Boot-Start Driver Initialization Policy<br /><sub>(CCE-37912-3)</sub> |**Description**: This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: - Good: The driver has been signed and has not been tampered with. - Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. - Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. - Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped. If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized.<br />**Key Path**: SYSTEM\CurrentControlSet\Policies\EarlyLaunch\DriverLoadPolicy<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |Doesn't exist or \= 3<br /><sub>(Registry)</sub> |Warning |

+|Do not enumerate connected users on domain-joined computers<br /><sub>(AZ-WIN-202216)</sub> |<br />**Key Path**: Software\Policies\Microsoft\Windows\System\DontEnumerateConnectedUsers<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br /><sub>(Registry)</sub> |Warning |

+|Encryption Oracle Remediation for CredSSP protocol<br /><sub>(AZ-WIN-201910)</sub> |<br />**Key Path**: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\AllowEncryptionOracle<br />**OS**: WS2016, WS2019<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 0<br /><sub>(Registry)</sub> |Critical |

+|Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'<br /><sub>(CCE-36169-1)</sub> |**Description**: The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The recommended state for this setting is: `Enabled: FALSE` (unchecked).<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoBackgroundPolicy<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 0<br /><sub>(Registry)</sub> |Critical |

+|Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'<br /><sub>(CCE-36169-1a)</sub> |**Description**: The "Process even if the Group Policy objects have not changed" option updates and reapplies policies even if the policies have not changed. The recommended state for this setting is: `Enabled: TRUE` (checked).<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 0<br /><sub>(Registry)</sub> |Critical |

+|Enumerate local users on domain-joined computers<br /><sub>(AZ_WIN_202204)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows\System\EnumerateLocalUsers<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Member |Doesn't exist or \= 0<br /><sub>(Registry)</sub> |Warning |

+|Prevent device metadata retrieval from the Internet<br /><sub>(AZ-WIN-202251)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows\Device Metadata\PreventDeviceMetadataFromNetwork<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br /><sub>(Registry)</sub> |Informational |

+|Remote host allows delegation of non-exportable credentials<br /><sub>(AZ-WIN-20199)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowProtectedCreds<br />**OS**: WS2016, WS2019<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br /><sub>(Registry)</sub> |Critical |

+|Turn off background refresh of Group Policy<br /><sub>(CCE-14437-8)</sub> |<br />**Key Path**: Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableBkGndGroupPolicy<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 0<br /><sub>(Registry)</sub> |Warning |

+|Turn off downloading of print drivers over HTTP<br /><sub>(CCE-36625-2)</sub> |**Description**: This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: `Enabled`.<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows NT\Printers\DisableWebPnPDownload<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br /><sub>(Registry)</sub> |Warning |

+## Administrative Templates - Windows Component

+|Name<br /><sub>(ID)</sub> |Details |Expected value<br /><sub>(Type)</sub> |Severity |

+|||||

+|Turn off cloud consumer account state content<br /><sub>(AZ-WIN-202217)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows\CloudContent\DisableConsumerAccountStateContent<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br /><sub>(Registry)</sub> |Warning |

+## Administrative Templates - Windows Components

+|Name<br /><sub>(ID)</sub> |Details |Expected value<br /><sub>(Type)</sub> |Severity |

+|||||

+|Do not allow drive redirection<br /><sub>(AZ-WIN-73569)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisableCdm<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br /><sub>(Registry)</sub> |Warning |

+|Turn on PowerShell Transcription<br /><sub>(AZ-WIN-202208)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\EnableTranscripting<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 0<br /><sub>(Registry)</sub> |Warning |

+## Administrative Templates - Windows Security

+|Name<br /><sub>(ID)</sub> |Details |Expected value<br /><sub>(Type)</sub> |Severity |

+|||||

+|Prevent users from modifying settings<br /><sub>(AZ-WIN-202209)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection\DisallowExploitProtectionOverride<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br /><sub>(Registry)</sub> |Warning |

+## Administrative Template - Windows Defender

+|Name<br /><sub>(ID)</sub> |Details |Expected value<br /><sub>(Type)</sub> |Severity |

+|||||

+|Configure Attack Surface Reduction rules<br /><sub>(AZ_WIN_202205)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\ExploitGuard_ASR_Rules<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br /><sub>(Registry)</sub> |Warning |

+|Prevent users and apps from accessing dangerous websites<br /><sub>(AZ_WIN_202207)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection\EnableNetworkProtection<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br /><sub>(Registry)</sub> |Warning |

+## Audit Computer Account Management

+|Name<br /><sub>(ID)</sub> |Details |Expected value<br /><sub>(Type)</sub> |Severity |

+|||||

+|Audit Computer Account Management<br /><sub>(CCE-38004-8)</sub> |<br />**Key Path**: {0CCE9236-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller |\= Success<br /><sub>(Audit)</sub> |Critical |

+## Secured Core

+|Name<br /><sub>(ID)</sub> |Details |Expected value<br /><sub>(Type)</sub> |Severity |

+|||||

+|Enable boot DMA protection<br /><sub>(AZ-WIN-202250)</sub> |<br />**Key Path**: BootDMAProtection<br />**OS**: Ex= [WSASHCI22H2<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br /><sub>(OsConfig)</sub> |Critical |

+|Enable hypervisor enforced code integrity<br /><sub>(AZ-WIN-202246)</sub> |<br />**Key Path**: HypervisorEnforcedCodeIntegrityStatus<br />**OS**: Ex= [WSASHCI22H2<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 0<br /><sub>(OsConfig)</sub> |Critical |

+|Enable secure boot<br /><sub>(AZ-WIN-202248)</sub> |<br />**Key Path**: SecureBootState<br />**OS**: Ex= [WSASHCI22H2<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br /><sub>(OsConfig)</sub> |Critical |

+|Enable system guard<br /><sub>(AZ-WIN-202247)</sub> |<br />**Key Path**: SystemGuardStatus<br />**OS**: Ex= [WSASHCI22H2<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 0<br /><sub>(OsConfig)</sub> |Critical |

+|Enable virtualization based security<br /><sub>(AZ-WIN-202245)</sub> |<br />**Key Path**: VirtualizationBasedSecurityStatus<br />**OS**: Ex= [WSASHCI22H2<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 0<br /><sub>(OsConfig)</sub> |Critical |

+|Set TPM version<br /><sub>(AZ-WIN-202249)</sub> |<br />**Key Path**: TPMVersion<br />**OS**: Ex= [WSASHCI22H2<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member | 2.0<br /><sub>(OsConfig)</sub> |Critical |

+|Accounts: Block Microsoft accounts<br /><sub>(AZ-WIN-202201)</sub> |<br />**Key Path**: Software\Microsoft\Windows\CurrentVersion\Policies\System\NoConnectedUser<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 3<br /><sub>(Registry)</sub> |Warning |

+|Network access: Allow anonymous SID/Name translation<br /><sub>(CCE-10024-8)</sub> |<br />**Key Path**: [System Access]LSAAnonymousNameLookup<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 0<br /><sub>(Policy)</sub> |Warning |

+|Limits print driver installation to Administrators<br /><sub>(AZ_WIN_202202)</sub> |<br />**Key Path**: Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\RestrictDriverInstallationToAdministrators<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br /><sub>(Registry)</sub> |Warning |

+## Security Options - Domain member

+|Name<br /><sub>(ID)</sub> |Details |Expected value<br /><sub>(Type)</sub> |Severity |

+|||||

+|Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'<br /><sub>(CCE-36142-8)</sub> |<br />**Key Path**: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |Doesn't exist or \= 1<br /><sub>(Registry)</sub> |Critical |

+|Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'<br /><sub>(CCE-37130-2)</sub> |<br />**Key Path**: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |Doesn't exist or \= 1<br /><sub>(Registry)</sub> |Critical |

+|Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'<br /><sub>(CCE-37222-7)</sub> |**Description**: <p><span>This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: 'Enabled'.</span></p><br />**Key Path**: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |Doesn't exist or \= 1<br /><sub>(Registry)</sub> |Critical |

+|Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'<br /><sub>(CCE-37508-9)</sub> |**Description**: <p><span>This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: 'Disabled'.</span></p><br />**Key Path**: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |Doesn't exist or \= 0<br /><sub>(Registry)</sub> |Critical |

+|Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'<br /><sub>(CCE-37431-4)</sub> |**Description**: This policy setting determines the maximum allowable age for a computer account password. By default, domain members automatically change their domain passwords every 30 days. If you increase this interval significantly so that the computers no longer change their passwords, an attacker would have more time to undertake a brute force attack against one of the computer accounts. The recommended state for this setting is: `30 or fewer days, but not 0`. **Note:** A value of `0` does not conform to the benchmark as it disables maximum password age.<br />**Key Path**: System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |In 1-30<br /><sub>(Registry)</sub> |Critical |

+|Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'<br /><sub>(CCE-37614-5)</sub> |<br />**Key Path**: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |Doesn't exist or \= 1<br /><sub>(Registry)</sub> |Critical |

+|Caching of logon credentials must be limited<br /><sub>(AZ-WIN-73651)</sub> |<br />**Key Path**: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount<br />**OS**: WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |In 1-4<br /><sub>(Registry)</sub> |Informational |

+|Interactive logon: Machine inactivity limit<br /><sub>(AZ-WIN-73645)</sub> |<br />**Key Path**: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs<br />**OS**: WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |In 1-900<br /><sub>(Registry)</sub> |Important |

+|Interactive logon: Message text for users attempting to log on<br /><sub>(AZ-WIN-202253)</sub> |<br />**Key Path**: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member | <br /><sub>(Registry)</sub> |Warning |

+|Interactive logon: Message title for users attempting to log on<br /><sub>(AZ-WIN-202254)</sub> |<br />**Key Path**: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member | <br /><sub>(Registry)</sub> |Warning |

+|Interactive logon: Prompt user to change password before expiration<br /><sub>(CCE-10930-6)</sub> |<br />**Key Path**: Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |In 5-14<br /><sub>(Registry)</sub> |Informational |

+|Microsoft network server: Server SPN target name validation level<br /><sub>(CCE-10617-9)</sub> |<br />**Key Path**: System\CurrentControlSet\Services\LanManServer\Parameters\SMBServerNameHardeningLevel<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Member |\= 1<br /><sub>(Registry)</sub> |Warning |

+|Accounts: Rename administrator account<br /><sub>(CCE-10976-9)</sub> |<br />**Key Path**: [System Access]NewAdministratorName<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member | Administrator<br /><sub>(Policy)</sub> |Warning |

+## Security Options - Shutdown

+|Shutdown: Allow system to be shut down without having to log on<br /><sub>(CCE-36788-8)</sub> |**Description**: This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. It is recommended to disable this policy setting to restrict the ability to shut down the computer to users with credentials on the system. The recommended state for this setting is: `Disabled`. **Note:** In Server 2008 R2 and older versions, this setting had no impact on Remote Desktop (RDP) / Terminal Services sessions - it only affected the local console. However, Microsoft changed the behavior in Windows Server 2012 (non-R2) and above, where if set to Enabled, RDP sessions are also allowed to shut down or restart the server.<br />**Key Path**: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |Doesn't exist or \= 0<br /><sub>(Registry)</sub> |Warning |

+|Shutdown: Clear virtual memory pagefile<br /><sub>(AZ-WIN-00181)</sub> |**Description**: This policy setting determines whether the virtual memory pagefile is cleared when the system is shut down. When this policy setting is enabled, the system pagefile is cleared each time that the system shuts down properly. If you enable this security setting, the hibernation file (Hiberfil.sys) is zeroed out when hibernation is disabled on a portable computer system. It will take longer to shut down and restart the computer, and will be especially noticeable on computers with large paging files.<br />**Key Path**: System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Member, Workgroup Member |Doesn't exist or \= 0<br /><sub>(Registry)</sub> |Critical |

+## Security Options - System cryptography

+|Users must be required to enter a password to access private keys stored on the computer.<br /><sub>(AZ-WIN-73699)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\Cryptography\ForceKeyProtection<br />**OS**: WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 2<br /><sub>(Registry)</sub> |Important |

+|Windows Server must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.<br /><sub>(AZ-WIN-73701)</sub> |<br />**Key Path**: SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled<br />**OS**: WS2016, WS2019, WS2022<br />**Server Type**: Domain Member |\= 1<br /><sub>(Registry)</sub> |Important |

+|System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)<br /><sub>(CCE-37644-2)</sub> |**Description**: This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: `Enabled`.<br />**Key Path**: SYSTEM\CurrentControlSet\Control\Session Manager\ProtectionMode<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br /><sub>(Registry)</sub> |Critical |

+|User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop<br /><sub>(CCE-36863-9)</sub> |**Description**: This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. The recommended state for this setting is: `Disabled`.<br />**Key Path**: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 0<br /><sub>(Registry)</sub> |Critical |

+|User Account Control: Only elevate UIAccess applications that are installed in secure locations<br /><sub>(CCE-37057-7)</sub> |**Description**: This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - `…\Program Files\`, including subfolders - `…\Windows\system32\` - `…\Program Files (x86)\`, including subfolders for 64-bit versions of Windows **Note:** Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: `Enabled`.<br />**Key Path**: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br /><sub>(Registry)</sub> |Critical |

+|User Account Control: Run all administrators in Admin Approval Mode<br /><sub>(CCE-36869-6)</sub> |**Description**: This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: `Enabled`. **Note:** If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.<br />**Key Path**: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br /><sub>(Registry)</sub> |Critical |

+|User Account Control: Switch to the secure desktop when prompting for elevation<br /><sub>(CCE-36866-2)</sub> |**Description**: This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: `Enabled`.<br />**Key Path**: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br /><sub>(Registry)</sub> |Critical |

+|User Account Control: Virtualize file and registry write failures to per-user locations<br /><sub>(CCE-37064-3)</sub> |**Description**: This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - `%ProgramFiles%`, - `%Windir%`, - `%Windir%\system32`, or - `HKEY_LOCAL_MACHINE\Software`. The recommended state for this setting is: `Enabled`.<br />**Key Path**: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br /><sub>(Registry)</sub> |Critical |

+|Account lockout threshold.<br /><sub>(AZ-WIN-73311)</sub> |<br />**Key Path**: [System Access]LockoutBadCount<br />**OS**: WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |In 1-3<br /><sub>(Policy)</sub> |Important |

+|Reset account lockout counter.<br /><sub>(AZ-WIN-73309)</sub> |<br />**Key Path**: [System Access]ResetLockoutCount<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\>\= 15<br /><sub>(Policy)</sub> |Important |

+## Security Settings - Windows Firewall

+|Name<br /><sub>(ID)</sub> |Details |Expected value<br /><sub>(Type)</sub> |Severity |

+|||||

+|Windows Firewall: Domain: Allow unicast response<br /><sub>(AZ-WIN-00088)</sub> |**Description**: <p><span>This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages.  </span></p><p><span>We recommend this setting to ‘Yes’ for Private and Domain profiles, this will set the registry value to 0.</span></p><br />**Key Path**: Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DisableUnicastResponsesToMulticastBroadcast<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 0<br /><sub>(Registry)</sub> |Warning |

+|Windows Firewall: Domain: Firewall state<br /><sub>(CCE-36062-8)</sub> |**Description**: Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile.<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br /><sub>(Registry)</sub> |Critical |

+|Windows Firewall: Domain: Inbound connections<br /><sub>(AZ-WIN-202252)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultInboundAction<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br /><sub>(Registry)</sub> |Critical |

+|Windows Firewall: Domain: Logging: Log dropped packets<br /><sub>(AZ-WIN-202226)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\LogDroppedPackets<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br /><sub>(Registry)</sub> |Informational |

+|Windows Firewall: Domain: Logging: Log successful connections<br /><sub>(AZ-WIN-202227)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\LogSuccessfulConnections<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br /><sub>(Registry)</sub> |Warning |

+|Windows Firewall: Domain: Logging: Name<br /><sub>(AZ-WIN-202224)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\LogFilePath<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= %SystemRoot%\System32\logfiles\firewall\domainfw.log<br /><sub>(Registry)</sub> |Informational |

+|Windows Firewall: Domain: Logging: Size limit (KB)<br /><sub>(AZ-WIN-202225)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\LogFileSize<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\>\= 16384<br /><sub>(Registry)</sub> |Warning |

+|Windows Firewall: Domain: Outbound connections<br /><sub>(CCE-36146-9)</sub> |**Description**: This setting determines the behavior for outbound connections that do not match an outbound firewall rule. In Windows Vista, the default behavior is to allow connections unless there are firewall rules that block the connection.<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultOutboundAction<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 0<br /><sub>(Registry)</sub> |Critical |

+|Windows Firewall: Domain: Settings: Apply local connection security rules<br /><sub>(CCE-38040-2)</sub> |**Description**: <p><span>This setting controls whether local administrators are allowed to create local connection rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is ‘Yes’, this will set the registry value to 1.</span></p><br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AllowLocalIPsecPolicyMerge<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 0<br /><sub>(Registry)</sub> |Critical |

+|Windows Firewall: Domain: Settings: Apply local firewall rules<br /><sub>(CCE-37860-4)</sub> |**Description**: <p><span>This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy.</span></p><p><span>The recommended state for this setting is Yes, this will set the registry value to 1. </span></p><br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AllowLocalPolicyMerge<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |Doesn't exist or \= 0<br /><sub>(Registry)</sub> |Critical |

+|Windows Firewall: Domain: Settings: Display a notification<br /><sub>(CCE-38041-0)</sub> |**Description**: <p><span>By selecting this option, no notification is displayed to the user when a program is blocked from receiving inbound connections. In a server environment, the popups are not useful as the users is not logged in, popups are not necessary and can add confusion for the administrator.  </span></p><p><span>Configure this policy setting to ‘No’, this will set the registry value to 1.  Windows Firewall will not display a notification when a program is blocked from receiving inbound connections.</span></p><br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\DisableNotifications<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br /><sub>(Registry)</sub> |Warning |

+|Windows Firewall: Private: Allow unicast response<br /><sub>(AZ-WIN-00089)</sub> |**Description**: <p><span>This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages.  </span></p><p><span>We recommend this setting to ‘Yes’ for Private and Domain profiles, this will set the registry value to 0.</span></p><br />**Key Path**: Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DisableUnicastResponsesToMulticastBroadcast<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 0<br /><sub>(Registry)</sub> |Warning |

+|Windows Firewall: Private: Firewall state<br /><sub>(CCE-38239-0)</sub> |**Description**: Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile.<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\EnableFirewall<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br /><sub>(Registry)</sub> |Critical |

+|Windows Firewall: Private: Inbound connections<br /><sub>(AZ-WIN-202228)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultInboundAction<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br /><sub>(Registry)</sub> |Critical |

+|Windows Firewall: Private: Logging: Log dropped packets<br /><sub>(AZ-WIN-202231)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\LogDroppedPackets<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br /><sub>(Registry)</sub> |Informational |

+|Windows Firewall: Private: Logging: Log successful connections<br /><sub>(AZ-WIN-202232)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\LogSuccessfulConnections<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br /><sub>(Registry)</sub> |Warning |

+|Windows Firewall: Private: Logging: Name<br /><sub>(AZ-WIN-202229)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\LogFilePath<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= %SystemRoot%\System32\logfiles\firewall\privatefw.log<br /><sub>(Registry)</sub> |Informational |

+|Windows Firewall: Private: Logging: Size limit (KB)<br /><sub>(AZ-WIN-202230)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\LogFileSize<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\>\= 16384<br /><sub>(Registry)</sub> |Warning |

+|Windows Firewall: Private: Outbound connections<br /><sub>(CCE-38332-3)</sub> |**Description**: This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The default behavior is to allow connections unless there are firewall rules that block the connection. Important If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying.<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultOutboundAction<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 0<br /><sub>(Registry)</sub> |Critical |

+|Windows Firewall: Private: Settings: Apply local connection security rules<br /><sub>(CCE-36063-6)</sub> |**Description**: <p><span>This setting controls whether local administrators are allowed to create local connection rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is ‘Yes’, this will set the registry value to 1.</span></p><br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\AllowLocalIPsecPolicyMerge<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 0<br /><sub>(Registry)</sub> |Critical |

+|Windows Firewall: Private: Settings: Apply local firewall rules<br /><sub>(CCE-37438-9)</sub> |**Description**: <p><span>This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy.</span></p><p><span>The recommended state for this setting is Yes, this will set the registry value to 1. </span></p><br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\AllowLocalPolicyMerge<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |Doesn't exist or \= 0<br /><sub>(Registry)</sub> |Critical |

+|Windows Firewall: Private: Settings: Display a notification<br /><sub>(CCE-37621-0)</sub> |**Description**: <p><span>By selecting this option, no notification is displayed to the user when a program is blocked from receiving inbound connections. In a server environment, the popups are not useful as the users is not logged in, popups are not necessary and can add confusion for the administrator.  </span></p><p><span> Configure this policy setting to ‘No’, this will set the registry value to 1.  Windows Firewall will not display a notification when a program is blocked from receiving inbound connections.</span></p><br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\DisableNotifications<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br /><sub>(Registry)</sub> |Warning |

+|Windows Firewall: Public: Allow unicast response<br /><sub>(AZ-WIN-00090)</sub> |**Description**: <p><span>This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages. This can be done by changing the state for this setting to ‘No’, this will set the registry value to 1.</span></p><br />**Key Path**: Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DisableUnicastResponsesToMulticastBroadcast<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br /><sub>(Registry)</sub> |Warning |

+|Windows Firewall: Public: Firewall state<br /><sub>(CCE-37862-0)</sub> |**Description**: Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile.<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\EnableFirewall<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br /><sub>(Registry)</sub> |Critical |

+|Windows Firewall: Public: Inbound connections<br /><sub>(AZ-WIN-202234)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultInboundAction<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br /><sub>(Registry)</sub> |Critical |

+|Windows Firewall: Public: Logging: Log dropped packets<br /><sub>(AZ-WIN-202237)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\LogDroppedPackets<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= 1<br /><sub>(Registry)</sub> |Informational |

+|Windows Firewall: Public: Logging: Log successful connections<br /><sub>(AZ-WIN-202233)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\LogSuccessfulConnections<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br /><sub>(Registry)</sub> |Warning |

+|Windows Firewall: Public: Logging: Name<br /><sub>(AZ-WIN-202235)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\LogFilePath<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\= %SystemRoot%\System32\logfiles\firewall\publicfw.log<br /><sub>(Registry)</sub> |Informational |

+|Windows Firewall: Public: Logging: Size limit (KB)<br /><sub>(AZ-WIN-202236)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\LogFileSize<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\>\= 16384<br /><sub>(Registry)</sub> |Informational |

+|Windows Firewall: Public: Outbound connections<br /><sub>(CCE-37434-8)</sub> |**Description**: This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The default behavior is to allow connections unless there are firewall rules that block the connection. Important If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying.<br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultOutboundAction<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 0<br /><sub>(Registry)</sub> |Critical |

+|Windows Firewall: Public: Settings: Apply local connection security rules<br /><sub>(CCE-36268-1)</sub> |**Description**: <p><span>This setting controls whether local administrators are allowed to create local connection rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is ‘Yes’, this will set the registry value to 1.</span></p><br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\AllowLocalIPsecPolicyMerge<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 0<br /><sub>(Registry)</sub> |Critical |

+|Windows Firewall: Public: Settings: Apply local firewall rules<br /><sub>(CCE-37861-2)</sub> |**Description**: <p><span>This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy.</span></p><p><span>The recommended state for this setting is Yes, this will set the registry value to 1. </span></p><br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\AllowLocalPolicyMerge<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |Doesn't exist or \= 0<br /><sub>(Registry)</sub> |Critical |

+|Windows Firewall: Public: Settings: Display a notification<br /><sub>(CCE-38043-6)</sub> |**Description**: <p><span>By selecting this option, no notification is displayed to the user when a program is blocked from receiving inbound connections. In a server environment, the popups are not useful as the users is not logged in, popups are not necessary and can add confusion for the administrator.  </span></p><p><span>Configure this policy setting to ‘No’, this will set the registry value to 1.  Windows Firewall will not display a notification when a program is blocked from receiving inbound connections.</span></p><br />**Key Path**: SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\DisableNotifications<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br /><sub>(Registry)</sub> |Warning |

+|Audit Kerberos Authentication Service<br /><sub>(AZ-WIN-00004)</sub> |<br />**Key Path**: {0CCE9242-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller |\>\= Success and Failure<br /><sub>(Audit)</sub> |Critical |

+|Audit Distribution Group Management<br /><sub>(CCE-36265-7)</sub> |<br />**Key Path**: {0CCE9238-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller |\>\= Success<br /><sub>(Audit)</sub> |Critical |

+|Audit Other Account Management Events<br /><sub>(CCE-37855-4)</sub> |**Description**: This subcategory reports other account management events. Events for this subcategory include: ΓÇö 4782: The password hash an account was accessed. ΓÇö 4793: The Password Policy Checking API was called. Refer to the Microsoft Knowledgebase article "Description of security events in Windows Vista and in Windows Server 2008" for the most recent information about this setting: https://support.microsoft.com/topic/ms16-014-description-of-the-security-update-for-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2-windows-server-2012-windows-8-1-and-windows-server-2012-r2-february-9-2016-1ff344d3-cd1c-cdbd-15b4-9344c7a7e6bd.<br />**Key Path**: {0CCE923A-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller |\>\= Success<br /><sub>(Audit)</sub> |Critical |

+|Audit User Account Management<br /><sub>(CCE-37856-2)</sub> |**Description**: This subcategory reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of user accounts. Events for this subcategory include: - 4720: A user account was created. - 4722: A user account was enabled. - 4723: An attempt was made to change an account's password. - 4724: An attempt was made to reset an account's password. - 4725: A user account was disabled. - 4726: A user account was deleted. - 4738: A user account was changed. - 4740: A user account was locked out. - 4765: SID History was added to an account. - 4766: An attempt to add SID History to an account failed. - 4767: A user account was unlocked. - 4780: The ACL was set on accounts which are members of administrators groups. - 4781: The name of an account was changed: - 4794: An attempt was made to set the Directory Services Restore Mode. - 5376: Credential Manager credentials were backed up. - 5377: Credential Manager credentials were restored from a backup. The recommended state for this setting is: `Success and Failure`.<br />**Key Path**: {0CCE9235-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= Success and Failure<br /><sub>(Audit)</sub> |Critical |

+|Audit Process Creation<br /><sub>(CCE-36059-4)</sub> |**Description**: This subcategory reports the creation of a process and the name of the program or user that created it. Events for this subcategory include: - 4688: A new process has been created. - 4696: A primary token was assigned to process. Refer to Microsoft Knowledge Base article 947226: [Description of security events in Windows Vista and in Windows Server 2008](https://support.microsoft.com/en-us/kb/947226) for the most recent information about this setting. The recommended state for this setting is: `Success`.<br />**Key Path**: {0CCE922B-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\>\= Success<br /><sub>(Audit)</sub> |Critical |

+## System Audit Policies - DS Access

+|Name<br /><sub>(ID)</sub> |Details |Expected value<br /><sub>(Type)</sub> |Severity |

+|||||

+|Audit Directory Service Access<br /><sub>(CCE-37433-0)</sub> |<br />**Key Path**: {0CCE923B-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller |\>\= Failure<br /><sub>(Audit)</sub> |Critical |

+|Audit Directory Service Changes<br /><sub>(CCE-37616-0)</sub> |<br />**Key Path**: {0CCE923C-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller |\>\= Success<br /><sub>(Audit)</sub> |Critical |

+|Audit Directory Service Replication<br /><sub>(AZ-WIN-00093)</sub> |<br />**Key Path**: {0CCE923D-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member |\>\= No Auditing<br /><sub>(Audit)</sub> |Critical |

+|Audit Account Lockout<br /><sub>(CCE-37133-6)</sub> |**Description**: This subcategory reports when a user's account is locked out as a result of too many failed logon attempts. Events for this subcategory include: ΓÇö 4625: An account failed to log on. Refer to the Microsoft Knowledgebase article 'Description of security events in Windows Vista and in Windows Server 2008' for the most recent information about this setting: https://support.microsoft.com/topic/ms16-014-description-of-the-security-update-for-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2-windows-server-2012-windows-8-1-and-windows-server-2012-r2-february-9-2016-1ff344d3-cd1c-cdbd-15b4-9344c7a7e6bd.<br />**Key Path**: {0CCE9217-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\>\= Failure<br /><sub>(Audit)</sub> |Critical |

+|Audit Detailed File Share<br /><sub>(AZ-WIN-00100)</sub> |<br />**Key Path**: {0CCE9244-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\>\= Failure<br /><sub>(Audit)</sub> |Critical |

+|Audit File Share<br /><sub>(AZ-WIN-00102)</sub> |<br />**Key Path**: {0CCE9224-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= Success and Failure<br /><sub>(Audit)</sub> |Critical |

+|Audit Authorization Policy Change<br /><sub>(CCE-36320-0)</sub> |<br />**Key Path**: {0CCE9231-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\>\= Success<br /><sub>(Audit)</sub> |Critical |

+|Audit Other Policy Change Events<br /><sub>(AZ-WIN-00114)</sub> |<br />**Key Path**: {0CCE9234-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\>\= Failure<br /><sub>(Audit)</sub> |Critical |

+|Audit IPsec Driver<br /><sub>(CCE-37853-9)</sub> |<br />**Key Path**: {0CCE9213-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\>\= Success and Failure<br /><sub>(Audit)</sub> |Critical |

+|Audit Other System Events<br /><sub>(CCE-38030-3)</sub> |<br />**Key Path**: {0CCE9214-69AE-11D9-BED3-505054503030}<br />**OS**: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= Success and Failure<br /><sub>(Audit)</sub> |Critical |

+|The Debug programs user right must only be assigned to the Administrators group.<br /><sub>(AZ-WIN-73755)</sub> |<br />**Key Path**: [Privilege Rights]SeDebugPrivilege<br />**OS**: WS2016, WS2019<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= Administrators<br /><sub>(Policy)</sub> |Critical |

+|The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service.<br /><sub>(AZ-WIN-73785)</sub> |<br />**Key Path**: [Privilege Rights]SeImpersonatePrivilege<br />**OS**: WS2016, WS2019<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member | Administrators,Service,Local Service,Network Service<br /><sub>(Policy)</sub> |Important |

+|Block all consumer Microsoft account user authentication<br /><sub>(AZ-WIN-20198)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\MicrosoftAccount\DisableUserAuth<br />**OS**: WS2016, WS2019<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br /><sub>(Registry)</sub> |Critical |

+|PowerShell script block logging must be enabled.<br /><sub>(AZ-WIN-73591)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging<br />**OS**: WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member, Workgroup Member |\= 1<br /><sub>(Registry)</sub> |Important |

+|The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.<br /><sub>(AZ-WIN-73543)</sub> |<br />**Key Path**: SOFTWARE\Policies\Microsoft\Windows\AppCompat\DisableInventory<br />**OS**: WS2016, WS2019, WS2022<br />**Server Type**: Domain Member |\= 1<br /><sub>(Registry)</sub> |Informational |

+## Windows Settings - Security Settings

+|Adjust memory quotas for a process<br /><sub>(CCE-10849-8)</sub> |<br />**Key Path**: [Privilege Rights]SeIncreaseQuotaPrivilege<br />**OS**: WS2012, WS2012R2, WS2016, WS2019, WS2022<br />**Server Type**: Domain Controller, Domain Member | Administrators, Local Service, Network Service<br /><sub>(Policy)</sub> |Warning |

+- [Azure Policy guest configuration](../concepts/guest-configuration.md).

+* [Develop Java MapReduce programs](apache-hadoop-develop-deploy-java-mapreduce-linux.md)

+> You'll want to confirm that the **Microsoft.HealthcareApis** and **Microsoft.EventHub** resource providers have been registered with your Azure subscription for a successful deployment. To learn more about registering resource providers, see [Azure resource providers and types](/azure/azure-resource-manager/management/resource-providers-and-types)

+You can also view or modify the list of shared access policies by choosing **Shared access policies** in the **Security settings** section. These policies define the permissions for devices and services to connect to IoT Hub.

+Select **Add shared access policy** to open the **Add shared access policy** blade. You can enter the new policy name and the permissions that you want to associate with this policy, as shown in the following figure:

+* The **Service Connect** policy grants permission to access service endpoints. This permission is used by back-end cloud services to send and receive messages from devices. It's also used to update and read device twin and module twin data.

+* The **Device Connect** policy grants permissions for sending and receiving messages using the IoT Hub device-side endpoints. This permission is used by devices to send and receive messages from an IoT hub or update and read device twin and module twin data. It's also used for file uploads.

+Select **Add** to add this newly created policy to the existing list.

+## Message routing for an IoT hub

+Select **Message Routing** under **Messaging** to see the Message Routing pane, where you define routes and custom endpoints for the hub. [Message routing](iot-hub-devguide-messages-d2c.md) enables you to manage how data is sent from your devices to your endpoints. The first step is to add a new route. Then you can add an existing endpoint to the route, or create a new one of the types supported, such as blob storage.

+**Routes** is the first tab on the **Message Routing** pane. To add a new route, select **+ Add**.

+

+You see the following screen.

+For **Endpoint**, select one from the dropdown list or add a new one. In this example, a storage account and container are already available. To add them as an endpoint, choose **+ Add** next to the Endpoint dropdown and select **Blob Storage**.

+The following screen shows where the storage account and container are specified.

+

+Add an endpoint name in **Endpoint name** if needed. Select **Pick a container** to select the storage account and container. When you've chosen a container then **Select**, the page returns to the **Add a storage endpoint** pane. Use the defaults for the rest of the fields and **Create** to create the endpoint for the storage account and add it to the routing rules.

+You return to the **Add a route** page. For **Data source**, select Device Telemetry Messages.

+Select **Save** to save the routing rule. You return to the **Message routing** pane, and your new routing rule is displayed.

+Select the **Custom endpoints** tab. You see any custom endpoints already created. From here, you can add new endpoints or delete existing endpoints.

+> If you delete a route, it does not delete the endpoints assigned to that route. To delete an endpoint, select the Custom endpoints tab, select the endpoint you want to delete, and choose **Delete**.

+1. If you know the resource group to which the IoT hub belongs, choose **Resource groups**, then select the resource group from the list. The resource group screen shows all of the resources in that group, including the IoT hubs. Select your hub.

+2. Choose **All resources**. On the **All resources** pane, there's a dropdown list that defaults to `All types`. Select the dropdown list, uncheck `Select all`. Find `IoT Hub` and check it. Select the dropdown list box to close it, and the entries will be filtered, showing only your IoT hubs.

+To delete an IoT hub, find the IoT hub you want to delete, then choose **Delete**.

+ Title: Reliability in Azure Lab Services

+description: Learn about reliability in Azure Lab Services

+# What is reliability in Azure Lab Services?

+This article describes reliability support in Azure Lab Services, and covers regional resiliency with availability zones. For a more detailed overview of reliability in Azure, see [Azure resiliency](/azure/availability-zones/overview.md).

+## Availability zone support

+Azure availability zones are at least three physically separate groups of datacenters within each Azure region. Datacenters within each zone are equipped with independent power, cooling, and networking infrastructure. In the case of a local zone failure, availability zones allow the services to fail over to the other availability zones to provide continuity in service with minimal interruption. Failures can range from software and hardware failures to events such as earthquakes, floods, and fires. Tolerance to failures is achieved with redundancy and logical isolation of Azure services. For more detailed information on availability zones in Azure, see [Regions and availability zones](/azure/availability-zones/az-overview.md).

+Azure availability zones-enabled services are designed to provide the right level of resiliency and flexibility. They can be configured in two ways. They can be either zone redundant, with automatic replication across zones, or zonal, with instances pinned to a specific zone. You can also combine these approaches. For more information on zonal vs. zone-redundant architecture, see [Build solutions with availability zones](/azure/architecture/high-availability/building-solutions-for-high-availability).

+Azure Lab Services provide availability zone redundancy automatically in all regions listed in this article. While the service infrastructure is zone redundant, customer labs and VMs are not zone redundant.

+Currently, the service is not zonal. That is, you canΓÇÖt configure a lab or the VMs in the lab to align to a specific zone. A lab and VMs may be distributed across zones in a region.

+### SLA improvements

+There are no increased SLAs available for availability in Azure Lab Services. For the monthly uptime SLAs for Azure Lab Services, see [SLA for Azure Lab Services](https://azure.microsoft.com/support/legal/sla/lab-services/v1_0/).

+The Azure Lab Services infrastructure uses Cosmos DB storage. The Cosmos DB storage region is the same as the region where the lab plan is located. All the regional Cosmos DB accounts are single region. In the zone-redundant regions listed in this article, the Cosmos DB accounts are single region with Availability Zones. In the other regions, the accounts are single region without Availability Zones. For high availability capabilities for these account types, see [SLAs for Cosmos DB](/azure/cosmos-db/high-availability#slas).

+### Zone down experience

+#### Azure Lab Services infrastructure

+Azure Lab Services infrastructure is zone-redundant in the following regions:

+- Australia East

+- Canada Central

+- France Central

+- Korea Central

+- East Asia

+Resources apart from the Lab resources and virtual machines are zone redundant in these regions.

+In the event of a zone outage in these regions, you can still perform the following tasks:

+- Access the Azure Lab Services website

+- Create/manage lab plans

+- Create Users

+- Configure lab schedules

+- Create/manage labs and VMs in regions unaffected by the zone outage.

+Data loss may occur only with an unrecoverable disaster in the Cosmos DB region. For more information, see [Region Outages](/azure/cosmos-db/high-availability#region-outages).

+For regions not listed, access to the Azure Lab Services infrastructure is not guaranteed when there is a zone outage in the region containing the lab plan. You will only be able to perform the following tasks:

+- Access the Azure Lab Services website

+- Create/manage lab plans, labs, and VMs in regions unaffected by the zone outage

+> [!NOTE]

+> Existing labs and VMs in regions unaffected by the zone outage aren't affected by a loss of infrastructure in the lab plan region. Existing labs and VMs in unaffected regions can still run and operate as normal.

+#### Labs and VMs

+Azure Lab Services is not currently zone aligned. So, VMs in a region may be distributed across zones in the region. Therefore, when a zone in a region experiences an outage, there are no guarantees that a lab or any VMs in the associated region will be available.

+As a result, the following operations are not guaranteed in the event of a zone outage:

+- Manage or access labs/VMs

+- Start/stop/reset VMs

+- Create/publish/delete labs

+- Scale up/down labs

+- Connect to VMs

+If there's a zone outage in the region, there's no expectation that you can use any labs or VMs in the region.

+Labs and VMs in other regions will be unaffected by the outage.

+#### Zone outage preparation and recovery

+Lab and VM services will be restored as soon as the zone availability is restored (the outage is resolved).

+If infrastructure is impacted, it will be restored when the zone availability is resolved.

+### Region down experience

+#### Azure Lab Services infrastructure

+In a regional outage, in most scenarios you will only be able to perform the following tasks related to Azure Lab Services infrastructure:

+- Access the Azure Lab Services website

+- Create/manage lab plans, labs, and VMs in regions unaffected by the zone outage

+Typically, labs are in the same region as the lab plan. However, if the outage is in the lab plan region and an existing lab is in an unaffected region, you can still perform the following tasks for the existing lab in the unaffected region:

+- Create Users

+- Configure lab schedules

+#### Labs and VMs

+In a regional outage, labs and VMs in the region are unavailable, so you will not be able to use or manage them.

+Existing labs and VMs in regions unaffected by the outage aren't affected by a loss of infrastructure in the lab plan region. Existing labs and VMs in unaffected regions can still run and operate as normal.

+#### Regional outage preparation and recovery

+Lab and VM services will be restored as soon as the regional outage is restored (the outage is resolved).

+If infrastructure is impacted, it will be restored when the regional outage is resolved.

+### Fault tolerance

+If you want to preserve maximum access to Azure Lab Services infrastructure during a zone outage, create the lab plan in one of the zone-redundant regions listed.

+- Australia East

+- Canada Central

+- France Central

+- Korea Central

+- East Asia

+## Disaster recovery

+Azure Lab Services does not provide regional failover support. If you want to preserve maximum access to the Azure Lab Services infrastructure during a zone outage, create the lab plan in one of the [zone-redundant regions](#fault-tolerance).

+### Outage detection, notification, and management

+Azure Lab Services does not provide any service-specific signals about an outage, but is dependent on Azure communications that inform customers about outages. For more information on service health, see [Resource health overview](/azure/service-health/resource-health-overview).

+## Next steps

+> [!div class="nextstepaction"]

+> [Resiliency in Azure](/azure/availability-zones/overview.md)

+ Title: Add authentication for calls to custom APIs

+description: Set up authentication for calls to custom APIs from Azure Logic Apps.

+# Add authentication when calling custom APIs from Azure Logic Apps

+To improve security for calls to your APIs, you can set up Azure Active Directory (Azure AD) authentication through the Azure portal so you don't have to update your code. Or, you can require and enforce authentication through your API's code.

+You can add authentication in the following ways:

+* [No code changes](#no-code): Protect your API with [Azure Active Directory (Azure AD)](../active-directory/fundamentals/active-directory-whatis.md) through the Azure portal, so you don't have to update your code or redeploy your API.

+ >

+ > By default, the Azure AD authentication that you select in the Azure portal doesn't

+ > provide fine-grained authorization. For example, this authentication locks your API

+ > to just a specific tenant, not to a specific user or app.

+* [Update your API's code](#update-code): Protect your API by enforcing [certificate authentication](#certificate), [basic authentication](#basic), or [Azure AD authentication](#azure-ad-code) through code.

+## Authenticate calls to your API without changing code

+1. Create two Azure Active Directory (Azure AD) application identities: one for your logic app resource and one for your web app (or API app).

+1. To authenticate calls to your API, use the credentials (client ID and secret) for the service principal that's associated with the Azure AD application identity for your logic app.

+1. Include the application IDs in your logic app's workflow definition.

+### Part 1: Create an Azure AD application identity for your logic app

+Your logic app resource uses this Azure AD application identity to authenticate against Azure AD. You only have to set up this identity one time for your directory. For example, you can choose to use the same identity for all your logic apps, even though you can create unique identities for each logic app. You can set up these identities in the Azure portal or use [PowerShell](#powershell).

+#### [Portal](#tab/azure-portal)

+1. In the [Azure portal](https://portal.azure.com), select **Azure Active Directory**.

+1. Confirm that you're in the same directory as your web app or API app.

+ >

+ > Or, select **Overview** > **Switch directory**.

+1. On the directory menu, under **Manage**, select **App registrations** > **New registration**.

+ The **All registrations** list shows all the app registrations in your directory. To view only your app registrations, select **Owned applications**.

+ 

+1. Provide a user-facing name for your logic app's application identity. Select the supported account types. For **Redirect URI**, select **Web**, provide a unique URL where to return the authentication response, and select **Register**.

+ 

+ The **Owned applications** list now includes your created application identity. If this identity doesn't appear, on the toolbar, select **Refresh**.

+ 

+1. From the app registrations list, select your new application identity.

+1. From the application identity navigation menu, select **Overview**.

+1. On the **Overview** pane, under **Essentials**, copy and save the **Application ID** to use as the "client ID" for your logic app in Part 3.

+ 

+1. From the application identity navigation menu, select **Certificates & secrets**.

+1. On the **Client secrets** tab, select **New client secret**.

+1. For **Description**, provide a name for your secret. Under **Expires**, select a duration for your secret. When you're done, select **Add**.

+ The secret that you create acts as the application identity's "secret" or password for your logic app.

+ 

+ On the **Certificates & secrets** pane, under **Client secrets**, your secret now appears along with a secret value and secret ID.

+ 

+1. Copy the secret value for later use. When you configure your logic app in Part 3, you specify this value as the "secret" or password.

+#### [PowerShell](#tab/azure-powershell)

+You can perform this task through Azure Resource Manager with PowerShell. In PowerShell, run the following commands:

+1. Make sure to copy the **Tenant ID** (GUID for your Azure AD tenant), the **Application ID**, and the password that you used.

+For more information, learn how to [create a service principal with PowerShell to access resources](../active-directory/develop/howto-authenticate-service-principal-powershell.md).

+### Part 2: Create an Azure AD application identity for your web app or API app

+If your web app or API app is already deployed, you can turn on authentication and create the application identity in the Azure portal. Otherwise, you can [turn on authentication when you deploy with an Azure Resource Manager template](#authen-deploy).

+**Create the application identity for a deployed web app or API app in the Azure portal**

+1. In the [Azure portal](https://portal.azure.com), find and select your web app or API app.