-1. Open the `TrustFrameworksExtension.xml` and define a new **ContentDefinition** to customize the [self-asserted technical profile](https://docs.microsoft.com/azure/active-directory-b2c/self-asserted-technical-profile).

-A **claims provider** is an interface to communicate with different types of parties via its [technical profiles](https://docs.microsoft.com/azure/active-directory-b2c/technicalprofiles).

-When you've finished the Azure AD B2C tutorials, you can delete the tenant you used for testing or training. To delete the tenant, you'll first need to delete all tenant resources. In this article, you'll:

-1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.

-1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.

-1. Select the **Azure Active Directory** service.

-1. Under **Manage**, select **Properties**.

-1. Sign out of the Azure portal and then sign back in to refresh your access. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.

-1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.

-1. Select the **Azure Active Directory** service.

-1. On the **Overview** page, select **Delete tenant**. The **Required action** column indicates the resources you'll need to remove before you can delete the tenant.

-If you have the confirmation page open from the previous section, you can use the links in the **Required action** column to open the Azure portal pages where you can remove these resources. Or, you can remove tenant resources from within the Azure AD B2C service using the following steps.

-1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.

-1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.

-1. Select the **Azure AD B2C** service. Or use the search box to find and select **Azure AD B2C**.

-1. Delete all users *except* the admin account you're currently signed in as: Under **Manage**, select **Users**. On the **All users** page, select the checkbox next to each user (except the admin account you're currently signed in as). Select **Delete**, and then select **Yes** when prompted.

-1. Delete app registrations and the *b2c-extensions-app*: Under **Manage**, select **App registrations**. Select the **All applications** tab. Select an application, and then select **Delete**. Repeat for all applications, including the **b2c-extensions-app** application.

-1. Delete any identity providers you configured: Under **Manage**, select **Identity providers**. Select an identity provider you configured, and then select **Remove**.

-1. Delete user flows: Under **Policies**, select **User flows**. Next to each user flow, select the ellipses (...) and then select **Delete**.

-1. Delete policy keys: Under **Policies**, select **Identity Experience Framework**, and then select **Policy keys**. Next to each policy key, select the ellipses (...) and then select **Delete**.

-1. Delete custom policies: Under **Policies**, select **Identity Experience Framework**, select **Custom policies**, and then delete all policies.

-1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.

-1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.

-1. Select the **Azure Active Directory** service.

- * Under **Manage**, select **Properties**.

- * Under **Access management for Azure resources**, select **Yes**, and then select **Save**.

- * Sign out of the Azure portal and then sign back in to refresh your access, and select the **Azure Active Directory** service.

-1. On the **Overview** page, select **Delete tenant**.

- 

-This article covers how to improve the security of user sign-in by adding the application and location in Microsoft Authenticator app push notifications.

-Your organization will need to enable Authenticator app push notifications for some users or groups using the new Authentication Methods Policy API.

-When a user receives a Passwordless phone sign-in or MFA push notification in the Authenticator app, they'll see the name of the application that requests the approval and the location based on the IP address where the sign-in originated from.

-### Policy schema changes

->[!NOTE]

->In Graph Explorer, ensure you've consented to the **Policy.Read.All** and **Policy.ReadWrite.AuthenticationMethod** permissions.

-Identify a single target group for the schema configuration. Then use the following API endpoint to change the displayAppInformationRequiredState property to **enabled**:

-https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator

->[!NOTE]

->For Passwordless phone sign-in, the Authenticator app does not retrieve policy information just in time for each sign-in request. Instead, the Authenticator app does a best effort retrieval of the policy once every 7 days. We understand this limitation is less than ideal and are working to optimize the behavior. In the meantime, if you want to force a policy update to test using additional context with Passwordless phone sign-in, you can remove and re-add the account in the Authenticator app.

-#### MicrosoftAuthenticatorAuthenticationMethodConfiguration properties

-**PROPERTIES**

-| Property | Type | Description |

-|||-|

-| ID | String | The authentication method policy identifier. |

-| state | authenticationMethodState | Possible values are: **enabled**<br>**disabled** |

-

-**RELATIONSHIPS**

-| Relationship | Type | Description |

-|--||-|

-| includeTargets | [microsoftAuthenticatorAuthenticationMethodTarget](/graph/api/resources/passwordlessmicrosoftauthenticatorauthenticationmethodtarget) |

-| collection | A collection of users or groups who are enabled to use the authentication method. |

-

-#### MicrosoftAuthenticator includeTarget properties

-

-**PROPERTIES**

-| Property | Type | Description |

-|-||-|

-| authenticationMode | String | Possible values are:<br>**any**: Both passwordless phone sign-in and traditional second factor notifications are allowed.<br>**deviceBasedPush**: Only passwordless phone sign-in notifications are allowed.<br>**push**: Only traditional second factor push notifications are allowed. |

-| ID | String | Object ID of an Azure AD user or group. |

-| targetType | authenticationMethodTargetType | Possible values are: **user**, **group**.<br>You can only set one group or user for additional context. |

-| displayAppInformationRequiredState | advancedConfigState | Possible values are:<br>**enabled** explicitly enables the feature for the selected group.<br>**disabled** explicitly disables the feature for the selected group.<br>**default** allows Azure AD to manage whether the feature is enabled or not for the selected group. |

->[!NOTE]

->Additional context can only be enabled for a single group.

-#### Example of how to enable additional context for all users

-Change the **displayAppInformationRequiredState** from **default** to **enabled**.

-The value of Authentication Mode can be either **any** or **push**, depending on whether or not you also want to enable passwordless phone sign-in. In these examples, we'll use **any**, but if you don't want to allow passwordless, use **push**.

-You need to PATCH the entire includeTarget to prevent overwriting any previous configuration. In that case, do a GET first, update only the relevant fields, and then PATCH. The following example only shows the update to the **displayAppInformationRequiredState**.

-```json

-//Retrieve your existing policy via a GET.

-//Leverage the Response body to create the Request body section. Then update the Request body similar to the Request body as shown below.

-//Change the Query to PATCH and Run query

-

-{

- "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",

- "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",

- "id": "MicrosoftAuthenticator",

- "state": "enabled",

- "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",

- "includeTargets": [

- {

- "targetType": "group",

- "id": "all_users",

- "authenticationMode": "any",

- "displayAppInformationRequiredState": "enabled",

- "numberMatchingRequiredState": "enabled"

- }

- ]

-}

-

-```

-

-To confirm this update has applied, run the GET request below using the endpoint below.

-GET - https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator

-

-

-#### Example of how to enable additional context for a single group

-

-Change the **displayAppInformationRequiredState** value from **default** to **enabled.**

-Change the **id** from **all_users** to the ObjectID of the group from the Azure AD portal.

-You need to PATCH the entire includeTarget to prevent overwriting any previous configuration. We recommend that you do a GET first, and then update only the relevant fields and then PATCH. The example below only shows the update to the **displayAppInformationRequiredState**.

-```json

-//Copy paste the below in the Request body section as shown below.

-//Leverage the Response body to create the Request body section. Then update the Request body similar to the Request body as shown below.

-//Change query to PATCH and run query

-{

- "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",

- "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",

- "id": "MicrosoftAuthenticator",

- "state": "enabled",

- "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",

- "includeTargets": [

- {

- "targetType": "group",

- "id": "1ca44590-e896-4dbe-98ed-b140b1e7a53a",

- "authenticationMode": "any",

- "displayAppInformationRequiredState": "enabled",

- "numberMatchingRequiredState": "enabled"

- }

- ]

-}

-```

-

-To verify, RUN GET again and verify the ObjectID

-GET https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator

-

-#### Example of error when enabling additional context for multiple groups

-The PATCH request will fail with 400 Bad Request and the error will contain the following message:

-`Persistance of policy failed with error: You cannot enable multiple targets for feature 'Require Display App Information'. Choose only one of the following includeTargets to enable: aede0efe-c1b4-40dc-8ae7-2c402f23e312,aede0efe-c1b4-40dc-8ae7-2c402f23e317.`

-### Test the end-user experience

-Add the test user account to the Authenticator app. The account **doesn't** need to be enabled for phone sign-in.

-See the end-user experience of an Authenticator multifactor authentication push notification with additional context by signing into aka.ms/MFAsetup.

-### Turn off additional context

-To turn off additional context, you'll need to PATCH remove **displayAppInformationRequiredState** from **enabled** to **disabled**/**default**.

-```json

-{

- "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",

- "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",

- "id": "MicrosoftAuthenticator",

- "state": "enabled",

- "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",

- "includeTargets": [

- {

- "targetType": "group",

- "id": "all_users",

- "authenticationMode": "any",

- "displayAppInformationRequiredState": "enabled",

- "numberMatchingRequiredState": "default"

- }

- ]

-}

-```

-## Enable additional context in the portal

-To enable additional context in the Azure AD portal, complete the following steps:

-1. Sign in to the [Azure portal](https://portal.azure.com) using an account with *global administrator* permissions.

-1. Search for and select **Azure Active Directory**, then choose **Security** from the menu on the left-hand side.

-1. Under the **Manage** menu header, select **Authentication methods** > **Policies**.

-1. From the list of available authentication methods, select **Microsoft Authenticator**.

- 

-1. Select the target users, select the three dots on the right, and choose **Configure**.

-

- 

-1. Select the **Authentication mode**, and then for **Show additional context in notifications (Preview)**, select **Enable**, and then select **Done**.

- 

-Additional context isn't supported for Network Policy Server (NPS).

-[Authentication methods in Azure Active Directory - Microsoft Authenticator app](concept-authentication-authenticator-app.md)

-This article covers how to enable number matching in Microsoft Authenticator push notifications to improve user sign-in security.

->Number matching is a key security upgrade to traditional second factor notifications in the Authenticator app that will be enabled by default for all tenants a few months after general availability (GA).<br>

-Your organization will need to enable Authenticator (traditional second factor) push notifications for some users or groups using the new Authentication Methods Policy API. If your organization is using ADFS adapter or NPS extensions, please upgrade to the latest versions for a consistent experience.

-### Policy schema changes

->[!NOTE]

->In Graph Explorer, ensure you've consented to the **Policy.Read.All** and **Policy.ReadWrite.AuthenticationMethod** permissions.

-Identify your single target group for the schema configuration. Then use the following API endpoint to change the numberMatchingRequiredState property to **enabled**:

-https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator

-#### MicrosoftAuthenticatorAuthenticationMethodConfiguration properties

-**PROPERTIES**

-| Property | Type | Description |

-|||-|

-| ID | String | The authentication method policy identifier. |

-| state | authenticationMethodState | Possible values are: **enabled**<br>**disabled** |

-

-**RELATIONSHIPS**

-| Relationship | Type | Description |

-|--||-|

-| includeTargets | [microsoftAuthenticatorAuthenticationMethodTarget](/graph/api/resources/passwordlessmicrosoftauthenticatorauthenticationmethodtarget) |

-| collection | A collection of users or groups who are enabled to use the authentication method. |

-

-#### MicrosoftAuthenticator includeTarget properties

-

-**PROPERTIES**

-| Property | Type | Description |

-|-||-|

-| authenticationMode | String | Possible values are:<br>**any**: Both passwordless phone sign-in and traditional second factor notifications are allowed.<br>**deviceBasedPush**: Only passwordless phone sign-in notifications are allowed.<br>**push**: Only traditional second factor push notifications are allowed. |

-| ID | String | Object ID of an Azure AD user or group. |

-| targetType | authenticationMethodTargetType | Possible values are: **user**, **group**.<br>Note: You'll be able to only set one group or user for number matching. |

-| numberMatchingRequiredState | advancedConfigState | Possible values are:<br>**enabled** explicitly enables the feature for the selected group.<br>**disabled** explicitly disables the feature for the selected group.<br>**default** allows Azure AD to manage whether the feature is enabled or not for the selected group. |

->[!NOTE]

->Number matching can only be enabled for a single group.

-#### Example of how to enable number matching for all users

-You'll need to change the **numberMatchingRequiredState** from **default** to **enabled**.

-Note that the value of Authentication Mode can be either **any** or **push**, depending on whether or not you also want to enable passwordless phone sign-in. In these examples, we'll use **any**, but if you don't want to allow passwordless, use **push**.

->[!NOTE]

->For passwordless users, enabling or disabling number matching has no impact because it's already part of the passwordless experience.

-You might need to patch the entire includeTarget to prevent overwriting any previous configuration. In that case, do a GET first, update only the relevant fields, and then PATCH. The following example only shows the update to the **numberMatchingRequiredState**.

-```json

-//Retrieve your existing policy via a GET.

-//Leverage the Response body to create the Request body section. Then update the Request body similar to the Request body as shown below.

-//Change the Query to PATCH and Run query

-

-{

- "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",

- "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",

- "id": "MicrosoftAuthenticator",

- "state": "enabled",

- "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",

- "includeTargets": [

- {

- "targetType": "group",

- "id": "all_users",

- "authenticationMode": "any",

- "displayAppInformationRequiredState": "enabled",

- "numberMatchingRequiredState": "enabled"

- }

- ]

-}

-

-```

-

-To confirm this update has applied, please run the GET request below using the endpoint below.

-GET - https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator

-

-

-#### Example of how to enable number matching for a single group

-

-We'll need to change the **numberMatchingRequiredState** value from **default** to **enabled.**

-You'll need to change the **id** from **all_users** to the ObjectID of the group from the Azure AD portal.

-You need to PATCH the entire includeTarget to prevent overwriting any previous configuration. We recommend that you do a GET first, and then update only the relevant fields and then PATCH. The example below only shows the update to the **numberMatchingRequiredState**.

-```json

-//Copy paste the below in the Request body section as shown below.

-//Leverage the Response body to create the Request body section. Then update the Request body similar to the Request body as shown below.

-//Change query to PATCH and run query

-{

- "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",

- "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",

- "id": "MicrosoftAuthenticator",

- "state": "enabled",

- "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",

- "includeTargets": [

- {

- "targetType": "group",

- "id": "1ca44590-e896-4dbe-98ed-b140b1e7a53a",

- "authenticationMode": "any",

- "displayAppInformationRequiredState": "enabled",

- "numberMatchingRequiredState": "enabled"

- }

- ]

-}

-```

-

-To verify, RUN GET again and verify the ObjectID

-GET https://graph.microsoft.com/beta/authenticationMethodsPolicy/authenticationMethodConfigurations/MicrosoftAuthenticator

-

-#### Example of error when enabling number matching for multiple groups

-The PATCH request will fail with 400 Bad Request and the error will contain the following message:

-`Persistance of policy failed with error: You cannot enable multiple targets for feature 'Require Number Matching'. Choose only one of the following includeTargets to enable: aede0efe-c1b4-40dc-8ae7-2c402f23e312,aede0efe-c1b4-40dc-8ae7-2c402f23e317.`

-### Test the end user experience

-Add the test user account to the Authenticator app. The account does **not** need to be enabled for phone sign-in.

-See the end user experience of an Authenticator MFA push notification with number matching by signing into aka.ms/MFAsetup.

-### Turn off number matching

-To turn number matching off, you'll need to PATCH remove **numberMatchingRequiredState** from **enabled** to **disabled**/**default**.

-```json

-{

- "@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodConfigurations/$entity",

- "@odata.type": "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration",

- "id": "MicrosoftAuthenticator",

- "state": "enabled",

- "includeTargets@odata.context": "https://graph.microsoft.com/beta/$metadata#authenticationMethodsPolicy/authenticationMethodConfigurations('MicrosoftAuthenticator')/microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration/includeTargets",

- "includeTargets": [

- {

- "targetType": "group",

- "id": "all_users",

- "authenticationMode": "any",

- "displayAppInformationRequiredState": "enabled",

- "numberMatchingRequiredState": "default"

- }

- ]

-}

-```

-## Enable number matching in the portal

-To enable number matching in the Azure portal, complete the following steps:

-1. Sign-in to the [Azure portal](https://portal.azure.com) using an account with *global administrator* permissions.

-1. Search for and select **Azure Active Directory**, then choose **Security** from the menu on the left-hand side.

-1. Under the **Manage** menu header, select **Authentication methods** > **Policies**.

-1. From the list of available authentication methods, select **Microsoft Authenticator**.

- 

-1. Select the target users, select the three dots on the right, and choose **Configure**.

-

- 

-1. Select the **Authentication mode**, and then for **Require number matching (Preview)**, select **Enable**, and then select **Done**.

- 

-

->[!NOTE]

->[Least privileged role in Azure Active Directory - Multifactor authentication](../roles/delegate-by-task.md#multi-factor-authentication)

-Number matching isn't supported for Apple Watch notifications. Apple Watch need to use their phone to approve notifications when number matching is enabled.

-**Multi-factor authentication.** The Microsoft identity platform provides native multi-factor authentication. IT administrators can require multi-factor authentication to access your application, so that you do not have to code this support yourself. Learn more about [Multi-Factor Authentication](https://azure.microsoft.com/documentation/services/multi-factor-authentication/).

-[Sign users in using the Microsoft identity platform](./authentication-vs-authorization.md)

-This article shows you how to create a new Azure Active Directory (Azure AD) application and service principal that can be used with the role-based access control. When you have applications, hosted services, or automated tools that needs to access or modify resources, you can create an identity for the app. This identity is known as a service principal. Access to resources is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level. For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.

- 

- 

- 

-1. Name the application. Select a supported account type, which determines who can use the application. Under **Redirect URI**, select **Web** for the type of application you want to create. Enter the URI where the access token is sent to. You can't create credentials for a [Native application](../app-proxy/application-proxy-configure-native-client-application.md). You can't use that type for an automated application. After setting the values, select **Register**.

- 

- 

- 

-1. Select Select **Add** > **Add role assignment** to open the **Add role assignment** page.

-1. Select the role you wish to assign to the application. For example, to allow the application to execute actions like **reboot**, **start** and **stop** instances, select the **Contributor** role. Read more about the [available roles](../../role-based-access-control/built-in-roles.md) By default, Azure AD applications aren't displayed in the available options. To find your application, search for the name and select it.

- Assign the Contributor role to the application at the subscription scope. For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).

- 

- 

- 

- 

-This feature preview in Azure Active Directory (Azure AD), part of Microsoft Entra, enables admins to create dynamic groups that populate by adding members of other groups using the memberOf attribute. Apps that couldn't read group-based membership previously in Azure AD can now read the entire membership of these new memberOf groups. Not only can these groups be used for apps, they can also be used for licensing assignments. The following diagram illustrates how you could create Dynamic-Group-A with members of Security-Group-X and Security-Group-Y. Members of the groups inside of Security-Group-X and Security-Group-Y don't become members of Dynamic-Group-A.

-Since data in transit can take place in different scenarios, is also relevant to know that Microsoft Azure uses [virtual networking](https://azure.microsoft.com/documentation/services/virtual-network/) to isolate tenantsΓÇÖ traffic from one another, employing measures such as host- and guest-level firewalls, IP packet filtering, port blocking, and HTTPS endpoints. However, most of AzureΓÇÖs internal communications, including infrastructure-to-infrastructure and infrastructure-to-customer (on-premises), are also encrypted. Another important scenario is the communications within Azure datacenters; Microsoft manages networks to assure that no VM can impersonate or eavesdrop on the IP address of another. TLS/SSL is used when accessing Azure Storage or SQL Databases, or when connecting to Cloud Services. In this case, the customer administrator is responsible for obtaining a TLS/SSL certificate and deploying it to their tenant infrastructure. Data traffic moving between Virtual Machines in the same deployment or between tenants in a single deployment via Microsoft Azure Virtual Network can be protected through encrypted communication protocols such as HTTPS, SSL/TLS, or others.

-> *On August 31, 2022, all 1.x versions of Azure AD Connect will be retired because they include SQL Server 2012 components that will no longer be supported.* Upgrade to the most recent version of Azure AD Connect (2.x version) by that date or [evaluate and switch to Azure AD cloud sync](../cloud-sync/what-is-cloud-sync.md).

-> This policy does not change the retirement of all 1.x versions of Azure AD Connect Sync on 31 August 2022, which is due to the retirement of the SQL Server 2012 and Azure AD Authentication Library (ADAL) components.

-| [Cloud App Security](/cloud-app-security/manage-admins) | All permissions of the Security Reader role |

-[Cloud App Security](/cloud-app-security/manage-admins) | Has read permissions and can manage alerts

-Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](https://docs.microsoft.com/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).

-* To enable Security Assertion Markup Language (SAML) single sign-on for Atlassian Cloud products, you need to set up Atlassian Access. Learn more about [Atlassian Access]( https://www.atlassian.com/enterprise/cloud/identity-manager).

-Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](https://docs.microsoft.com/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).

- 

-Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](https://docs.microsoft.com/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).

-Once you configure AWS IAM Identity Center you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

-Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](https://docs.microsoft.com/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).

-Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](https://docs.microsoft.com/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).

-Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](https://docs.microsoft.com/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).

-Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](https://docs.microsoft.com/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).

-Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](https://docs.microsoft.com/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).

-Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](https://docs.microsoft.com/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).

-Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, as well as walk through the SSO configuration as well. You can learn more about O365 wizards [here](https://docs.microsoft.com/microsoft-365/admin/misc/azure-ad-setup-guides?view=o365-worldwide).

-Customize and style the managed portal through the built-in, drag-and-drop visual editor:

-* [Add custom HTML](developer-portal-faq.md#how-do-i-add-custom-html-to-my-developer-portal) - for example, add HTML for a form or to embed a video player. The custom code is rendered in an inline frame (iframe).

-See [this tutorial](api-management-howto-developer-portal-customize.md) for example customizations.

-## <a name="managed-vs-self-hosted"></a> Extensibility

-In some cases you might need functionality beyond the customization and styling options supported in the managed developer portal. If you need to implement custom logic, which isn't supported out-of-the-box, you can modify the portal's codebase, available on [GitHub](https://github.com/Azure/api-management-developer-portal). For example, you could create a new widget to integrate with a third-party support system. When you implement new functionality, you can choose one of the following options:

-For extensibility details and instructions, refer to the [GitHub repository](https://github.com/Azure/api-management-developer-portal) and the tutorial to [implement a widget](developer-portal-implement-widgets.md). The tutorial to [customize the managed portal](api-management-howto-developer-portal-customize.md) walks you through the portal's administrative panel, which is common for **managed** and **self-hosted** versions.

-* For certain situations, you can [add custom HTML](#how-do-i-add-custom-html-to-my-developer-portal) to add functionality to the portal.

-* [Implement the missing functionality yourself](developer-portal-implement-widgets.md).

-Learn more about developer portal [extensibility](api-management-howto-developer-portal.md#managed-vs-self-hosted).

-## How do I add custom HTML to my developer portal?

-The managed developer portal includes a **Custom HTML code** widget that enables you to insert HTML code for small portal customizations. For example, use custom HTML to embed a video or to add a form. The portal renders the custom widget in an inline frame (iframe).

-

-1. In the administrative interface for the developer portal, go to the page or section where you want to insert the widget.

-1. Select the grey "plus" (**+**) icon that appears when you hover the pointer over the page.

-1. In the **Add widget** window, select **Custom HTML code**.

-

- :::image type="content" source="media/developer-portal-faq/add-custom-html-code-widget.png" alt-text="Add widget for custom HTML code":::

-1. Select the "pencil" icon to customize the widget.

-1. Enter a **Width** and **Height** (in pixels) for the widget.

-1. To inherit styles from the developer portal (recommended), select **Apply developer portal styling**.

- > [!NOTE]

- > If this setting isn't selected, the embedded elements will be plain HTML controls, without the styles of the developer portal.

-

- :::image type="content" source="media/developer-portal-faq/configure-html-custom-code.png" alt-text="Configure HTML custom code":::

-1. Replace the sample **HTML code** with your custom content.

-1. When configuration is complete, close the window.

-1. Save your changes, and [republish the portal](api-management-howto-developer-portal-customize.md#publish).

-> [!NOTE]

-> Microsoft does not support the HTML code you add in the Custom HTML Code widget.

-

-description: Learn how to implement widgets that consume data from external APIs and display it on the API Management developer portal.

-# Implement widgets in the developer portal

-In this tutorial, you implement a widget that consumes data from an external API and displays it on the API Management developer portal.

-The widget will retrieve session descriptions from the sample [Conference API](https://conferenceapi.azurewebsites.net/?format=json). The session identifier will be set through a designated widget editor.

-To help you in the development process, refer to the completed widget located in the `examples` folder of the API Management developer portal [GitHub repository](https://github.com/Azure/api-management-developer-portal/): `/examples/widgets/conference-session`.

-## Prerequisites

-* Set up a [local environment](developer-portal-self-host.md#step-1-set-up-local-environment) for the latest release of the developer portal.

-* You should understand the [Paperbits widget anatomy](https://paperbits.io/wiki/widget-anatomy).

-## Copy the scaffold

-Use a `widget` scaffold from the `/scaffolds` folder as a starting point to build the new widget.

-1. Copy the folder `/scaffolds/widget` to `/community/widgets`.

-1. Rename the folder to `conference-session`.

-## Rename exported module classes

-Rename the exported module classes by replacing the `Widget` prefix with `ConferenceSession` and change the binding name to avoid name collision, in these files:

-

-For example, in the `widget.design.module.ts` file, change `WidgetDesignModule` to `ConferenceSessionDesignModule`:

-

-```typescript

-export class WidgetDesignModule implements IInjectorModule {

- public register(injector: IInjector): void {

- injector.bind("widget", WidgetViewModel);

- injector.bind("widgetEditor", WidgetEditorViewModel);

-```

-to

-

-```typescript

-export class ConferenceSessionDesignModule implements IInjectorModule {

- public register(injector: IInjector): void {

- injector.bind("conferenceSession", WidgetViewModel);

- injector.bind("conferenceSessionEditor", WidgetEditorViewModel);

-```

-

-

-## Register the widget

-Register the widget's modules in the portal's root modules by adding the following lines in the respective files:

-1. `src/apim.design.module.ts` - a module that registers design-time dependencies.

- ```typescript

- import { ConferenceSessionDesignModule } from "../community/widgets/conference-session/widget.design.module";

-

- ...

- injector.bindModule(new ConferenceSessionDesignModule());

- ```

-1. `src/apim.publish.module.ts` - a module that registers publish-time dependencies.

- ```typescript

- import { ConferenceSessionPublishModule } from "../community/widgets/conference-session/widget.publish.module";

- ...

- injector.bindModule(new ConferenceSessionPublishModule());

- ```

-1. `src/apim.runtime.module.ts` - runtime dependencies.

- ```typescript

- import { ConferenceSessionRuntimeModule } from "../community/widgets/conference-session/widget.runtime.module";

- ...

- injector.bindModule(new ConferenceSessionRuntimeModule());

- ```

-## Place the widget in the portal

-Now you're ready to plug in the duplicated scaffold and use it in developer portal.

-1. Run the `npm start` command.

-1. When the application loads, place the new widget on a page. You can find it under the name `Your widget` in the `Community` category in the widget selector.

- :::image type="content" source="media/developer-portal-implement-widgets/widget-selector.png" alt-text="Screenshot of widget selector":::

-1. Save the page by pressing **Ctrl**+**S** (or **Γîÿ**+**S** on macOS).

- > [!NOTE]

- > In design-time, you can still interact with the website by holding the **Ctrl** (or **Γîÿ**) key.

-## Add custom properties

-For the widget to fetch session descriptions, it needs to be aware of the session identifier. Add the `Session ID` property to the respective interfaces and classes:

-In order for the widget to fetch the session description, it needs to be aware of the session identifier. Add the session ID property to the respective interfaces and classes:

-1. `widgetContract.ts` - data contract (data layer) defining how the widget configuration is persisted.

- ```typescript

- export interface WidgetContract extends Contract {

- sessionNumber: string;

- }

- ```

-1. `widgetModel.ts` - model (business layer) - a primary representation of the widget in the system. It's updated by editors and rendered by the presentation layer.

- ```typescript

- export class WidgetModel {

- public sessionNumber: string;

- }

- ```

-1. `ko/widgetViewModel.ts` - viewmodel (presentation layer) - a UI framework-specific object that developer portal renders with the HTML template.

- > [!NOTE]

- > You don't need to change anything in this file.

-## Configure binders

-Enable the flow of the `sessionNumber` from the data source to the widget presentation. Edit the `ModelBinder` and `ViewModelBinder` entities:

-1. `widgetModelBinder.ts` helps to prepare the model using data described in the contract.

- ```typescript

- export class WidgetModelBinder implements IModelBinder<WidgetModel> {

- public async contractToModel(contract: WidgetContract): Promise<WidgetModel> {

- model.sessionNumber = contract.sessionNumber || "107"; // 107 is the default session id

- ...

- }

-

- public modelToContract(model: WidgetModel): Contract {

- const contract: WidgetContract = {

- sessionNumber: model.sessionNumber

- ...

- };

- ...

- }

- }

- ```

-1. `ko/widgetViewModelBinder.ts` knows how developer portal needs to present the model (as a viewmodel) in a specific UI framework.

- ```typescript

- ...

- public async updateViewModel(model: WidgetModel, viewModel: WidgetViewModel): Promise<void> {

- viewModel.runtimeConfig(JSON.stringify({

- sessionNumber: model.sessionNumber

- }));

- }

- }

- ...

- ```

-## Adjust design-time widget template

-The components of each scope run independently. They have separate dependency injection containers, their own configuration, lifecycle, etc. They may even be powered by different UI frameworks (in this example it is Knockout JS).

-From the design-time perspective, any runtime component is just an HTML tag with certain attributes and/or content. Configuration if necessary is passed with plain markup. In simple cases, like in this example, the parameter is passed in the attribute. If the configuration is more complex, you could use an identifier of the required setting(s) fetched by a designated configuration provider (for example, `ISettingsProvider`).

-1. Update the `ko/widgetView.html` file:

- ```html

- <widget-runtime data-bind="attr: { params: runtimeConfig }"></widget-runtime>

- ```

- When developer portal runs the `attr` binding in *design-time* or *publish-time*, the resulting HTML is:

- ```html

- <widget-runtime params="{ sessionNumber: 107 }"></widget-runtime>

- ```

- Then, in runtime, `widget-runtime` component will read `sessionNumber` and use it in the initialization code (see below).

-1. Update the `widgetHandlers.ts` file to assign the session ID on creation:

- ```typescript

- ...

- createModel: async () => {

- var model = new WidgetModel();

- model.sessionNumber = "107";

- return model;

- }

- ...

- ```

-## Revise runtime view model

-Runtime components are the code running in the website itself. For example, in the API Management developer portal, they are all the scripts behind dynamic components (for example, *API details*, *API console*), handling operations such as code sample generation, sending requests, etc.

-Your runtime component's view model needs to have the following methods and properties:

- ```typescript

- ...

- import * as ko from "knockout";

- import { Component, RuntimeComponent, OnMounted, OnDestroyed, Param } from "@paperbits/common/ko/decorators";

- import { HttpClient, HttpRequest } from "@paperbits/common/http";

- ...

- export class WidgetRuntime {

- public readonly sessionDescription: ko.Observable<string>;

- constructor(private readonly httpClient: HttpClient) {

- ...

- this.sessionNumber = ko.observable();

- this.sessionDescription = ko.observable();

- ...

- }

- @Param()

- public readonly sessionNumber: ko.Observable<string>;

- @OnMounted()

- public async initialize(): Promise<void> {

- ...

- const sessionNumber = this.sessionNumber();

- const request: HttpRequest = {

- url: `https://conferenceapi.azurewebsites.net/session/${sessionNumber}`,

- method: "GET"

- };

- const response = await this.httpClient.send<string>(request);

- const sessionDescription = response.toText();

-

- this.sessionDescription(sessionDescription);

- ...

- }

- ...

- }

- ```

-## Tweak the widget template

-Update your widget to display the session description.

-Use a paragraph tag and a `markdown` (or `text`) binding in the `ko/runtime/widget-runtime.html` file to render the description:

-```html

-<p data-bind="markdown: sessionDescription"></p>

-```

-## Add the widget editor

-The widget is now configured to fetch the description of the session `107`. You specified `107` in the code as the default session. To check that you did everything right, run `npm start` and confirm that developer portal shows the description on the page.

-Now, carry out these steps to allow the user to set up the session ID through a widget editor:

-1. Update the `ko/widgetEditorViewModel.ts` file:

- ```typescript

- export class WidgetEditor implements WidgetEditor<WidgetModel> {

- public readonly sessionNumber: ko.Observable<string>;

- constructor() {

- this.sessionNumber = ko.observable();

- }

- @Param()

- public model: WidgetModel;

- @Event()

- public onChange: (model: WidgetModel) => void;

- @OnMounted()

- public async initialize(): Promise<void> {

- this.sessionNumber(this.model.sessionNumber);

- this.sessionNumber.subscribe(this.applyChanges);

- }

- private applyChanges(): void {

- this.model.sessionNumber = this.sessionNumber();

- this.onChange(this.model);

- }

- }

- ```

- The editor view model uses the same approach that you've seen previously, but there is a new property `onChange`, decorated with `@Event()`. It wires the callback to notify the listeners (in this case - a content editor) of changes to the model.

-1. Update the `ko/widgetEditorView.html` file:

- ```html

- <input type="text" class="form-control" data-bind="textInput: sessionNumber" />

- ```

-1. Run `npm start` again. You should be able to change `sessionNumber` in the widget editor. Change the ID to `108`, save the changes, and refresh the browser's tab. If you're experiencing problems, you may need to add the widget onto the page again.

- :::image type="content" source="media/developer-portal-implement-widgets/widget-editor.png" alt-text="Screenshot of widget editor":::

-## Rename the widget

-Change the widget name in the `constants.ts` file:

-```typescript

-...

-export const widgetName = "conference-session";

-export const widgetDisplayName = "Conference session";

-...

-```

-> [!NOTE]

-> If you're contributing the widget to the repository, the `widgetName` needs to be the same as its folder name and needs to be derived from the display name (lowercase and spaces replaced with dashes). The category should remain `Community`.

-## Next steps

-Learn more about the developer portal:

-This tutorial describes how to self-host the [API Management developer portal](api-management-howto-developer-portal.md). Self-hosting gives you flexibility to extend the developer portal with custom logic and widgets that dynamically customize pages on runtime. You can self-host multiple portals for your API Management instance, with different features. When you self-host a portal, you become its maintainer and you're responsible for its upgrades.

-The following steps show how to set up your local development environment, carry out changes in the developer portal, and publish and deploy them to an Azure storage account.

-All developers place their community-contributed widgets in the `/community/widgets/` folder of the API Management developer portal [GitHub repository](https://github.com/Azure/api-management-developer-portal). Each has been accepted by the developer portal team. You can use the widgets by injecting them into your [self-hosted version](developer-portal-self-host.md) of the portal. The managed version of the developer portal doesn't currently support community widgets.

-## Inject and use external widgets

-Your widget will inherit the repository's license. It will be available for [opt-in installation](developer-portal-use-community-widgets.md) in the self-hosted version of the portal. The developer portal team may decide to also include it in the managed version of the portal.

-Refer to the [widget implementation](developer-portal-implement-widgets.md) tutorial for an example of how to develop your own widget.

-Besides App Service, Azure offers other services that can be used for hosting websites and web applications. For most scenarios, App Service is the best choice. For microservice architecture, consider [Azure Spring Apps](../spring-apps/index.yml) or [Service Fabric](https://azure.microsoft.com/documentation/services/service-fabric). If you need more control over the VMs on which your code runs, consider [Azure Virtual Machines](https://azure.microsoft.com/documentation/services/virtual-machines/). For more information about how to choose between these Azure services, see [Azure App Service, Virtual Machines, Service Fabric, and Cloud Services comparison](/azure/architecture/guide/technology-choices/compute-decision-tree).

-* [Azure Load Balancer](https://azure.microsoft.com/documentation/services/load-balancer/)

-* [Azure Traffic Manager](https://azure.microsoft.com/documentation/services/traffic-manager/)

-> * For an enhanced experience and advanced model quality, try the [Form Recognizer v3.0 Studio ](https://formrecognizer.appliedai.azure.com/studio).

-For more troubleshooting of this issue, see [Issue: You are not seeing any Linux data](../../azure-monitor/agents/agent-linux-troubleshoot.md#issue-you-are-not-seeing-any-linux-data).

-Azure App Configuration events enable applications to react to changes in key-values. This is done without the need for complicated code or expensive and inefficient polling services. Instead, events are pushed through [Azure Event Grid](https://azure.microsoft.com/services/event-grid/) to subscribers such as [Azure Functions](https://azure.microsoft.com/services/functions/), [Azure Logic Apps](https://azure.microsoft.com/services/logic-apps/), or even to your own custom http listener. Critically, you only pay for what you use.

-Azure App Configuration events are sent to the Azure Event Grid, which provides reliable delivery services to your applications through rich retry policies and dead-letter delivery. To learn more, see [Event Grid message delivery and retry](../event-grid/delivery-and-retry.md).

-Take a look at [Use Event Grid for data change notifications](./howto-app-configuration-event.md) for a quick example.

-

-Event grid uses [event subscriptions](../event-grid/concepts.md#event-subscriptions) to route event messages to subscribers. Azure App Configuration event subscriptions can include two types of events:

-> |`Microsoft.AppConfiguration.KeyValueModified`|Fired when a key-value is created or replaced|

-> |`Microsoft.AppConfiguration.KeyValueDeleted`|Fired when a key-value is deleted|

-Azure App Configuration events contain all the information you need to respond to changes in your data. You can identify an App Configuration event because the eventType property starts with "Microsoft.AppConfiguration". Additional information about the usage of Event Grid event properties is documented in [Event Grid event schema](../event-grid/event-schema.md).

-> |topic|string|Full Azure Resource Manager id of the App Configuration that emits the event.|

-> |subject|string|The URI of the key-value that is the subject of the event.|

-> |eventTime|string|The date/time that the event was generated, in ISO 8601 format.|

-> |eventType|string|"Microsoft.AppConfiguration.KeyValueModified" or "Microsoft.AppConfiguration.KeyValueDeleted".|

-> |data|object|Collection of Azure App Configuration specific event data|

-> |data.etag|string|For `KeyValueModified` the etag of the new key-value. For `KeyValueDeleted` the etag of the key-value that was deleted.|

-Here is an example of a KeyValueModified event:

-> * Multiple subscriptions can be configured to route events to the same event handler, so do not assume events are from a particular source. Instead, check the topic of the message to ensure the App Configuration instance sending the event.

-> * Check the eventType and do not assume that all events you receive will be the types you expect.

-> * Use the etag fields to understand if your information about objects is still up-to-date.

-Learn more about Event Grid and give Azure App Configuration events a try:

-Azure App Configuration [encrypts sensitive information at rest](../security/fundamentals/encryption-atrest.md). The use of customer-managed keys provides enhanced data protection by allowing you to manage your encryption keys. When managed key encryption is used, all sensitive information in App Configuration is encrypted with a user-provided Azure Key Vault key. This provides the ability to rotate the encryption key on demand. It also provides the ability to revoke Azure App Configuration's access to sensitive information by revoking the App Configuration instance's access to the key.

-## Overview

-Azure App Configuration encrypts sensitive information at rest using a 256-bit AES encryption key provided by Microsoft. Every App Configuration instance has its own encryption key managed by the service and used to encrypt sensitive information. Sensitive information includes the values found in key-value pairs. When customer-managed key capability is enabled, App Configuration uses a managed identity assigned to the App Configuration instance to authenticate with Azure Active Directory. The managed identity then calls Azure Key Vault and wraps the App Configuration instance's encryption key. The wrapped encryption key is then stored and the unwrapped encryption key is cached within App Configuration for one hour. App Configuration refreshes the unwrapped version of the App Configuration instance's encryption key hourly. This ensures availability under normal operating conditions.

->[!IMPORTANT]

-> If the identity assigned to the App Configuration instance is no longer authorized to unwrap the instance's encryption key, or if the managed key is permanently deleted, then it will no longer be possible to decrypt sensitive information stored in the App Configuration instance. Using Azure Key Vault's [soft delete](../key-vault/general/soft-delete-overview.md) function mitigates the chance of accidentally deleting your encryption key.

-When users enable the customer managed key capability on their Azure App Configuration instance, they control the serviceΓÇÖs ability to access their sensitive information. The managed key serves as a root encryption key. A user can revoke their App Configuration instanceΓÇÖs access to their managed key by changing their key vault access policy. When this access is revoked, App Configuration will lose the ability to decrypt user data within one hour. At this point, the App Configuration instance will forbid all access attempts. This situation is recoverable by granting the service access to the managed key once again. Within one hour, App Configuration will be able to decrypt user data and operate under normal conditions.

->[!NOTE]

->All Azure App Configuration data is stored for up to 24 hours in an isolated backup. This includes the unwrapped encryption key. This data is not immediately available to the service or service team. In the event of an emergency restore, Azure App Configuration will re-revoke itself from the managed key data.

- - The key must not be expired, it must be enabled, and it must have both wrap and unwrap capabilities enabled

-Once these resources are configured, two steps remain to allow Azure App Configuration to use the Key Vault key:

-1. Assign a managed identity to the Azure App Configuration instance

-2. Grant the identity `GET`, `WRAP`, and `UNWRAP` permissions in the target Key Vault's access policy.

-To begin, you will need a properly configured Azure App Configuration instance. If you do not yet have an App Configuration instance available, follow one of these quickstarts to set one up:

->[!TIP]

-> The Azure Cloud Shell is a free interactive shell that you can use to run the command line instructions in this article. It has common Azure tools preinstalled, including the .NET Core SDK. If you are logged in to your Azure subscription, launch your [Azure Cloud Shell](https://shell.azure.com) from shell.azure.com. You can learn more about Azure Cloud Shell by [reading our documentation](../cloud-shell/overview.md)

-1. Create an Azure Key Vault using the Azure CLI. Note that both `vault-name` and `resource-group-name` are user-provided and must be unique. We use `contoso-vault` and `contoso-resource-group` in these examples.

-

-

-

- The output from this command shows the key ID ("kid") for the generated key. Make a note of the key ID to use later in this exercise. The key ID has the form: `https://{my key vault}.vault.azure.net/keys/{key-name}/{Key version}`. The key ID has three important components:

-1. Create a system assigned managed identity using the Azure CLI, substituting the name of your App Configuration instance and resource group used in the previous steps. The managed identity will be used to access the managed key. We use `contoso-app-config` to illustrate the name of an App Configuration instance:

-

-

- The output of this command includes the principal ID ("principalId") and tenant ID ("tenandId") of the system assigned identity. These IDs will be used to grant the identity access to the managed key.

-1. The managed identity of the Azure App Configuration instance needs access to the key to perform key validation, encryption, and decryption. The specific set of actions to which it needs access includes: `GET`, `WRAP`, and `UNWRAP` for keys. Granting the access requires the principal ID of the App Configuration instance's managed identity. This value was obtained in the previous step. It is shown below as `contoso-principalId`. Grant permission to the managed key using the command line:

-1. Once the Azure App Configuration instance can access the managed key, we can enable the customer-managed key capability in the service using the Azure CLI. Recall the following properties recorded during the key creation steps: `key name` `key vault URI`.

-In this article, you configured your Azure App Configuration instance to use a customer-managed key for encryption. Learn how to [integrate your service with Azure Managed Identities](howto-integrate-azure-managed-service-identity.md).

-# Leverage content-type to store JSON key-values in App Configuration

-Data is stored in App Configuration as key-values, where values are treated as the string type by default. However, you can specify a custom type by leveraging the content-type property associated with each key-value, so that you can preserve the original type of your data or have your application behave differently based on content-type.

-In App Configuration, you can use the JSON media type as the content-type of your key-values to avail benefits like:

-#### Valid JSON content-type

-Media types, as defined [here](https://www.iana.org/assignments/media-types/media-types.xhtml), can be assigned to the content-type associated with each key-value.

-A media type consists of a type and a subtype. If the type is `application` and the subtype (or suffix) is `json`, the media type will be considered a valid JSON content-type.

-Some examples of valid JSON content-types are:

-#### Valid JSON values

-When a key-value has JSON content-type, its value must be in valid JSON format for clients to process it correctly. Otherwise, clients may fail or fall back and treat it as string format.

-> For the rest of this article, any key-value in App Configuration that has a valid JSON content-type and a valid JSON value will be referred to as **JSON key-value**.

-JSON key-values can be created using Azure portal, Azure CLI or by importing from a JSON file. In this section, you will find instructions on creating the same JSON key-values using all three methods.

-> If you are using Azure CLI or Azure Cloud Shell to create JSON key-values, the value provided must be an escaped JSON string.

-Create a JSON file called `Import.json` with the following content and import as key-values into App Configuration:

-> [!Note]

-> The `--depth` argument is used for flattening hierarchical data from a file into key-value pairs. In this tutorial, depth is specified for demonstrating that you can also store JSON objects as values in App Configuration. If depth is not specified, JSON objects will be flattened to the deepest level by default.

-

-One of the major benefits of using JSON key-values is the ability to preserve the original data type of your values while exporting. If a key-value in App Configuration doesn't have JSON content-type, its value will be treated as string.

-Consider these key-values without JSON content-type:

-However, when you export JSON key-values to a file, all values will preserve their original data type. To verify this, export key-values from your App Configuration to a JSON file. You'll see that the exported file has the same contents as the `Import.json` file you previously imported.

-> If your App Configuration store has some key-values without JSON content-type, they will also be exported to the same file in string format.

-The easiest way to consume JSON key-values in your application is through App Configuration provider libraries. With the provider libraries, you don't need to implement special handling of JSON key-values in your application. They will be parsed and converted to match the native configuration of your application.

-You may access the new keys directly or you may choose to [bind configuration values to instances of .NET objects](/aspnet/core/fundamentals/configuration/#bind-hierarchical-configuration-data-using-the-options-pattern).

-> [!Important]

-> Native support for JSON key-values is available in .NET configuration provider version 4.0.0 (or later). See [*Next steps*](#next-steps) section for more details.

-If you are using the SDK or REST API to read key-values from App Configuration, based on the content-type, your application is responsible for parsing the value of a JSON key-value.

-* [ASP.NET Core quickstart](./quickstart-aspnet-core-app.md)

- * Prerequisite: [Microsoft.Azure.AppConfiguration.AspNetCore](https://www.nuget.org/packages/Microsoft.Azure.AppConfiguration.AspNetCore) package v4.0.0 or later.

-* [.NET Core quickstart](./quickstart-dotnet-core-app.md)

- * Prerequisite: [Microsoft.Extensions.Configuration.AzureAppConfiguration](https://www.nuget.org/packages/Microsoft.Extensions.Configuration.AzureAppConfiguration) package v4.0.0 or later.

-Your application may fail to run if it depends on Azure App Configuration and cannot reach it. Enhance the resiliency of your application by packaging configuration data into a file that's deployed with the application and loaded locally during application startup. This approach guarantees that your application has default setting values on startup. These values are overwritten by any newer changes in an App Configuration store when it's available.

-To do a cloud build, with Azure DevOps for example, make sure the [Azure CLI](/cli/azure/install-azure-cli) is installed in your build system.

-1. Open *Program.cs*, and update the `CreateWebHostBuilder` method to use the exported JSON file by calling the `config.AddJsonFile()` method. Add the `System.Reflection` namespace as well.

-1. Set an environment variable named **ConnectionString**, and set it to the access key to your App Configuration store.

- If you use the Windows command prompt, run the following command and restart the command prompt to allow the change to take effect:

- setx ConnectionString "connection-string-of-your-app-configuration-store"

- $Env:ConnectionString = "connection-string-of-your-app-configuration-store"

- If you use macOS or Linux, run the following command:

- export ConnectionString='connection-string-of-your-app-configuration-store'

-2. To build the app by using the .NET Core CLI, run the following command in the command shell:

-3. After the build successfully completes, run the following command to run the web app locally:

-4. Open a browser window and go to `http://localhost:5000`, which is the default URL for the web app hosted locally.

- 

- az sql mi-arc create --name <secondaryinstance> --tier bc --replicas 3 ΓÇôlicense-type DisasterRecovery --k8s-namespace <namespace> --use-k8s

-Azure Arc-enabled Kubernetes integrates with several Azure services to bring cloud management and governance to your hybrid Kubernetes clusters. Most of these services already offer private endpoints, but you need to configure your firewall and routing rules to allow access to Azure Active Directory and Azure Resource Manager over the internet until these services offer private endpoints. You also need to allow access to Microsoft Container Registry (and Azure Front Door.First Party as a precursor for Microsoft Container Registry) to pull images & Helm charts to enable services like Azure Monitor, as well as for initial setup of Azure Arc agents on the Kubernetes clusters.

-* If your network is configured to route all internet-bound traffic through the Azure VPN or ExpressRoute circuit, you can configure the network security group (NSG) associated with your subnet in Azure to allow outbound TCP 443 (HTTPS) access to Azure AD, Azure Resource Manager, Azure Frontdoor and Microsoft Container Registry using [service tags] (/azure/virtual-network/service-tags-overview). The NSG rules should look like the following:

- | Destination service tag | AzureActiveDirectory | AzureResourceManager | FrontDoor.FirstParty | MicrosoftContainerRegistry

-* Configure the firewall on your local network to allow outbound TCP 443 (HTTPS) access to Azure AD, Azure Resource Manager, and Microsoft Container Registry, and inbound & outbound access to Azure FrontDoor.FirstParty using the downloadable service tag files. The JSON file contains all the public IP address ranges used by Azure AD, Azure Resource Manager, Azure FrontDoor.FirstParty, and Microsoft Container Registry and is updated monthly to reflect any changes. Azure Active Directory's service tag is AzureActiveDirectory, Azure Resource Manager's service tag is AzureResourceManager, Microsoft Container Registry's service tag is MicrosoftContainerRegistry, and Azure Front Door's service tag is FrontDoor.FirstParty. Consult with your network administrator and network firewall vendor to learn how to configure your firewall rules.

-

-

-|`*.servicebus.windows.net`, `guestnotificationservice.azure.com`, `*.guestnotificationservice.azure.com`, `sts.windows.net`, `https://k8sconnectcsp.azureedge.net` | For [Cluster Connect](cluster-connect.md) and for [Custom Location](custom-locations.md) based scenarios. |

-> To translate the `*.servicebus.windows.net` wildcard into specific endpoints, use the command `\GET /urls/allowlist?api-version=2020-01-01&location=<location>`. Within this command, the region must be specified for the `<location>` placeholder.

-* Windows Admin Center - Review the requirements to [prepare your environment](/windows-server/manage/windows-admin-center/deploy/prepare-environment) to deploy and [configure Azure integration ](/windows-server/manage/windows-admin-center/azure/azure-integration).

-description: Learn how to build an Azure Resource Manager template that deploys your function app.

-You can use an Azure Resource Manager template to deploy a function app. This article outlines the required resources and parameters for doing so. You might need to deploy other resources, depending on the [triggers and bindings](functions-triggers-bindings.md) in your function app.

-For more information about creating templates, see [Authoring Azure Resource Manager templates](../azure-resource-manager/templates/syntax.md).

-For sample templates, see:

-| A function app | Required | [Microsoft.Web/sites](/azure/templates/microsoft.web/sites) |

-| An [Azure Storage](../storage/index.yml) account | Required | [Microsoft.Storage/storageAccounts](/azure/templates/microsoft.storage/storageaccounts) |

-| An [Application Insights](../azure-monitor/app/app-insights-overview.md) component | Optional | [Microsoft.Insights/components](/azure/templates/microsoft.insights/components) |

-| A [hosting plan](./functions-scale.md) | Optional¹ | [Microsoft.Web/serverfarms](/azure/templates/microsoft.web/serverfarms) |

-An Azure storage account is required for a function app. You need a general purpose account that supports blobs, tables, queues, and files. For more information, see [Azure Functions storage account requirements](storage-considerations.md#storage-account-requirements).

-```json

-{

- "type": "Microsoft.Storage/storageAccounts",

- "name": "[variables('storageAccountName')]",

- "apiVersion": "2019-06-01",

- "location": "[resourceGroup().location]",

- "kind": "StorageV2",

- "sku": {

- "name": "[parameters('storageAccountType')]"

-The Azure Functions runtime uses the `AzureWebJobsStorage` connection string to create internal queues. When Application Insights is not enabled, the runtime uses the `AzureWebJobsDashboard` connection string to log to Azure Table storage and power the **Monitor** tab in the portal.

-"appSettings": [

- {

- "name": "AzureWebJobsStorage",

- "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value)]"

- },

- "name": "AzureWebJobsDashboard",

- "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value)]"

-Application Insights is recommended for monitoring your function apps. The Application Insights resource is defined with the type **Microsoft.Insights/components** and the kind **web**:

-{

- "apiVersion": "2015-05-01",

- "name": "[variables('appInsightsName')]",

- "type": "Microsoft.Insights/components",

- "kind": "web",

- "location": "[resourceGroup().location]",

- "tags": {

- "[concat('hidden-link:', resourceGroup().id, '/providers/Microsoft.Web/sites/', variables('functionAppName'))]": "Resource"

- },

- "properties": {

- "Application_Type": "web",

- "ApplicationId": "[variables('appInsightsName')]"

-},

-"appSettings": [

- "name": "APPINSIGHTS_INSTRUMENTATIONKEY",

- "value": "[reference(resourceId('microsoft.insights/components/', variables('appInsightsName')), '2015-05-01').InstrumentationKey]"

-The definition of the hosting plan varies, and can be one of the following:

-```json

-{

- "apiVersion": "2015-08-01",

- "type": "Microsoft.Web/sites",

- "name": "[variables('functionAppName')]",

- "location": "[resourceGroup().location]",

- "kind": "functionapp",

- "dependsOn": [

- "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",

- "[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]"

-> If you are explicitly defining a hosting plan, an additional item would be needed in the dependsOn array: `"[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]"`

-"properties": {

- "siteConfig": {

- "appSettings": [

- {

- "name": "AzureWebJobsStorage",

- "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value)]"

- },

- {

- "name": "FUNCTIONS_WORKER_RUNTIME",

- "value": "node"

- },

- {

- "name": "WEBSITE_NODE_DEFAULT_VERSION",

- "value": "~14"

- },

- {

- "name": "FUNCTIONS_EXTENSION_VERSION",

- "value": "~4"

- ]

-}

-The Consumption plan automatically allocates compute power when your code is running, scales out as necessary to handle load, and then scales in when code is not running. You don't have to pay for idle VMs, and you don't have to reserve capacity in advance. To learn more, see [Azure Functions scale and hosting](consumption-plan.md).

-For a sample Azure Resource Manager template, see [Function app on Consumption plan].

-# [Windows](#tab/windows)

-```json

-{

- "type": "Microsoft.Web/serverfarms",

- "apiVersion": "2021-02-01",

- "name": "[variables('hostingPlanName')]",

- "location": "[parameters('location')]",

- "sku": {

- "name": "Y1",

- "tier": "Dynamic",

- "size": "Y1",

- "family": "Y",

- "capacity":0

- },

- "properties": {

- "name":"[variables('hostingPlanName')]",

- "computeMode": "Dynamic"

-# [Linux](#tab/linux)

-```json

-{

- "type": "Microsoft.Web/serverfarms",

- "apiVersion": "2021-02-01",

- "name": "[variables('hostingPlanName')]",

- "location": "[parameters('location')]",

- "sku": {

- "name": "Y1",

- "tier": "Dynamic",

- "size": "Y1",

- "family": "Y",

- "capacity":0

- },

- "properties": {

- "name":"[variables('hostingPlanName')]",

- "computeMode": "Dynamic",

- "reserved": true

-# [Windows](#tab/windows)

-For a sample Azure Resource Manager template, see [Azure Function App Hosted on Windows Consumption Plan](https://github.com/Azure-Samples/function-app-arm-templates/tree/main/function-app-windows-consumption).

-```json

-{

- "type": "Microsoft.Web/sites",

- "apiVersion": "2021-02-01",

- "name": "[parameters('functionAppName')]",

- "location": "[parameters('location')]",

- "kind": "functionapp",

- "dependsOn": [

- "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",

- "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",

- "[resourceId('Microsoft.Insights/components', variables('applicationInsightsName'))]"

- ],

- "properties": {

- "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",

- "siteConfig": {

- "appSettings": [

- {

- "name": "APPINSIGHTS_INSTRUMENTATIONKEY",

- "value": "[reference(resourceId('microsoft.insights/components', variables('applicationInsightsName')), '2015-05-01').InstrumentationKey]"

- },

- {

- "name": "AzureWebJobsStorage",

- "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value)]"

- },

- {

- "name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",

- "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value)]"

- },

- {

- "name": "WEBSITE_CONTENTSHARE",

- "value": "[toLower(parameters('functionAppName'))]"

- },

- {

- "name": "FUNCTIONS_EXTENSION_VERSION",

- "value": "~4"

- },

- {

- "name": "FUNCTIONS_WORKER_RUNTIME",

- "value": "node"

- },

- {

- "name": "WEBSITE_NODE_DEFAULT_VERSION",

- "value": "~14"

-> Do not need to set the [`WEBSITE_CONTENTSHARE`](functions-app-settings.md#website_contentshare) setting in a deployment slot. This setting is generated for you when the app is created in the deployment slot.

-# [Linux](#tab/linux)

-The function app must have set `"kind": "functionapp,linux"`, and it must have set property `"reserved": true`. Linux apps should also include a `linuxFxVersion` property under siteConfig. If you are just deploying code, the value for this is determined by your desired runtime stack in the format of runtime|runtimeVersion. For example: `python|3.7`, `node|14` and `dotnet|3.1`.

-For a sample Azure Resource Manager template, see [Azure Function App Hosted on Linux Consumption Plan](https://github.com/Azure-Samples/function-app-arm-templates/tree/main/function-app-linux-consumption).

-```json

-{

- "type": "Microsoft.Web/sites",

- "apiVersion": "2021-02-01",

- "name": "[parameters('functionAppName')]",

- "location": "[parameters('location')]",

- "kind": "functionapp,linux",

- "dependsOn": [

- "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",

- "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",

- "[resourceId('Microsoft.Insights/components', variables('applicationInsightsName'))]"

- ],

- "properties": {

- "reserved": true,

- "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",

- "siteConfig": {

- "linuxFxVersion": "node|14",

- "appSettings": [

- {

- "name": "APPINSIGHTS_INSTRUMENTATIONKEY",

- "value": "[reference(resourceId('Microsoft.Insights/components', parameters('functionAppName')), '2015-05-01').InstrumentationKey]"

- },

- {

- "name": "AzureWebJobsStorage",

- "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value)]"

- },

- {

- "name": "FUNCTIONS_EXTENSION_VERSION",

- "value": "~4"

- },

- {

- "name": "FUNCTIONS_WORKER_RUNTIME",

- "value": "node"

-A Premium plan is a special type of "serverfarm" resource. You can specify it by using either `EP1`, `EP2`, or `EP3` for the `Name` property value in the `sku` as following:

-# [Windows](#tab/windows)

-```json

-{

- "type": "Microsoft.Web/serverfarms",

- "apiVersion": "2021-02-01",

- "name": "[variables('hostingPlanName')]",

- "location": "[parameters('location')]",

- "sku": {

- "tier": "ElasticPremium",

- "name": "EP1",

- "family": "EP"

- },

- "properties": {

- "name": "[parameters('hostingPlanName')]",

- "maximumElasticWorkerCount": 20

- },

- "kind": "elastic"

-# [Linux](#tab/linux)

-To run your app on Linux, you must also set property `"reserved": true` for the serverfarms resource:

-{

- "type": "Microsoft.Web/serverfarms",

- "apiVersion": "2021-02-01",

- "name": "[variables('hostingPlanName')]",

- "location": "[parameters('location')]",

- "sku": {

- "tier": "ElasticPremium",

- "name": "EP1",

- "family": "EP"

- },

- "properties": {

- "maximumElasticWorkerCount": 20,

- "reserved": true

- },

- "kind": "elastic"

-}

-### Create a function app

-For function app on a Premium plan, you will need to set the `serverFarmId` property on the app so that it points to the resource ID of the plan. You should ensure that the function app has a `dependsOn` setting for the plan as well.

-A Premium plan requires another settings in the site configuration: [`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`](functions-app-settings.md#website_contentazurefileconnectionstring) and [`WEBSITE_CONTENTSHARE`](functions-app-settings.md#website_contentshare). This property configures the storage account where the function app code and configuration are stored, which are used for dynamic scale.

-For a sample Azure Resource Manager template, see [Azure Function App Hosted on Premium Plan](https://github.com/Azure-Samples/function-app-arm-templates/tree/main/function-app-premium-plan).

-The settings required by a function app running in Premium plan differ between Windows and Linux.

-# [Windows](#tab/windows)

-{

- "type": "Microsoft.Web/sites",

- "apiVersion": "2021-02-01",

- "name": "[parameters('functionAppName')]",

- "location": "[parameters('location')]",

- "kind": "functionapp",

- "dependsOn": [

- "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",

- "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",

- "[resourceId('Microsoft.Insights/components', variables('applicationInsightsName'))]"

- ],

- "properties": {

- "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",

- "siteConfig": {

- "appSettings": [

- {

- "name": "APPINSIGHTS_INSTRUMENTATIONKEY",

- "value": "[reference(resourceId('microsoft.insights/components', variables('applicationInsightsName')), '2015-05-01').InstrumentationKey]"

- },

- {

- "name": "AzureWebJobsStorage",

- "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value)]"

- },

- {

- "name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",

- "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value)]"

- },

- {

- "name": "WEBSITE_CONTENTSHARE",

- "value": "[toLower(parameters('functionAppName'))]"

- },

- {

- "name": "FUNCTIONS_EXTENSION_VERSION",

- "value": "~4"

- },

- {

- "name": "FUNCTIONS_WORKER_RUNTIME",

- "value": "node"

- },

- {

- "name": "WEBSITE_NODE_DEFAULT_VERSION",

- "value": "~14"

- }

- ]

-}

-> [!IMPORTANT]

-> You don't need to set the [`WEBSITE_CONTENTSHARE`](functions-app-settings.md#website_contentshare) setting because it's generated for you when the site is first created.

-# [Linux](#tab/linux)

-The function app must have set `"kind": "functionapp,linux"`, and it must have set property `"reserved": true`. Linux apps should also include a `linuxFxVersion` property under siteConfig. If you are just deploying code, the value for this is determined by your desired runtime stack in the format of runtime|runtimeVersion. For example: `python|3.7`, `node|14` and `dotnet|3.1`.

-{

- "type": "Microsoft.Web/sites",

- "apiVersion": "2021-02-01",

- "name": "[parameters('functionAppName')]",

- "location": "[parameters('location')]",

- "kind": "functionapp,linux",

- "dependsOn": [

- "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",

- "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",

- "[resourceId('Microsoft.Insights/components', variables('applicationInsightsName'))]"

- ],

- "properties": {

- "reserved": true,

- "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",

- "siteConfig": {

- "linuxFxVersion": "node|14",

- "appSettings": [

- {

- "name": "APPINSIGHTS_INSTRUMENTATIONKEY",

- "value": "[reference(resourceId('microsoft.insights/components', variables('applicationInsightsName')), '2015-05-01').InstrumentationKey]"

- },

- {

- "name": "AzureWebJobsStorage",

- "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value)]"

- },

- {

- "name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING",

- "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value)]"

- },

- {

- "name": "WEBSITE_CONTENTSHARE",

- "value": "[toLower(parameters('functionAppName'))]"

- },

- {

- "name": "FUNCTIONS_EXTENSION_VERSION",

- "value": "~4"

- },

- {

- "name": "FUNCTIONS_WORKER_RUNTIME",

- "value": "node"

-For a sample Azure Resource Manager template, see [Function app on Azure App Service plan].

-### Create an App Service plan

-An App Service plan is defined by a "serverfarm" resource. You can specify the SKU as follows:

-# [Windows](#tab/windows)

-```json

-{

- "type": "Microsoft.Web/serverfarms",

- "apiVersion": "2021-02-01",

- "name": "[variables('hostingPlanName')]",

- "location": "[parameters('location')]",

- "sku": {

- "tier": "Standard",

- "name": "S1",

- "size": "S1",

- "family": "S",

- "capacity": 1

-# [Linux](#tab/linux)

-```json

-{

- "type": "Microsoft.Web/serverfarms",

- "apiVersion": "2021-02-01",

- "name": "[variables('hostingPlanName')]",

- "location": "[parameters('location')]",

- "sku": {

- "tier": "Standard",

- "name": "S1",

- "size": "S1",

- "family": "S",

- "capacity": 1

- },

- "properties": {

- "reserved": true

-For a sample Azure Resource Manager template, see [Azure Function App Hosted on Dedicated Plan](https://github.com/Azure-Samples/function-app-arm-templates/tree/main/function-app-dedicated-plan).

-# [Windows](#tab/windows)

-```json

-{

- "type": "Microsoft.Web/sites",

- "apiVersion": "2021-02-01",

- "name": "[parameters('functionAppName')]",

- "location": "[parameters('location')]",

- "kind": "functionapp",

- "dependsOn": [

- "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",

- "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",

- "[resourceId('Microsoft.Insights/components', variables('applicationInsightsName'))]"

- ],

- "properties": {

- "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",

- "siteConfig": {

- "alwaysOn": true,

- "appSettings": [

- {

- "name": "APPINSIGHTS_INSTRUMENTATIONKEY",

- "value": "[reference(resourceId('microsoft.insights/components', variables('applicationInsightsName')), '2015-05-01').InstrumentationKey]"

- },

- {

- "name": "AzureWebJobsStorage",

- "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value)]"

- },

- {

- "name": "FUNCTIONS_EXTENSION_VERSION",

- "value": "~4"

- },

- {

- "name": "FUNCTIONS_WORKER_RUNTIME",

- "value": "node"

- },

- {

- "name": "WEBSITE_NODE_DEFAULT_VERSION",

- "value": "~14"

-# [Linux](#tab/linux)

-The function app must have set `"kind": "functionapp,linux"`, and it must have set property `"reserved": true`. Linux apps should also include a `linuxFxVersion` property under siteConfig. If you are just deploying code, the value for this is determined by your desired runtime stack in the format of runtime|runtimeVersion. Examples of `linuxFxVersion` property include: `python|3.7`, `node|14` and `dotnet|3.1`.

-{

- "type": "Microsoft.Web/sites",

- "apiVersion": "2021-02-01",

- "name": "[parameters('functionAppName')]",

- "location": "[parameters('location')]",

- "kind": "functionapp,linux",

- "dependsOn": [

- "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",

- "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",

- "[resourceId('Microsoft.Insights/components', variables('applicationInsightsName'))]"

- ],

- "properties": {

- "reserved": true,

- "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",

- "siteConfig": {

- "alwaysOn": true,

- "linuxFxVersion": "node|14",

- "appSettings": [

- {

- "name": "APPINSIGHTS_INSTRUMENTATIONKEY",

- "value": "[reference(resourceId('microsoft.insights/components', variables('applicationInsightsName')), '2015-05-01').InstrumentationKey]"

- },

- {

- "name": "AzureWebJobsStorage",

- "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';EndpointSuffix=', environment().suffixes.storage, ';AccountKey=',listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value)]"

- },

- {

- "name": "FUNCTIONS_EXTENSION_VERSION",

- "value": "~4"

- },

- {

- "name": "FUNCTIONS_WORKER_RUNTIME",

- "value": "node"

-If you are [deploying a custom container image](./functions-create-function-linux-custom-image.md), you must specify it with `linuxFxVersion` and include configuration that allows your image to be pulled, as in [Web App for Containers](../app-service/index.yml). Also, set `WEBSITES_ENABLE_APP_SERVICE_STORAGE` to `false`, since your app content is provided in the container itself:

-```json

-{

- "apiVersion": "2016-03-01",

- "type": "Microsoft.Web/sites",

- "name": "[variables('functionAppName')]",

- "location": "[resourceGroup().location]",

- "kind": "functionapp",

- "dependsOn": [

- "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",

- "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"

- ],

- "properties": {

- "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('hostingPlanName'))]",

- "siteConfig": {

- "appSettings": [

- "name": "AzureWebJobsStorage",

- "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value)]"

- },

- "name": "FUNCTIONS_WORKER_RUNTIME",

- "value": "node"

- },

- "name": "WEBSITE_NODE_DEFAULT_VERSION",

- "value": "~14"

- },

- "name": "FUNCTIONS_EXTENSION_VERSION",

- "value": "~3"

- },

- "name": "DOCKER_REGISTRY_SERVER_URL",

- "value": "[parameters('dockerRegistryUrl')]"

- },

- "name": "DOCKER_REGISTRY_SERVER_USERNAME",

- "value": "[parameters('dockerRegistryUsername')]"

- },

- "name": "DOCKER_REGISTRY_SERVER_PASSWORD",

- "value": "[parameters('dockerRegistryPassword')]"

- },

- "name": "WEBSITES_ENABLE_APP_SERVICE_STORAGE",

- "value": "false"

- ],

- "linuxFxVersion": "DOCKER|myacr.azurecr.io/myimage:mytag"

-To create the app and plan resources, you must have already [created an App Service Kubernetes environment](../app-service/manage-create-arc-environment.md) for an Azure Arc-enabled Kubernetes cluster. These examples assume you have the resource ID of the custom location and App Service Kubernetes environment that you are deploying to. For most templates, you can supply these as parameters.

-{

- "parameters": {

- "kubeEnvironmentId" : {

- "type": "string"

- },

- "customLocationId" : {

- "type": "string"

- }

-```json

-{

- "extendedLocation": {

- "type": "customlocation",

- "name": "[parameters('customLocationId')]"

- },

-The plan resource should use the Kubernetes (K1) SKU, and its `kind` field should be "linux,kubernetes". Within `properties`, `reserved` should be "true", and `kubeEnvironmentProfile.id` should be set to the App Service Kubernetes environment resource ID. An example plan might look like the following:

- "name": "[variables('hostingPlanName')]",

- "location": "[parameters('location')]",

- "apiVersion": "2020-12-01",

- "kind": "linux,kubernetes",

- "sku": {

- "name": "K1",

- "tier": "Kubernetes"

- },

- "extendedLocation": {

- "type": "customlocation",

- "name": "[parameters('customLocationId')]"

- },

- "properties": {

- "name": "[variables('hostingPlanName')]",

- "location": "[parameters('location')]",

- "workerSizeId": "0",

- "numberOfWorkers": "1",

- "kubeEnvironmentProfile": {

- "id": "[parameters('kubeEnvironmentId')]"

- "reserved": true

-The function app resource should have its `kind` field set to "functionapp,linux,kubernetes" or "functionapp,linux,kubernetes,container" depending on if you intend to deploy via code or container. An example function app might look like the following:

- {

- "apiVersion": "2018-11-01",

- "type": "Microsoft.Web/sites",

- "name": "[variables('appName')]",

- "kind": "kubernetes,functionapp,linux,container",

- "location": "[parameters('location')]",

- "extendedLocation": {

- "type": "customlocation",

- "name": "[parameters('customLocationId')]"

- },

- "dependsOn": [

- "[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]",

- "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",

- "[variables('hostingPlanId')]"

- ],

- "properties": {

- "serverFarmId": "[variables('hostingPlanId')]",

- "siteConfig": {

- "linuxFxVersion": "DOCKER|mcr.microsoft.com/azure-functions/dotnet:3.0-appservice-quickstart",

- "appSettings": [

- "name": "FUNCTIONS_EXTENSION_VERSION",

- "value": "~3"

- },

- "name": "AzureWebJobsStorage",

- "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2015-05-01-preview').key1)]"

- },

- "name": "APPINSIGHTS_INSTRUMENTATIONKEY",

- "value": "[reference(resourceId('microsoft.insights/components/', variables('appInsightsName')), '2015-05-01').InstrumentationKey]"

- ],

- "alwaysOn": true

-> To successfully deploy your application by using Azure Resource Manager, it's important to understand how resources are deployed in Azure. In the following example, top-level configurations are applied by using **siteConfig**. It's important to set these configurations at a top level, because they convey information to the Functions runtime and deployment engine. Top-level information is required before the child **sourcecontrols/web** resource is applied. Although it's possible to configure these settings in the child-level **config/appSettings** resource, in some cases your function app must be deployed *before* **config/appSettings** is applied. For example, when you are using functions with [Logic Apps](../logic-apps/index.yml), your functions are a dependency of another resource.

-{

- "apiVersion": "2015-08-01",

- "name": "[parameters('appName')]",

- "type": "Microsoft.Web/sites",

- "kind": "functionapp",

- "location": "[parameters('location')]",

- "dependsOn": [

- "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]",

- "[resourceId('Microsoft.Web/serverfarms', parameters('appName'))]"

- ],

- "properties": {

- "serverFarmId": "[variables('appServicePlanName')]",

- "siteConfig": {

- {

- "name": "FUNCTIONS_EXTENSION_VERSION",

- "value": "~3"

- },

- {

- "name": "Project",

- "value": "src"

- }

- }

- },

- "resources": [

- {

- "apiVersion": "2015-08-01",

- "name": "appsettings",

- "type": "config",

- "dependsOn": [

- "[resourceId('Microsoft.Web/Sites', parameters('appName'))]",

- "[resourceId('Microsoft.Web/Sites/sourcecontrols', parameters('appName'), 'web')]",

- "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]"

- ],

- "properties": {

- "AzureWebJobsStorage": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value)]",

- "AzureWebJobsDashboard": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value)]",

- "FUNCTIONS_EXTENSION_VERSION": "~3",

- "FUNCTIONS_WORKER_RUNTIME": "dotnet",

- "Project": "src"

- {

- "apiVersion": "2015-08-01",

- "name": "web",

- "type": "sourcecontrols",

- "dependsOn": [

- "[resourceId('Microsoft.Web/sites/', parameters('appName'))]"

- ],

- "properties": {

- "RepoUrl": "[parameters('sourceCodeRepositoryURL')]",

- "branch": "[parameters('sourceCodeBranch')]",

- "IsManualIntegration": "[parameters('sourceCodeManualIntegration')]"

- }

- }

- ]

-}

-> This template uses the [Project](https://github.com/projectkudu/kudu/wiki/Customizing-deployments#using-app-settings-instead-of-a-deployment-file) app settings value, which sets the base directory in which the Functions deployment engine (Kudu) looks for deployable code. In our repository, our functions are in a subfolder of the **src** folder. So, in the preceding example, we set the app settings value to `src`. If your functions are in the root of your repository, or if you are not deploying from source control, you can remove this app settings value.

-You can use any of the following ways to deploy your template:

-Here is an example that uses markdown:

-Here is an example that uses HTML:

-The following PowerShell commands create a resource group and deploy a template that creates a function app with its required resources. To run locally, you must have [Azure PowerShell](/powershell/azure/install-az-ps) installed. Run [`Connect-AzAccount`](/powershell/module/az.accounts/connect-azaccount) to sign in.

-# Create the parameters for the file, which for this template is the function app name.

-$TemplateParams = @{"appName" = "<function-app-name>"}

-New-AzResourceGroupDeployment -ResourceGroupName "MyResourceGroup" -TemplateFile template.json -TemplateParameterObject $TemplateParams -Verbose

-To test out this deployment, you can use a [template like this one](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.web/function-app-create-dynamic/azuredeploy.json) that creates a function app on Windows in a Consumption plan. Replace `<function-app-name>` with a unique name for your function app.

-|Central US| 100 | 40 |

-|East US | 100 | 60 |

-|East US 2| 100 | 40 |

-|West Europe| 100 | 40 |

-* PowerShell - [docs.microsoft.com](/powershell/scripting/powershell-support-lifecycle#powershell-end-of-support-dates)

-For more information, see [How to use managed identities for App Service and Azure Functions](../app-service/overview-managed-identity.md?toc=%2fazure%2fazure-functions%2ftoc.json).

-[Azure Key Vault](../key-vault/general/overview.md) is a service that provides centralized secrets management, with full control over access policies and audit history. You can use a Key Vault reference in the place of a connection string or key in your application settings. To learn more, see [Use Key Vault references for App Service and Azure Functions](../app-service/app-service-key-vault-references.md?toc=%2fazure%2fazure-functions%2ftoc.json).

-Access restrictions allow you to define lists of allow/deny rules to control traffic to your app. Rules are evaluated in priority order. If there are no rules defined, then your app will accept traffic from any address. To learn more, see [Azure App Service Access Restrictions](../app-service/app-service-ip-restrictions.md?toc=%2fazure%2fazure-functions%2ftoc.json).

-See [Manage the availability of Windows virtual machines](./virtual-machines/availability.md?toc=%2fazure%2fvirtual-machines%2fwindows%2ftoc.json) and [Manage the availability of Linux virtual machines](./virtual-machines/availability.md?toc=%2fazure%2fvirtual-machines%2flinux%2ftoc.json)

-See [Manage the availability of Windows virtual machines](./virtual-machines/availability.md?toc=%2fazure%2fvirtual-machines%2fwindows%2ftoc.json) or [Manage the availability of Linux virtual machines](./virtual-machines/availability.md?toc=%2fazure%2fvirtual-machines%2flinux%2ftoc.json)

-See [Navigate and select Windows virtual machine images in Azure with PowerShell or the CLI](virtual-machines/windows/cli-ps-findimage.md?toc=%2fazure%2fvirtual-machines%2fwindows%2ftoc.json)

-See [Manage the availability of Windows virtual machines](./virtual-machines/availability.md?toc=%2fazure%2fvirtual-machines%2fwindows%2ftoc.json) and [Manage the availability of Linux virtual machines](./virtual-machines/availability.md?toc=%2fazure%2fvirtual-machines%2flinux%2ftoc.json)

-The software implementation of a physical computer that runs an operating system. Multiple virtual machines can run simultaneously on the same hardware. In Azure, virtual machines are available in a variety of sizes.

-See [Virtual Machines documentation](https://azure.microsoft.com/documentation/services/virtual-machines/)

-See [About virtual machine extensions and features (Windows)](./virtual-machines/extensions/features-windows.md?toc=%2fazure%2fvirtual-machines%2fwindows%2ftoc.json) or [About virtual machine extensions and features (Linux)](./virtual-machines/extensions/features-linux.md?toc=%2fazure%2fvirtual-machines%2flinux%2ftoc.json)

-|[Cloud Navigator, Inc - formerly ISC](https://www.cloudnav.com )|

-|[NTS Cloud](http://ntscloud.com/ )|

-# How to troubleshoot issues with the Log Analytics agent for Linux

-This article provides help troubleshooting errors you might experience with the Log Analytics agent for Linux in Azure Monitor and suggests possible solutions to resolve them.

-The Log Analytics Agent Linux Troubleshooting Tool is a script designed to help find and diagnose issues with the Log Analytics Agent. It is automatically included with the agent upon installation. Running the tool should be the first step in diagnosing an issue.

-### How to Use

-The Troubleshooting Tool can be run by pasting the following command into a terminal window on a machine with the Log Analytics agent:

-### Manual Installation

-The Troubleshooting Tool is automatically included upon installation of the Log Analytics Agent. However, if installation fails in any way, it can also be installed manually by following the steps below.

-1. Ensure that the [GNU Project Debugger (GDB)](https://www.gnu.org/software/gdb/) is installed on the machine since the troubleshooter relies on it.

-2. Copy the troubleshooter bundle onto your machine: `wget https://raw.github.com/microsoft/OMS-Agent-for-Linux/master/source/code/troubleshooter/omsagent_tst.tar.gz`

-3. Unpack the bundle: `tar -xzvf omsagent_tst.tar.gz`

-4. Run the manual installation: `sudo ./install_tst`

-### Scenarios Covered

-Below is a list of scenarios checked by the Troubleshooting Tool:

-1. Agent is unhealthy, heartbeat doesn't work properly

-2. Agent doesn't start, can't connect to Log Analytic Services

-3. Agent syslog isn't working

-4. Agent has high CPU / memory usage

-5. Agent having installation issues

-6. Agent custom logs aren't working

-7. Collect Agent logs

-For more details, please check out our [GitHub documentation](https://github.com/microsoft/OMS-Agent-for-Linux/blob/master/docs/Troubleshooting-Tool.md).

- > Please run the Log Collector tool when you experience an issue. Having the logs initially will greatly help our support team troubleshoot your issue quicker.

-## Purge and Re-Install the Linux Agent

-We've seen that a clean re-install of the Agent will fix most issues. In fact this may be the first suggestion from Support to get the Agent into a uncorrupted state from our support team. Running the troubleshooter, log collect, and attempting a clean re-install will help solve issues more quickly.

-2. Run the purge script (with sudo permissions):

-## Important log locations and Log Collector tool

- We recommend you to use our log collector tool to retrieve important logs for troubleshooting or before submitting a GitHub issue. You can read more about the tool and how to run it [here](https://github.com/Microsoft/OMS-Agent-for-Linux/blob/master/tools/LogCollector/OMS_Linux_Agent_Log_Collector.md).

- Category | File Location

- Additional configurations | `/etc/opt/microsoft/omsagent/<workspace id>/conf/omsagent.d/*.conf`

- > Editing configuration files for performance counters and Syslog is overwritten if the collection is configured from the [Agents configuration](../agents/agent-data-sources.md#configuring-data-sources) in the Azure portal for your workspace. To disable configuration for all agents, disable collection from **Agents configuration** or for a single agent run the following:

-| Error Code | Meaning |

-| NOT_DEFINED | Because the necessary dependencies are not installed, the auoms auditd plugin will not be installed. Installation of auoms failed, install package auditd. |

-| 2 | Invalid option provided to the shell bundle. Run `sudo sh ./omsagent-*.universal*.sh --help` for usage |

-| 4 | Invalid package type OR invalid proxy settings; omsagent-*rpm*.sh packages can only be installed on RPM-based systems, and omsagent-*deb*.sh packages can only be installed on Debian-based systems. It is recommend you use the universal installer from the [latest release](../vm/monitor-virtual-machine.md#agents). Also review to verify your proxy settings. |

-| 5 | The shell bundle must be executed as root OR there was 403 error returned during onboarding. Run your command using `sudo`. |

-| 6 | Invalid package architecture OR there was error 200 error returned during onboarding; omsagent-\*x64.sh packages can only be installed on 64-bit systems, and omsagent-\*x86.sh packages can only be installed on 32-bit systems. Download the correct package for your architecture from the [latest release](https://github.com/Microsoft/OMS-Agent-for-Linux/releases/latest). |

-| 30 | Internal bundle error. File a [GitHub Issue](https://github.com/Microsoft/OMS-Agent-for-Linux/issues) with details from the output. |

-| 55 | Unsupported openssl version OR Cannot connect to Azure Monitor OR dpkg is locked OR missing curl program. |

-| 62 | Missing tar program, install tar. |

-| 63 | Missing sed program, install sed. |

-| 64 | Missing curl program, install curl. |

-| 65 | Missing gpg program, install gpg. |

-| Error Code | Meaning |

-| 30 | Internal script error. File a [GitHub Issue](https://github.com/Microsoft/OMS-Agent-for-Linux/issues) with details from the output. |

-| 31 | Error generating agent ID. File a [GitHub Issue](https://github.com/Microsoft/OMS-Agent-for-Linux/issues) with details from the output. |

-| 33 | Error generating metaconfiguration for omsconfig. File a [GitHub Issue](https://github.com/Microsoft/OMS-Agent-for-Linux/issues) with details from the output. |

-### OMS output plugin debug

- FluentD allows for plugin-specific logging levels allowing you to specify different log levels for inputs and outputs. To specify a different log level for OMS output, edit the general agent configuration at `/etc/opt/microsoft/omsagent/<workspace id>/conf/omsagent.conf`.

- In the OMS output plugin, before the end of the configuration file, change the `log_level` property from `info` to `debug`:

-Debug logging allows you to see batched uploads to Azure Monitor separated by type, number of data items, and time taken to send:

-*Example debug enabled log:*

-Instead of using the OMS output plugin you can also output data items directly to `stdout`, which is visible in the Log Analytics agent for Linux log file.

-In the Log Analytics general agent configuration file at `/etc/opt/microsoft/omsagent/<workspace id>/conf/omsagent.conf`, comment out the OMS output plugin by adding a `#` in front of each line:

-Below the output plugin, uncomment the following section by removing the `#` in front of each line:

-## Issue: Unable to connect through proxy to Azure Monitor

-* The proxy specified during onboarding was incorrect

-* The Azure Monitor and Azure Automation Service Endpoints are not included in the approved list in your datacenter

-1. Reonboard to Azure Monitor with the Log Analytics agent for Linux by using the following command with the option `-v` enabled. It allows verbose output of the agent connecting through the proxy to Azure Monitor.

-2. Review the section [Update proxy settings](agent-manage.md#update-proxy-settings) to verify you have properly configured the agent to communicate through a proxy server.

-3. Double-check that the endpoints outlined in the Azure Monitor [network firewall requirements](./log-analytics-agent.md#firewall-requirements) list are added to an allow list correctly. If you use Azure Automation, the necessary network configuration steps are linked above as well.

-* Date and Time is incorrect on Linux Server

-* Workspace ID and Workspace Key used are not correct

-1. Check the time on your Linux server with the command date. If the time is +/- 15 minutes from current time, then onboarding fails. To correct this update the date and/or timezone of your Linux server.

-2. Verify you have installed the latest version of the Log Analytics agent for Linux. The newest version now notifies you if time skew is causing the onboarding failure.

-3. Reonboard using correct Workspace ID and Workspace Key following the installation instructions earlier in this article.

-This is a known issue that occurs on first upload of Linux data into a Log Analytics workspace. This does not affect data being sent or service experience.

-A regression in nss-pem package [v1.0.3-5.el7](https://centos.pkgs.org/7/centos-x86_64/nss-pem-1.0.3-7.el7.x86_64.rpm.html) caused a severe performance issue, that we've been seeing come up a lot in Redhat/Centos 7.x distributions. To learn more about this issue, check the following documentation: Bug [1667121 Performance regression in libcurl](https://bugzilla.redhat.com/show_bug.cgi?id=1667121).

-Performance related bugs don't happen all the time, and they are very difficult to reproduce. If you experience such issue with omiagent you should use the script omiHighCPUDiagnostics.sh which will collect the stack trace of the omiagent when exceeding a certain threshold.

-1. Download the script <br/>

-2. Run diagnostics for 24 hours with 30% CPU threshold <br/>

-3. Callstack will be dumped in omiagent_trace file, If you notice many Curl and NSS function calls, follow resolution steps below.

-### Resolution (step by step)

-1. Upgrade the nss-pem package to [v1.0.3-5.el7_6.1](https://centos.pkgs.org/7/centos-x86_64/nss-pem-1.0.3-7.el7.x86_64.rpm.html). <br/>

-2. If nss-pem is not available for upgrade (mostly happens on Centos), then downgrade curl to 7.29.0-46. If by mistake you run "yum update", then curl will be upgraded to 7.29.0-51 and the issue will happen again. <br/>

-3. Restart OMI: <br/>

-## Issue: You are not seeing forwarded Syslog messages

-* The configuration applied to the Linux server does not allow collection of the sent facilities and/or log levels

-* Syslog is not being forwarded correctly to the Linux server

-* The number of messages being forwarded per second are too great for the base configuration of the Log Analytics agent for Linux to handle

-* Verify the configuration in the Log Analytics workspace for Syslog has all the facilities and the correct log levels. Review [configure Syslog collection in the Azure portal](data-sources-syslog.md#configure-syslog-in-the-azure-portal)

-* Verify the native syslog messaging daemons (`rsyslog`, `syslog-ng`) are able to receive the forwarded messages

-* Check firewall settings on the Syslog server to ensure that messages are not being blocked

-* Simulate a Syslog message to Log Analytics using `logger` command

- * `logger -p local0.err "This is my test message"`

-## Issue: You are receiving Errno address already in use in omsagent log file

-If you see `[error]: unexpected error error_class=Errno::EADDRINUSE error=#<Errno::EADDRINUSE: Address already in use - bind(2) for "127.0.0.1" port 25224>` in omsagent.log.

-This error indicates that the Linux Diagnostic extension (LAD) is installed side by side with the Log Analytics Linux VM extension, and it is using same port for syslog data collection as omsagent.

-1. As root, execute the following commands (note that 25224 is an example and it is possible that in your environment you see a different port number used by LAD):

-2. If the VM is running `rsyslogd`, the file to be modified is: `/etc/rsyslog.d/95-omsagent.conf` (if it exists, else `/etc/rsyslog`). If the VM is running `syslog_ng`, the file to be modified is: `/etc/syslog-ng/syslog-ng.conf`.

-3. Restart omsagent `sudo /opt/microsoft/omsagent/bin/service_control restart`.

-4. Restart syslog service.

-## Issue: You are unable to uninstall omsagent using purge option

-* Linux Diagnostic Extension is installed

-* Linux Diagnostic Extension was installed and uninstalled, but you still see an error about omsagent being used by mdsd and cannot be removed.

-1. Uninstall the Linux Diagnostic Extension (LAD).

-2. Remove Linux Diagnostic Extension files from the machine if they are present in the following location: `/var/lib/waagent/Microsoft.Azure.Diagnostics.LinuxDiagnostic-<version>/` and `/var/opt/microsoft/omsagent/LAD/`.

-## Issue: You cannot see data any Nagios data

-* Omsagent user does not have permissions to read from Nagios log file

-* Nagios source and filter have not been uncommented from omsagent.conf file

-1. Add omsagent user to read from Nagios file by following these [instructions](https://github.com/Microsoft/OMS-Agent-for-Linux/blob/master/docs/OMS-Agent-for-Linux.md#nagios-alerts).

-2. In the Log Analytics agent for Linux general configuration file at `/etc/opt/microsoft/omsagent/<workspace id>/conf/omsagent.conf`, ensure that **both** the Nagios source and filter are uncommented.

-## Issue: You are not seeing any Linux data

-* Onboarding to Azure Monitor failed

-* Connection to Azure Monitor is blocked

-* Virtual machine was rebooted

-* OMI package was manually upgraded to a newer version compared to what was installed by Log Analytics agent for Linux package

-* OMI is frozen, blocking OMS agent

-* DSC resource logs *class not found* error in `omsconfig.log` log file

-* Log Analytics agent for data is backed up

-1. Install all dependencies like auditd package.

-2. Check if onboarding to Azure Monitor was successful by checking if the following file exists: `/etc/opt/microsoft/omsagent/<workspace id>/conf/omsadmin.conf`. If it was not, reonboard using the omsadmin.sh command line [instructions](https://github.com/Microsoft/OMS-Agent-for-Linux/blob/master/docs/OMS-Agent-for-Linux.md#onboarding-using-the-command-line).

-4. If using a proxy, check proxy troubleshooting steps above.

-5. In some Azure distribution systems, omid OMI server daemon does not start after the virtual machine is rebooted. This will result in not seeing Audit, ChangeTracking, or UpdateManagement solution-related data. The workaround is to manually start omi server by running `sudo /opt/omi/bin/service_control restart`.

-6. After OMI package is manually upgraded to a newer version, it has to be manually restarted for Log Analytics agent to continue functioning. This step is required for some distros where OMI server does not automatically start after it is upgraded. Run `sudo /opt/omi/bin/service_control restart` to restart OMI.

-* In some situations, OMI can become frozen. The OMS agent may enter a blocked state waiting for OMI, blocking all data collection. The OMS agent process will be running but there will be no activity, evidenced by no new log lines (such as sent heartbeats) present in `omsagent.log`. Restart OMI with `sudo /opt/omi/bin/service_control restart` to recover the agent.

-7. If you see DSC resource *class not found* error in omsconfig.log, run `sudo /opt/omi/bin/service_control restart`.

-8. In some cases, when the Log Analytics agent for Linux cannot talk to Azure Monitor, data on the agent is backed up to the full buffer size: 50 MB. The agent should be restarted by running the following command `/opt/microsoft/omsagent/bin/service_control restart`.

- > This issue is fixed in Agent version 1.1.0-28 or later

-* If `omsconfig.log` log file does not indicate that `PerformRequiredConfigurationChecks` operations are running periodically on the system, there might be a problem with the cron job/service. Make sure cron job exists under `/etc/cron.d/OMSConsistencyInvoker`. If needed run the following commands to create the cron job:

- ```

- mkdir -p /etc/cron.d/

- echo "*/15 * * * * omsagent /opt/omi/bin/OMSConsistencyInvoker > 2>&1" | sudo tee /etc/cron.d/OMSConsistencyInvoker

- ```

- Also, make sure the cron service is running. You can use `service cron status` with Debian, Ubuntu, SUSE, or `service crond status` with RHEL, CentOS, Oracle Linux to check the status of this service. If the service does not exist, you can install the binaries and start the service using the following:

- **Ubuntu/Debian**

- ```

- # To Install the service binaries

- sudo apt-get install -y cron

- # To start the service

- sudo service cron start

- ```

- **SUSE**

- ```

- # To Install the service binaries

- sudo zypper in cron -y

- # To start the service

- sudo systemctl enable cron

- sudo systemctl start cron

- ```

- **RHEL/CeonOS**

- ```

- # To Install the service binaries

- sudo yum install -y crond

- # To start the service

- sudo service crond start

- ```

- **Oracle Linux**

- ```

- # To Install the service binaries

- sudo yum install -y cronie

- # To start the service

- sudo service crond start

- ```

-## Issue: When configuring collection from the portal for Syslog or Linux performance counters, the settings are not applied

-* The Log Analytics agent for Linux has not picked up the latest configuration

-* The changed settings in the portal were not applied

-* In some cases, the Log Analytics agent for Linux configuration agent might not be able to communicate with the portal configuration service resulting in latest configuration not being applied.

- 1. Check that the `omsconfig` agent is installed by running `dpkg --list omsconfig` or `rpm -qi omsconfig`. If it is not installed, reinstall the latest version of the Log Analytics agent for Linux.

- 2. Check that the `omsconfig` agent can communicate with Azure Monitor by running the following command `sudo su omsagent -c 'python /opt/microsoft/omsconfig/Scripts/GetDscConfiguration.py'`. This command returns the configuration that agent receives from the service, including Syslog settings, Linux performance counters, and custom logs. If this command fails, run the following command `sudo su omsagent -c 'python /opt/microsoft/omsconfig/Scripts/PerformRequiredConfigurationChecks.py'`. This command forces the omsconfig agent to talk to Azure Monitor and retrieve the latest configuration.

-## Issue: You are not seeing any custom log data

-* The setting **Apply the following configuration to my Linux Servers** has not been selected.

-* omsconfig has not picked up the latest custom log configuration from the service.

-* Log Analytics agent for Linux user `omsagent` is unable to access the custom log due to permissions or not being found. You may see the following errors:

-* `[DATETIME] [warn]: file not found. Continuing without tailing it.`

-* `[DATETIME] [error]: file not accessible by omsagent.`

-* Known Issue with Race Condition fixed in Log Analytics agent for Linux version 1.1.0-217

- 1. Reonboard using the omsadmin.sh command line [instructions](https://github.com/Microsoft/OMS-Agent-for-Linux/blob/master/docs/OMS-Agent-for-Linux.md#onboarding-using-the-command-line).

- 2. Under **Advanced Settings** in the Azure portal, ensure that the setting **Apply the following configuration to my Linux Servers** is enabled.

-2. Check that the `omsconfig` agent can communicate with Azure Monitor by running the following command `sudo su omsagent -c 'python /opt/microsoft/omsconfig/Scripts/GetDscConfiguration.py'`. This command returns the configuration that agent receives from the service, including Syslog settings, Linux performance counters, and custom logs. If this command fails, run the following command `sudo su omsagent -c 'python /opt/microsoft/omsconfig/Scripts/PerformRequiredConfigurationChecks.py'`. This command forces the omsconfig agent to talk to Azure Monitor and retrieve the latest configuration.

-**Background:** Instead of the Log Analytics agent for Linux running as a privileged user - `root`, the agent runs as the `omsagent` user. In most cases, explicit permission must be granted to this user in order for certain files to be read. To grant permission to `omsagent` user, run the following commands:

-1. Add the `omsagent` user to specific group `sudo usermod -a -G <GROUPNAME> <USERNAME>`

-2. Grant universal read access to the required file `sudo chmod -R ugo+rx <FILE DIRECTORY>`

-There is a known issue with a race condition with the Log Analytics agent for Linux version earlier than 1.1.0-217. After updating to the latest agent, run the following command to get the latest version of the output plugin `sudo cp /etc/opt/microsoft/omsagent/sysconf/omsagent.conf /etc/opt/microsoft/omsagent/<workspace id>/conf/omsagent.conf`.

-## Issue: You are trying to reonboard to a new workspace

-When you try to reonboard an agent to a new workspace, the Log Analytics agent configuration needs to be cleaned up before reonboarding. To clean up old configuration from the agent, run the shell bundle with `--purge`

-You can continue reonboard after using the `--purge` option

-## Log Analytics agent extension in the Azure portal is marked with a failed state: Provisioning failed

-* Log Analytics agent has been removed from the operating system

-* Log Analytics agent service is down, disabled, or not configured

-Perform the following steps to correct the issue.

-1. Remove extension from Azure portal.

-2. Install the agent following the [instructions](../vm/monitor-virtual-machine.md).

-3. Restart the agent by running the following command: `sudo /opt/microsoft/omsagent/bin/service_control restart`.

-* Wait several minutes and the provisioning state changes to **Provisioning succeeded**.

-Perform the following steps to correct the issue.

-1. Check for the latest release on [page](https://github.com/Microsoft/OMS-Agent-for-Linux/releases/).

-2. Download install script (1.4.2-124 as example version):

-3. Upgrade packages by executing `sudo sh ./omsagent-*.universal.x64.sh --upgrade`.

-## Issue: Installation is failing saying Python2 cannot support ctypes, even though Python3 is being used

-There is a known issue where, if the VM's language isn't English, a check will fail when verifying which version of Python is being used. This leads to the agent always assuming Python2 is being used, and failing if there is no Python2.

- |26002 |Health Service Modules |Workflow could not resolve data source. |This can occur if the specified Windows event log does not exist on the computer. This error can be safely ignored if the computer is not expected to have this event log registered, otherwise if this is a user-specified [event log](data-sources-windows-events.md#configuring-windows-event-logs), verify the information specified is correct. |

-description: Options for managing the Azure Monitor agent (AMA) on Azure virtual machines and Azure Arc-enabled servers.

-This article provides the different options currently available to install, uninstall and update the [Azure Monitor agent](azure-monitor-agent-overview.md). This agent extension can be installed on Azure virtual machines, scale sets and Azure Arc-enabled servers. It also lists the options to create [associations with data collection rules](data-collection-rule-azure-monitor-agent.md) that define which data the agent should collect. Installing, upgrading, or uninstalling the Azure Monitor Agent will not require you to restart your server.

-The Azure Monitor agent is implemented as an [Azure VM extension](../../virtual-machines/extensions/overview.md) with the details in the following table. It can be installed using any of the methods to install virtual machine extensions including those described in this article.

-| TypeHandlerVersion | See [Azure Monitor Agent extension versions](./azure-monitor-agent-extension-versions.md) | [Azure Monitor Agent extension versions](./azure-monitor-agent-extension-versions.md) |

-[View Azure Monitor Agent extension versions](./azure-monitor-agent-extension-versions.md).

- | Built-in Role | Scope(s) | Reason |

- | <ul><li>[Virtual Machine Contributor](../../role-based-access-control/built-in-roles.md#virtual-machine-contributor)</li><li>[Azure Connected Machine Resource Administrator](../../role-based-access-control/built-in-roles.md#azure-connected-machine-resource-administrator)</li></ul> | <ul><li>Virtual machines, scale sets</li><li>Arc-enabled servers</li></ul> | To deploy the agent |

- | Any role that includes the action *Microsoft.Resources/deployments/** | <ul><li>Subscription and/or</li><li>Resource group and/or </li></ul> | To deploy ARM templates |

- - **User-assigned**: This is recommended for large-scale deployments, configurable via [built-in Azure policies](#using-azure-policy). You can create a user-assigned managed identity once and share it across multiple VMs, and is thus more scalable than a system-assigned managed identity. If you use a user-assigned managed identity, you must pass the managed identity details to Azure Monitor Agent via extension settings:

- We recommend using `mi_res_id` as the `identifier-name`. The sample commands below only show usage with `mi_res_id` for the sake of brevity. For more details on `mi_res_id`, `object_id`, and `client_id`, see the [managed identity documentation](../../active-directory/managed-identities-azure-resources/how-to-use-vm-token.md#get-a-token-using-http).

- - **System-assigned**: This is suited for initial testing or small deployments. When used at scale (for example, for all VMs in a subscription) it results in substantial number of identities created (and deleted) in Azure AD (Azure Active Directory). To avoid this churn of identities, it is recommended to use user-assigned managed identities instead. **For Arc-enabled servers, system-assigned managed identity is enabled automatically** (as soon as you install the Arc agent) as it's the only supported type for Arc-enabled servers.

- - This is not required for Azure Arc-enabled servers. The system identity will be enabled automatically if the agent is installed via [creating and assigning a data collection rule using the Azure portal](data-collection-rule-azure-monitor-agent.md#create-data-collection-rule-and-association).

- (If using private links on the agent, you must also add the [dce endpoints](../essentials/data-collection-endpoint-overview.md#components-of-a-data-collection-endpoint))

-> This article only pertains to agent installation or management. After you install the agent, you must review the next article to [configure data collection rules and associate them with the machines](./data-collection-rule-azure-monitor-agent.md) with agents installed.

-> **The Azure Monitor agents cannot function without being associated with data collection rules.**

-## Using the Azure portal

-To install the Azure Monitor agent using the Azure portal, follow the process to [create a data collection rule](data-collection-rule-azure-monitor-agent.md#create-data-collection-rule-and-association) in the Azure portal. This not only creates the rule, but it also associates it to the selected resources and installs the Azure Monitor agent on them if not already installed.

-To uninstall the Azure Monitor agent using the Azure portal, navigate to your virtual machine, scale set or Arc-enabled server, select the **Extensions** tab and click on **AzureMonitorWindowsAgent** or **AzureMonitorLinuxAgent**. In the dialog that pops up, click **Uninstall**.

-To perform a **one time update** of the agent, you must first uninstall the existing agent version and then install the new version as described above.

-The **recommendation** is to enable automatic update of the agent by enabling the [Automatic Extension Upgrade](../../virtual-machines/automatic-extension-upgrade.md) feature. Navigate to your virtual machine or scale set, select the **Extensions** tab and click on **AzureMonitorWindowsAgent** or **AzureMonitorLinuxAgent**. In the dialog that pops up, click **Enable automatic upgrade**.

-## Using Resource Manager templates

-Get sample templates for installing the agent and creating the association from the following:

-Install the templates using [any deployment method for Resource Manager templates](../../azure-resource-manager/templates/deploy-powershell.md) such as the following commands.

-## Using PowerShell

-You can install the Azure Monitor agent on Azure virtual machines and on Azure Arc-enabled servers using the PowerShell command for adding a virtual machine extension.

-Use the following PowerShell commands to install the Azure Monitor agent on Azure virtual machines.

-To perform a **one time update** of the agent, you must first uninstall the existing agent version and then install the new version as described above.

-The **recommendation** is to enable automatic update of the agent by enabling the [Automatic Extension Upgrade](../../virtual-machines/automatic-extension-upgrade.md) feature, using the following PowerShell commands.

-Use the following PowerShell commands to install the Azure Monitor agent on Azure Arc-enabled servers.

-To perform a **one time** upgrade of the agent, use the following PowerShell commands:

-The **recommendation** is to enable automatic update of the agent by enabling the [Automatic Extension Upgrade (preview)](../../azure-arc/servers/manage-automatic-vm-extension-upgrade.md#enable-automatic-extension-upgrade) feature, using the following PowerShell commands.

-## Using Azure CLI

-You can install the Azure Monitor agent on Azure virtual machines and on Azure Arc-enabled servers using the Azure CLI command for adding a virtual machine extension.

-Use the following CLI commands to install the Azure Monitor agent on Azure virtual machines.

-To perform a **one time update** of the agent, you must first uninstall the existing agent version and then install the new version as described above.

-The **recommendation** is to enable automatic update of the agent by enabling the [Automatic Extension Upgrade](../../virtual-machines/automatic-extension-upgrade.md) feature, using the following CLI commands.

-Use the following CLI commands to install the Azure Monitor agent onAzure Azure Arc-enabled servers.

-Use the following CLI commands to install the Azure Monitor agent onAzure Azure Arc-enabled servers.

-To perform a **one time upgrade** of the agent, use the following CLI commands:

-The **recommendation** is to enable automatic update of the agent by enabling the [Automatic Extension Upgrade (preview)](../../azure-arc/servers/manage-automatic-vm-extension-upgrade.md#enable-automatic-extension-upgrade) feature, using the following PowerShell commands.

-## Using Azure Policy

-Use the following policies and policy initiatives to **automatically install the agent and associate it with a data collection rule**, every time you create a virtual machine, scale set, or Arc-enabled server.

-> As per Microsoft Identity best practices, policies for installing Azure Monitor agent on **virtual machines and scale-sets** rely on **user-assigned managed identity**. This is the more scalable and resilient managed identity options for these resources.

-> For **Arc-enabled servers**, policies rely on only **system-assigned managed identity** as the only supported option today.

-Before proceeding, review [prerequisites for agent installation](azure-monitor-agent-manage.md#prerequisites).

-Policy initiatives for Windows and Linux **virtual machines, scale-sets** consist of individual policies that:

- - `Bring Your Own User-Assigned Identity`: If set of `true`, it creates the built-in user-assigned managed identity in the predefined resource group, and assigns it to all machines that the policy is applied to. If set to `false`, you can instead use existing user-assigned identity that **you must assign** to the machines beforehand.

- - `Bring Your Own User-Assigned Managed Identity`: If set to `false`, it configures the agent to use the built-in user-assigned managed identity created by the policy above. If set to `true`, it configures the agent to use an existing user-assigned identity that **you must assign** to the machine(s) in scope beforehand.

- - `User-Assigned Managed Identity Name`: If using your own identity (selected `true`), specify the name of the identity that's assigned to the machine(s)

- - `User-Assigned Managed Identity Resource Group`: If using your own identity (selected `true`), specify the resource group where the identity exists

- - `Additional Virtual Machine Images`: Pass additional VM image names that you want to apply the policy to, if not already included

- - `Data Collection Rule Resource Id`: The ARM resourceId of the rule you want to associate via this policy, to all machines the policy is applied to.

-

-#### Known issues:

-### Built-in policies

-You can choose to use the individual policies from the policy initiative above to perform a single action at scale. For example, if you *only* want to automatically install the agent, use the second agent installation policy from the initiative as shown below.

-

-The initiatives or policies will apply to each virtual machine as it's created. A [remediation task](../../governance/policy/how-to/remediate-resources.md) deploys the policy definitions in the initiative to *existing resources*, so you can configure the Azure Monitor agent for any resources that were already created.

-When you create the assignment by using the Azure portal, you have the option of creating a remediation task at the same time. See [Remediate non-compliant resources with Azure Policy](../../governance/policy/how-to/remediate-resources.md) for details on the remediation.

-description: Describes how to configure the collection of Windows Event logs by Azure Monitor and details of the records they create.

-Windows Event logs are one of the most common [data sources](../agents/agent-data-sources.md) for Log Analytics agents on Windows virtual machines since many applications write to the Windows event log. You can collect events from standard logs, such as System and Application, and any custom logs created by applications you need to monitor.

-

-## Configuring Windows Event logs

-Configure Windows Event logs from the [Agents configuration menu](../agents/agent-data-sources.md#configuring-data-sources) for the Log Analytics workspace.

-Azure Monitor only collects events from the Windows event logs that are specified in the settings. You can add an event log by typing in the name of the log and clicking **+**. For each log, only the events with the selected severities are collected. Check the severities for the particular log that you want to collect. You can't provide any additional criteria to filter events.

-As you type the name of an event log, Azure Monitor provides suggestions of common event log names. If the log you want to add doesn't appear in the list, you can still add it by typing in the full name of the log. You can find the full name of the log by using event viewer. In event viewer, open the *Properties* page for the log and copy the string from the *Full Name* field.

-[](media/data-sources-windows-events/configure.png#lightbox)

-> [!IMPORTANT]

-> You can't configure collection of security events from the workspace using Log Analytics agent. You must use [Microsoft Defender for Cloud](../../security-center/security-center-enable-data-collection.md) or [Microsoft Sentinel](../../sentinel/connect-windows-security-events.md) to collect security events. [Azure Monitor agent](azure-monitor-agent-overview.md) can also be used to collect security events.

-> [!NOTE]

-> Critical events from the Windows event log will have a severity of "Error" in Azure Monitor Logs.

-Azure Monitor collects each event that matches a selected severity from a monitored event log as the event is created. The agent records its place in each event log that it collects from. If the agent goes offline for a while, it collects events from where it last left off, even if those events were created while the agent was offline. There's a potential for these events to not be collected if the event log wraps with uncollected events being overwritten while the agent is offline.

->Azure Monitor does not collect audit events created by SQL Server from source *MSSQLSERVER* with event ID 18453 that contains keywords - *Classic* or *Audit Success* and keyword *0xa0000000000000*.

-Windows event records have a type of **Event** and have the properties in the following table:

-| ManagementGroupName |Name of the management group for System Center Operations Manager agents. For other agents, this value is `AOI-<workspace ID>` |

-| RenderedDescription |Event description with parameter values |

-| SourceSystem |Type of agent the event was collected from. <br> OpsManager ΓÇô Windows agent, either direct connect or Operations Manager managed <br> Linux ΓÇô All Linux agents <br> AzureStorage ΓÇô Azure Diagnostics |

-## Log queries with Windows Events

-The following table provides different examples of log queries that retrieve Windows Event records.

-* Learn about [log queries](../logs/log-query-overview.md) to analyze the data collected from data sources and solutions.

-Exceptions in web applications can be reported with [Application Insights](./app-insights-overview.md). You can correlate failed requests with exceptions and other events on both the client and server, so that you can quickly diagnose the causes. In this article, you'll learn how to set up exception reporting, report exceptions explicitly, diagnose failures, and more.

-You can set up Application Insights to report exceptions that occur in either the server, or the client. Depending on the platform you're application is dependent on, you'll need the appropriate extension or SDK.

-To have exceptions reported from your server side application, consider the following scenarios:

- * **Azure web apps**: Add the [Application Insights Extension](./azure-web-apps.md)

- * **Azure VM and Azure virtual machine scale set IIS-hosted apps**: Add the [Application Monitoring Extension](./azure-vm-vmss-apps.md)

- * Install [Application Insights SDK](./asp-net.md) in your app code, or

- * **IIS web servers**: Run [Application Insights Agent](./status-monitor-v2-overview.md), or

- * **Java web apps**: Enable the [Java agent](./java-in-process-agent.md)

-The JavaScript SDK provides the ability for client side reporting of exceptions that occur in web browsers. To set up exception reporting on the client, see [Application Insights for web pages](./javascript.md).

-With some application frameworks there is a bit more configuration required, consider the following technologies:

-> This article is specifically focused on .NET Framework apps from a code example perspective. Some of the methods that work for .NET Framework are obsolete in the .NET Core SDK. For more information, see [.NET Core SDK documentation](./asp-net-core.md) when building apps with .NET Core.

-Open the app solution in Visual Studio. Run the app, either on your server or on your development machine by using <kbd>F5</kbd>. Recreate the exception.

-Open the **Application Insights Search** telemetry window in Visual Studio. While debugging, select the **Application Insights** dropdown.

-

-

-Application Insights comes with a curated Application Performance Management (APM) experience to help you diagnose failures in your monitored applications. To start, select on the **Failures** option in the Application Insights resource menu located in the **Investigate** section.

-You will see the failure rate trends for your requests, how many of them are failing, and how many users are impacted. As an **Overall** view, you'll see some of the most useful distributions specific to the selected failing operation, including top three response codes, top three exception types, and top three failing dependency types.

-

-To review representative samples for each of these subsets of operations, select the corresponding link. As an example, to diagnose exceptions, you can select the count of a particular exception to be presented with the **End-to-end transaction** details tab:

-

-Alternatively, instead of looking at exceptions of a specific failing operation, you can start from the **Overall** view of exceptions, by switching to the **Exceptions** tab at the top. Here you can see all the exceptions collected for your monitored app.

-* <xref:Microsoft.VisualStudio.ApplicationInsights.TelemetryClient.TrackEvent%2A?displayProperty=nameWithType> is typically used for monitoring usage patterns, but the data it sends also appears under **Custom Events** in diagnostic search. Events are named, and can carry string properties and numeric metrics on which you can [filter your diagnostic searches](./diagnostic-search.md).

-To see these events, open [Search](./diagnostic-search.md) from the left menu, select the drop-down menu **Event types**, and then choose **Custom Event**, **Trace**, or **Exception**.

-

-> If your app generates a lot of telemetry, the adaptive sampling module will automatically reduce the volume that is sent to the portal by sending only a representative fraction of events. Events that are part of the same operation will be selected or deselected as a group, so that you can navigate between related events. For more information, see [Sampling in Application Insights](./sampling.md).

-### How to see request POST data

-* Insert code in your application to call [Microsoft.ApplicationInsights.TrackTrace()](./api-custom-events-metrics.md#tracktrace). Send the POST data in the message parameter. There is a limit to the permitted size, so you should try to send just the essential data.

-## <a name="exceptions"></a> Capturing exceptions and related diagnostic data

-At first, you won't see in the portal all the exceptions that cause failures in your app. You'll see any browser exceptions (if you're using the [JavaScript SDK](./javascript.md) in your web pages). But most server exceptions are caught by IIS and you have to write a bit of code to see them.

-## Reporting exceptions explicitly

-The simplest way is to insert a call to `trackException()` in an exception handler.

-The properties and measurements parameters are optional, but are useful for [filtering and adding](./diagnostic-search.md) extra information. For example, if you have an app that can run several games, you could find all the exception reports related to a particular game. You can add as many items as you like to each dictionary.

-If your web page includes script files from content delivery networks or other domains, ensure your script tag has the attribute `crossorigin="anonymous"`, and that the server sends [CORS headers](https://enable-cors.org/). This will allow you to get a stack trace and detail for unhandled JavaScript exceptions from these resources.

-> The `TelemetryClient` is recommended to be instantiated once, and re-used throughout the life of an application.

-Starting with Application Insights Web SDK version 2.6 (beta3 and later), Application Insights collects unhandled exceptions thrown in the MVC 5+ controllers methods automatically. If you have previously added a custom handler to track such exceptions, you may remove it to prevent double tracking of exceptions.

-There are a number of scenarios when an exception filter cannot correctly handle errors, when exceptions are thrown:

-* From controller constructors.

-* From message handlers.

-* During routing.

-* During response content serialization.

-* During application start-up.

-* In background tasks.

-All exceptions *handled* by application still need to be tracked manually.

-Unhandled exceptions originating from controllers typically result in 500 "Internal Server Error" response. If such response is manually constructed as a result of handled exception (or no exception at all) it is tracked in corresponding request telemetry with `ResultCode` 500, however Application Insights SDK is unable to track corresponding exception.

-If the [CustomErrors](/previous-versions/dotnet/netframework-4.0/h0hfz6fc(v=vs.100)) configuration is `Off`, then exceptions will be available for the [HTTP Module](/previous-versions/dotnet/netframework-3.0/ms178468(v=vs.85)) to collect. However, if it is `RemoteOnly` (default), or `On`, then the exception will be cleared and not available for Application Insights to automatically collect. You can fix that by overriding the [System.Web.Mvc.HandleErrorAttribute class](/dotnet/api/system.web.mvc.handleerrorattribute), and applying the overridden class as shown for the different MVC versions below ([GitHub source](https://github.com/AppInsightsSamples/Mvc2UnhandledExceptions/blob/master/MVC2App/Controllers/AiHandleErrorAttribute.cs)):

- { //or reuse instance (recommended!). see note above

-Replace the HandleError attribute with your new attribute in your controllers.

-#### MVC 4, MVC5

-Starting with Application Insights Web SDK version 2.6 (beta3 and later), Application Insights collects unhandled exceptions thrown in the controller methods automatically for WebAPI 2+. If you have previously added a custom handler to track such exceptions (as described in following examples), you may remove it to prevent double tracking of exceptions.

-There are a number of cases that the exception filters cannot handle. For example:

-* Exception thrown during application start-up.

-All exceptions *handled* by application still need to be tracked manually.

-Unhandled exceptions originating from controllers typically result in 500 "Internal Server Error" response. If such response is manually constructed as a result of handled exception (or no exception at all) it is tracked in a corresponding request telemetry with `ResultCode` 500, however Application Insights SDK is unable to track corresponding exception.

-If you use WebAPI 1 (and prior) of Application Insights Web SDK 2.5 (and prior), refer to the following examples to track exceptions.

- { //or reuse instance (recommended!). see note above

-Add this to the services in WebApiConfig:

-1. Replace the only ExceptionHandler with a custom implementation of IExceptionHandler. This is only called when the framework is still able to choose which response message to send (not when the connection is aborted for instance)

-2. Exception Filters (as described in the section on Web API 1.x controllers above) - not called in all cases.

-Add a class that extends Attribute and implements IErrorHandler and IServiceBehavior.

-If you have [installed the Azure Monitor Application Insights Agent](./status-monitor-v2-overview.md) on your server, you can get a chart of the exceptions rate, measured by .NET. This includes both handled and unhandled .NET exceptions.

-Open a Metric Explorer tab, add a new chart, and select **Exception rate**, listed under Performance Counters.

-The .NET framework calculates the rate by counting the number of exceptions in an interval and dividing by the length of the interval.

-This is different from the 'Exceptions' count calculated by the Application Insights portal counting TrackException reports. The sampling intervals are different, and the SDK doesn't send TrackException reports for all handled and unhandled exceptions.

-Send diagnostic tracing logs for your ASP.NET/ASP.NET Core application from ILogger, NLog, log4Net, or System.Diagnostics.Trace to [Azure Application Insights][start]. For Python applications, send diagnostic tracing logs using AzureLogHandler in OpenCensus Python for Azure Monitor. You can then explore and search them. Those logs are merged with the other log files from your application, so you can identify traces that are associated with each user request and correlate them with other events and exception reports.

-> Do you need the log-capture module? It's a useful adapter for third-party loggers. But if you aren't already using NLog, log4Net, or System.Diagnostics.Trace, consider just calling [**Application Insights TrackTrace()**](./api-custom-events-metrics.md#tracktrace) directly.

-Install your chosen logging framework in your project, which should result in an entry in app.config or web.config.

-Use this method if your project type isn't supported by the Application Insights installer (for example a Windows desktop project).

-1. If you plan to use log4Net or NLog, install it in your project.

-2. In Solution Explorer, right-click your project, and select **Manage NuGet Packages**.

-3. Search for "Application Insights."

-4. Select one of the following packages:

- - For ILogger: [Microsoft.Extensions.Logging.ApplicationInsights](https://www.nuget.org/packages/Microsoft.Extensions.Logging.ApplicationInsights/)

- - For NLog: [Microsoft.ApplicationInsights.NLogTarget](https://www.nuget.org/packages/Microsoft.ApplicationInsights.NLogTarget/)

- - For Log4Net: [Microsoft.ApplicationInsights.Log4NetAppender](https://www.nuget.org/packages/Microsoft.ApplicationInsights.Log4NetAppender/)

- - For System.Diagnostics: [Microsoft.ApplicationInsights.TraceListener](https://www.nuget.org/packages/Microsoft.ApplicationInsights.TraceListener/)

-For each DiagnosticSource you want to trace, add an entry with the **Name** attribute set to the name of your DiagnosticSource.

-An advantage of TrackTrace is that you can put relatively long data in the message. For example, you can encode POST data there.

-This would enable you to easily filter out in [Search][diagnostic] all the messages of a particular severity level that relate to a particular database.

-In your app's overview pane in [the Application Insights portal][portal], select [Search][diagnostic].

-* Find other system log data that relates to the same user request (has the same OperationId).

-> If your application sends a lot of data and you're using the Application Insights SDK for ASP.NET version 2.0.0-beta3 or later, the *adaptive sampling* feature may operate and send only a portion of your telemetry. [Learn more about sampling.](./sampling.md)

-### Delayed telemetry, overloading network, or inefficient transmission

-System.Diagnostics.Tracing has an [Autoflush feature](/dotnet/api/system.diagnostics.trace.autoflush). This causes SDK to flush with every telemetry item, which is undesirable, and can cause logging adapter issues like delayed telemetry, overloading network, inefficient transmission, etc.

-The Application Insights Java agent collects logs from Log4j, Logback and java.util.logging out of the box.

-### There's no Application Insights option on the project context menu

-* Make sure that Developer Analytics Tools is installed on the development machine. At Visual Studio **Tools** > **Extensions and Updates**, look for **Developer Analytics Tools**. If it isn't on the **Installed** tab, open the **Online** tab and install it.

-* This might be a project type that Developer Analytics Tools doesn't support. Use [manual installation](#manual-installation).

-### There's no log adapter option in the configuration tool

-* If you're using System.Diagnostics.Trace, make sure that you've it [configured in *web.config*](/dotnet/api/system.diagnostics.eventlogtracelistener).

-* Make sure that you have the latest version of Application Insights. In Visual Studio, go to **Tools** > **Extensions and Updates**, and open the **Updates** tab. If **Developer Analytics Tools** is there, select it to update it.

-### <a name="emptykey"></a>I get the "Instrumentation key cannot be empty" error message

-### I can see traces but not other events in diagnostic search

-Several factors affect the amount of data that's retained. For more information, see the [limits](./api-custom-events-metrics.md#limits) section of the customer event metrics page.

-### I don't see some log entries that I expected

-If your application sends voluminous amounts of data and you're using the Application Insights SDK for ASP.NET version 2.0.0-beta3 or later, the adaptive sampling feature may operate and send only a portion of your telemetry. [Learn more about sampling.](./sampling.md)

-[start]: ./app-insights-overview.md

-description: Application performance monitoring for Azure app services. Chart load and response time, dependency information, and set alerts on performance.

-# Application Monitoring for Azure App Service Overview

-Enabling monitoring on your ASP.NET, ASP.NET Core, Java, and Node.js based web applications running on [Azure App Services](../../app-service/index.yml) is now easier than ever. Whereas previously you needed to manually instrument your app, the latest extension/agent is now built into the App Service image by default.

-There are two ways to enable application monitoring for Azure App Services hosted applications:

-

- - This method is the easiest to enable, and no code change or advanced configurations are required. It is often referred to as "runtime" monitoring. For Azure App Services we recommend at a minimum enabling this level of monitoring, and then based on your specific scenario you can evaluate whether more advanced monitoring through manual instrumentation is needed.

- - The following are supported for auto-instrumentation monitoring:

- - [.NET Core](./azure-web-apps-net-core.md)

- - [.NET](./azure-web-apps-net.md)

- - [Java](./azure-web-apps-java.md)

- - [Nodejs](./azure-web-apps-nodejs.md)

-

- * This approach is much more customizable, but it requires the following approaches: SDK for [.NET Core](./asp-net-core.md), [.NET](./asp-net.md), [Node.js](./nodejs.md), [Python](./opencensus-python.md), and a standalone agent for [Java](./java-in-process-agent.md). This method, also means you have to manage the updates to the latest version of the packages yourself.

- * If you need to make custom API calls to track events/dependencies not captured by default with auto-instrumentation monitoring, you would need to use this method. Check out the [API for custom events and metrics article](./api-custom-events-metrics.md) to learn more.

-> If both auto-instrumentation monitoring and manual SDK-based instrumentation are detected, in .NET only the manual instrumentation settings will be honored, while in Java only the auto-instrumentation will be emitting the telemetry. This is to prevent duplicate data from being sent.

-> [!NOTE]

-> Snapshot debugger and profiler are only available in .NET and .NET Core

-## Next Steps

- > - If you currently store Application Insights data for longer than the default 90 days and want to retain this larger retention period after migration, you will need to adjust your [workspace retention settings](https://docs.microsoft.com/azure/azure-monitor/logs/data-retention-archive?tabs=portal-1%2Cportal-2#set-retention-and-archive-policy-by-table) from the default 90 days to the desired longer retention period.

-description: Application Insights telemetry correlation

-In a microservices environment, traces from components can go to different storage items. Every component can have its own connection string in Application Insights. To get telemetry for the logical operation, Application Insights queries data from every storage item. When the number of storage items is large, you'll need a hint about where to look next. The Application Insights data model defines two fields to solve this problem: `request.source` and `dependency.target`. The first field identifies the component that initiated the dependency request. The second field identifies which component returned the response of the dependency call.

-For information on querying from multiple disparate instances using the `app` query expression, see [app() expression in Azure Monitor query](../logs/app-expression.md#app-expression-in-azure-monitor-query).

-When the call `GET /api/stock/value` is made to an external service, you need to know the identity of that server so you can set the `dependency.target` field appropriately. When the external service doesn't support monitoring, `target` is set to the host name of the service (for example, `stock-prices-api.com`). But if the service identifies itself by returning a predefined HTTP header, `target` contains the service identity that allows Application Insights to build a distributed trace by querying telemetry from that service.

-W3C TraceContext based distributed tracing is enabled by default in all recent

- Java 3.0 agent supports W3C out of the box and no more configuration is needed.

- - For Java EE apps, add the following to the `<TelemetryModules>` tag in ApplicationInsights.xml:

- ```xml

- <Add type="com.microsoft.applicationinsights.web.extensibility.modules.WebRequestTrackingTelemetryModule>

- <Param name = "W3CEnabled" value ="true"/>

- <Param name ="enableW3CBackCompat" value = "true" />

- </Add>

- ```

- - For Spring Boot apps, add these properties:

- - `azure.application-insights.web.enable-W3C=true`

- - `azure.application-insights.web.enable-W3C-backcompat-mode=true`

- Add the following to AI-Agent.xml:

- > Ideally, you would turn this off when all your services have been updated to newer versions of SDKs that support the W3C protocol. We highly recommend that you move to these newer SDKs as soon as possible.

-> [!IMPORTANT]

-> Make sure the incoming and outgoing configurations are exactly the same.

-### Enable W3C distributed tracing support for Web apps

-Add the following configuration:

-Add the following configuration:

-As a reference, the OpenCensus data model can be found [here](https://github.com/census-instrumentation/opencensus-specs/tree/master/trace).

-If you look at the request entry that was sent to Azure Monitor, you can see fields populated with the trace header information. You can find the data under Logs (Analytics) in the Azure Monitor Application Insights resource.

-

-The `id` field is in the format `<trace-id>.<span-id>`, where the `trace-id` is taken from the trace header that was passed in the request and the `span-id` is a generated 8-byte array for this span.

-The `operation_ParentId` field is in the format `<trace-id>.<parent-id>`, where both the `trace-id` and the `parent-id` are taken from the trace header that was passed in the request.

-OpenCensus Python enables you to correlate logs by adding a trace ID, a span ID, and a sampling flag to log records. You add these attributes by installing OpenCensus [logging integration](https://pypi.org/project/opencensus-ext-logging/). The following attributes will be added to Python `LogRecord` objects: `traceId`, `spanId`, and `traceSampled`. (applicable only for loggers that are created after the integration)

-You can export the log data by using `AzureLogHandler`. For more information, see [this article](./opencensus-python.md#logs).

-We can also pass trace information from one component to another for proper correlation. For example, consider a scenario where there are two components `module1` and `module2`. Module1 calls functions in Module2 and to get logs from both `module1` and `module2` in a single trace we can use following approach:

-[Application Insights Java](./java-in-process-agent.md) supports automatic correlation of telemetry.

-It automatically populates `operation_id` for all telemetry (like traces, exceptions, and custom events) issued within the scope of a request. It also propagates the correlation headers (described earlier) for service-to-service calls via HTTP, RPC, and messaging. See the list of Application Insights Java's

-[autocollected dependencies which support distributed trace propagation](java-in-process-agent.md#autocollected-dependencies).

-> See [custom telemetry](./java-in-process-agent.md#custom-telemetry) if the auto-instrumentation does not cover all

-> of your needs.

-You might want to customize the way component names are displayed in the [Application Map](../../azure-monitor/app/app-map.md). To do so, you can manually set the `cloud_RoleName` by taking one of the following actions:

- You can also set the cloud role name using via environment variable or system property,

- see [configuring cloud role name](./java-standalone-config.md#cloud-role-name) for details.

-# Using Search in Application Insights

-Transaction search is a feature of [Application Insights](./app-insights-overview.md) that you use to find and explore individual telemetry items, such as page views, exceptions, or web requests. And you can view log traces and events that you have coded.

-(For more complex queries over your data, use [Analytics](../logs/log-analytics-tutorial.md).)

-You can open transaction search from the Application Insights Overview tab of your application (located at in the top bar) or under investigate on the left.

-

-Go to the Event types' drop-down menu to see a list of telemetry items- server requests, page views, custom events that you have coded, and so on. At the top of the results' list, is a summary chart showing counts of events over time.

-Click out of the drop-down menu or Refresh to get new events.

-In Visual Studio, there's also an Application Insights Search window. It's most useful for displaying telemetry events generated by the application that you're debugging. But it can also show the events collected from your published app at the Azure portal.

-Open the Search window in Visual Studio:

-

-The Search window has features similar to the web portal:

-

-The Track Operation tab is available when you open a request or a page view. An 'operation' is a sequence of events that is associated with to a single request or page view. For example, dependency calls, exceptions, trace logs, and custom events might be part of a single operation. The Track Operation tab shows graphically the timing and duration of these events in relation to the request or page view.

-

-This will launch the end-to-end transaction details view.

-Open the Event types' drop-down menu and choose the event types you want to see. (If, later, you want to restore the filters, click Reset.)

-* **Trace** - [Diagnostic logs](./asp-net-trace-logs.md) including TrackTrace, log4Net, NLog, and System.Diagnostic.Trace calls.

-* **Request** - HTTP requests received by your server application, including pages, scripts, images, style files, and data. These events are used to create the request and response overview charts.

-* **Page View** - [Telemetry sent by the web client](./javascript.md), used to create page view reports.

-* **Custom Event** - If you inserted calls to TrackEvent() in order to [monitor usage](./api-custom-events-metrics.md), you can search them here.

-* **Exception** - Uncaught [exceptions in the server](./asp-net-exceptions.md), and those that you log by using TrackException().

-* **Dependency** - [Calls from your server application](./asp-net-dependencies.md) to other services such as REST APIs or databases, and AJAX calls from your [client code](./javascript.md).

-* **Availability** - Results of [availability tests](./monitor-web-app-availability.md).

-You can filter events on the values of their properties. The available properties depend on the event types you selected. Click on the filter icon  to start.

-To find all the items with the same property value, either type it into the search bar or click the checkbox when looking through properties in the filter tab.

-

-> To write more complex queries, open [**Logs (Analytics)**](../logs/log-analytics-tutorial.md) from the top of the Search blade.

-You can search for terms in any of the property values. This is useful if you have written [custom events](./api-custom-events-metrics.md) with property values.

-You might want to set a time range, as searches over a shorter range are faster.

-

-Here are the search expressions you can use:

-| `apple` |Find all events in the time range whose fields include the word "apple" |

-If your app generates a large amount of telemetry (and you are using the ASP.NET SDK version 2.0.0-beta3 or later), the adaptive sampling module automatically reduces the volume that is sent to the portal by sending only a representative fraction of events. However, events that are related to the same request are selected or deselected as a group, so that you can navigate between related events.

-[Learn about sampling](./sampling.md).

-Go to the end-to-end transaction detail view by clicking on any telemetry item then select **Create work item**.

-

-The first time you do this, you are asked to configure a link to your Azure DevOps organization and project.

-(You can also configure the link on the Work Items tab.)

-[Learn how to send logs and custom telemetry to Application Insights](./asp-net-trace-logs.md).

-4. From the list of unmonitored clusters, find the container in the list and click **Enable**.

-| | [Use Azure Policy to install Azure Monitor agent and associate with DCR](../agents/azure-monitor-agent-manage.md#using-azure-policy) | Use Azure Policy to install the Azure Monitor agent and associate one or more data collection rules with any virtual machines or virtual machine scale sets as they're created in your subscription.

-|AvailableStorage|No|(deprecated) Available Storage|Bytes|Total|"Available Storage"will be removed from Azure Monitor at the end of September 2023. Cosmos DB collection storage size is now unlimited. The only restriction is that the storage size for each logical partition key is 20GB. You can enable PartitionKeyStatistics in Diagnostic Log to know the storage consumption for top partition keys. For more info about Cosmos DB storage quota, please check this doc https://docs.microsoft.com/azure/cosmos-db/concepts-limits. After deprecation, the remaining alert rules still defined on the deprecated metric will be automatically disabled post the deprecation date.|CollectionName, DatabaseName, Region|

-Designing a workspace configuration includes evaluation of multiple criteria, some of which may in conflict. For example, you may be able to reduce egress charges by creating a separate workspace in each Azure region, but consolidating into a single workspace might allow you to reduce charges even more with a commitment tier. Evaluate each of the criteria below independently and consider your particular requirements and priorities in determining which design will be most effective for your particular environment.

->You can use [Azure Resource Mover](../resource-mover/move-region-within-resource-group.md?toc=%2fazure%2fazure-resource-manager%2fmanagement%2ftoc.json) to verify and migrate the list of supported resources to move across regions, which are dependent on Azure VMware Solution.

-1. Validate solution design is within Azure VMware Solution limits (https://docs.microsoft.com/azure/azure-resource-manager/management/azure-subscription-service-limits).

-[Overview of Creating a Hosted Service for Azure]: https://azure.microsoft.com/documentation/services/cloud-services/

-* Recipe: [Cognitive Services - Multivariate Anomaly Detector](https://microsoft.github.io/SynapseML/docs/next/features/cognitive_services/CognitiveServices).

-* Read about the [SynapseML v0.9.5 release](https://github.com/microsoft/SynapseML/releases/tag/v0.9.5) on GitHub.

-zone_pivot_groups: programming-languages-computer-vision

- winrt::Windows::Foundation::AsyncStatus /* asyncStatus */ ) {

-description: Learn about the different AI models that are available.

-# Azure OpenAI Models

-The service provides access to many different models. Models describe a family of models and are broken out as follows:

-|Modes | Description|

-| GPT-3 series | A set of GPT-3 models that can understand and generate natural language |

-| Codex Series | A set of models that can understand and generate code, including translating natural language to code |

-| Embeddings Series | An embedding is a special format of data representation that can be easily utilized by machine learning models and algorithms. The embedding is an information dense representation of the semantic meaning of a piece of text. Currently we offer three families of embedding models for different functionalities: text search, text similarity and code search |

-Azure OpenAI's models follow a standard naming convention: `{task}-{model name}-{version #}`. For example, our most powerful natural language model is called `text-davinci-001` and a Codex series model would look like `code-cushman-001`.

-> Older versions of the GPT-3 models are available as `ada`, `babbage`, `curie`, `davinci` and do not follow these conventions. These models are primarily intended to be used for fine-tuning and search.

-## GPT-3 Series

-The GPT-3 models can understand and generate natural language. The service offers four model types with different levels of power suitable for different tasks. Davinci is the most capable model, and Ada is the fastest. Going forward these models are named with the following convention: `text-{model name}-XXX` where `XXX` refers to a numerical value for different versions of the model. Currently the latest versions are:

-While Davinci is the most capable, the other models provide significant speed advantages. Our recommendation is for users to start with Davinci while experimenting since it will produce the best results and validate the value our service can provide. Once you have a prototype working, you can then optimize your model choice with the best latency - performance tradeoff for your application.

-### Davinci

-Davinci is the most capable model and can perform any task the other models can perform and often with less instruction. For applications requiring deep understanding of the content, like summarization for a specific audience and creative content generation, Davinci is going to produce the best results. These increased capabilities require more compute resources, so Davinci costs more and isn't as fast as the other models.

-Babbage can perform straightforward tasks like simple classification. ItΓÇÖs also capable when it comes to semantic search ranking how well documents match up with search queries.

-**Use For** Parsing text, simple classification, address correction, keywords

-> [!NOTE]

-> Any task performed by a faster model like Ada can be performed by a more powerful model like Curie or Davinci.

-## Codex Series

-TheyΓÇÖre most capable in Python and proficient in over a dozen languages, including C#, JavaScript, Go, Perl, PHP, Ruby, Swift, TypeScript, SQL, and even Shell.

-Currently we only offer one Codex model: `code-cushman-001`.

-## Embeddings Models

-Currently we offer three families of embedding models for different functionalities: text search, text similarity and code search. Each family includes up to four models across a spectrum of capabilities:

-Ada (1024 dimensions),

-Babbage (2048 dimensions),

-Curie (4096 dimensions),

-Davinci (12,288 dimensions).

-Davinci is the most capable, but is slower and more expensive than the other models. Ada is the least capable, but is both faster and cheaper.

-These embedding models are specifically created to be good at a particular task.

-### Similarity embeddings

-These models are good at capturing semantic similarity between two or more pieces of text.

-| USE CASES | AVAILABLE MODELS |

-|||

-| Clustering, regression, anomaly detection, visualization |Text-similarity-ada-001, <br> text-similarity-babbage-001, <br> text-similarity-curie-001, <br> text-similarity-davinci-001 <br>|

-### Text search embeddings

-These models help measure whether long documents are relevant to a short search query. There are two types: one for embedding the documents to be retrieved, and one for embedding the search query.

-| USE CASES | AVAILABLE MODELS |

-| Search, context relevance, information retrieval | text-search-ada-doc-001, <br> text-search-ada-query-001 <br> text-search-babbage-doc-001, <br> text-search-babbage-query-001, <br> text-search-curie-doc-001, <br> text-search-curie-query-001, <br> text-search-davinci-doc-001, <br> text-search-davinci-query-001 <br> |

-### Code search embeddings

-Similar to text search embeddings, there are two types: one for embedding code snippets to be retrieved and one for embedding natural language search queries.

-| USE CASES | AVAILABLE MODELS |

-| Code search and relevance | code-search-ada-code-001, <br> code-search-ada-text-001, <br> code-search-babbage-code-001, <br> code-search-babbage-text-001 |

-When using our embedding models, keep in mind their limitations and risks.

-## Finding the right model

-We recommend starting with our Davinci model since it will be the best way to understand what the service is capable of. After you have an idea of what you want to accomplish, you can either stay with Davinci if youΓÇÖre not concerned about cost and speed, or you can move onto Curie or another model and try to optimize around its capabilities.

-The actual completion results you see may differ because the API is stochastic by default which means that you might get a slightly different completion every time you call it, even if your prompt stays the same. You can control this behavior with the temperature setting.

-This simple text-in, text-out interface means you can "program" the model by providing instructions or just a few examples of what you'd like it to do. Its success generally depends on the complexity of the task and quality of your prompt. A general rule is to think about how you would write a word problem for a middle school student to solve. A well-written prompt provides enough information for the model to know what you want and how it should respond.

-The models try to predict what you want from the prompt. If you send the words "Give me a list of cat breeds," the model wouldn't automatically assume that you're asking for a list of cat breeds. You could just as easily be asking the model to continue a conversation where the first words are "Give me a list of cat breeds" and the next ones are "and I'll tell you which ones I like." If the model only assumed that you wanted a list of cats, it wouldn't be as good at content creation, classification, or other tasks.

-**Provide quality data.** If you're trying to build a classifier or get the model to follow a pattern, make sure that there are enough examples. Be sure to proofread your examples ΓÇö the model is usually smart enough to see through basic spelling mistakes and give you a response, but it also might assume this is intentional and it can affect the response.

-**Check your settings.** The temperature and top_p settings control how deterministic the model is in generating a response. If you're asking it for a response where there's only one right answer, then you'd want to set these lower. If you're looking for a response that's not obvious, then you might want to set them higher. The number one mistake people use with these settings is assuming that they're "cleverness" or "creativity" controls.

-This next prompt shows how you can use completion to help write React components. We send some code to the API, and it's able to continue the rest because it has an understanding of the React library. We recommend using OpenAI's Codex models for tasks that involve understanding or generating code. Currently only `code-cushman-001` is supported.

-The Codex model series is a descendant of OpenAI's base GPT-3 series that's been trained on both natural language and billions of lines of code. It's most capable in Python and proficient in over a dozen languages including JavaScript, Go, Perl, PHP, Ruby, Swift, TypeScript, SQL, and even Shell.

-**Put comments inside of functions can be helpful.** Recommended coding standards usually suggest placing the description of a function inside the function. Using this format helps Codex more clearly understand what you want the function to do.

-**Lower temperatures give more precise results.** Setting the API temperature to 0, or close to zero (such as 0.1 or 0.2) tends to give better results in most cases. Unlike GPT-3, where a higher temperature can provide useful creative and random results, higher temperatures with Codex may give you really random or erratic responses.

-**Use Codex to explain code.** Codex's ability to create and understand code allows us to use it to perform tasks like explaining what the code in a file does. One way to accomplish this is by putting a comment after a function that starts with "This function" or "This application is." Codex will usually interpret this as the start of an explanation and complete the rest of the text.

-The Azure OpenAI service can solve many different natural language tasks through [prompt engineering](completions.md). Here we show an example of prompting for language translation:

-Here, we prompt GPT-3 for general-knowledge question answering:

-The Codex model series is a descendant of our GPT-3 series that's been trained on both natural language and billions of lines of code. It's most capable in Python and proficient in over a dozen languages including JavaScript, Go, Perl, PHP, Ruby, Swift, TypeScript, SQL, and even Shell.

-Here are a few examples of using Codex that can be tested in the [Azure OpenAI Studio's](https://oai.azure.com) playground with a deployment of a code series model such as `code-cushman-001`.

-Setting the API temperature to 0, or close to zero (such as 0.1 or 0.2) tends to give better results in most cases. Unlike GPT-3, where a higher temperature can provide useful creative and random results, higher temperatures with Codex may give you really random or erratic responses.

-| | |

-| Models available | GPT-3 base series <br> Codex Series <br> Embeddings Series <br> Learn more in our [Models](./concepts/models.md) page.|

-| Fine-tuning | Ada, <br>Babbage, <br> Curie,<br>Code-cushman-001* <br> Davinci*<br> \* available by request|

-| Regional availability | South Central US, <br> West Europe |

-The service provides users access to several different models. Each model provides a different capability and price point. The base GPT-3 models are known as Davinci, Curie, Babbage and Ada in decreasing order of intelligence and speed.

-The Codex series of models are a descendant of GPT-3 and have been trained on both natural language and code to power natural language to code use cases. Learn more about each model on our [models concept page](./concepts/models.md).

-| Max training job size (tokens in training file * # of epochs) | **Ada**: 4-M tokens <br> **Babbage**: 4-M tokens <br> **Curie**: 4-M tokens <br> **Cushman**: 4-M tokens <br> **DaVinci**: 500 K |

-| n_epochs | integer | no | 4 for `ada`, `babbage`, `curie`. 1 for `DaVinci` | The number of epochs to train the model for. An epoch refers to one full cycle through the training dataset. |

-1. Finish all the prerequisite steps in [Chat Quickstart](https://docs.microsoft.com/azure/communication-services/quickstarts/chat/get-started?pivots=programming-language-swift)

-# Azure Cosmos DB dedicated gateway - Overview (Preview)

-You can provision a dedicated gateway to improve performance at scale. The most common reason that you would want to provision a dedicated gateway would be for caching. When you provision a dedicated gateway, an [integrated cache](integrated-cache.md) is automatically configured within the dedicated gateway. Point reads and queries that hit the integrated cache do not use any of your RUs. Provisioning a dedicated gateway with an integrated cache can help read-heavy workloads lower costs on Azure Cosmos DB.

-The dedicated gateway is built into Azure Cosmos DB. When you [provision a dedicated gateway](how-to-configure-integrated-cache.md), you have a fully-managed node that routes requests to backend partitions. Connecting to Azure Cosmos DB with the dedicated gateway provides lower and more predictable latency than connecting to Azure Cosmos DB with the standard gateway. Even cache misses will see latency improvements when comparing the dedicated gateway and standard gateway.

-There are three ways to connect to an Azure Cosmos DB account:

-When you connect to Azure Cosmos DB using direct mode, your application connects directly to the Azure Cosmos DB backend. Even if you have many physical partitions, request routing is handled entirely client-side. Direct mode offers low latency because your application can communicate directly with the Azure Cosmos DB backend and doesn't need an intermediate network hop.

-Graphical representation of direct mode connection:

-* **Standard gateway** - While the backend, which includes your provisioned throughput and storage, has dedicated capacity per container, the standard gateway is shared between many Azure Cosmos accounts. It is practical for many customers to share a standard gateway since the compute resources consumed by each individual customer is small.

-### Connect to Azure Cosmos DB using the dedicated gateway

-You must connect to Azure Cosmos DB using the dedicated gateway in order to use the integrated cache. The dedicated gateway has a different endpoint from the standard one provided with your Azure Cosmos DB account. When you connect to your dedicated gateway endpoint, your application sends a request to the dedicated gateway, which then routes the request to different backend nodes. If possible, the integrated cache will serve the result.

-A dedicated gateway cluster can be provisioned in Core (SQL) API accounts. A dedicated gateway cluster can have up to five nodes and you can add or remove nodes at any time. All dedicated gateway nodes within your account [share the same connection string](how-to-configure-integrated-cache.md#configuring-the-integrated-cache).

-Dedicated gateway nodes are independent from one another. When you provision multiple dedicated gateway nodes, any single node can route any given request. In addition, each node has a separate integrated cache from the others. The cached data within each node depends on the data that was recently [written or read](integrated-cache.md#item-cache) through that specific node. In other words, if an item or query is cached on one node, it isn't necessarily cached on the others.

-Because it is in public preview, the dedicated gateway does not have an availability SLA. However, you should generally expect comparable availability to the rest of your Azure Cosmos DB account.

-The dedicated gateway is available in the following sizes:

-> Once created, you can't modify the size of the dedicated gateway nodes. However, you can add or remove nodes.

-> [!NOTE]

-> You cannot provision a dedicated gateway cluster in accounts with availability zones enabled

-The dedicated gateway has the following limitations during the public preview:

-The dedicated gateway blade is hidden on Azure Cosmos DB accounts with IP firewalls, Vnet, Private Link, or availability zones.

-## Supported regions

-The dedicated gateway is in public preview and isn't supported in every Azure region yet. Throughout the public preview, we'll be adding new capacity. We won't have region restrictions when the dedicated gateway is generally available.

-Current list of supported Azure regions:

-| **Americas** | **Europe and Africa** | **Asia Pacific** |

-| | -- | -- |

-| Brazil South | France Central | Australia Central |

-| Canada Central | France South | Australia Central 2 |

-| Canada East | Germany North | Australia Southeast |

-| Central US | Germany West Central | Central India |

-| East US | North Europe | East Asia |

-| East US 2 | Switzerland North | Japan West |

-| North Central US | UK South | Korea Central |

-| South Central US | UK West | Korea South |

-| West Central US | West Europe | Southeast Asia |

-| West US | | UAE Central |

-| West US 2 | | West India |

- - If all you know is the number of vcores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](convert-vcore-to-request-unit.md)

-# How to configure the Azure Cosmos DB integrated cache (Preview)

-## Provision a dedicated gateway cluster

- :::image type="content" source="./media/how-to-configure-integrated-cache/dedicated-gateway-tab.png" alt-text="An image that shows how to navigate to the dedicated gateway tab" lightbox="./media/how-to-configure-integrated-cache/dedicated-gateway-tab.png" border="false":::

- * **SKU** - Select a SKU with the required compute and memory size.

- * **Number of instances** - Number of nodes. For development purpose, we recommend starting with one node of the D4 size. Based on the amount of data you need to cache, you can increase the node size after initial testing.

- :::image type="content" source="./media/how-to-configure-integrated-cache/dedicated-gateway-input.png" alt-text="An image that shows sample input settings for creating a dedicated gateway cluster" lightbox="./media/how-to-configure-integrated-cache/dedicated-gateway-input.png" border="false":::

- :::image type="content" source="./media/how-to-configure-integrated-cache/dedicated-gateway-notification.png" alt-text="An image that shows how to check if dedicated gateway provisioning is complete" lightbox="./media/how-to-configure-integrated-cache/dedicated-gateway-notification.png" border="false":::

-1. When you create a dedicated gateway, an integrated cache is automatically provisioned. The integrated cache will use approximately 70% of the memory in the dedicated gateway. The remaining 30% of memory in the dedicated gateway is used for routing requests to the backend partitions.

-2. Modify your application's connection string to use the new dedicated gateway endpoint.

- :::image type="content" source="./media/how-to-configure-integrated-cache/dedicated-gateway-connection-string.png" alt-text="An image that shows the dedicated gateway connection string" lightbox="./media/how-to-configure-integrated-cache/dedicated-gateway-connection-string.png" border="false":::

-3. If you're using the .NET or Java SDK, set the connection mode to [gateway mode](sql-sdk-connection-modes.md#available-connectivity-modes). This step isn't necessary for the Python and Node.js SDKs since they don't have additional options of connecting besides gateway mode.

-If you're using the Java SDK, you must also manually set [contentResponseOnWriteEnabled](/java/api/com.azure.cosmos.cosmosclientbuilder.contentresponseonwriteenabled?view=azure-java-stable&preserve-view=true) to `true` within the `CosmosClientBuilder`. If you're using any other SDK, this value already defaults to `true`, so you don't need to make any changes.

-You must adjust the request consistency to session or eventual. If not, the request will always bypass the integrated cache. The easiest way to configure a specific consistency for all read operations is to [set it at the account-level](consistency-levels.md#configure-the-default-consistency-level). You can also configure consistency at the [request-level](how-to-manage-consistency.md#override-the-default-consistency-level), which is recommended if you only want a subset of your reads to utilize the integrated cache.

-Configure `MaxIntegratedCacheStaleness`, which is the maximum time in which you are willing to tolerate stale cached data. We recommend setting the `MaxIntegratedCacheStaleness` as high as possible because it will increase the likelihood that repeated point reads and queries can be cache hits. If you set `MaxIntegratedCacheStaleness` to 0, your read request will **never** use the integrated cache, regardless of the consistency level. When not configured, the default `MaxIntegratedCacheStaleness` is 5 minutes.

-**.NET**

-FeedIterator<Food> myQuery = container.GetItemQueryIterator<Food>(new QueryDefinition("SELECT * FROM c"), requestOptions: new QueryRequestOptions

- ConsistencyLevel = ConsistencyLevel.Eventual,

-> [!NOTE]

-> Currently, you can only adjust the MaxIntegratedCacheStaleness using the latest [.NET](https://www.nuget.org/packages/Microsoft.Azure.Cosmos/3.17.0-preview) and [Java](https://mvnrepository.com/artifact/com.azure/azure-cosmos/4.16.0-beta.1) preview SDK's.

-Finally, you can restart your application and verify integrated cache hits for repeated point reads or queries. Once youΓÇÖve modified your `CosmosClient` to use the dedicated gateway endpoint, all requests will be routed through the dedicated gateway.

- |Target sub-resource |Select the Azure Cosmos DB API type that you want to map. This defaults to only one choice for the SQL, MongoDB, and Cassandra APIs. For the Gremlin and Table APIs, you can also choose **Sql** because these APIs are interoperable with the SQL API. |

- |Integrate with private DNS zone |Select **Yes**. <br><br/> To connect privately with your private endpoint, you need a DNS record. We recommend that you integrate your private endpoint with a private DNS zone. You can also use your own DNS servers or create DNS records by using the host files on your virtual machines. <br><br/> When you select yes for this option, a private DNS zone group is also created. DNS zone group is a link between the private DNS zone and the private endpoint. This link helps you to auto update the private DNS Zone when there is an update to the private endpoint. For example, when you add or remove regions,the private DNS zone is automatically updated. |

-The following table shows the mapping between different Azure Cosmos account API types, supported sub-resources, and the corresponding private zone names. You can also access the Gremlin and Table API accounts through the SQL API, so there are two entries for these APIs.

-# API type of the Azure Cosmos account: Sql, MongoDB, Cassandra, Gremlin, or Table

-$CosmosDbApiType = "Sql"

-$privateEndpointConnection = New-AzPrivateLinkServiceConnection -Name "myConnectionPS" -PrivateLinkServiceId $cosmosDbResourceId -GroupId $CosmosDbApiType

-# API type of your Azure Cosmos account: Sql, MongoDB, Cassandra, Gremlin, or Table

-CosmosDbApiType="Sql"

- --group-ids $CosmosDbApiType \

-# API type of the Azure Cosmos account. It can be one of the following: "Sql", "MongoDB", "Cassandra", "Gremlin", "Table"

-$CosmosDbApiType = "Sql"

- -GroupId $CosmosDbApiType `

-In the PowerShell script, the `GroupId` variable can contain only one value. That value is the API type of the account. Allowed values are: `Sql`, `MongoDB`, `Cassandra`, `Gremlin`, and `Table`. Some Azure Cosmos account types are accessible through multiple APIs. For example:

-For those accounts, you must create one private endpoint for each API type. The corresponding API type is specified in the `GroupId` array.

-# API type of the Azure Cosmos account. It can be one of the following: "Sql", "MongoDB", "Cassandra", "Gremlin", "Table"

-$CosmosDbApiType = "Sql"

- -GroupId $CosmosDbApiType `

-The Azure Cosmos DB integrated cache is an in-memory cache that is built-in to Azure Cosmos DB. This article answers commonly asked questions about the Azure Cosmos DB integrated cache.

-A request served by the integrated cache is faster because the cached data is stored in-memory on the dedicated gateway, rather than on the backend. For cached point reads, you should expect latency of 2-4 ms.

-For cached queries, latency depends on the query. The query cache works by caching the query engineΓÇÖs response for a particular query. This response is then sent back client-side to the SDK for processing. For simple queries, minimal work in the SDK is required and latencies of 2-4 ms are typical. However, more complex queries with `GROUP BY` or `DISTINCT` require more processing in the SDK so latency may be higher, even with the query cache.

-If you were previously connecting to Azure Cosmos DB with direct mode and switch to connecting with the dedicated gateway, you may observe a slight latency increase for some requests. Using gateway mode requires a request to be sent to the gateway (in this case the dedicated gateway) and then routed appropriately to the backend. Direct mode, as the name suggests, allows the client to communicate directly with the backend, removing an extra hop.

-We will have an availability SLA/SLO on the dedicated gateway (and therefore the integrated cache) once the feature is generally available. For scenarios that require high availability, you should provision 3x the number of dedicated gateway instances needed. For example, if one dedicated gateway node is needed in production, you should provision two additional dedicated gateway nodes to account for possible downtime or outages.

-Expanding the integrated cache beyond SQL API is planned on the long-term roadmap but beyond the initial public preview of the integrated cache.

- - If all you know is the number of vcores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](convert-vcore-to-request-unit.md)

-# Azure Cosmos DB integrated cache - Overview (Preview)

-Point reads and queries that hit the integrated cache won't use any RUs. In other words, any cache hits will have an RU charge of 0. Cache hits will have a much lower per-operation cost than reads from the backend database.

-You don't need special code when working with the query cache, even if your queries have multiple pages of results. The best practices and code for query pagination are the same, whether your query hits the integrated cache or is executed on the backend query engine.

-The query cache will automatically cache query continuation tokens, where applicable. If you have a query with multiple pages of results, any pages that are stored in the integrated cache will have an RU charge of 0. If your subsequent pages of query results require backend execution, they'll have a continuation token from the previous page so they can avoid duplicating previous work.

-> Integrated cache instances within different dedicated gateway nodes have independent caches from one another. If data is cached within one node, it is not necessarily cached in the others.

-The integrated cache supports both session and eventual [consistency](consistency-levels.md) only. If a read has consistent prefix, bounded staleness, or strong consistency, it will always bypass the integrated cache.

-> [!NOTE]

-> Customizing `MaxIntegratedCacheStaleness` is only supported in the latest .NET and Java preview SDK's.

- :::image type="content" source="./media/integrated-cache/integrated-cache-metrics.png" alt-text="An image that shows the location of integrated cache metrics" border="false":::

-Metrics are either an average, maximum, or sum across all dedicated gateway nodes. For example, if you provision a dedicated gateway cluster with five nodes, the metrics reflect the aggregated value across all five nodes. It isn't possible to determine the metric values for each individual nodes.

-In some cases, if latency is unexpectedly high, you may need more dedicated gateway nodes rather than bigger nodes. Check the `DedicatedGatewayMaxCpuUsage` and `DedicatedGatewayAverageMemoryUsage` to determine if adding more dedicated gateway nodes would reduce latency. It's good to keep in mind that since all instances of the integrated cache are independent from one another, adding more dedicated gateway nodes won't reduce the `IntegratedCacheEvictedEntriesSize`. Adding more nodes will improve the request volume that your dedicated gateway cluster can handle, though.

- - If all you know is the number of vcores and servers in your existing database cluster, read about [estimating request units using vCores or vCPUs](convert-vcore-to-request-unit.md)

- name : "Groceries",

- description : "Pick up strawberries",

- isComplete : false

-* To learn more about Azure Cosmos DB, refer to the service's [documentation](https://azure.microsoft.com/documentation/services/cosmos-db/) page.

-* To learn more about Azure Cosmos DB, see the [Azure Cosmos DB documentation landing page](https://azure.microsoft.com/documentation/services/cosmos-db/).

-The [Change Feed Processor Sample](https://github.com/Azure-Samples/azure-cosmos-java-sql-api-samples/blob/main/src/main/jav) and [Change feed processor](https://docs.microsoft.com/azure/cosmos-db/sql/change-feed-processor?tabs=java).

-* If you know typical request rates for your current database workload, read about [estimating request units using Azure Cosmos DB capacity planner](estimate-ru-with-capacity-planner.md)

- Returns the starting position of the first occurrence of the second string expression within the first specified string expression, or -1 if the string is not found.

-

-

-INDEX_OF(<str_expr1>, <str_expr2> [, <numeric_expr>])

-```

-

-

-*str_expr1*

- Is the string expression to be searched.

-

-*str_expr2*

- Is the string expression to search for.

- Optional numeric expression that sets the position the search will start. The first position in *str_expr1* is 0.

-

-

- Returns a numeric expression.

-

-

- The following example returns the index of various substrings inside "abc".

-

-SELECT INDEX_OF("abc", "ab") AS i1, INDEX_OF("abc", "b") AS i2, INDEX_OF("abc", "c") AS i3

-```

-

- Here is the result set.

-

-[{"i1": 0, "i2": 1, "i3": -1}]

-```

-* [Azure Storage documentation](https://azure.microsoft.com/documentation/services/storage/)

-Prepaid and virtual cards aren't accepted as payment for Azure subscriptions.

- 

-Use updated [default parameterization template.](https://docs.microsoft.com/azure/data-factory/continuous-integration-delivery-resource-manager-custom-parameters#default-parameterization-template) as one time migration to new method of including global parameters. This template references to all values in global parameter list. You also have to update the deployment task in the **release pipeline** if you are already overriding the template parameters there.

-[ML Studio (classic)](https://azure.microsoft.com/documentation/services/machine-learning/) enables you to build, test, and deploy predictive analytics solutions. From a high-level point of view, it is done in three steps:

-Azure Data Factory and Synapse Analytics enable you to easily create pipelines that use a published [Machine Learning Studio (classic)](https://azure.microsoft.com/documentation/services/machine-learning) web service for predictive analytics. Using the **Batch Execution Activity** in a pipeline, you can invoke Machine Learning Studio (classic) web service to make predictions on the data in batch.

-[ML Studio (classic)](https://azure.microsoft.com/documentation/services/machine-learning/) enables you to build, test, and deploy predictive analytics solutions. From a high-level point of view, it is done in three steps:

-[azure-machine-learning]: https://azure.microsoft.com/services/machine-learning/

-* [Azure Data Factory](https://azure.microsoft.com/documentation/services/data-factory/)

-* [Azure Batch](https://azure.microsoft.com/documentation/services/batch/)

-1. In the [Azure portal](https://portal.azure.com), go to Azure Marketplace.

- 1. Connect to the Azure Cloud Shell or a client with Azure CLI installed. For detailed steps, see [Quickstart for Bash in Azure Cloud Shell](../cloud-shell/quickstart.md).

- 1. Use steps in [Search for Azure Marketplace images](azure-stack-edge-gpu-create-virtual-machine-marketplace-image.md#search-for-azure-marketplace-images) to search the Azure Marketplace for the following Ubuntu 20.04 LTS image:

- ```azurecli

- $urn = Canonical:0001-com-ubuntu-server-focal:20_04-lts:20.04.202007160

- ```

- 1. Create a new managed disk from the Marketplace image.

- 1. Export a VHD from the managed disk to an Azure Storage account.

- For detailed steps, follow the instructions in [Use Azure Marketplace image to create VM image for your Azure Stack Edge](azure-stack-edge-gpu-create-virtual-machine-marketplace-image.md).

-1. Follow these steps to create an Ubuntu VM using the VM image.

-When deployed with a web application firewall (WAF), DDoS Protection Standard protects both at the network layer (Layer 3 and 4, offered by Azure DDoS Protection Standard) and at the application layer (Layer 7, offered by a WAF). WAF offerings include Azure [Application Gateway WAF SKU](../web-application-firewall/ag/ag-overview.md?toc=%2fazure%2fvirtual-network%2ftoc.json) and third-party web application firewall offerings available in the [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps?page=1&search=web%20application%20firewall).

-This reference architecture shows running an Azure App Service application in a single region. This architecture shows a set of proven practices for a web application that uses [Azure App Service](https://azure.microsoft.com/documentation/services/app-service/) and [Azure SQL Database](https://azure.microsoft.com/documentation/services/sql-database/).

-For more information on this reference architecture, see the [Extend Azure HDInsight using an Azure Virtual Network](../hdinsight/hdinsight-plan-virtual-network-deployment.md?toc=%2fazure%2fvirtual-network%2ftoc.json)

- - **Additional features**: All other enhanced Defender for Servers security capabilities for Windows and Linux machines running in Azure, AWS, GCP, and on-premises.

-URI: `https://management.microsoft.com/subscriptions/<subscriptionId>/providers/Microsoft.Security/settings&api-version=2022-05-01-preview`

- | where properties.displayName == "MFA should be enabled on accounts with owner permissions on your subscription"

-> Event Grid will start **requiring authorizations to create partner topics or partner destinations** around June 30th, 2022. You should update your documentation asking your customers to grant you the authorization before you attempt to create a channel or an event channel.

-> Event Grid will start requiring authorizations to create partner topics or partner destinations around June 30th, 2022. Meanwhile, requiring your (subscriber's) authorization for a partner to create resources on your Azure subscription is an **optional** feature. We encourage you to opt-in to use this feature and try to use it in non-production Azure subscriptions before it becomes a mandatory step around June 30th, 2022. To opt-in to this feature, reach out to [mailto:askgrid@microsoft.com](mailto:askgrid@microsoft.com) using the subject line **Request to enforce partner authorization on my Azure subscription(s)** and provide your Azure subscription(s) in the email.

-* **Azure Active Directory (Azure AD)** ΓÇô Azure AD provides the identity management for Microsoft Azure and third-party SaaS applications. For more information about Azure AD, see [here](https://azure.microsoft.com/documentation/services/active-directory/).

-[Microsoft Cloud Solution Provider resources](https://partner.microsoft.com/solutions/cloud-reseller-resources).

-| **[Chunghwa Telecom](https://www.cht.com.tw/en/home/cht/about-cht/products-and-services/International/Cloud-Service)** |Supported |Supported | Taipei |

-| **[UOLDIVEO](https://www.uoldiveo.com.br/)** |Supported |Supported | Sao Paulo |

-Create an Automation account with run-as permissions. For instructions, see [Create an Azure Automation account](../automation/quickstarts/create-account-portal.md).

-To learn more about how to customize the workflow, see [Azure Logic Apps](../logic-apps/logic-apps-overview.md).

->

-Follow the guidelines in this article to provide additional protection for your Azure Virtual Desktop host pool using Azure Firewall.

- For more information, see [Tutorial: Create a host pool by using the Azure portal](../virtual-desktop/create-host-pools-azure-marketplace.md)

-You will need to create an Azure Firewall Policy and create Rule Collections for Network Rules and Applications Rules. Give the Rule Collection a priority and an allow or deny action.

-| Name | Source type | Source | Protocol | Destination ports | Destination type | Destination |

-| | -- | - | -- | -- | - | |

-| Rule Name | IP Address | VNet or Subnet IP Address | TCP | 80 | IP Address | 169.254.169.254, 168.63.129.16 |

-| Rule Name | IP Address | VNet or Subnet IP Address | TCP | 443 | Service Tag | AzureCloud, WindowsVirtualDesktop, AzureFrontDoor.Frontend |

-| Rule Name | IP Address | VNet or Subnet IP Address | TCP, UDP | 53 | IP Address | * |

-|Rule name | IP Address | VNet or Subnet IP Address | TCP | 1688 | IP address | 20.118.99.224, 40.83.235.53 (azkms.core.windows.net)|

-|Rule name | IP Address | VNet or Subnet IP Address | TCP | 1688 | IP address | 23.102.135.246 (kms.core.windows.net)|

-| Name | Source type | Source | Protocol | Destination type | Destination |

-| | -- | - | - | - | - |

-| Rule Name | IP Address | VNet or Subnet IP Address | Https:443 | FQDN Tag | WindowsVirtualDesktop, WindowsUpdate, Windows Diagnostics, MicrosoftActiveProtectionService |

-Depending on your organization needs, you might want to enable secure outbound internet access for your end users. If the list of allowed destinations is well-defined (for example, for [Microsoft 365 access](/microsoft-365/enterprise/microsoft-365-ip-web-service)), you can use Azure Firewall application and network rules to configure the required access. This routes end-user traffic directly to the internet for best performance. If you need to allow network connectivity for Windows 365 or Intune, see [Network requirments for Windows 365](/windows-365/requirements-network#allow-network-connectivity) and [Network endpoints for Intune](/mem/intune/fundamentals/intune-endpoints).

-## Additional considerations

-You might need to configure additional firewall rules, depending on your requirements:

- By default, virtual machines running Windows connect to `time.windows.com` over UDP port 123 for time synchronization. Create a network rule to allow this access, or for a time server that you use in your environment.

-You can add a wildcard domain under the section for front-end hosts or domains. Similar to subdomains, Azure Front Door (classic) validates that there's CNAME record mapping for your wildcard domain. This DNS mapping can be a direct CNAME record mapping like `*.contoso.com` mapped to `contoso.azurefd.net`. Or you can use afdverify temporary mapping. For example, `afdverify.contoso.com` mapped to `afdverify.contoso.azurefd.net` validates the CNAME record map for the wildcard.

-> Custom machine configuration policy definitions using **AuditIfNotExists** are

-> Generally Available, but definitions using **DeployIfNotExists** with guest

-> configuration are **in preview**.

- ContentUri = <_ContentUri output from the Publish command_>

- Path = './policies'

- ContentUri = <_ContentUri output from the Publish command_>

- Path = './policies'

- ContentUri = '<ContentUri output from the Publish command>'

- Path = '.\policies'

-New-AzPolicyDefinition -Name 'mypolicydefinition' -Policy '.\policies'

-Set-AzStorageBlobContent -Container "guestconfiguration" -File ./MyConfig.zip -Blob "guestconfiguration" -Context $Context

-Optionally, you can add a SAS token in the URL, this ensures that the content package will be accessed securely. The below example generates a blob SAS token with full blob permission and returns the full blob URI with the shared access signature token.

-$contenturi = New-AzStorageBlobSASToken -Context $Context -FullUri -Container guestconfiguration -Blob "guestconfiguration" -Permission rwd

-# Understand the machine configuration feature of Azure Policy

-description: Learn how to Enable Private Link on an HDInsight Kafka Rest Proxy cluster.

-As a prerequisite, complete the steps mentioned in [Enable Private Link on an HDInsight cluster document](./hdinsight-private-link.md), then perform the below steps.

-For more information on the REST API used in this document, see the [WebHCat reference](https://cwiki.apache.org/confluence/display/Hive/WebHCat+Reference) document.

-| Null pointer exception on running compaction against an MM table.|[HIVE-21280 ](https://issues.apache.org/jira/browse/HIVE-21280)|

-| Tez: SplitGenerator tries to look for plan files, which won't exist for Tez|[HIVE-22169 ](https://issues.apache.org/jira/browse/HIVE-22169)|

-| switch Hive UDFs to use Re2J regex engine|[HIVE-19661 ](https://issues.apache.org/jira/browse/HIVE-19661)|

-| Bucketing: Bucketing version 1 is incorrectly partitioning data|[HIVE-21167 ](https://issues.apache.org/jira/browse/HIVE-21167)|

-| For ALTER TABLE t SET TBLPROPERTIES ('EXTERNAL'='TRUE'); `TBL_TYPE` attribute changes not reflecting for non-CAPS|[HIVE-20057 ](https://issues.apache.org/jira/browse/HIVE-20057)|

-The `$convert-data` custom endpoint in the FHIR service is meant for data conversion from different data types to FHIR. It uses the Liquid template engine and the templates from the [FHIR Converter](https://github.com/microsoft/FHIR-Converter) project as the default templates. You can customize these conversion templates as needed. Currently it supports three types of data conversion: **C-CDA to FHIR**, **HL7v2 to FHIR**, **JSON to FHIR**.

-| inputData | Data to be converted. | For `Hl7v2`: string <br> For `Ccda`: XML <br> For `Json`: JSON |

-| inputDataType | Data type of input. | ```HL7v2```, ``Ccda``, ``Json`` |

-| templateCollectionReference | Reference to an [OCI image ](https://github.com/opencontainers/image-spec) template collection on [Azure Container Registry (ACR)](https://azure.microsoft.com/services/container-registry/). It's the image containing Liquid templates to use for conversion. It can be a reference either to the default templates or a custom template image that is registered within the FHIR service. See below to learn about customizing the templates, hosting those on ACR, and registering to the FHIR service. | For ***default/sample*** templates: <br> **HL7v2** templates: <br>```microsofthealth/fhirconverter:default``` <br>``microsofthealth/hl7v2templates:default``<br> **C-CDA** templates: <br> ``microsofthealth/ccdatemplates:default`` <br> **JSON** templates: <br> ``microsofthealth/jsontemplates:default`` <br><br> For ***custom*** templates: <br> \<RegistryServer\>/\<imageName\>@\<imageDigest\>, \<RegistryServer\>/\<imageName\>:\<imageTag\> |

-| rootTemplate | The root template to use while transforming the data. | For **HL7v2**:<br> "ADT_A01", "ADT_A02", "ADT_A03", "ADT_A04", "ADT_A05", "ADT_A08", "ADT_A11", "ADT_A13", "ADT_A14", "ADT_A15", "ADT_A16", "ADT_A25", "ADT_A26", "ADT_A27", "ADT_A28", "ADT_A29", "ADT_A31", "ADT_A47", "ADT_A60", "OML_O21", "ORU_R01", "ORM_O01", "VXU_V04", "SIU_S12", "SIU_S13", "SIU_S14", "SIU_S15", "SIU_S16", "SIU_S17", "SIU_S26", "MDM_T01", "MDM_T02"<br><br> For **C-CDA**:<br> "CCD", "ConsultationNote", "DischargeSummary", "HistoryandPhysical", "OperativeNote", "ProcedureNote", "ProgressNote", "ReferralNote", "TransferSummary" <br><br> For **JSON**: <br> "ExamplePatient", "Stu3ChargeItem" <br> |

-description: This document describes how to get started with the MedTech service in Azure Health Data Services.

-MedTech service in Azure Health Data Services is a Platform as a service (PaaS) that enables you to gather data from diverse medical devices and change it into a Fast Healthcare Interoperability Resources (FHIR&#174;) service format. MedTech service's device data translation capabilities make it possible to convert a wide variety of data into a unified FHIR format that provides secure health data management in a cloud environment.

-| IoT Edge device container | toolboc/azure-iot-edge-device-container | Windows, Linux, macOS, ARM | Testing a scenario with many IoT Edge devices at scale. |

-When you first install IoT Edge and provision your device, the device is set up with temporary certificates so that you can test the service.

-These temporary certificates expire in 90 days, or can be reset by restarting your machine.

-## Customize certificate lifetime

-<!-- 1.2 -->

-If you don't provide your own production certificates when you install and provision IoT Edge, the IoT Edge security manager automatically generates an **edge CA certificate**. This self-signed certificate is only meant for development and testing scenarios, not production. This certificate expires after 90 days.

-<!-- end 1.2 -->

-* If you don't provide your own production certificates when you install and provision IoT Edge, the IoT Edge security manager automatically generates a **device CA certificate**. This self-signed certificate is only meant for development and testing scenarios, not production. This certificate expires after 90 days.

-For these two automatically generated certificates, you have the option of setting a flag in the config file to configure the number of days for the lifetime of the certificates.

-<!-- 1.2 -->

-Upon expiry after the specified number of days, IoT Edge has to be restarted to regenerate the edge CA certificate. The edge CA certificate won't be renewed automatically.

-<!-- end 1.2 -->

-| [1.4](https://github.com/Azure/azure-iotedge/releases/tag/1.4.0) | Stable | August 2022 | Automatic image clean-up of unused Docker images <br> Ability to pass a [custom JSON payload to DPS on provisioning](../iot-dps/how-to-send-additional-data.md#iot-edge-support) <br> Ability to require all modules in a deployment be downloaded before restart <br> Use of the TCG TPM2 Software Stack which enables TPM hierarchy authorization values, specifying the TPM index at which to persist the DPS authentication key, and accommodating more [TPM configurations](http://github.com/Azure/iotedge/blob/897aed8c5573e8cad4b602e5a1298bdc64cd28b4/edgelet/contrib/config/linux/template.toml#L262-L288)

-Following this document, learn how to configure a package repository using [OSConfig for IoT](https://docs.microsoft.com/azure/osconfig/overview-osconfig-for-iot) and deploy packages based updates from that repository to your device fleet using [Device Update for IoT Hub](understand-device-update.md). Package-based updates are targeted updates that alter only a specific component or application on the device. They lead to lower consumption of bandwidth and help reduce the time to download and install the update. Package-based updates also typically allow for less downtime of devices when you apply an update and avoid the overhead of creating images.

-1. Configure the package repository of your choice with the OSConfigΓÇÖs configure package repo module. See [how to](https://docs.microsoft.com/azure/osconfig/howto-pmc?tabs=portal%2Csingle#example-1--specify-desired-package-sources). This repository should be the location where you wish to store packages to be downloaded to the device.

-* A *string* that contains a URI of an [Azure Storage](https://azure.microsoft.com/documentation/services/storage/) blob container to use as *output* from the job. The job creates a block blob in this container to store any error information from the completed import **Job**. The SAS token must include these permissions:

-* [Azure IoT Hub Device Provisioning Service](../iot-dps/index.yml)

- * *Receive device-to-cloud messages*. This endpoint is compatible with [Azure Event Hubs](https://azure.microsoft.com/documentation/services/event-hubs/). A back-end service can use it to read the [device-to-cloud messages](iot-hub-devguide-messages-d2c.md) sent by your devices. You can create custom endpoints on your IoT hub in addition to this built-in endpoint.

-*Device provisioning* is the process of adding the initial device data to the stores in your solution. To enable a new device to connect to your hub, you must add a device ID and keys to the IoT Hub identity registry. As part of the provisioning process, you might need to initialize device-specific data in other solution stores. You can also use the Azure IoT Hub Device Provisioning Service to enable zero-touch, just-in-time provisioning to one or more IoT hubs without requiring human intervention. To learn more, see the [provisioning service documentation](https://azure.microsoft.com/documentation/services/iot-dps).

-* [Azure IoT Hub Device Provisioning Service](https://azure.microsoft.com/documentation/services/iot-dps)

-By default, messages are routed to the built-in service-facing endpoint (**messages/events**) that is compatible with [Event Hubs](https://azure.microsoft.com/documentation/services/event-hubs/). This endpoint is currently only exposed using the [AMQP](https://www.amqp.org/) protocol on port 5671 and [AMQP over WebSockets](http://docs.oasis-open.org/amqp-bindmap/amqp-wsb/v1.0/cs01/amqp-wsb-v1.0-cs01.html) on port 443. An IoT hub exposes the following properties to enable you to control the built-in Event Hub-compatible messaging endpoint **messages/events**.

-

-

-

-

-

-description: The Responsible AI dashboard is a comprehensive UI and set of SDK/YAML components to help data scientists debug their machine learning models and make data-driven decisions.

-# Assess AI systems and make data-driven decisions with Azure Machine Learning Responsible AI dashboard (preview)

-Implementing Responsible AI in practice requires rigorous engineering. Rigorous engineering, however, can be tedious, manual, and time-consuming without the right tooling and infrastructure. Machine learning professionals need tools to implement responsible AI in practice effectively and efficiently.

-The Responsible AI dashboard provides a single pane of glass that brings together several mature Responsible AI tools in the areas of model [performance and fairness assessment](http://fairlearn.org/), data exploration, [machine learning interpretability](https://interpret.ml/), [error analysis](https://erroranalysis.ai/), [counterfactual analysis and perturbations](https://github.com/interpretml/DiCE), and [causal inference](https://github.com/microsoft/EconML) for a holistic assessment and debugging of models and making informed data-driven decisions. Having access to all of these tools in one interface empowers you to:

-1. Evaluate and debug your machine learning models by identifying model errors and fairness issues, diagnosing why those errors are happening, and informing your mitigation steps.

-2. Boost your data-driven decision-making abilities by addressing questions such as *ΓÇ£what is the minimum change the end user could apply to their features to get a different outcome from the model?ΓÇ¥ and/or ΓÇ£what is the causal effect of reducing or increasing a feature (for example, red meat consumption) on a real-world outcome (for example, diabetes progression)?ΓÇ¥*

-The dashboard could be customized to include the only subset of tools that are relevant to your use case.

-Responsible AI dashboard is also accompanied by a [PDF scorecard](how-to-responsible-ai-scorecard.md), which enables you to export Responsible AI metadata and insights of your data and models for sharing offline with the product and compliance stakeholders.

-The Responsible AI dashboard brings together, in a comprehensive view, various new and pre-existing tools, integrating them with the Azure Machine Learning [CLIv2, Python SDKv2](concept-v2.md) and [studio](overview-what-is-machine-learning-studio.md). These tools include:

-1. [Data explorer](concept-data-analysis.md) to understand and explore your dataset distributions and statistics.

-2. [Model overview and fairness assessment](concept-fairness-ml.md) to evaluate the performance of your model and evaluate your modelΓÇÖs group fairness issues (how diverse groups of people are impacted by your modelΓÇÖs predictions).

-3. [Error Analysis](concept-error-analysis.md) to view and understand how errors are distributed in your dataset.

-4. [Model interpretability](how-to-machine-learning-interpretability.md) (aggregate/individual feature importance values) to understand your modelΓÇÖs predictions and how those overall and individual predictions are made.

-5. [Counterfactual What-If](concept-counterfactual-analysis.md) to observe how feature perturbations would impact your model predictions while providing you with the closest data points with opposing or different model predictions.

-6. [Causal analysis](concept-causal-inference.md) to use historical data to view the causal effects of treatment features on real-world outcomes.

-Together, these components will enable you to debug machine learning models, while informing your data-driven and model-driven business decisions. The following diagram and two sections explain how these tools could be incorporated into your AI lifecycle to achieve improved models and solid data insights.

- - *What kinds of errors does my model have?*

- - *In what areas are errors most prevalent?*

- - *What are the causes of these errors?*

- - *Where should I focus my resources to improve my model?*

- - *How can I improve my model?*

- - *What social or technical solutions exist for these issues?*

-Below are the components of the Responsible AI dashboard supporting model debugging:

-| Identify | Error Analysis | The Error Analysis component provides machine learning practitioners with a deeper understanding of model failure distribution and assists you with quickly identifying erroneous cohorts of data. <br><br> The capabilities of this component in the dashboard are founded by the [Error Analysis](https://erroranalysis.ai/) package.|

-| Identify | Fairness Analysis | The Fairness component assesses how different groups, defined in terms of sensitive attributes such as sex, race, age, etc., are affected by your model predictions and how the observed disparities may be mitigated. It evaluates the performance of your model by exploring the distribution of your prediction values and the values of your model performance metrics across different sensitive subgroups. The capabilities of this component in the dashboard are founded by the [Fairlearn](https://fairlearn.org/) package. |

-| Identify | Model Overview | The Model Overview component aggregates various model assessment metrics, showing a high-level view of model prediction distribution for better investigation of its performance. It also enables group fairness assessment, highlighting the breakdown of model performance across different sensitive groups. |

-| Diagnose | Data Explorer | The Data Explorer component helps to visualize datasets based on predicted and actual outcomes, error groups, and specific features. This helps to identify issues of over- and underrepresentation and to see how data is clustered in the dataset. |

-| Diagnose | Model Interpretability | The Interpretability component generates human-understandable explanations of the predictions of a machine learning model. It provides multiple views into a modelΓÇÖs behavior: global explanations (for example, which features affect the overall behavior of a loan allocation model) and local explanations (for example, why an applicantΓÇÖs loan application was approved or rejected). <br><br> The capabilities of this component in the dashboard are founded by the [InterpretML](https://interpret.ml/) package. |

-| Diagnose | Counterfactual Analysis and What-If| The Counterfactual Analysis and what-if component consist of two functionalities for better error diagnosis: <br> - Generating a set of examples with minimal changes to a given point such that those changes alter the model's prediction (showing the closest data points with opposite model predictions). <br> - Enabling interactive and custom what-if perturbations for individual data points to understand how the model reacts to feature changes. <br> <br> The capabilities of this component in the dashboard are founded by the [DiCE](https://github.com/interpretml/DiCE) package. |

-Mitigation steps are available via standalone tools such as [Fairlearn](https://fairlearn.org/) (see [unfairness mitigation algorithms](https://fairlearn.org/v0.7.0/user_guide/mitigation.html)).

-Decision-making is one of the biggest promises of machine learning. The Responsible AI dashboard helps you inform your model-driven and data-driven business decisions.

-Exploratory data analysis, counterfactual analysis, and causal inference capabilities can assist you to make informed model-driven and data-driven decisions responsibly.

-Below are the components of the Responsible AI dashboard supporting responsible decision-making:

- - The component could be reused here to understand data distributions and identify over- and underrepresentation. Data exploration is a critical part of decision making as one can conclude that it isn't feasible to make informed decisions about a cohort that is underrepresented within data.

- - The Causal Inference component estimates how a real-world outcome changes in the presence of an intervention. It also helps to construct promising interventions by simulating different feature responses to various interventions and creating rules to determine which population cohorts would benefit from a particular intervention. Collectively, these functionalities allow you to apply new policies and effect real-world change.

- - The capabilities of this component are founded by the [EconML](https://github.com/Microsoft/EconML) package, which estimates heterogeneous treatment effects from observational data via machine learning.

- - The Counterfactual Analysis component described above could be reused here to help data scientists generate minimum changes applied to a data point's features leading to opposite model predictions (Taylor would have gotten the loan approval from the AI if they earned 10,000 more annual income and had two fewer credit cards open). Providing such information to the end users informs their perspective, educating them on how they can take action to get the desired outcome from the AI in the future.

- - The capabilities of this component are founded by the [DiCE](https://github.com/interpretml/DiCE) package.

-## Why should you use the Responsible AI dashboard?

-### Challenges with the status quo

-While progress has been made on individual tools for specific areas of Responsible AI, data scientists often need to use various tools (for example, performance assessment and model interpretability and fairness assessment) together, to holistically evaluate their models and data. For example, if a data scientist discovers a fairness issue with one tool, they then need to jump to a different tool to understand what data or model factors lie at the root of the issue before taking any steps on mitigation. This highly challenging process is further complicated for the following reasons.

-### Responsible AI dashboard challenging the status quo

-The Responsible AI dashboard is the first comprehensive yet customizable tool, bringing together fragmented experiences under one roof, enabling you to seamlessly onboard to a single customizable framework for model debugging and data-driven decision making.

-Using the Responsible AI dashboard, you can create dataset cohorts (subgroups of data), pass those cohorts to all of the supported components (for example, model interpretability, data explorer, model performance, etc.) and observe your model health for your identified cohorts. You can further compare insights from all supported components across a variety of pre-built cohorts to perform disaggregated analysis and find the blind spots of your model.

-Whenever you're ready to share those insights with other stakeholders, you can extract them easily via our [Responsible AI PDF scorecard](how-to-responsible-ai-scorecard.md)) and attach the PDF report to your compliance reports or share it with other colleagues to build trust and get their approval.

-## How to customize the Responsible AI dashboard?

-The Responsible AI dashboardΓÇÖs strength lies in its customizability. It empowers users to design tailored, end-to-end model debugging and decision-making workflows that address their particular needs. Need some inspiration? Here are some examples of how its components can be put together to analyze scenarios in diverse ways:

-| Responsible AI Dashboard Flow | Use Case |

-| Model Overview -> Error Analysis -> Data Explorer | To identify model errors and diagnose them by understanding the underlying data distribution |

-| Model Overview -> Fairness Assessment -> Data Explorer | To identify model fairness issues and diagnose them by understanding the underlying data distribution |

-| Model Overview -> Error Analysis -> Counterfactuals Analysis and What-If | To diagnose errors in individual instances with counterfactual analysis (minimum change to lead to a different model prediction) |

-| Model Overview -> Data Explorer | To understand the root cause of errors and fairness issues introduced via data imbalances or lack of representation of a particular data cohort |

-| Model Overview -> Interpretability | To diagnose model errors through understanding how the model has made its predictions |

-| Data Explorer -> Causal Inference | To distinguish between correlations and causations in the data or decide the best treatments to apply to see a positive outcome |

-| Interpretability -> Causal Inference | To learn whether the factors that the model has used for prediction making have any causal effect on the real-world outcome|

-| Data Explorer -> Counterfactuals Analysis and What-If | To address customer questions about what they can do next time to get a different outcome from an AI|

-## Who should use the Responsible AI dashboard?

-The Responsible AI dashboard, and its corresponding [Responsible AI scorecard](how-to-responsible-ai-scorecard.md), could be incorporated by the following personas to build trust with AI systems.

-description: Learn what responsible AI is and how to use it with Azure Machine Learning to understand models, protect data and control the model lifecycle.

-#Customer intent: As a data scientist, I want to learn what responsible AI is and how I can use it in Azure Machine Learning.

-# What is Responsible AI? (preview)

-Responsible Artificial Intelligence (Responsible AI) is an approach to developing, assessing, and deploying AI systems in a safe, trustworthy and ethical manner. AI systems are the product of many different decisions made by those who develop and deploy them. From system purpose to how people interact with AI systems, we need to proactively guide these decisions toward more beneficial and equitable outcomes. That means keeping people and their goals at the center of system design decisions and respecting enduring values like fairness, reliability, and transparency.

-At Microsoft, we've developed a [Responsible AI Standard](https://blogs.microsoft.com/wp-content/uploads/prod/sites/5/2022/06/Microsoft-Responsible-AI-Standard-v2-General-Requirements-3.pdf), a framework to guide how we build AI systems, according to our six principles of fairness, reliability and safety, privacy and security, inclusiveness, transparency, and accountability. For us, these principles are the cornerstone of a responsible and trustworthy approach to AI, especially as intelligent technology becomes more prevalent in the products and services we use every day.

-This article explains the six principles and demonstrates how Azure Machine Learning supports tools for making it seamless for ML developers and data scientists to implement and operationalize them in practice.

-AI systems should treat everyone fairly and avoid affecting similarly situated groups of people in different ways. For example, when AI systems provide guidance on medical treatment, loan applications, or employment, they should make the same recommendations to everyone with similar symptoms, financial circumstances, or professional qualifications.

-**Fairness and inclusiveness in Azure Machine Learning**: Azure Machine LearningΓÇÖs [fairness assessment component](./concept-fairness-ml.md) of the [Responsible AI dashboard](./concept-responsible-ai-dashboard.md) enables data scientists and ML developers to assess model fairness across sensitive groups defined in terms of gender, ethnicity, age, etc.

-To build trust, it's critical that AI systems operate reliably, safely, and consistently under normal circumstances and in unexpected conditions. These systems should be able to operate as they were originally designed, respond safely to unanticipated conditions, and resist harmful manipulation. It's also important to be able to verify that these systems are behaving as intended under actual operating conditions. How they behave and the variety of conditions they can handle reliably and safely largely reflects the range of situations and circumstances that developers anticipate during design and testing.

-**Reliability and safety in Azure Machine Learning**: Azure Machine LearningΓÇÖs [Error Analysis](./concept-error-analysis.md) component of the [Responsible AI dashboard](./concept-responsible-ai-dashboard.md) enables data scientists and ML developers to get a deep understanding of how failure is distributed for a model, identify cohorts of data with higher error rate than the overall benchmark. These discrepancies might occur when the system or model underperforms for specific demographic groups or infrequently observed input conditions in the training data.

-When AI systems are used to help inform decisions that have tremendous impacts on people's lives, it's critical that people understand how those decisions were made. For example, a bank might use an AI system to decide whether a person is creditworthy, or a company might use an AI system to determine the most qualified candidates to hire.

-A crucial part of transparency is what we refer to as interpretability or the useful explanation of the behavior of AI systems and their components. Improving interpretability requires that stakeholders comprehend how and why AI systems function the way they do so that they can identify potential performance issues, fairness issues, exclusionary practices, or unintended outcomes.

-**Transparency in Azure Machine Learning**: Azure Machine LearningΓÇÖs [Model Interpretability](how-to-machine-learning-interpretability.md) and [Counterfactual What-If](./concept-counterfactual-analysis.md) components of the [Responsible AI dashboard](concept-responsible-ai-dashboard.md) enable data scientists and ML developers to generate human-understandable descriptions of the predictions of a model. The Model Interpretability component provides multiple views into their modelΓÇÖs behavior: global explanations (for example, what features affect the overall behavior of a loan allocation model?) and local explanations (for example, why a customerΓÇÖs loan application was approved or rejected?). One can also observe model explanations for a selected cohort of data points (for example, what features affect the overall behavior of a loan allocation model for low-income applicants?). Moreover, the Counterfactual What-If component enables understanding and debugging a machine learning model in terms of how it reacts to feature changes and perturbations. Azure Machine Learning also supports a [Responsible AI scorecard](./how-to-responsible-ai-scorecard.md), a customizable PDF report that machine learning developers can easily configure, generate, download, and share with their technical and non-technical stakeholders to educate them about their datasets and models health, achieve compliance, and build trust. This scorecard could also be used in audit reviews to uncover the characteristics of machine learning models.

-## Privacy and Security

-As AI becomes more prevalent, protecting the privacy and securing important personal and business information is becoming more critical and complex. With AI, privacy and data security issues require especially close attention because access to data is essential for AI systems to make accurate and informed predictions and decisions about people. AI systems must comply with privacy laws that require transparency about the collection, use, and storage of data and mandate that consumers have appropriate controls to choose how their data is used.

-**Privacy and Security in Azure Machine Learning**: Azure Machine Learning is enabling administrators, DevOps, and MLOps developers to [create a secure configuration that is compliant](concept-enterprise-security.md) with their company's policies. With Azure Machine Learning and the Azure platform, users can:

-Microsoft has also created two open source packages that could enable further implementation of privacy and security principles:

-The people who design and deploy AI systems must be accountable for how their systems operate. Organizations should draw upon industry standards to develop accountability norms. These norms can ensure that AI systems aren't the final authority on any decision that impacts people's lives and that humans maintain meaningful control over otherwise highly autonomous AI systems.

-**Accountability in Azure Machine Learning**: Azure Machine LearningΓÇÖs [Machine Learning Operations (MLOps)](concept-model-management-and-deployment.md) is based on DevOps principles and practices that increase the efficiency of AI workflows. Azure Machine Learning provides the following MLOps capabilities for better accountability of your AI systems:

-Besides the MLOps capabilities, Azure Machine LearningΓÇÖs [Responsible AI scorecard](how-to-responsible-ai-scorecard.md) creates accountability by enabling cross-stakeholders communications and by empowering machine learning developers to easily configure, download, and share their model health insights with their technical and non-technical stakeholders to educate them about their AI's data and model health, and build trust.

-The ML platform also enables decision-making by informing model-driven and data-driven business decisions:

-Operationalize the machine learning models that you have built by wrapping them in a web service interface. Operationalizing machine learning models enables clients written in any language to invoke predictions from those models. For more information, see the [Machine Learning documentation](https://azure.microsoft.com/documentation/services/machine-learning/).

-> GitHub Actions for Azure Machine Learning are provided as-is, and are not fully supported by Microsoft. If you encounter problems with a specific action, open an issue in the repository for the action. For example, if you encounter a problem with the aml-deploy action, report the problem in the [https://github.com/Azure/aml-deploy]( https://github.com/Azure/aml-deploy) repo.

-description: Learn how to find and use the Juypter Notebooks designed to help you explore the SDK and serve as models for your own machine learning projects.

-The [Azure Machine Learning Notebooks repository](https://github.com/azure/machinelearningnotebooks) includes the latest Azure Machine Learning Python SDK samples. These Jupyter notebooks are designed to help you explore the SDK and serve as models for your own machine learning projects. In this repository, you'll find tutorial notebooks in the **tutorials** folder and feature-specific notebooks in the **how-to-use-azureml** folder.

-Also explore the community-driven repository of [AzureML-Examples](https://github.com/Azure/azureml-examples). This repository includes notebooks and [CLI (v2)](how-to-configure-cli.md) examples. For information on the various example types, see the [readme](https://github.com/Azure/azureml-examples#azure-machine-learning-examples).

-This article shows you how to access the repositories from the following environments:

-<a name="notebookvm"></a>

-## Get samples on Azure Machine Learning compute instance

-<a name="byo"></a>

-## Get samples on your notebook server

-These instructions install the base SDK packages necessary for the quickstart and tutorial notebooks. Other sample notebooks may require you to install extra components. For more information, see [Install the Azure Machine Learning SDK for Python](/python/api/overview/azure/ml/install).

-<a name="dsvm"></a>

-## Get samples on DSVM

-* [Create an AKS cluster (CLI)](/cli/azure/aks?bc=%2fazure%2fbread%2ftoc.json&toc=%2fazure%2faks%2fTOC.json#az-aks-create)

-You can remove offer listings and plans from the Microsoft commercial marketplace, which will prevent new customers from finding and purchasing them. Any customers who previously acquired the offer or plan can still use it, and they can download it again if needed. However, they won't get updates if you decide to republish the offer or plan at a later time.

-This article describes how to create an Azure VMware Solution assessment for on-premises servers in VMware environment with Azure Migrate: Discovery and assessment.

-**Azure VM** | Assessments to migrate your on-premises servers to Azure virtual machines. You can assess your on-premises servers in [VMware](how-to-set-up-appliance-vmware.md) and [Hyper-V](how-to-set-up-appliance-hyper-v.md) environment, and [physical servers](how-to-set-up-appliance-physical.md) for migration to Azure VMs using this assessment type.

-**Azure App Service** | Assessments to migrate your on-premises ASP.NET web apps, running on IIS web servers, from your VMware environment to Azure App Service.

-**Azure VMware Solution (AVS)** | Assessments to migrate your on-premises servers to [Azure VMware Solution (AVS)](../azure-vmware/introduction.md). You can assess your on-premises servers in [VMware environment](how-to-set-up-appliance-vmware.md) for migration to Azure VMware Solution (AVS) using this assessment type. [Learn more](concepts-azure-vmware-solution-assessment-calculation.md)

-> Azure VMware Solution (AVS) assessment can be created for servers in VMware environment only.

- - The **Storage type** is defaulted to **vSAN**. This is the default storage type for an AVS private cloud.

- - The **Node type** is defaulted to **AV36**. Azure Migrate recommends the node of nodes needed to migrate the servers to AVS.

- - In **Dedupe and compression factor**, specify the anticipated dedupe and compression factor for your workloads. Actual value can be obtained from on-premises vSAN or storage config and this may vary by workload. A value of 3 would mean 3x so for 300GB disk only 100GB storage would be used. A value of 1 would mean no dedupe or compression. You can only add values from 1 to 10 up to one decimal place.

- - **Not ready for AVS**: The VM will not start in AVS. For example, if the on-premises VMware VM has an external device attached such as a cd-rom the VMware VMotion operation will fail (if using VMware VMotion).

- - **VMware HCX or Enterprise**: For VMware servers, VMware Hybrid Cloud Extension (HCX) solution is the suggested migration tool to migrate your on-premises workload to your Azure VMware Solution (AVS) private cloud. [Learn More](../azure-vmware/configure-vmware-hcx.md).

- - **Unknown**: For servers imported via a CSV file, the default migration tool is unknown. Though for VMware servers, it is suggested to use the VMware Hybrid Cloud Extension (HCX) solution.

-| VM series| [B-series](https://docs.microsoft.com/azure/virtual-machines/sizes-b-series-burstable) | [Ddsv4-series](https://docs.microsoft.com/azure/virtual-machines/ddv4-ddsv4-series#ddsv4-series) | [Edsv4](https://docs.microsoft.com/azure/virtual-machines/edv4-edsv4-series#edsv4-series)/[Edsv5-series](https://docs.microsoft.com/azure/virtual-machines/edv5-edsv5-series#edsv5-series)*|

-If an endpoint becomes unreachable, connection troubleshoot informs you of the reason. Potential reasons are a DNS name resolution problem, the CPU, memory, or firewall within the operating system of a VM, or the hop type of a custom route, or security rule for the VM or subnet of the outbound connection. Learn more about [security rules](../virtual-network/network-security-groups-overview.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json#security-rules) and [route hop types](../virtual-network/virtual-networks-udr-overview.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json) in Azure.

-Network performance monitor is a cloud-based hybrid network monitoring solution that helps you monitor network performance between various points in your network infrastructure. It also helps you monitor network connectivity to service and application endpoints and monitor the performance of Azure ExpressRoute. Network performance monitor detects network issues like traffic blackholing, routing errors, and issues that conventional network monitoring methods aren't able to detect. The solution generates alerts and notifies you when a threshold is breached for a network link. It also ensures timely detection of network performance issues and localizes the source of the problem to a particular network segment or device. Learn more about [network performance monitor](../azure-monitor/insights/network-performance-monitor.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json).

-There are [limits](../azure-resource-manager/management/azure-subscription-service-limits.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json#azure-resource-manager-virtual-networking-limits) to the number of network resources that you can create within an Azure subscription and region. If you meet the limits, you're unable to create more resources within the subscription or region. The *network subscription limit* capability provides a summary of how many of each network resource you have deployed in a subscription and region, and what the limit is for the resource. The following picture shows the partial output for network resources deployed in the East US region for an example subscription:

-You can enable diagnostic logging for Azure networking resources such as network security groups, public IP addresses, load balancers, virtual network gateways, and application gateways. The *Diagnostic logs* capability provides a single interface to enable and disable network resource diagnostic logs for any existing network resource that generates a diagnostic log. You can view diagnostic logs using tools such as Microsoft Power BI and Azure Monitor logs. To learn more about analyzing Azure network diagnostic logs, see [Azure network solutions in Azure Monitor logs](../azure-monitor/insights/azure-networking-analytics.md?toc=%2fazure%2fnetwork-watcher%2ftoc.json).

-|[NTT Data](https://us.nttdata.com/en/digital/cloud-transformation)|[Managed

-[Notification Hubs tutorials and guides]: https://azure.microsoft.com/documentation/services/notification-hubs

-Create a Azure Web Application Firewall on Azure Front Door using the Azure portal:

-Upgrading a major version of Citus can introduce changes in behavior.

-It's best to familiarize yourself with new product features and changes

-to avoid surprises.

-extensions](reference-extensions.md), including the Citus extension.

-Citus version before you upgrade your production environment. Also, please see

-* If the target storage account is in a different Azure subscription than the one for Microsoft Purview account, [register the Microsoft.Purview resource provider](../azure-resource-manager/management/resource-providers-and-types.md) in the Azure subscription where the Azure data store is located.

-* If the source storage account is in a different Azure subscription than the one for Microsoft Purview account, [register the Microsoft.Purview resource provider](../azure-resource-manager/management/resource-providers-and-types.md) in the Azure subscription where the Azure data store is located.

- + `"generateNormalizedImagePerPage"` (applies to PDF only) to generate an array of normalized images where each page in the PDF is rendered to one output image. For non-PDF files, the behavior of this parameter is same as if you had set "generateNormalizedImages".

-Use the [Azure.Search.Documents (version 11) client library](/dotnet/api/overview/azure/search.documents-readme) to create a .NET Core console application in C# that creates, loads, and queries a search index.

-Azure SDK for .NET conforms to [.NET Standard 2.0](/dotnet/standard/net-standard#net-implementation-support), which means .NET Framework 4.6.1 and .NET Core 2.0 as minimum requirements.

-Assemble service connection information, and then start Visual Studio to create a new Console App project that can run on .NET Core.

- static void Main(string[] args)

- {

- string serviceName = "<YOUR-SERVICE-NAME>";

- string indexName = "hotels-quickstart";

- string apiKey = "<YOUR-ADMIN-API-KEY>";

-Build a notebook that creates, loads, and queries an Azure Cognitive Search index using Python and the [azure-search-documents library](/python/api/overview/azure/search-documents-readme) in the Azure SDK for Python. This article explains how to build a notebook step by step. Alternatively, you can [download and run a finished Jupyter Python notebook](https://github.com/Azure-Samples/azure-search-python-samples).

- !pip install azure-search-documents --pre

- !pip show azure-search-documents

-1. In this example, look up a specific document based on its key. You would typically want to return a document when a user select on a document in a search result.

- When the index was created, a suggester named "sg" was also created as part of the request. A suggester definition specifies which fields can be used to find potential matches to suggester requests. In this example, those fields are 'Tags', 'Address/City', 'Address/Country'. To simulate auto-complete, pass in the letters "sa" as a partial string. The autocomplete method of [SearchClient](/python/api/azure-search-documents/azure.search.documents.searchclient) sends back potential term matches.

- :::image type="content" source="media/tutorial-multiple-data-sources/cosmos-newdb.png" alt-text="Create a new database" border="false":::

- :::image type="content" source="media/tutorial-multiple-data-sources/cosmos-dbname.png" alt-text="Configure database" border="false":::

- :::image type="content" source="media/tutorial-multiple-data-sources/cosmos-add-container.png" alt-text="Add container" border="false":::

- :::image type="content" source="media/tutorial-multiple-data-sources/cosmos-upload.png" alt-text="Upload to Azure Cosmos DB collection" border="false":::

- :::image type="content" source="media/tutorial-multiple-data-sources/blob-add-container.png" alt-text="Create a blob container" border="false":::

-Fabric](https://azure.microsoft.com/documentation/services/service-fabric).

-Machines](https://azure.microsoft.com/documentation/services/virtual-machines/).

-Download the latest version of the [Microsoft Threat Modeling Tool](https://aka.ms/threatmodelingtool).

-Download the latest version of the [Microsoft Threat Modeling Tool](https://aka.ms/threatmodelingtool).

-Download the latest version of the [Microsoft Threat Modeling Tool](https://aka.ms/threatmodelingtool).

-Download the latest version of the [Microsoft Threat Modeling Tool](https://aka.ms/threatmodelingtool).

-Download the latest version of the [Microsoft Threat Modeling Tool](https://aka.ms/threatmodelingtool).

-| - [Azure Firewall ](../../sentinel/data-connectors-reference.md#azure-firewall) | GA | GA |

-| - [Azure Key Vault ](../../sentinel/data-connectors-reference.md#azure-key-vault) | Public Preview | Not Available |

-| - [F5 BIG-IP ](../../sentinel/data-connectors-reference.md#f5-big-ip) | GA | GA |

-| - [Forcepoint DLP ](../../sentinel/data-connectors-reference.md#forcepoint-data-loss-prevention-dlp-preview) | Public Preview | Not Available |

-| - [Google Workspace (G Suite) ](../../sentinel/data-connectors-reference.md#google-workspace-g-suite-preview) | Public Preview | Not Available |

-| - [SonicWall Firewall ](../../sentinel/data-connectors-reference.md#sophos-cloud-optix-preview) | Public Preview | Public Preview |

-* [Multi-Factor Authentication](https://azure.microsoft.com/documentation/services/multi-factor-authentication/)

-* [Azure Active Directory](https://azure.microsoft.com/documentation/services/active-directory/)

-* [Manage user access with Azure AD access reviews](../../active-directory/governance/access-reviews-overview.md)

-* [Multi-Factor Authentication](https://azure.microsoft.com/documentation/services/multi-factor-authentication/)

-* Use IPsec for [Azure VPN](https://azure.microsoft.com/documentation/services/vpn-gateway/) to further protect management traffic from eavesdropping and token theft, or consider an isolated Internet link via [Azure ExpressRoute](https://azure.microsoft.com/documentation/services/expressroute/).

-* [Microsoft Security Response Center](https://www.microsoft.com/msrc) -- where Microsoft security vulnerabilities, including issues with Azure, can be reported or via email to [secure@microsoft.com](mailto:secure@microsoft.com)

-**Option**: Use [ExpressRoute](https://azure.microsoft.com/documentation/services/expressroute/). It provides functionality similar to the site-to-site VPN. The main differences are:

-[Azure Site Recovery](https://azure.microsoft.com/documentation/services/site-recovery) provides business continuity by orchestrating the replication of on-premises virtual and physical machines to Azure, or to a secondary site. If your primary site is unavailable, you fail over to the secondary location so that users can keep working. You fail back when systems return to working order. Use Microsoft Defender for Cloud to perform more intelligent and effective threat detection.

-[Azure Monitor logs](https://azure.microsoft.com/documentation/services/log-analytics) provides monitoring services by collecting data from managed resources into a central repository. This data could include events, performance data, or custom data provided through the API. Once collected, the data is available for alerting, analysis, and export.

-[Azure Backup](https://azure.microsoft.com/documentation/services/backup) provides data backup and restore services and is part of the Azure Monitor suite of products and services.

-Encryption and authentication do not improve security unless the keys themselves are protected. You can simplify the management and security of your critical secrets and keys by storing them in [Azure Key Vault](../../key-vault/general/overview.md). Key Vault provides the option to store your keys in hardware Security modules (HSMs) certified to FIPS 140-2 Level 2 standards. Your SQL Server encryption keys for backup or [transparent data encryption](/sql/relational-databases/security/encryption/transparent-data-encryption) can all be stored in Key Vault with any keys or secrets from your applications. Permissions and access to these protected items are managed through [Azure Active Directory](https://azure.microsoft.com/documentation/services/active-directory/).

-Use [Azure Application Insights](https://azure.microsoft.com/documentation/services/application-insights) to monitor availability, performance, and usage of your application, whether it's hosted in the cloud or on-premises. By using Application Insights, you can quickly identify and diagnose errors in your application without waiting for a user to report them. With the information that you collect, you can make informed choices on your application's maintenance and improvements.

-[Azure Monitor logs](https://azure.microsoft.com/documentation/services/log-analytics) provides monitoring services by collecting data from managed resources into a central repository. This data could include events, performance data, or custom data provided through the API. Once collected, the data is available for alerting, analysis, and export.

-Key Vault provides the option to store your keys in hardware security modules (HSMs) certified to FIPS 140-2 Level 2 standards. Your SQL Server encryption keys for backup or [transparent data encryption](/sql/relational-databases/security/encryption/transparent-data-encryption) can all be stored in Key Vault with any keys or secrets from your applications. Permissions and access to these protected items are managed through [Azure Active Directory](https://azure.microsoft.com/documentation/services/active-directory/).

-The following table lists the free data sources you can enable in Microsoft Sentinel. Some of the data connectors, such as Microsoft 365 Defender and Defender for Cloud Apps, include both free and paid data types.

-| Microsoft Sentinel Data Connector | Data type | Free or paid |

-|-|--||

-| **Azure Activity Logs** | AzureActivity | Free |

-| **Azure AD Identity Protection** | SecurityAlert (IPC) | Free |

-| **Office 365** | OfficeActivity (SharePoint) | Free|

-|| OfficeActivity (Exchange)|Free|

-|| OfficeActivity (Teams) | Free|

-| **Microsoft Defender for Cloud** | SecurityAlert (Defender for Cloud) | Free |

-| **Microsoft Defender for IoT** | SecurityAlert (Defender for IoT) | Free |

-| **Microsoft 365 Defender** | SecurityIncident | Free|

-||SecurityAlert| Free|

-||DeviceEvents | Paid|

-||DeviceFileEvents | Paid|

-||DeviceImageLoadEvents | Paid|

-||DeviceInfo | Paid|

-||DeviceLogonEvents | Paid|

-||DeviceNetworkEvents | Paid|

-||DeviceNetworkInfo | Paid|

-||DeviceProcessEvents | Paid|

-||DeviceRegistryEvents | Paid|

-||DeviceFileCertificateInfo | Paid|

-| **Microsoft Defender for Endpoint** | SecurityAlert (MDATP) | Free |

-| **Microsoft Defender for Identity** | SecurityAlert (AATP) | Free |

-| **Microsoft Defender for Cloud Apps** | SecurityAlert (Defender for Cloud Apps) | Free |

-||MCASShadowITReporting | Paid|

-1. For the target product, specify **Microsoft Sentinel**.

-| **Azure** | Office | OfficeActivity | Office 365 Management Activity API schemas: <br>- [Common schema ](/office/office-365-management-api/office-365-management-activity-api-schema#common-schema) <br>- [Exchange Admin schema ](/office/office-365-management-api/office-365-management-activity-api-schema#exchange-admin-schema) <br>- [Exchange Mailbox schema](/office/office-365-management-api/office-365-management-activity-api-schema#exchange-mailbox-schema) <br>- [SharePoint Base schema](/office/office-365-management-api/office-365-management-activity-api-schema#sharepoint-base-schema) <br>- [SharePoint file operations](/office/office-365-management-api/office-365-management-activity-api-schema#sharepoint-file-operations) |