+ <InputClaim ClaimTypeReferenceId="email" TransformationClaimType="personalizations.0.dynamic_template_data.verify-email" />

+- Find more [claims transformation samples](https://github.com/azure-ad-b2c/unit-tests/tree/main/claims-transformation/json) on the Azure AD B2C community GitHub repo

+`aud` | `https://login.microsoftonline.com/{tenantId}/oauth2/V2.0/token` | The "aud" (audience) claim identifies the recipients that the JWT is intended for (here Azure AD) See [RFC 7519, Section 4.1.3](https://tools.ietf.org/html/rfc7519#section-4.1.3). In this case, that recipient is the login server (login.microsoftonline.com).

+- [The redirect URI must be marked as type `spa`](v2-oauth2-auth-code-flow.md#redirect-uris-for-single-page-apps-spas) to enable CORS on login endpoints.

+description: Protocol reference for the Microsoft identity platform's implementation of the OAuth 2.0 authorization code grant

+The OAuth 2.0 authorization code grant type, or _auth code flow_, enables a client application to obtain authorized access to protected resources like web APIs. The auth code flow requires a user-agent that supports redirection from the authorization server (the Microsoft identity platform) back to your application. For example, a web browser, desktop, or mobile application operated by a user to sign in to your app and access their data.

+This article describes low-level protocol details usually required only when manually crafting and issuing raw HTTP requests to execute the flow, which we do **not** recommend. Instead, use a [Microsoft-built and supported authentication library](reference-v2-libraries.md) to get security tokens and call protected web APIs in your apps.

+## Applications that support the auth code flow

+Use the auth code flow paired with Proof Key for Code Exchange (PKCE) and OpenID Connect (OIDC) to get access tokens and ID tokens in these types of apps:

+- [Single-page web application (SPA)](v2-app-types.md#single-page-apps-javascript)

+- [Standard (server-based) web application](v2-app-types.md#web-apps)

+- [Desktop and mobile apps](v2-app-types.md#mobile-and-native-apps)

+## Protocol details

+The OAuth 2.0 authorization code flow is described in [section 4.1 of the OAuth 2.0 specification](https://tools.ietf.org/html/rfc6749). Apps using the OAuth 2.0 authorization code flow acquire an `access_token` to include in requests to resources protected by the Microsoft identity platform (typically APIs). Apps can also request new ID and access tokens for previously authenticated entities by using a refresh mechanism.

+This diagram shows a high-level view of the authentication flow:

+## Redirect URIs for single-page apps (SPAs)

+Redirect URIs for SPAs that use the auth code flow require special configuration.

+- **Add a redirect URI** that supports auth code flow with PKCE and cross-origin resource sharing (CORS): Follow the steps in [Redirect URI: MSAL.js 2.0 with auth code flow](scenario-spa-app-registration.md#redirect-uri-msaljs-20-with-auth-code-flow).

+- **Update a redirect URI**: Set the redirect URI's `type` to `spa` by using the [application manifest editor](reference-app-manifest.md) in the Azure portal.

+The `spa` redirect type is backward-compatible with the implicit flow. Apps currently using the implicit flow to get tokens can move to the `spa` redirect URI type without issues and continue using the implicit flow.

+> Single page apps may receive an `invalid_request` error indicating that cross-origin token redemption is permitted only for the 'Single-Page Application' client-type. This indicates that the redirect URI used to request the token has not been marked as a `spa` redirect URI. Review the [application registration steps](#redirect-uris-for-single-page-apps-spas) on how to enable this flow.

+- **SubjectConfirmationData for a SAML assertion sourced from an OBO call**: If the target application requires a `Recipient` value in `SubjectConfirmationData`, then the value must be configured as the first non-wildcard Reply URL in the resource application configuration. Since the default Reply URL isn't used to determine the `Recipient` value, you might have to reorder the Reply URLs in the application configuration.

+- **The SubjectConfirmationData node**: The node can't contain an `InResponseTo` attribute since it's not part of a SAML response. The application receiving the SAML token must be able to accept the SAML assertion without an `InResponseTo` attribute.

+## Block users from viewing their BitLocker keys (preview)

+In this preivew, admins can block self-service BitLocker key access to the registered owner of the device. Default users without the BitLocker read permission will be unable to view or copy their BitLocker key(s) for their owned devices.

+To disable/enable self-service BitLocker recovery:

+```PowerShell

+Connect-MgGraph -Scopes Policy.ReadWrite.Authorization

+$authPolicyUri = "https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy"

+$body = @{

+ defaultUserRolePermissions = @{

+ allowedToReadBitlockerKeysForOwnedDevice = $false #Set this to $true to allow BitLocker self-service recovery

+ }

+}| ConvertTo-Json

+Invoke-MgGraphRequest -Uri $authPolicyUri -Method PATCH -Body $body

+# Show current policy setting

+$authPolicy = Invoke-MgGraphRequest -Uri $authPolicyUri

+$authPolicy.defaultUserRolePermissions

+```

+In January 2022, we've added the following 47 new applications in our App gallery with Federation support:

+Azure AD access reviews reviewer recommendations now account for non-interactive sign-in information, improving upon original recommendations based on interactive last sign-ins only. Reviewers can now make more accurate decisions based on the last sign-in activity of the users they're reviewing. To learn more about how to create access reviews, go to [Create an access review of groups and applications in Azure AD](../governance/create-access-review.md).

+We're no longer publishing sign-in logs with the following error codes because these events are pre-authentication events that occur before our service has authenticated a user. Because these events happen before authentication, our service isn't always able to correctly identify the user. If a user continues on to authenticate, the user sign-in will show up in your tenant Sign-in logs. These logs are no longer visible in the Azure portal UX, and querying these error codes in the Graph API will no longer return results.

+|50058| Session information isn't sufficient for single-sign-on.|

+|16000| Either multiple user identities are available for the current request or selected account isn't supported for the scenario.|

+The Public Preview feature for Azure AD Connect Cloud Sync Password writeback provides customers the capability to write back a user's password changes in the cloud to the on-premises directory in real time using the lightweight Azure AD cloud provisioning agent.[Learn more](../authentication/tutorial-enable-cloud-sync-sspr-writeback.md).

+Entitlement Management's enriched review experience allows even more flexibility on access packages reviews. Admins can now choose what happens to access if the reviewers don't respond, provide helper information to reviewers, or decide whether a justification is necessary. [Learn more](../governance/entitlement-management-access-reviews-create.md).

+The total number of required permissions for any single application registration mustn't exceed 400 permissions, across all APIs. The change to enforce this limit will begin rolling out mid-October 2021. Applications exceeding the limit can't increase the number of permissions they're configured for. The existing limit on the number of distinct APIs for which permissions are required remains unchanged and may not exceed 50 APIs.

+If there's no trust relation between a home and resource tenant, a guest user would have previously been asked to re-register their device, which would break the previous registration. However, the user would end up in a registration loop because only home tenant device registration is supported. In this specific scenario, instead of this loop, we've created a new conditional access blocking page. The page tells the end user that they can't get access to conditional access protected resources as a guest user. [Learn more](../external-identities/b2b-quickstart-add-guest-users-portal.md#prerequisites).

+The modern Edge browser is now included in the requirement to provide an `Origin` header when redeeming a [single page app authorization code](../develop/v2-oauth2-auth-code-flow.md#redirect-uris-for-single-page-apps-spas). A compatibility fix accidentally exempted the modern Edge browser from CORS controls, and that bug is being fixed during October. A subset of applications depended on CORS being disabled in the browser, which has the side effect of removing the `Origin` header from traffic. This is an unsupported configuration for using Azure AD, and these apps that depended on disabling CORS can no longer use modern Edge as a security workaround. All modern browsers must now include the `Origin` header per HTTP spec, to ensure CORS is enforced. [Learn more](../develop/reference-breaking-changes.md#the-device-code-flow-ux-will-now-include-an-app-confirmation-prompt).

+To help administrators understand that their users are blocked for multi-factor authentication as a result of fraud report, we've added a new audit event. This audit event is tracked when the user reports fraud. The audit log is available in addition to the existing information in the sign-in logs about fraud report. To learn how to get the audit report, see [multi-factor authentication Fraud alert](../authentication/howto-mfa-mfasettings.md#fraud-alert).

+With this new capability, connector groups can be assigned to the closest regional Application Proxy service an application is hosted in. This can improve app performance in scenarios where apps are hosted in regions other than the home tenant's region. [Learn more](../app-proxy/application-proxy-network-topology.md#optimize-connector-groups-to-use-closest-application-proxy-cloud-service).

+[Travel & Expense Management](https://app.expenseonce.com/Account/Login), [Tribeloo](../saas-apps/tribeloo-tutorial.md), [Itslearning File Picker](https://pmteam.itslearning.com/), [Crises Control](../saas-apps/crises-control-tutorial.md), [CourtAlert](https://www.courtalert.com/), [StealthMail](https://stealthmail.com/), [Edmentum - Study Island](https://app.studyisland.com/cfw/login/), [Virtual Risk Manager](../saas-apps/virtual-risk-manager-tutorial.md), [TIMU](../saas-apps/timu-tutorial.md), [Looker Analytics Platform](../saas-apps/looker-analytics-platform-tutorial.md), [Talview - Recruit](https://recruit.talview.com/login), Real Time Translator, [Klaxoon](https://access.klaxoon.com/login), [Podbean](../saas-apps/podbean-tutorial.md), [zcal](https://zcal.co/signup), [expensemanager](https://api.expense-manager.com/), [Netsparker Enterprise](../saas-apps/netsparker-enterprise-tutorial.md), [En-trak Tenant Experience Platform](https://portal.en-trak.app/), [Appian](../saas-apps/appian-tutorial.md), [Panorays](../saas-apps/panorays-tutorial.md), [Builterra](https://portal.builterra.com/), [EVA Check-in](https://my.evacheckin.com/organization), [HowNow WebApp SSO](../saas-apps/hownow-webapp-sso-tutorial.md), [Coupa Risk Assess](../saas-apps/coupa-risk-assess-tutorial.md), [Lucid (All Products)](../saas-apps/lucid-tutorial.md), [GoBright](https://portal.brightbooking.eu/), [SailPoint IdentityNow](../saas-apps/sailpoint-identitynow-tutorial.md),[Resource Central](../saas-apps/resource-central-tutorial.md), [UiPathStudioO365App](https://www.uipath.com/product/platform), [Jedox](../saas-apps/jedox-tutorial.md), [Cequence Application Security](../saas-apps/cequence-application-security-tutorial.md), [PerimeterX](../saas-apps/perimeterx-tutorial.md), [TrendMiner](../saas-apps/trendminer-tutorial.md), [Lexion](../saas-apps/lexion-tutorial.md), [WorkWare](../saas-apps/workware-tutorial.md), [ProdPad](../saas-apps/prodpad-tutorial.md), [AWS ClientVPN](../saas-apps/aws-clientvpn-tutorial.md), [AppSec Flow SSO](../saas-apps/appsec-flow-sso-tutorial.md), [Luum](../saas-apps/luum-tutorial.md), [Freight Measure](https://www.gpcsl.com/freight.html), [Terraform Cloud](../saas-apps/terraform-cloud-tutorial.md), [Nature Research](../saas-apps/nature-research-tutorial.md), [Play Digital Signage](https://login.playsignage.com/login), [RemotePC](../saas-apps/remotepc-tutorial.md), [Prolorus](../saas-apps/prolorus-tutorial.md), [Hirebridge ATS](../saas-apps/hirebridge-ats-tutorial.md), [Teamgage](https://teamgage.com), [Roadmunk](../saas-apps/roadmunk-tutorial.md), [Sunrise Software Relations CRM](https://cloud.relations-crm.com/), [Procaire](../saas-apps/procaire-tutorial.md), [Mentor&reg; by eDriving: Business](https://www.edriving.com/), [Gradle Enterprise](https://gradle.com/)

+- Integrate with Azure AD B2C user flows and custom policies. Conditions can be triggered from built-in user flows in Azure AD B2C or can be incorporated into B2C custom policies. As with other aspects of the B2C user flow, end user experience messaging can be customized. Customization is according to the organization's voice, brand, and mitigation alternatives.

+We're updating the Identity Secure Score portal to align with the changes introduced in Microsoft Secure Score's [new release](/microsoft-365/security/mtp/microsoft-secure-score-whats-new).

+- "Identity Secure Score" renamed to "Secure Score for Identity" for brand alignment with Microsoft Secure Score

+Azure AD My sign-ins is a new feature that allows enterprise users to review their sign-in history to check for any unusual activity. Additionally, this feature allows end users to report "This wasn't me" or "This was me" on suspicious activities. To learn more about using this feature, see [View and search your recent sign-in activity from the My sign-ins page](https://support.microsoft.com/account-billing/view-and-search-your-work-or-school-account-sign-in-activity-from-my-sign-ins-9e7d108c-8e3f-42aa-ac3a-bca892898972#confirm-unusual-activity).

+[Appreiz](https://microsoftteams.appreiz.com/), [Inextor Vault](https://inexto.com/inexto-suite/inextor), [Beekast](https://my.beekast.com/), [Templafy OpenID Connect](https://app.templafy.com/), [PeterConnects receptionist](https://msteams.peterconnects.com/), [AlohaCloud](https://www.alohacloud.com/), Control Tower, [Cocoom](https://start.cocoom.com/), [COINS Construction Cloud](https://sso.coinsconstructioncloud.com/#login/), [Medxnote MT](https://task.teamsmain.medx.im/authorization), [Reflekt](https://reflekt.konsolute.com/login), [Rever](https://app.reverscore.net/access), [MyCompanyArchive](https://login.mycompanyarchive.com/), [GReminders](https://app.greminders.com/o365-oauth), [Titanfile](../saas-apps/titanfile-tutorial.md), [Wootric](../saas-apps/wootric-tutorial.md), [SolarWinds Orion](https://support.solarwinds.com/SuccessCenter/s/orion-platform?language=en_US), [OpenText Directory Services](../saas-apps/opentext-directory-services-tutorial.md), [Datasite](../saas-apps/datasite-tutorial.md), [BlogIn](../saas-apps/blogin-tutorial.md), [IntSights](../saas-apps/intsights-tutorial.md), [kpifire](../saas-apps/kpifire-tutorial.md), [Textline](../saas-apps/textline-tutorial.md), [Cloud Academy - SSO](../saas-apps/cloud-academy-sso-tutorial.md), [Community Spark](../saas-apps/community-spark-tutorial.md), [Chatwork](../saas-apps/chatwork-tutorial.md), [CloudSign](../saas-apps/cloudsign-tutorial.md), [C3M Cloud Control](../saas-apps/c3m-cloud-control-tutorial.md), [SmartHR](https://smarthr.jp/), [NumlyEngage&trade;](../saas-apps/numlyengage-tutorial.md), [Michigan Data Hub Single Sign-On](../saas-apps/michigan-data-hub-single-sign-on-tutorial.md), [Egress](../saas-apps/egress-tutorial.md), [SendSafely](../saas-apps/sendsafely-tutorial.md), [Eletive](https://app.eletive.com/), [Right-Hand Cybersecurity ADI](https://right-hand.ai/), [Fyde Enterprise Authentication](https://enterprise.fyde.com/), [Verme](../saas-apps/verme-tutorial.md), [Lenses.io](../saas-apps/lensesio-tutorial.md), [Momenta](../saas-apps/momenta-tutorial.md), [Uprise](https://app.uprise.co/sign-in), [Q](https://q.moduleq.com/login), [CloudCords](../saas-apps/cloudcords-tutorial.md), [TellMe Bot](https://tellme365liteweb.azurewebsites.net/), [Inspire](https://app.inspiresoftware.com/), [Maverics Identity Orchestrator SAML Connector](https://www.strata.io/identity-fabric/), [Smartschool (School Management System)](https://smartschoolz.com/login), [Zepto - Intelligent timekeeping](https://user.zepto-ai.com/signin), [Studi.ly](https://studi.ly/), [Trackplan](http://www.trackplanfm.com/), [Skedda](../saas-apps/skedda-tutorial.md), [WhosOnLocation](../saas-apps/whos-on-location-tutorial.md), [Coggle](../saas-apps/coggle-tutorial.md), [Kemp LoadMaster](https://kemptechnologies.com/cloud-load-balancer/), [BrowserStack Single Sign-on](../saas-apps/browserstack-single-sign-on-tutorial.md)

+[Report-only mode for Azure AD Conditional Access](../conditional-access/concept-conditional-access-report-only.md) lets you evaluate the result of a policy without enforcing access controls. You can test report-only policies across your organization and understand their impact before enabling them, making deployment safer and easier. Over the past few months, we've seen strong adoption of report-only modeΓÇöover 26M users are already in scope of a report-only policy. With the announcement today, new Azure AD Conditional Access policies will be created in report-only mode by default. This means you can monitor the impact of your policies from the moment they're created. And for those of you who use the MS Graph APIs, you can [manage report-only policies programmatically](/graph/api/resources/conditionalaccesspolicy) as well.

+The [insights and reporting workbook](../conditional-access/howto-conditional-access-insights-reporting.md) gives admins a summary view of Azure AD Conditional Access in their tenant. With the capability to select an individual policy, admins can better understand what each policy does and monitor any changes in real time. The workbook streams data stored in Azure Monitor, which you can set up in a few minutes [following these instructions](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md). To make the dashboard more discoverable, we've moved it to the new insights and reporting tab within the Azure AD Conditional Access menu.

+Office is launching a series of mobile-first business apps that cater to non-traditional organizations, and to employees in large organizations that don't use email as their primary communication method. These apps target frontline employees, deskless workers, field agents, or retail employees that may not get an email address from their employer, have access to a computer, or to IT. This project will let these employees sign in to business applications by entering a phone number and roundtripping a code. For more details, please see our [admin documentation](../authentication/howto-authentication-sms-signin.md) and [end user documentation](https://support.microsoft.com/account-billing/set-up-sms-sign-in-as-a-phone-verification-method-0aa5b3b3-a716-4ff2-b0d6-31d2bcfbac42).

+[Report-only mode for Azure AD Conditional Access](../conditional-access/concept-conditional-access-report-only.md) lets you evaluate the result of a policy without enforcing access controls. You can test report-only policies across your organization and understand their impact before enabling them, making deployment safer and easier. Over the past few months, we've seen strong adoption of report-only mode, with over 26M users already in scope of a report-only policy. With this announcement, new Azure AD Conditional Access policies will be created in report-only mode by default. This means you can monitor the impact of your policies from the moment they're created. And for those of you who use the MS Graph APIs, you can also [manage report-only policies programmatically](/graph/api/resources/conditionalaccesspolicy).

+The Conditional Access [insights and reporting workbook](../conditional-access/howto-conditional-access-insights-reporting.md) gives admins a summary view of Azure AD Conditional Access in their tenant. With the capability to select an individual policy, admins can better understand what each policy does and monitor any changes in real time. The workbook streams data stored in Azure Monitor, which you can set up in a few minutes [following these instructions](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md). To make the dashboard more discoverable, we've moved it to the new insights and reporting tab within the Azure AD Conditional Access menu.

+These APIs are a key tool for managing your users' authentication methods. Now you can programmatically pre-register and manage the authenticators used for multifactor authentication (MFA) and self-service password reset (SSPR). This has been one of the most-requested features in the Azure AD Multi-Factor Authentication (MFA), SSPR, and Microsoft Graph spaces. The new APIs we've released in this wave give you the ability to:

+- Read, add, update, and remove a user's authentication phones

+- Reset a user's password

+My Staff enables Firstline Managers, such as a store manager, to ensure that their staff members are able to access their Azure AD accounts. Instead of relying on a central helpdesk, organizations can delegate common tasks, such as resetting passwords or changing phone numbers, to a Firstline Manager. With My Staff, a user who can't access their account can re-gain access in just a couple of selections, with no helpdesk or IT staff required. For more information, see the [Manage your users with My Staff (preview)](../roles/my-staff-configure.md) and [Delegate user management with My Staff (preview)](https://support.microsoft.com/account-billing/manage-front-line-users-with-my-staff-c65b9673-7e1c-4ad6-812b-1a31ce4460bd).

+We're excited to share that we've now rolled out the refreshed [Azure AD Identity Protection](../identity-protection/overview-identity-protection.md) experience in the [Microsoft Azure Government portal](https://portal.azure.us/). For more information, see our [announcement blog post](https://techcommunity.microsoft.com/t5/public-sector-blog/identity-protection-refresh-in-microsoft-azure-government/ba-p/1223667).

+

+>[Azure Key Vault](../../key-vault/general/overview.md)

+ Title: 'Tutorial: Azure AD SSO integration with SonarQube'

+description: Learn how to configure single sign-on between Azure Active Directory and SonarQube.

+# Tutorial: Azure AD SSO integration with SonarQube

+In this tutorial, you'll learn how to integrate SonarQube with Azure Active Directory (Azure AD). When you integrate SonarQube with Azure AD, you can:

+* Control in Azure AD who has access to SonarQube.

+* Enable your users to be automatically signed-in to SonarQube with their Azure AD accounts.

+* SonarQube single sign-on (SSO) enabled subscription.

+> [!NOTE]

+> Help on installing SonarQube can be found in the [online documentation](https://docs.sonarqube.org/latest/setup/install-server/).

+* SonarQube supports **SP** initiated SSO.

+## Add SonarQube from the gallery

+To configure the integration of SonarQube into Azure AD, you need to add SonarQube from the gallery to your list of managed SaaS apps.

+1. In the **Add from the gallery** section, type **SonarQube** in the search box.

+1. Select **SonarQube** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

+## Configure and test Azure AD SSO for SonarQube

+Configure and test Azure AD SSO with SonarQube using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in SonarQube.

+To configure and test Azure AD SSO with SonarQube, perform the following steps:

+1. **[Configure SonarQube SSO](#configure-sonarqube-sso)** - to configure the single sign-on settings on application side.

+ 1. **[Create SonarQube test user](#create-sonarqube-test-user)** - to have a counterpart of B.Simon in SonarQube that is linked to the Azure AD representation of user.

+1. In the Azure portal, on the **SonarQube** application integration page, find the **Manage** section and select **single sign-on**.

+1. On the **Set up SonarQube** section, copy the appropriate URL(s) based on your requirement.

+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to SonarQube.

+1. In the applications list, select **SonarQube**.

+## Configure SonarQube SSO

+1. Open a new web browser window and sign into your SonarQube company site as an administrator.

+### Create SonarQube test user

+In this section, you create a user called B.Simon in SonarQube. Work with [SonarQube Client support team](https://sonarsource.com/company/contact/) to add the users in the SonarQube platform. Users must be created and activated before you use single sign-on.

+* Click on **Test this application** in Azure portal. This will redirect to SonarQube Sign-on URL where you can initiate the login flow.

+* Go to SonarQube Sign-on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the SonarQube tile in the My Apps, this will redirect to SonarQube Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

+* Once you configure SonarQube, you can enforce session controls, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session controls extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

+> Clusters with Linux node pools created on Kubernetes v1.19 or greater default to `containerd` for its container runtime. Clusters with node pools on a earlier supported Kubernetes versions receive Docker for their container runtime. Linux node pools will be updated to `containerd` once the node pool Kubernetes version is updated to a version that supports `containerd`.

+> Using `containerd` with Windows Server 2019 node pools is generally available, and will be the only container runtime option in Kubernetes 1.21 and greater. You can still use Docker node pools and clusters on versions below 1.23, but Docker is no longer supported as of September 2022. For more details, see [Add a Windows Server node pool with `containerd`][aks-add-np-containerd].

+[aks-add-np-containerd]: ./learn/quick-windows-container-deploy-cli.md#add-a-windows-server-node-pool-with-containerd

+Add-ons are a fully supported way to provide extra capabilities for your AKS cluster. Add-ons' installation, configuration, and lifecycle is managed by AKS. Use `az aks addon` to install an add-on or manage the add-ons for your cluster.

+## GitHub Actions

+GitHub Actions helps you automate your software development workflows from within GitHub. For more details on using GitHub Actions with Azure, see [What is GitHub Actions for Azures][github-actions]. For an example of using GitHub Actions with an AKS cluster, see [Build, test, and deploy containers to Azure Kubernetes Service using GitHub Actions][github-actions-aks].

+[release-tracker]: release-tracker.md

+[github-actions]: /azure/developer/github/github-actions

+[azure/aks-set-context]: https://github.com/Azure/aks-set-context

+[azure/k8s-set-context]: https://github.com/Azure/k8s-set-context

+[azure/k8s-bake]: https://github.com/Azure/k8s-bake

+[azure/k8s-create-secret]: https://github.com/Azure/k8s-create-secret

+[azure/k8s-deploy]: https://github.com/Azure/k8s-deploy

+[azure/k8s-lint]: https://github.com/Azure/k8s-lint

+[azure/setup-helm]: https://github.com/Azure/setup-helm

+[azure/setup-kubectl]: https://github.com/Azure/setup-kubectl

+[azure/k8s-artifact-substitute]: https://github.com/Azure/k8s-artifact-substitute

+[azure/aks-create-action]: https://github.com/Azure/aks-create-action

+[azure/aks-github-runner]: https://github.com/Azure/aks-github-runner

+[github-actions-aks]: kubernetes-action.md

+[GitHub Actions](https://docs.github.com/en/actions) gives you the flexibility to build an automated software development lifecycle workflow. You can use multiple Kubernetes actions to deploy to containers from Azure Container Registry to Azure Kubernetes Service with GitHub Actions.

+## Prerequisites

+- A GitHub account. If you don't have one, sign up for [free](https://github.com/join).

+- An existing AKS cluster with an attached Azure Container Registry (ACR).

+## Configure integration between Azure and your GitHub repository

+When using GitHub Actions, you need to configure the integration between Azure and your GitHub repository. For more details on connecting your GitHub repository to Azure, see [Use GitHub Actions to connect to Azure][connect-gh-azure].

+## Available actions

+GitHub Actions helps you automate your software development workflows from within GitHub. For more details on using GitHub Actions with Azure, see [What is GitHub Actions for Azures][github-actions].

+The below table shows the available GitHub Actions that integrate specifically with AKS.

+| Name | Description | More details |

+||||

+|`azure/aks-set-context`|Set the target AKS cluster context which will be used by other actions or run any kubectl commands.|[azure/aks-set-context][azure/aks-set-context]|

+|`azure/k8s-set-context`|Set the target Kubernetes cluster context which will be used by other actions or run any kubectl commands.|[azure/k8s-set-context][azure/k8s-set-context]|

+|`azure/k8s-bake`|Bake manifest file to be used for deployments using Helm, kustomize or kompose.|[azure/k8s-bake][azure/k8s-bake]|

+|`azure/k8s-create-secret`|Create a generic secret or docker-registry secret in the Kubernetes cluster.|[azure/k8s-create-secret][azure/k8s-create-secret]|

+|`azure/k8s-deploy`|Deploy manifests to Kubernetes clusters.|[azure/k8s-deploy][azure/k8s-deploy]|

+|`azure/k8s-lint`|Validate/lint your manifest files.|[azure/k8s-lint][azure/k8s-lint]|

+|`azure/setup-helm`|Install a specific version of Helm binary on the runner.|[azure/setup-helm][azure/setup-helm]|

+|`azure/setup-kubectl`|Installs a specific version of kubectl on the runner.|[azure/setup-kubectl][azure/setup-kubectl]|

+|`azure/k8s-artifact-substitute`|Update the tag or digest for container images.|[azure/k8s-artifact-substitute][azure/k8s-artifact-substitute]|

+|`azure/aks-create-action`|Create an AKS cluster using Terraform.|[azure/aks-create-action][azure/aks-create-action]|

+|`azure/aks-github-runner`|Set up self-hosted agents for GitHub Actions.|[azure/aks-github-runner][azure/aks-github-runner]|

+In addition, the example in the next section uses the [azure/acr-build][azure/acr-build] action.

+## Example of using GitHub Actions with AKS

+As an example, you can use GitHub Actions to deploy an application to your AKS cluster every time a change is pushed to your GitHub repository. This example uses the [Azure Vote][gh-azure-vote] application.

+> [!NOTE]

+> This example uses a service principal for authentication with your ACR and AKS cluster. Alternatively, you can configure Open ID Connect (OIDC) and update the `azure/login` action to use OIDC. For more details, see [Set up Azure Login with OpenID Connect authentication][oidc-auth].

+### Fork and update the repository

+Navigate to the [Azure Vote][gh-azure-vote] repository and click the **Fork** button.

+Once the repository is forked, update `azure-vote-all-in-one-redis.yaml` to use your ACR for the `azure-vote-front` image

+```yaml

+...

+ containers:

+ - name: azure-vote-front

+ image: <registryName>.azurecr.io/azuredocs/azure-vote-front:v1

+...

+```

+> [!IMPORTANT]

+> The update to `azure-vote-all-in-one-redis.yaml` must be committed to your repository before you can complete the later steps.

+### Create secrets

+Create a service principal to access your resource group with the `Contributor` role using the following command, replacing:

+- `<SUBSCRIPTION_ID>` with the subscription ID of your Azure account

+- `<RESOURCE_GROUP>` with the name of the resource group where your ACR is located

+```azurecli-interactive

+az ad sp create-for-rbac \

+ --name "ghActionAzureVote" \

+ --scope /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP> \

+ --role Contributor \

+ --sdk-auth

+```

+The following shows an example output from the above command.

+```output

+{

+ "clientId": <clientId>,

+ "clientSecret": <clientSecret>,

+ "subscriptionId": <subscriptionId>,

+ "tenantId": <tenantId>,

+ ...

+}

+In your GitHub repository, create the below secrets for your action to use. To create a secret:

+1. Navigate to the repository's settings, and click *Secrets* then *Actions*.

+1. For each secret, click *New Repository Secret* and enter the name and value of the secret.

+For more details on creating secrets, see [Encrypted Secrets][github-actions-secrets].

+|Secret name |Secret value |

+|AZURE_CREDENTIALS|The entire JSON output from the `az ad sp create-for-rbac` command|

+|service_principal | The value of `<clientId>`|

+|service_principal_password| The value of `<clientSecret>`|

+|subscription| The value of `<subscriptionId>`|

+|tenant|The value of `<tenantId>`|

+|registry|The name of your registry|

+|repository|azuredocs|

+|resource_group|The name of your resource group|

+|cluster_name|The name of your cluster|

+### Create actions file

+Create a `.github/workflows/main.yml` in your repository with the following contents:

+name: build_deploy_aks

+on:

+ push:

+ paths:

+ - "azure-vote/**"

+ - name: Checkout source code

+ uses: actions/checkout@v3

+ - name: ACR build

+ id: build-push-acr

+ uses: azure/acr-build@v1

+ with:

+ service_principal: ${{ secrets.service_principal }}

+ service_principal_password: ${{ secrets.service_principal_password }}

+ tenant: ${{ secrets.tenant }}

+ registry: ${{ secrets.registry }}

+ repository: ${{ secrets.repository }}

+ image: azure-vote-front

+ folder: azure-vote

+ branch: master

+ tag: ${{ github.sha }}

+ - name: Azure login

+ id: login

+ uses: azure/login@v1.4.3

+ with:

+ creds: ${{ secrets.AZURE_CREDENTIALS }}

+ - name: Set AKS context

+ id: set-context

+ uses: azure/aks-set-context@v3

+ with:

+ resource-group: '${{ secrets.resource_group }}'

+ cluster-name: '${{ secrets.cluster_name }}'

+ - name: Setup kubectl

+ id: install-kubectl

+ uses: azure/setup-kubectl@v3

+ - name: Deploy to AKS

+ id: deploy-aks

+ uses: Azure/k8s-deploy@v4

+ with:

+ namespace: 'default'

+ manifests: |

+ azure-vote-all-in-one-redis.yaml

+ images: '${{ secrets.registry }}.azurecr.io/${{ secrets.repository }}/azure-vote-front:${{ github.sha }}'

+ pull: false

+> [!IMPORTANT]

+> The `.github/workflows/main.yml` file must be committed to your repository before you can run the action.

+The `on` section contains the event that triggers the action. In the above file, the action is triggered when a change is pushed to the `azure-vote` directory.

+In the above file, the `steps` section contains each distinct action, which is executed in order:

+1. *Checkout source code* uses the [GitHub Actions Checkout Action][actions/checkout] to clone the repository.

+1. *ACR build* uses the [Azure Container Registry Build Action][azure/acr-build] to build the image and upload it to your registry.

+1. *Azure login* uses the [Azure Login Action][azure/login] to sign in to your Azure account.

+1. *Set AKS context* uses the [Azure AKS Set Context Action][azure/aks-set-context] to set the context for your AKS cluster.

+1. *Setup kubectl* uses the [Azure AKS Setup Kubectl Action][azure/setup-kubectl] to install kubectl on your runner.

+1. *Deploy to AKS* uses the [Azure Kubernetes Deploy Action][azure/k8s-deploy] to deploy the application to your Kuberentes cluster.

+Confirm that the action is working by updating `azure-vote/azure-vote/config_file.cfg` to the following and pushing the changes to your repository:

+```output

+# UI Configurations

+TITLE = 'Azure Voting App'

+VOTE1VALUE = 'Fish'

+VOTE2VALUE = 'Dogs'

+SHOWHOST = 'false'

+```

+In your repository, click on *Actions* and confirm a workflow is running. Once complete, confirm the workflow has a green checkmark and the updated application is deployed to your cluster.

+Review the following starter workflows for AKS. For more details on using starter workflows, see [Using starter workflows][use-starter-workflows].

+- [Azure Kubernetes Service (Basic)][aks-swf-basic]

+- [Azure Kubernetes Service Helm][aks-swf-helm]

+- [Azure Kubernetes Service Kustomize][aks-swf-kustomize]

+- [Azure Kubernetes Service Kompose][aks-swf-kompose]

+> [!div class="nextstepaction"]

+> [Learn about Azure Kubernetes Service](/azure/architecture/reference-architectures/containers/aks-start-here)

+[oidc-auth]: /azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux#use-the-azure-login-action-with-openid-connect

+[aks-swf-basic]: https://github.com/actions/starter-workflows/blob/main/deployments/azure-kubernetes-service.yml

+[aks-swf-helm]: https://github.com/actions/starter-workflows/blob/main/deployments/azure-kubernetes-service-helm.yml

+[aks-swf-kustomize]: https://github.com/actions/starter-workflows/blob/main/deployments/azure-kubernetes-service-kustomize.yml

+[aks-swf-kompose]: https://github.com/actions/starter-workflows/blob/main/deployments/azure-kubernetes-service-kompose.yml

+[use-starter-workflows]: https://docs.github.com/actions/using-workflows/using-starter-workflows#using-starter-workflows

+[github-actions]: /azure/developer/github/github-actions

+[github-actions-secrets]: https://docs.github.com/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-a-repository

+[azure/aks-set-context]: https://github.com/Azure/aks-set-context

+[azure/k8s-set-context]: https://github.com/Azure/k8s-set-context

+[azure/k8s-bake]: https://github.com/Azure/k8s-bake

+[azure/k8s-create-secret]: https://github.com/Azure/k8s-create-secret

+[azure/k8s-deploy]: https://github.com/Azure/k8s-deploy

+[azure/k8s-lint]: https://github.com/Azure/k8s-lint

+[azure/setup-helm]: https://github.com/Azure/setup-helm

+[azure/setup-kubectl]: https://github.com/Azure/setup-kubectl

+[azure/k8s-artifact-substitute]: https://github.com/Azure/k8s-artifact-substitute

+[azure/aks-create-action]: https://github.com/Azure/aks-create-action

+[azure/aks-github-runner]: https://github.com/Azure/aks-github-runner

+[azure/acr-build]: https://github.com/Azure/acr-build

+[azure/login]: https://github.com/Azure/login

+[connect-gh-azure]: /azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux

+[gh-azure-vote]: https://github.com/Azure-Samples/azure-voting-app-redis

+[actions/checkout]: https://github.com/actions/checkout

+> * This article has been updated with steps to configure an Azure AD B2C app using the Microsoft Authentication Library ([MSAL](../active-directory/develop/msal-overview.md)).

+ url="${connURL}"

+ username="${dbuser}"

+ password="${dbpassword}"

+- Request and Response Buffers can only be disabled for the WAF v2 SKU if request body checking is disabled. Otherwise, Request and Response Buffers cannot be disabled for the WAF v2 SKU.

+ - East Asia

+> [Manage disaster recovery](../app-service/manage-disaster-recovery.md)

+In this article, you'll learn how to disable public access for your Azure App Configuration store. Setting up private access can offer better security for your configuration store.

+> [Use private endpoints for Azure App Configuration](./concept-private-endpoint.md)

+> [!div class="nextstepaction"]

+> [Set up private access to an Azure App Configuration store](howto-set-up-private-access.md)

+ Title: How to set up private access to an Azure App Configuration store

+description: How to set up private access to an Azure App Configuration store in the Azure portal and in the CLI.

+# Set up private access in Azure App Configuration

+In this article, you'll learn how to set up private access for your Azure App Configuration store, by creating a [private endpoint](/azure/private-link/private-endpoint-overview) with Azure Private Link. Private endpoints allow access to your App Configuration store using a private IP address from a virtual network.

+## Prerequisites

+* An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/dotnet).

+* We assume you already have an App Configuration store. If you want to create one, go to [create an App Configuration store](quickstart-aspnet-core-app.md).

+## Sign in to Azure

+You'll need to sign in to Azure first to access the App Configuration service.

+### [Portal](#tab/azure-portal)

+Sign in to the Azure portal at [https://portal.azure.com/](https://portal.azure.com/) with your Azure account.

+### [Azure CLI](#tab/azure-cli)

+Sign in to Azure using the `az login` command in the [Azure CLI](/cli/azure/install-azure-cli).

+```azurecli-interactive

+az login

+```

+This command will prompt your web browser to launch and load an Azure sign-in page. If the browser fails to open, use device code flow with `az login --use-device-code`. For more sign-in options, go to [sign in with the Azure CLI](/cli/azure/authenticate-azure-cli).

+## Create a private endpoint

+### [Portal](#tab/azure-portal)

+1. In your App Configuration store, under **Settings**, select **Networking**.

+1. Select the **Private Access** tab and then **Create** to start setting up a new private endpoint.

+ :::image type="content" source="./media/private-endpoint/create-private-endpoint.png" alt-text="Screenshot of the Azure portal, select create a private endpoint.":::

+1. Fill out the form with the following information:

+ | Parameter | Description | Example |

+ ||--|-|

+ | Subscription | Select an Azure subscription. Your private endpoint must be in the same subscription as your virtual network. You'll select a virtual network later in this how-to guide. | *MyAzureSubscription* |

+ | Resource group | Select a resource group or create a new one. | *MyResourceGroup* |

+ | Name | Enter a name for the new private endpoint for your App Configuration store. | *MyPrivateEndpoint* |

+ | Network Interface Name | This field is completed automatically. Optionally edit the name of the network interface. | *MyPrivateEndpoint-nic* |

+ | Region | Select a region. Your private endpoint must be in the same region as your virtual network. | *Central US* |

+ :::image type="content" source="./media/private-endpoint/basics.png" alt-text="Screenshot of the Azure portal, create a private endpoint, basics tab.":::

+1. Select **Next : Resource >**. Private Link offers options to create private endpoints for different types of Azure resources, such as SQL servers, Azure storage accounts or App Configuration stores. The current App Configuration store is automatically filled in the **Resource** field as that is the resource the private endpoint is connecting to.

+ 1. The resource type **Microsoft.AppConfiguration/configurationStores** and the target subresource **configurationStores** indicate that you're creating an endpoint for an App Configuration store.

+ 1. The name of your configuration store is listed under **Resource**.

+ :::image type="content" source="./media/private-endpoint/resource.png" alt-text="Screenshot of the Azure portal, create a private endpoint, resource tab.":::

+1. Select **Next : Virtual Network >**.

+ 1. Select an existing **Virtual network** to deploy the private endpoint to. If you don't have a virtual network, [create a virtual network](../private-link/create-private-endpoint-portal.md#create-a-virtual-network-and-bastion-host).

+ 1. Select a **Subnet** from the list.

+ 1. Leave the box **Enable network policies for all private endpoints in this subnet** checked.

+ 1. Under **Private IP configuration**, select the option to allocate IP addresses dynamically. For more information, refer to [Private IP addresses](/azure/virtual-network/ip-services/private-ip-addresses#allocation-method).

+ 1. Optionally, you can select or create an **Application security group**. Application security groups allow you to group virtual machines and define network security policies based on those groups.

+ :::image type="content" source="./media/private-endpoint/virtual-network.png" alt-text="Screenshot of the Azure portal, create a private endpoint, virtual network tab.":::

+1. Select **Next : DNS >** to configure a DNS record. If you don't want to make changes to the default settings, you can move forward to the next tab.

+ 1. For **Integrate with private DNS zone**, select **Yes** to integrate your private endpoint with a private DNS zone. You may also use your own DNS servers or create DNS records using the host files on your virtual machines.

+ 1. A subscription and resource group for your private DNS zone are preselected. You can change them optionally.

+ :::image type="content" source="./media/private-endpoint/dns.png" alt-text="Screenshot of the Azure portal, create a private endpoint, DNS tab.":::

+ To learn more about DNS configuration, go to [Name resolution for resources in Azure virtual networks](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server) and [DNS configuration for Private Endpoints](../private-link/private-endpoint-overview.md#dns-configuration).

+1. Select **Next : Tags >** and optionally create tags. Tags are name/value pairs that enable you to categorize resources and view consolidated billing by applying the same tag to multiple resources and resource groups.

+ :::image type="content" source="./media/private-endpoint/tags.png" alt-text="Screenshot of the Azure portal, create a private endpoint, tags tab.":::

+1. Select **Next : Review + create >** to review information about your App Configuration store, private endpoint, virtual network and DNS. You can also select **Download a template for automation** to reuse JSON data from this form later.

+ :::image type="content" source="./media/private-endpoint/review.png" alt-text="Screenshot of the Azure portal, create a private endpoint, review tab.":::

+1. Select **Create**.

+Once deployment is complete, you'll get a notification that your endpoint has been created. If it's auto-approved, you can start accessing your app configuration store privately, else you'll have to wait for approval.

+### [Azure CLI](#tab/azure-cli)

+1. To set up your private endpoint, you need a virtual network. If you don't have one yet, create a virtual network with [az network vnet create](/cli/azure/network/vnet#az-network-vnet-create). Replace the placeholder texts `<vnet-name>`, `<rg-name>`, and `<subnet-name>` with a name for your new virtual network, a resource group name, and a subnet name.

+ ```azurecli-interactive

+ az network vnet create --name <vnet-name> --resource-group <rg-name> --subnet-name <subnet-name> --location <vnet-location>

+ ```

+ > [!div class="mx-tdBreakAll"]

+ > | Placeholder | Description | Example |

+ > ||-|-|

+ > | `<vnet-name>` | Enter a name for your new virtual network. A virtual network enables Azure resources to communicate privately with each other, and with the internet. | `MyVNet` |

+ > | `<rg-name>` | Enter the name of an existing resource group for your virtual network. | `MyResourceGroup` |

+ > | `<subnet-name>` | Enter a name for your new subnet. A subnet is a network inside a network. This is where the private IP address is assigned. | `MySubnet` |

+ > | `<vnet-location>`| Enter an Azure region. Your virtual network must be in the same region as your private endpoint. | `centralus` |

+1. Run the command [az appconfig show](/cli/azure/appconfig/#az-appconfig-show) to retrieve the properties of the App Configuration store, for which you want to set up private access. Replace the placeholder `name` with the name or the App Configuration store.

+ ```azurecli-interactive

+ az appconfig show --name <name>

+ ```

+ This command generates an output with information about your App Configuration store. Note down the *id* value. For instance: */subscriptions/123/resourceGroups/MyResourceGroup/providers/Microsoft.AppConfiguration/configurationStores/MyAppConfigStore*.

+1. Run the command [az network private-endpoint create](/cli/azure/network/private-endpoint#az-network-private-endpoint-create) to create a private endpoint for your App Configuration store. Replace the placeholder texts `<resource-group>`, `<private-endpoint-name>`, `<vnet-name>`, `<private-connection-resource-id>`, `<connection-name>`, and `<location>` with your own information.

+ ```azurecli-interactive

+ az network private-endpoint create --resource-group <resource-group> --name <private-endpoint-name> --vnet-name <vnet-name> --subnet Default --private-connection-resource-id <private-connection-resource-id> --connection-name <connection-name> --location <location> --group-id configurationStores

+ ```

+ > [!div class="mx-tdBreakAll"]

+ > | Placeholder | Description | Example |

+ > ||-||

+ > | `<resource-group>` | Enter the name of an existing resource group for your private endpoint. | `MyResourceGroup` |

+ > | `<private-endpoint-name>` | Enter a name for your new private endpoint. | `MyPrivateEndpoint` |

+ > | `<vnet-name>` | Enter the name of an existing vnet. | `Myvnet` |

+ > | `<private-connection-resource-id>` | Enter your App Configuration store's private connection resource ID. This the ID you saved from the output of the previous step. | `/subscriptions/123/resourceGroups/MyResourceGroup/providers/Microsoft.AppConfiguration/configurationStores/MyAppConfigStore`|

+ > | `<connection-name>` | Enter a connection name. |`MyConnection` |

+ > | `<location>` | Enter an Azure region. Your private endpoint must be in the same region as your virtual network. |`centralus` |

+## Manage private link connection

+### [Portal](#tab/azure-portal)

+Go to **Networking** > **Private Access** in your App Configuration store to access the private endpoints linked to your App Configuration store.

+1. Check the connection state of your private link connection. When you create a private endpoint, the connection must be approved. If the resource for which you're creating a private endpoint is in your directory and you have [sufficient permissions](/azure/private-link/rbac-permissions), the connection request will be auto-approved. Otherwise, you must wait for the owner of that resource to approve your connection request. For more information about the connection approval models, go to [Manage Azure Private Endpoints](/azure/private-link/manage-private-endpoint#private-endpoint-connections).

+1. To manually approve, reject or remove a connection, select the checkbox next to the endpoint you want to edit and select an action item from the top menu.

+ :::image type="content" source="./media/private-endpoint/review-endpoints.png" alt-text="Screenshot of the Azure portal, review existing endpoints.":::

+1. Select the name of the private endpoint to open the private endpoint resource and access more information or to edit the private endpoint.

+### [Azure CLI](#tab/azure-cli)

+#### Review private endpoint connection details

+Run the [az network private-endpoint-connection list](/cli/azure/network/private-endpoint-connection#az-network-private-endpoint-connection-list) command to review all private endpoint connections linked to your App Configuration store and check their connection state. Replace the placeholder texts `resource-group` and `<app-config-store-name>` with the name of the resource group and the name of the store.

+```azurecli-interactive

+az network private-endpoint-connection list --resource-group <resource-group> --name <app-config-store-name> --type Microsoft.AppConfiguration/configurationStores

+```

+Optionally, to get the details of a specific private endpoint, use the [az network private-endpoint-connection show](/cli/azure/network/private-endpoint-connection#az-network-private-endpoint-connection-show) command. Replace the placeholder texts `resource-group` and `app-config-store-name` with the name of the resource group and the name of the store.

+```azurecli-interactive

+az network private-endpoint-connection show --resource-group <resource-group> --name <app-config-store-name> --type Microsoft.AppConfiguration/configurationStores

+```

+#### Get connection approval

+When you create a private endpoint, the connection must be approved. If the resource for which you're creating a private endpoint is in your directory and you have [sufficient permissions](/azure/private-link/rbac-permissions), the connection request will be auto-approved. Otherwise, you must wait for the owner of that resource to approve your connection request.

+To approve a private endpoint connection, use the [az network private-endpoint-connection approve](/cli/azure/network/private-endpoint-connection#az-network-private-endpoint-connection-approve) command. Replace the placeholder texts `resource-group`, `private-endpoint`, and `<app-config-store-name>` with the name of the resource group, the name of the private endpoint and the name of the store.

+```azurecli-interactive

+az network private-endpoint-connection approve --resource-group <resource-group> --name <private-endpoint> --type Microsoft.AppConfiguration/configurationStores --resource-name <app-config-store-name>

+```

+For more information about the connection approval models, go to [Manage Azure Private Endpoints](/azure/private-link/manage-private-endpoint#private-endpoint-connections).

+#### Delete a private endpoint connection

+To delete a private endpoint connection, use the [az network private-endpoint-connection delete](/cli/azure/network/private-endpoint-connection#az-network-private-endpoint-connection-delete) command. Replace the placeholder texts `resource-group` and `private-endpoint` with the name of the resource group and the name of the private endpoint.

+```azurecli-interactive

+az network private-endpoint-connection delete --resource-group <resource-group> --name <private-endpoint>

+```

+For more CLI commands, go to [az network private-endpoint-connection](/cli/azure/network/private-endpoint-connection#az-network-private-endpoint-connection)

+If you have issues with a private endpoint, check the following guide: [Troubleshoot Azure Private Endpoint connectivity problems](/azure/private-link/troubleshoot-private-endpoint-connectivity).

+## Next steps

+> [!div class="nextstepaction"]

+>[Use private endpoints for Azure App Configuration](concept-private-endpoint.md)

+> [!div class="nextstepaction"]

+>[Disable public access in Azure App Configuration](howto-disable-public-access.md)

+ "identity": {

+ "type": "SystemAssigned"

+ },

+ <add type = "Microsoft.Web.Redis.RedisSessionStateProvider"

+ <add type = "Microsoft.Web.Redis.RedisSessionStateProvider"

+ <add type = "Microsoft.Web.Redis.RedisSessionStateProvider"

+While it's tempting to use a wildcard that allows all sites to access your endpoint, this defeats the purpose of CORS, which is to help prevent cross-site scripting attacks. Instead, add a separate CORS entry for the domain of each web app that must access your endpoint.

+### Enable Auto-Update for the Linux Agent

+The **recommendation** is to enable automatic update of the agent by enabling the [Automatic Extension Upgrade](../../virtual-machines/automatic-extension-upgrade.md) feature, using the following PowerShell commands.

+# [Powershell](#tab/PowerShellLinux)

+```powershell

+Set-AzVMExtension \

+ -ResourceGroupName myResourceGroup \

+ -VMName myVM \

+ -ExtensionName OmsAgentForLinux \

+ -ExtensionType OmsAgentForLinux \

+ -Publisher Microsoft.EnterpriseCloud.Monitoring \

+ -TypeHandlerVersion latestVersion

+ -ProtectedSettingString '{"workspaceKey":"myWorkspaceKey"}' \

+ -SettingString '{"workspaceId":"myWorkspaceId","skipDockerProviderInstall": true}' \

+ -EnableAutomaticUpgrade $true

+```

+# [Azure CLI](#tab/CLILinux)

+```powershell

+az vm extension set \

+ --resource-group myResourceGroup \

+ --vm-name myVM \

+ --name OmsAgentForLinux \

+ --publisher Microsoft.EnterpriseCloud.Monitoring \

+ --protected-settings '{"workspaceKey":"myWorkspaceKey"}' \

+ --settings '{"workspaceId":"myWorkspaceId","skipDockerProviderInstall": true}' \

+ --version latestVersion \

+--enable-auto-upgrade true

+```

+ Title: Enable network isolation for the Azure Monitor agent

+# Enable network isolation for the Azure Monitor agent

+|ByteCount|No|Bytes|Bytes|Total|Total number of Bytes transmitted within time period|Protocol, Direction|

+|DatapathAvailability|No|Datapath Availability (Preview)|Count|PortalAverage|NAT Gateway Datapath Availability|No Dimensions|

+|PacketCount|No|Packets|Count|Total|Total number of Packets transmitted within time period|Protocol, Direction|

+|PacketDropCount|No|Dropped Packets|Count|Total|Count of dropped packets|No Dimensions|

+|SNATConnectionCount|No|SNAT Connection Count|Count|Total|Total concurrent active connections|Protocol, ConnectionState|

+|TotalConnectionCount|No|Total SNAT Connection Count|Count|Total|Total number of active SNAT connections|Protocol|

+A [portfolio of Azure Key Management products](../../key-vault/managed-hsm/mhsm-control-data.md#portfolio-of-azure-key-management-products) lists the vaults and managed HSMs that can be used.

+There are two permission models in Key Vault to grants permissions to your cluster and underlay storageΓÇöΓÇöVault access policy, and Azure role-based access control.

+| time-generated-field | The name of a field in the data that contains the timestamp of the data item. If you specify a field, its contents are used for **TimeGenerated**. If you don't specify this field, the default for **TimeGenerated** is the time that the message is ingested. The contents of the message field should follow the ISO 8601 format YYYY-MM-DDThh:mm:ssZ. Note: the Time Generated value cannot be older than 2 days before received time or the row will be dropped.|

+Refer to [Get started with Azure Application Consistent Snapshot tool](azacsnap-get-started.md)

+The **Network Features** functionality enables you to indicate whether you want to use VNet features for an Azure NetApp Files volume. With this functionality, you can set the option to ***Standard*** or ***Basic***. You can specify the setting when you create a new NFS, SMB, or dual-protocol volume. See [Guidelines for Azure NetApp Files network planning](azure-netapp-files-network-topologies.md) for details about network features.

+>[!IMPORTANT]

+>The **Network Features** functionality is currently in public preview. It is not available in Azure Government regions. See [supported regions](azure-netapp-files-network-topologies.md#supported-regions) for a full list.

+## Oracle dNFS

+### Are there any Oracle patches required with dNFS?

+Customers using Oracle 19c and higher must ensure they **are patched for Oracle bug 32931941**. Most of the patch bundles currently in use by Oracle customers do **\*not\*** include this patch. The patch has only been included in a subset of recent patch bundles.

+If a database is exposed to this bug, network interruptions are highly likely to result in fractured block corruption. Network interruptions include events such as storage endpoint relocation, volume relocation, and storage service maintenance events. The corruption may not necessarily be detected immediately.

+This is not a bug on ONTAP or the Azure NetApp Files service itself. It is the result of an Oracle dNFS bug. The response to an NFS IO during a certain networking interruption or reconfiguration events is mishandled. The database will erroneously write a block that was being updated as it was written. In some cases, the corrupted block will be silently corrected by a later overwrite of that same block. If not, it will eventually be detected by Oracle database processes. An error should be logged in the Alert logs, and the Oracle instance is likely to terminate. In addition, dbv and RMAN operations can detect the corruption.

+Oracle publishes [document 1495104.1](https://support.oracle.com/knowledge/Oracle%20Cloud/1495104_1.html), which is continually updated with recommended dNFS patches. If your database uses dNFS, ensure the DBA team is checking for updates in this document.

+### Are there any patches required for use of Oracle dNFS with NFSv4.1?

+If your databases are using Oracle dNFS with NFSv4.1, they **need to be patched for Oracle bugs 33132050 and 33676296**. You may have to request a backport for other versions of Oracle. For example, at the time of writing, these patches are available for 19.11, but not yet 19.3. If you cite these bug numbers in the support case, Oracle's support engineers will know what to do.

+This requirement applies to ONTAP-based systems and services in general, which includes both on-premises ONTAP and Azure NetApp Files.

+Examples of the potential problems if these patches are not applied:

+1. Database hangs on backend storage endpoint moves.

+1. Database hangs on Azure NetApp Files service maintenance events.

+1. Brief Oracle hangs during normal operation that may or may not be noticeable.

+1. Slow Oracle shutdowns: if you monitor the shutdown process, you'll see pauses that could add up to minutes of delays as dNFS I/O times out.

+1. Incorrect dNFS reply caching behavior on reads that will hang a database.

+The patches include a change in dNFS session management and NFS reply caching that resolves these problems.

+**If you cannot patch for these two bugs**, you _must not_ use dNFS with NFSv4.1. You can either disable dNFS or switch to NFSv3.

+### Can I use multipathing with Oracle dNFS and NFSv4.1?

+dNFS will not work with multiple paths when using NFSv4.1. If you need multiple paths, you will have to use NFSv3. dNFS requires cluster-wide `clientID` and `sessionID` trunking for NFSv4.1 to work with multiple paths, and this is not supported by Azure NetApp Files. The result when trying to use this is a hang during dNFS startup

+param time string = utcNow()

+ name: 'store${toLower(time)}'

+## Silencing false positives

+Sometimes a rule can have false positives. For example you may need to include a link to a blob storage directly without using the [environment()](./bicep-functions-deployment.md#environment) function.

+In this case you can disable the warning for one line only, not the entire document, by adding `#disable-next-line <rule name>` before the line with the warning.

+```bicep

+#disable-next-line no-hardcoded-env-urls //Direct download link to my toolset

+scriptDownloadUrl: 'https://mytools.blob.core.windows.net/...'

+```

+It is good practice to add a comment explaining why the rule does not apply to this line.

+For remaining configuration steps for JetStream DR, such as creating a failover runbook, invoking failover to the DR site, and invoking failback to the primary site, see the [JetStream Admin Guide documentation](https://www.jetstreamsoft.com/portal/jetstream-knowledge-base/disaster-recovery-with-azure-netapp-files-jetstream-dr-and-avs-azure-vmware-solution/)).

+| **OS versions** | SLES 12 with SP2, SP3, SP4 and SP5; SLES 15 with SP0, SP1, SP2 and SP3 <br><br> RHEL 7.4, 7.6, 7.7, 7.9, 8.1, 8.2, 8.4, and 8.6 | |

+* The **Standard SKU** enables premium features.

+The following table shows the availability of features per corresponding SKU.

+### Specify SKU

+| Method | SKU Value | Links |

+| Azure portal | Tier - Basic or Standard | [Tutorial](tutorial-create-host-portal.md) |

+| Azure portal | Tier - Basic| [Quickstart](quickstart-host-portal.md) |

+| Azure PowerShell | Basic |[How-to](bastion-create-host-powershell.md) |

+| Azure CLI | Basic| [How-to](create-host-cli.md) |

+| Azure portal |Tier | [How-to](upgrade-sku.md)|

+| Azure portal | Subnet |[Quickstart](quickstart-host-portal.md)<br>[Tutorial](tutorial-create-host-portal.md)|

+| Method | Value | Links | Requires Standard SKU|

+| | | | -- |

+| Azure portal | Public IP address |[Azure portal](https://portal.azure.com)| Yes |

+| Azure PowerShell | -PublicIpAddress| [cmdlet](/powershell/module/az.network/new-azbastion#parameters) | Yes |

+| Azure CLI | --public-ip create |[command](/cli/azure/network/public-ip) | Yes |

+| Method | Value | Links | Requires Standard SKU |

+| | | | |

+| Azure portal |Instance count | [How-to](configure-host-scaling.md)| Yes

+| Azure PowerShell | ScaleUnit | [How-to](configure-host-scaling-powershell.md) | Yes |

+You can specify the port that you want to use to connect to your VMs. By default, the inbound ports used to connect are 3389 for RDP and 22 for SSH. If you configure a custom port value, specify that value when you connect to the VM.

+Custom port values are supported for the Standard SKU only.

+1. Host scaling instance count requires Standard tier. On the **Configuration** page, for **Tier**, verify the tier is **Standard**. If the tier is Basic, select **Standard**. To configure scaling, adjust the instance count. Each instance is a scale unit.

+ :::image type="content" source="./media/configure-host-scaling/select-sku.png" alt-text="Screenshot of Select Tier and Instance count." lightbox="./media/configure-host-scaling/select-sku.png":::

+This article helps you upgrade from the Basic Tier (SKU) to Standard. Once you upgrade, you can't revert back to the Basic SKU without deleting and reconfiguring Bastion. Currently, this setting can be configured in the Azure portal only. For more information about features and SKUs, see [Configuration settings](configuration-settings.md).

+1. On the **Configuration** page, for **Tier**, select **Standard**.

+ :::image type="content" source="./media/upgrade-sku/select-sku.png" alt-text="Screenshot of tier select dropdown with Standard selected." lightbox="./media/upgrade-sku/select-sku.png":::

+1. You can add features at the same time you upgrade the SKU. You don't need to upgrade the SKU and then go back to add the features as a separate step.

+1. Click **Apply** to apply changes. The bastion host will update. This takes about 10 minutes to complete.

+* See [Configuration settings](configuration-settings.md) for more configuration information.

+| Rel 22-07 | [5015811] | Latest Cumulative Update(LCU) | [6.45] | Jul 12, 2022 |

+| Rel 22-07 | [5015827] | Latest Cumulative Update(LCU) | [7.13] | Jul 12, 2022 |

+| Rel 22-07 | [5015808] | Latest Cumulative Update(LCU) | [5.69] | Jul 12, 2022 |

+| Rel 22-07 | [5015805] | IE Cumulative Updates | [2.124], [3.111], [4.104] | Jul 12, 2022 |

+| Rel 22-07 | [5013641] | . NET Framework 3.5 and 4.7.2 Cumulative Update | [6.46] | May 10, 2022 |

+| Rel 22-07 | [5013630] | .NET Framework 4.8 Security and Quality Rollup | [7.14] | May 10, 2022 |

+| Rel 22-07 | [5016058] | Servicing Stack update | [5.70] | Jul 12, 2022 |

+| Rel 22-07 | [4494175] | Microcode | [5.70] | Sep 1, 2020 |

+| Rel 22-07 | [4494174] | Microcode | [6.46] | Sep 1, 2020 |

+| Rel 22-07 | [5013637] | .NET Framework 3.5 Security and Quality Rollup LKG  | [2.126] | Jun 14, 2022 |

+| Rel 22-07 | [5013644] | .NET Framework 4.6.2 Security and Quality Rollup LKG  | [2.126] | May 10, 2022 |

+| Rel 22-07 | [5013638] | .NET Framework 3.5 Security and Quality Rollup LKG 6B is a Non-Sec Release  | [4.106] | Jun 14, 2020 |

+| Rel 22-07 | [5013643] | .NET Framework 4.6.2 Security and Quality Rollup LKG 6B is a Non-Sec Release  | [4.106] | May 10, 2022 |

+| Rel 22-07 | [5013635] | .NET Framework 3.5 Security  and Quality Rollup LKG  | [3.113] | Jun 14, 2022 |

+| Rel 22-07 | [5013642] | .NET Framework 4.6.2 Security and Quality Rollup LKG  | [3.113] | May 10, 2022 |

+| Rel 22-07 | [5015861] | Monthly Rollup  | [2.126] | Jul 12, 2022 |

+| Rel 22-07 | [5015863] | Monthly Rollup  | [3.113] | Jul 12, 2022 |

+| Rel 22-07 | [5015874] | Monthly Rollup  | [4.106] | Jul 12, 2022 |

+| Rel 22-07 | [5016263] | Servicing Stack update  | [3.113] | Jul 12, 2022 |

+| Rel 22-07 | [5016264] | Servicing Stack update  | [4.106] | Jul 12, 2022 |

+| Rel 22-07 | [4578013] | OOB Standalone Security Update  | [4.106] | Aug 19, 2020 |

+| Rel 22-07 | [5016057] | Servicing Stack update  | [2.126] | Jul 12, 2022 |

+[2.126]: ./cloud-services-guestos-update-matrix.md#family-2-releases

+[3.113]: ./cloud-services-guestos-update-matrix.md#family-3-releases

+[4.106]: ./cloud-services-guestos-update-matrix.md#family-4-releases

+[5.70]: ./cloud-services-guestos-update-matrix.md#family-5-releases

+[6.46]: ./cloud-services-guestos-update-matrix.md#family-6-releases

+[7.14]: ./cloud-services-guestos-update-matrix.md#family-7-releases

+###### **August 3, 2022**

+The July Guest OS has released.

+| WA-GUEST-OS-7.14_202207-01 | August 3, 2022 | Post 7.16 |

+|~~WA-GUEST-OS-7.12_202205-01~~| May 26, 2022 | August 3, 2022 |

+| WA-GUEST-OS-6.46_202207-01 | August 3, 2022 | Post 6.48 |

+|~~WA-GUEST-OS-6.44_202205-01~~| May 26, 2022 | August 3, 2022 |

+| WA-GUEST-OS-5.70_202207-01 | August 3, 2022 | Post 5.72 |

+|~~WA-GUEST-OS-5.68_202205-01~~| May 26, 2022 | August 3, 2022 |

+| WA-GUEST-OS-4.106_202207-02 | August 3, 2022 | Post 4.108 |

+|~~WA-GUEST-OS-4.103_202205-01~~| May 26, 2022 | August 2, 2022 |

+| WA-GUEST-OS-3.113_202207-02 | August 3, 2022 | Post 3.115 |

+|~~WA-GUEST-OS-3.110_202205-01~~| May 26, 2022 | August 3, 2022 |

+| WA-GUEST-OS-2.126_202207-02 | August 3, 2022 | Post 2.128 |

+|~~WA-GUEST-OS-2.123_202205-01~~| May 26, 2022 | August 3, 2022 |

+<!-- markdownlint-disable MD024 -->

+<!-- markdownlint-disable MD036 -->

+<!-- checked -->

+> [!div class="nextstepaction"]

+> [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Csharp&Product=Translator&Page=quickstart-translator&Section=prerequisites)

+For more information on Translator authentication options, _see_ the [Translator v3 reference](./reference/v3-0-reference.md#authentication) guide.

+>

+> Remember to remove the key from your code when you're done, and never post it publicly. For production, use a secure way of storing and accessing your credentials like [Azure Key Vault](../../key-vault/general/overview.md). For more information, _see_ the Cognitive Services [security](../cognitive-services-security.md) article.

+### Set up your Visual Studio project

+<!-- checked -->

+> [!div class="nextstepaction"]

+> [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Csharp&Product=Translator&Page=quickstart-translator&Section=set-up-your-visual-studio-project)

+### Build your C# application

+> * For more information, _see_ [**New C# templates generate top-level statements**](/dotnet/core/tutorials/top-level-templates).

+<!-- checked -->

+> [!div class="nextstepaction"]

+> [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Csharp&Product=Translator&Page=quickstart-translator&Section=build-your-c#-application)

+**Translation output:**

+After a successful call, you should see the following response:

+```json

+[

+ {

+ "detectedLanguage": {

+ "language": "en",

+ "score": 1.0

+ },

+ "translations": [

+ {

+ "text": "J'aimerais vraiment conduire votre voiture autour du pâté de maisons plusieurs fois!",

+ "to": "fr"

+ },

+ {

+ "text": "Ngingathanda ngempela ukushayela imoto yakho endaweni evimbelayo izikhathi ezimbalwa!",

+ "to": "zu"

+ }

+ ]

+ }

+]

+```

+<!-- checked -->

+> [!div class="nextstepaction"]

+> [My REST API call was successful](#next-steps) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Csharp&Product=Translator&Page=quickstart-translator&Section=run-your-c#-application)

+<!-- checked -->

+> [!div class="nextstepaction"]

+> [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Go&Product=Translator&Page=quickstart-translator&Section=set-up-your-go-environment)

+### Build your Go application

+<!-- checked -->

+> [!div class="nextstepaction"]

+> [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Go&Product=Translator&Page=quickstart-translator&Section=build-your-go-application)

+**Translation output:**

+After a successful call, you should see the following response:

+```json

+[

+ {

+ "detectedLanguage": {

+ "language": "en",

+ "score": 1.0

+ },

+ "translations": [

+ {

+ "text": "J'aimerais vraiment conduire votre voiture autour du pâté de maisons plusieurs fois!",

+ "to": "fr"

+ },

+ {

+ "text": "Ngingathanda ngempela ukushayela imoto yakho endaweni evimbelayo izikhathi ezimbalwa!",

+ "to": "zu"

+ }

+ ]

+ }

+]

+```

+<!-- checked -->

+> [!div class="nextstepaction"]

+> [My REST API call was successful](#next-steps) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Go&Product=Translator&Page=quickstart-translator&Section=run-your-go-application)

+### [Java: Gradle](#tab/java)

+* You should have the latest version of [Visual Studio Code](https://code.visualstudio.com/) or your preferred IDE. _See_ [Java in Visual Studio Code](https://code.visualstudio.com/docs/languages/java).

+<!-- checked -->

+> [!div class="nextstepaction"]

+> [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Java&Product=Translator&Page=quickstart-translator&Section=set-up-your-java-environment)

+1. Run the `gradle init` command from the translator-text-app directory. This command will create essential build files for Gradle, including _build.gradle.kts_, which is used at runtime to create and configure your application.

+<!-- checked -->

+> [!div class="nextstepaction"]

+> [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Java&Product=Translator&Page=quickstart-translator&Section=create-a-gradle-project)

+### Create your Java Application

+<!-- checked -->

+> [!div class="nextstepaction"]

+> [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Java&Product=Translator&Page=quickstart-translator&Section=create-your-java-application)

+### Build and run your Java application

+**Translation output:**

+After a successful call, you should see the following response:

+```json

+[

+ {

+ "detectedLanguage": {

+ "language": "en",

+ "score": 1.0

+ },

+ "translations": [

+ {

+ "text": "J'aimerais vraiment conduire votre voiture autour du pâté de maisons plusieurs fois!",

+ "to": "fr"

+ },

+ {

+ "text": "Ngingathanda ngempela ukushayela imoto yakho endaweni evimbelayo izikhathi ezimbalwa!",

+ "to": "zu"

+ }

+ ]

+ }

+]

+```

+<!-- checked -->

+> [!div class="nextstepaction"]

+> [My REST API call was successful](#next-steps) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Java&Product=Translator&Page=quickstart-translator&Section=build-and-run-your-java-application)

+### [JavaScript: Node.js](#tab/nodejs)

+### Set up your Node.js Express project

+<!-- checked -->

+> [!div class="nextstepaction"]

+> [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Python&Product=Translator&Page=quickstart-translator&Section=set-up-your-nodejs-express-project)

+### Build your JavaScript application

+<!-- checked -->

+> [!div class="nextstepaction"]

+> [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Python&Product=Translator&Page=quickstart-translator&Section=build-your-javascript-application)

+### Run your JavaScript application

+**Translation output:**

+After a successful call, you should see the following response:

+```json

+[

+ {

+ "detectedLanguage": {

+ "language": "en",

+ "score": 1.0

+ },

+ "translations": [

+ {

+ "text": "J'aimerais vraiment conduire votre voiture autour du pâté de maisons plusieurs fois!",

+ "to": "fr"

+ },

+ {

+ "text": "Ngingathanda ngempela ukushayela imoto yakho endaweni evimbelayo izikhathi ezimbalwa!",

+ "to": "zu"

+ }

+ ]

+ }

+]

+```

+<!-- checked -->

+> [!div class="nextstepaction"]

+> [My REST API call was successful](#next-steps) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Java&Product=Translator&Page=quickstart-translator&Section=run-your-javascript-application)

+### Set up your Python project

+<!-- checked -->

+> [!div class="nextstepaction"]

+> [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Python&Product=Translator&Page=quickstart-translator&Section=set-up-your-python-project)

+### Build your Python application

+<!-- checked -->

+> [!div class="nextstepaction"]

+> [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Python&Product=Translator&Page=quickstart-translator&Section=build-your-python-application)

+### Run your Python application

+**Translation output:**

+After a successful call, you should see the following response:

+<!-- checked -->

+> [!div class="nextstepaction"]

+> [My REST API call was successful](#next-steps) [I ran into an issue](https://microsoft.qualtrics.com/jfe/form/SV_0Cl5zkG3CnDjq6O?PLanguage=Python&Product=Translator&Page=quickstart-translator&Section=run-your-python-application)

+## Next steps

+That's it, congratulations! You've learned to use the Translator service to translate text.

+* [**Dictionary lookup and alternate translations**](translator-text-apis.md#dictionary-examples-translations-in-context)

+Virtual networks (VNETs) are supported in [regions where Cognitive Services are available](https://azure.microsoft.com/global-infrastructure/services/). Cognitive Services supports service tags for network rules configuration. The services listed below are included in the **CognitiveServicesManagement** service tag.

+* Personal Identifiable information (PII)

+These entity categories include identifiable Azure information like authentication information and connection strings. Not returned as PHI.

+When you submit data to conversational PII, you can send one conversation (chat or spoken) per request.

+ |.NET | [1.0.0](https://www.nuget.org/packages/Azure.AI.Language.Conversations/1.0.0) |

+ |Python | [1.0.0](https://pypi.org/project/azure-ai-language-conversations/1.0.0) |

+ * [C#](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/cognitivelanguage/Azure.AI.Language.Conversations/samples/Sample8_AnalyzeConversation_ConversationPII_Transcript.md)

+ * [Python](https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/cognitivelanguage/azure-ai-language-conversations/samples/sample_conv_pii_transcript_input.py)

+ * [C#](/dotnet/api/azure.ai.language.conversations)

+ * [Python](/python/api/azure-ai-language-conversations/azure.ai.language.conversations.aio)

+The PII feature can evaluate unstructured text, extract and redact sensitive information (PII) and health information (PHI) in text across several [pre-defined categories](concepts/entity-categories.md).

+When you submit documents to be processed, you can specify which of [the supported languages](language-support.md) they're written in. if you don't specify a language, extraction will default to English. The API may return offsets in the response to support different [multilingual and emoji encodings](../concepts/multilingual-emoji-support.md).

+## Select which entities to be returned

+The API will attempt to detect the [defined entity categories](concepts/entity-categories.md) for a given document language. If you want to specify which entities will be detected and returned, use the optional `piiCategories` parameter with the appropriate entity categories. This parameter can also let you detect entities that aren't enabled by default for your document language. The following example would detect only `Person`. You can specify one or more [entity types](concepts/entity-categories.md) to be returned.

+**Input:**

+> [!NOTE]

+> In this example, it will return only **person** entity type:

+`https://<your-language-resource-endpoint>/language/:analyze-text?api-version=2022-05-01`

+```bash

+{

+    "kind": "PiiEntityRecognition",

+    "parameters": 

+    {

+        "modelVersion": "latest",

+ "piiCategories" :

+ [

+ "Person"

+ ]

+    },

+    "analysisInput":

+    {

+        "documents":

+        [

+            {

+                "id":"1",

+                "language": "en",

+                "text": "We went to Contoso foodplace located at downtown Seattle last week for a dinner party, and we adore the spot! They provide marvelous food and they have a great menu. The chief cook happens to be the owner (I think his name is John Doe) and he is super nice, coming out of the kitchen and greeted us all. We enjoyed very much dining in the place! The pasta I ordered was tender and juicy, and the place was impeccably clean. You can even pre-order from their online menu at www.contosofoodplace.com, call 112-555-0176 or send email to order@contosofoodplace.com! The only complaint I have is the food didn't come fast enough. Overall I highly recommend it!"

+            }

+        ]

+    }

+}

+```

+**Output:**

+```bash

+{

+ "kind": "PiiEntityRecognitionResults",

+ "results": {

+ "documents": [

+ {

+ "redactedText": "We went to Contoso foodplace located at downtown Seattle last week for a dinner party, and we adore the spot! They provide marvelous food and they have a great menu. The chief cook happens to be the owner (I think his name is ********) and he is super nice, coming out of the kitchen and greeted us all. We enjoyed very much dining in the place! The pasta I ordered was tender and juicy, and the place was impeccably clean. You can even pre-order from their online menu at www.contosofoodplace.com, call 112-555-0176 or send email to order@contosofoodplace.com! The only complaint I have is the food didn't come fast enough. Overall I highly recommend it!",

+ "id": "1",

+ "entities": [

+ {

+ "text": "John Doe",

+ "category": "Person",

+ "offset": 226,

+ "length": 8,

+ "confidenceScore": 0.98

+ }

+ ],

+ "warnings": []

+ }

+ ],

+ "errors": [],

+ "modelVersion": "2021-01-15"

+ }

+}

+```

+Use this article to learn which natural languages are supported by the PII and conversation PII (preview) features of Azure Cognitive Service for Language.

+| Language | Language code | Starting with model version | Notes |

+| Language | Language code | Starting with model version | Notes |

+PII detection is one of the features offered by [Azure Cognitive Service for Language](../overview.md), a collection of machine learning and AI algorithms in the cloud for developing intelligent applications that involve written language. The PII detection feature can **identify, categorize, and redact** sensitive information in unstructured text. For example: phone numbers, email addresses, and forms of identification. The method for utilizing PII in conversations is different than other use cases, and articles for this use have been separated.

+PII comes into two shapes:

+* [PII](how-to-call.md) - works on unstructured text.

+* [Conversation PII (preview)](how-to-call-for-conversations.md) - tailored model to work on conversation transcription.

+An AI system includes not only the technology, but also the people who will use it, the people who will be affected by it, and the environment in which it's deployed. Read the [transparency note for PII](/legal/cognitive-services/language-service/transparency-note-personally-identifiable-information?context=/azure/cognitive-services/language-service/context/context) to learn about responsible AI use and deployment in your systems. You can also see the following articles for more information:

+## Example scenarios

+* **Apply sensitivity labels** - For example, based on the results from the PII service, a public sensitivity label might be applied to documents where no PII entities are detected. For documents where US addresses and phone numbers are recognized, a confidential label might be applied. A highly confidential label might be used for documents where bank routing numbers are recognized.

+* **Redact some categories of personal information from documents that get wider circulation** - For example, if customer contact records are accessible to first line support representatives, the company may want to redact the customer's personal information besides their name from the version of the customer history to preserve the customer's privacy.

+* **Redact personal information in order to reduce unconscious bias** - For example, during a company's resume review process, they may want to block name, address and phone number to help reduce unconscious gender or other biases.

+* **Replace personal information in source data for machine learning to reduce unfairness** ΓÇô For example, if you want to remove names that might reveal gender when training a machine learning model, you could use the service to identify them and you could replace them with generic placeholders for model training.

+* **Remove personal information from call center transcription** ΓÇô For example, if you want to remove names or other PII data that happen between the agent and the customer in a call center scenario. You could use the service to identify and remove them.

+* **Data cleaning for data science** - PII can be used to make the data ready for data scientists and engineers to be able to use these data to train their machine learning models. Redacting the data to make sure that customer data isn't exposed.

+* [Language Studio](../language-studio.md), which is a web-based platform that enables you to try several Language service features without needing to write code.

+>**Prompt**:

+>**Completion**:

+Once you create an Azure OpenAI Resource, you must deploy a model before you can start making API calls and generating text. This action can be done using the Deployment APIs. These APIs allow you to specify the model you wish to use.

+The number of examples typically range from 0 to 100 depending on how many can fit in the maximum input length for a single prompt. Maximum input length can vary depending on the specific models you use. Few-shot learning enables a major reduction in the amount of task-specific data required for accurate predictions. This approach will typically perform less accurately than a fine-tuned model.

+ Title: Quickstart - Send chat message in Power Automate with Azure Communication Services

+description: In this quickstart, learn how to send a chat message in Azure Logic Apps workflows by using the Azure Communication Services Chat connector.

+# Quickstart: Send chat message in Power Automate with Azure Communication Services

+You can create automated workflows that can send chat messages using the Azure Communication Services Chat connector. This quickstart will show how to create a chat, add a participant, send a message and list messages into an existing workflow.

+## Prerequisites

+- An Azure account with an active subscription, or [create an Azure account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- An active Azure Communication Services resource, or [create a Communication Services resource](../create-communication-resource.md).

+- An active Logic Apps resource (logic app), or [create a blank logic app but with the trigger that you want to use](../../../logic-apps/quickstart-create-first-logic-app-workflow.md). Currently, the Azure Communication Services Chat connector provides only actions, so your logic app requires a trigger, at minimum.

+## Create user

+Add a new step in your workflow by using the Azure Communication Services Identity connector, follow these steps in Power Automate with your Power Automate flow open in edit mode.

+1. On the designer, under the step where you want to add the new action, select New step. Alternatively, to add the new action between steps, move your pointer over the arrow between those steps, select the plus sign (+), and select Add an action.

+1. In the Choose an operation search box, enter Communication Services Identity. From the actions list, select Create a user.

+ :::image type="content" source="./media/logic-app/azure-communications-services-connector-create-user.png" alt-text="Screenshot that shows the Azure Communication Services Identity connector Create user action.":::

+1. Provide the Connection String. This can be found in [Microsoft Azure](https://portal.azure.com/), within your Azure Communication Service Resource, on the Keys option from the left menu > Connection String

+ :::image type="content" source="./media/logic-app/azure-portal-connection-string.png" alt-text="Screenshot that shows the Keys page within an Azure Communication Services Resource." lightbox="./media/logic-app/azure-portal-connection-string.png":::

+1. Provide a Connection Name

+1. Click ΓÇ£Show advanced optionsΓÇ¥ and select the Token Scope the action will also output an access token and its expiration time with the specified scope.

+ This action will output a User ID, which is a Communication Services user identity.

+ Additionally, if you click ΓÇ£Show advanced optionsΓÇ¥ and select the Token Scope the action will also output an access token and its expiration time with the specified scope.

+ :::image type="content" source="./media/logic-app/azure-communications-services-connector-create-user-action.png" alt-text="Screenshot that shows the Azure Communication Services Identity connector Create user action options.":::

+1. Select ΓÇ£chatΓÇ¥

+ :::image type="content" source="./media/logic-app/azure-communications-services-connector-create-user-action-advanced.png" alt-text="Screenshot that shows the Azure Communication Services Chat connector advanced options.":::

+1. Click Create. This will output the User ID and an Access Token.

+## Create a chat thread

+1. Add a new action

+1. In the Choose an operation search box, enter Communication Services Chat. From the actions list, select Create chat thread.

+ :::image type="content" source="./media/logic-app/azure-communications-services-connector-create-chat-thread.png" alt-text="Screenshot that shows the Azure Communication Services Chat connector Create a chat thread action.":::

+

+1. Provide the Azure Communication Services endpoint URL. This can be found in [Microsoft Azure](https://portal.azure.com/), within your Azure Communication Service Resource, on the Keys option from the left menu > Endpoint.

+1. Provide a Connection Name

+1. Select the Access Token from the previous step, add a Chat thread topic description. Additionally, add the created user and add a Name for the participant.

+ :::image type="content" source="./media/logic-app/azure-communications-services-connector-create-chat-thread-input.png" alt-text="Screenshot that shows the Azure Communication Services Chat connector Create chat thread action input fields.":::

+

+## Send a message

+1. Add a new action

+1. In the Choose an operation search box, enter Communication Services Chat. From the actions list, select Send a Chat message to chat thread.

+ :::image type="content" source="./media/logic-app/azure-communications-services-connector-send-chat-message.png" alt-text="Screenshot that shows the Azure Communication Services Chat connector Send chat message action.":::

+

+1. Provide the Access Token, Thread ID, Content, and Name information as shown below.

+

+ :::image type="content" source="./media/logic-app/azure-communications-services-connector-send-chat-message-input.png" alt-text="Screenshot that shows the Azure Communication Services Chat connector Send chat message action input fields.":::

+## List chat thread messages

+To verify you have correctly sent a message, we will add one more action to list the chat thread messages.

+1. Add a new action

+1. In the Choose an operation search box, enter Communication Services Chat. From the actions list, select List chat thread messages.

+ :::image type="content" source="./media/logic-app/azure-communications-services-connector-list-chat-messages.png" alt-text="Screenshot that shows the Azure Communication Services Chat connector List chat messages action.":::

+

+1. Provide the Access token and Thread ID as follows

+

+ :::image type="content" source="./media/logic-app/azure-communications-services-connector-list-chat-messages-input.png" alt-text="Screenshot that shows the Azure Communication Services Chat connector Send chat message action input.":::

+## Test your logic app

+To manually start your workflow, on the designer toolbar, select **Run**. The workflow should create a user, issue an access token for that user, then remove it and delete the user. For more information, review [how to run your workflow](../../../logic-apps/quickstart-create-first-logic-app-workflow.md#run-workflow).

+Now click on the List chat thread messages and check the output, the message sent will be in the action outputs.

+## Clean up resources

+To remove a Communication Services subscription, delete the Communication Services resource or resource group. Deleting the resource group also deletes any other resources in that group. For more information, review [how to clean up Communication Services resources](../create-communication-resource.md#clean-up-resources).

+To clean up your logic app workflow and related resources, review [how to clean up Logic Apps resources](../../../logic-apps/quickstart-create-first-logic-app-workflow.md#clean-up-resources).

+## Next steps

+In this quickstart, you learned how to create a user, create a chat thread and send a message using the Azure Communication Services Identity and Azure Communication Services Chat connectors. To learn more check the [Azure Communication Services Chat Connector](/connectors/acschat/) documentation.

+To learn more about access tokens check [Create and Manage Azure Communication Services users and access tokens](../chat/logic-app.md).

+To learn more about how to send an email check [Send email message in Power Automate with Azure Communication Services](../email/logic-app.md).

+ Title: Quickstart -Send email message in Power Automate with Azure Communication Services in Microsoft Power Automate

+description: In this quickstart, learn how to send an email in Azure Logic Apps workflows by using the Azure Communication Services Email connector.

+# Quickstart: Send email message in Power Automate with Azure Communication Services

+This quickstart will show how to send emails using the Azure Communication Services Email connector in your Power Automate workflows.

+## Prerequisites

+- An Azure account with an active subscription, or [create an Azure account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- An active Azure Communication Services resource, or [create a Communication Services resource](../create-communication-resource.md).

+- An active Logic Apps resource (logic app), or [create a blank logic app but with the trigger that you want to use](../../../logic-apps/quickstart-create-first-logic-app-workflow.md). Currently, the Azure Communication Services Email connector provides only actions, so your logic app requires a trigger, at minimum.

+- An Azure Communication Services Email resource with a [configured domain](../email/create-email-communication-resource.md) or [custom domain](../email/add-custom-verified-domains.md).

+- An Azure Communication Services resource [connected with an Azure Email domain](../email/connect-email-communication-resource.md).

+## Send email

+Add a new step in your workflow by using the Azure Communication Services Email connector, follow these steps in Power Automate with your Power Automate flow open in edit mode.

+1. On the designer, under the step where you want to add the new action, select New step. Alternatively, to add the new action between steps, move your pointer over the arrow between those steps, select the plus sign (+), and select Add an action.

+1. In the Choose an operation search box, enter Communication Services Email. From the actions list, select Send email.

+ :::image type="content" source="./media/logic-app/azure-communications-services-connector-send-email.png" alt-text="Screenshot that shows the Azure Communication Services Email connector Send email action.":::

+1. Provide the Connection String. This can be found in the [Microsoft Azure](https://portal.azure.com/), within your Azure Communication Service Resource, on the Keys option from the left menu > Connection String

+ :::image type="content" source="./media/logic-app/azure-communications-services-connection-string.png" alt-text="Screenshot that shows the Azure Communication Services Connection String." lightbox="./media/logic-app/azure-communications-services-connection-string.png":::

+

+1. Provide a Connection Name

+1. Select Send email

+ :::image type="content" source="./media/logic-app/azure-communications-services-connector-send-email.png" alt-text="Screenshot that shows the Azure Communication Services Email connector Send email action.":::

+

+1. Fill the **From** input field using an email domain configured in the [pre-requisites](#prerequisites). Also fill the To, Subject and Body field as shown below

+

+ :::image type="content" source="./media/logic-app/azure-communications-services-connector-send-email-input.png" alt-text="Screenshot that shows the Azure Communication Services Email connector Send email action input.":::

+## Test your logic app

+To manually start your workflow, on the designer toolbar, select **Run**. The workflow should create a user, issue an access token for that user, then remove it and delete the user. For more information, review [how to run your workflow](../../../logic-apps/quickstart-create-first-logic-app-workflow.md#run-workflow). You can check the outputs of these actions after the workflow runs successfully.

+You should have an email in the address specified. Additionally, you can use the Get email message status action to check the status of emails send through the Send email action. To learn more actions, check the [Azure Communication Services Email connector](/connectors/acsemail/) documentation.

+## Clean up resources

+To remove a Communication Services subscription, delete the Communication Services resource or resource group. Deleting the resource group also deletes any other resources in that group. For more information, review [how to clean up Communication Services resources](../create-communication-resource.md#clean-up-resources).

+To clean up your logic app workflow and related resources, review [how to clean up Logic Apps resources](../../../logic-apps/quickstart-create-first-logic-app-workflow.md#clean-up-resources).

+## Next steps

+To learn more about [how to send a chat message](../chat/logic-app.md) from Power Automate using Azure Communication Services.

+To learn more about access tokens check [Create and Manage Azure Communication Services users and access tokens](../chat/logic-app.md).

+ Title: Quickstart - Create and Manage Azure Communication Services users and access tokens in Microsoft Power Automate

+description: In this quickstart, learn how to manage users and access tokens in Azure Logic Apps workflows by using the Azure Communication Services Identity connector.

+# Quickstart: Create and Manage Azure Communication Services users and access tokens in Microsoft Power Automate

+Access tokens let Azure Communication Services connectors authenticate directly against Azure Communication Services as a particular identity. You'll need to create access tokens if you want to perform actions like send a message in a chat using the [Azure Communication Services Chat](../chat/logic-app.md) connector.

+This quickstart shows how to [create a user](#create-user), [delete a user](#delete-a-user), [issue a user an access token](#issue-a-user-access-token) and [remove user access token](#revoke-user-access-tokens) using the [Azure Communication Services Identity](https://powerautomate.microsoft.com/connectors/details/shared_acsidentity/azure-communication-services-identity/) connector.

+## Prerequisites

+- An Azure account with an active subscription, or [create an Azure account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- An active Azure Communication Services resource, or [create a Communication Services resource](../create-communication-resource.md).

+- An active Logic Apps resource (logic app), or [create a blank logic app but with the trigger that you want to use](../../../logic-apps/quickstart-create-first-logic-app-workflow.md). Currently, the Azure Communication Services Identity connector provides only actions, so your logic app requires a trigger, at minimum.

+## Create user

+Add a new step in your workflow by using the Azure Communication Services Identity connector, follow these steps in Power Automate with your Power Automate flow open in edit mode.

+1. On the designer, under the step where you want to add the new action, select New step. Alternatively, to add the new action between steps, move your pointer over the arrow between those steps, select the plus sign (+), and select Add an action.

+1. In the Choose an operation search box, enter Communication Services Identity. From the actions list, select Create a user.

+ :::image type="content" source="./media/logic-app/azure-communications-services-connector-create-user.png" alt-text="Screenshot that shows the Azure Communication Services Identity connector Create user action.":::

+1. Provide the Connection String. This can be found in the [Microsoft Azure](https://portal.azure.com/), within your Azure Communication Service Resource, on the Keys option from the left menu > Connection String

+ :::image type="content" source="./media/logic-app/azure-portal-connection-string.png" alt-text="Screenshot that shows the Keys page within an Azure Communication Services Resource." lightbox="./media/logic-app/azure-portal-connection-string.png":::

+1. Provide a Connection Name

+1. Click **Create**

+ This action will output a User ID, which is a Communication Services user identity.

+ Additionally, if you click ΓÇ£Show advanced optionsΓÇ¥ and select the Token Scope the action will also output an access token and its expiration time with the specified scope.

+ :::image type="content" source="./media/logic-app/azure-communications-services-connector-create-user-action.png" alt-text="Screenshot that shows the Azure Communication Services connector Create user action.":::

+ :::image type="content" source="./media/logic-app/azure-communications-services-connector-create-user-action-advanced.png" alt-text="Screenshot that shows the Azure Communication Services connector Create user action advanced options.":::

+## Issue a user access token

+After you have a Communication Services identity, you can use the Issue a user access token action to issue an access token. The following steps will show you how:

+1. Add a new action and enter Communication Services Identity in the search box. From the actions list, select Issue a user access token.

+ :::image type="content" source="./media/logic-app/azure-communications-services-connector-issue-access-token-action.png" alt-text="Screenshot that shows the Azure Communication Services Identity connector Issue access token action.":::

+

+1. Then, you can use the User ID output from the previous [Create a user](#create-user) step.

+1. Specify the token scope: VoIP or chat. [Learn more about tokens and authentication](../../concepts/authentication.md).

+

+ :::image type="content" source="./media/logic-app/azure-communications-services-connector-issue-access-token-action-token-scope.png" alt-text="Screenshot that shows the Azure Communication Services Identity connector Issue access token action, specifying the token scope.":::

+This will output an access token and its expiration time with the specified scope.

+## Revoke user access tokens

+After you have a Communication Services identity, you can use the Issue a user access token action to revoke an access token . The following steps will show you how:

+1. Add a new action and enter Communication Services Identity in the search box. From the actions list, select Revoke user access tokens.

+

+ :::image type="content" source="./media/logic-app/azure-communications-services-connector-revoke-access-token-action.png" alt-text="Screenshot that shows the Azure Communication Services Identity connector Revoke access token action.":::

+1. Specify the User ID

+ :::image type="content" source="./media/logic-app/azure-communications-services-connector-revoke-access-token-action-user-id.png" alt-text="Screenshot that shows the Azure Communication Services Identity connector Revoke access token action input.":::

+

+This will revoke all user access tokens for the specified user, there are no outputs for this action.

+## Delete a user

+After you have a Communication Services identity, you can use the Issue a user access token action to delete an access token . The following steps will show you how:

+1. Add a new action and enter Communication Services Identity in the search box. From the actions list, select Delete a user.

+ :::image type="content" source="./media/logic-app/azure-communications-services-connector-delete-user.png" alt-text="Screenshot that shows the Azure Communication Services Identity connector Delete user action.":::

+1. Specify the User ID

+

+ :::image type="content" source="./media/logic-app/azure-communications-services-connector-delete-user-id.png" alt-text="Screenshot that shows the Azure Communication Services Identity connector Delete user action input.":::

+ This will remove the user and revoke all user access tokens for the specified user, there are no outputs for this action.

+## Test your logic app

+To manually start your workflow, on the designer toolbar, select **Run**. The workflow should create a user, issue an access token for that user, then remove it and delete the user. For more information, review [how to run your workflow](../../../logic-apps/quickstart-create-first-logic-app-workflow.md#run-workflow). You can check the outputs of these actions after the workflow runs successfully.

+## Clean up resources

+To remove a Communication Services subscription, delete the Communication Services resource or resource group. Deleting the resource group also deletes any other resources in that group. For more information, review [how to clean up Communication Services resources](../create-communication-resource.md#clean-up-resources).

+To clean up your logic app workflow and related resources, review [how to clean up Logic Apps resources](../../../logic-apps/quickstart-create-first-logic-app-workflow.md#clean-up-resources).

+## Next steps

+In this quickstart, you learned how to create a user, delete a user, issue a user an access token and remove user access token using the Azure Communication Services Identity connector. To learn more check the [Azure Communication Services Identity Connector](/connectors/acsidentity/) documentation.

+To see how tokens are use by other connectors, check out [how to send a chat message](../chat/logic-app.md) from Power Automate using Azure Communication Services.

+To learn more about how to send an email using the Azure Communication Services Email connector check [Send email message in Power Automate with Azure Communication Services](../email/logic-app.md).

+ Title: Virtual appointments with Azure Communication Services

+description: Learn concepts for virtual appointments apps

+# Virtual appointments

+This tutorial describes concepts for virtual visit applications. After completing this tutorial and the associated [Sample Builder](https://aka.ms/acs-sample-builder), you will understand common use cases that a virtual appointments application delivers, the Microsoft technologies that can help you build those uses cases, and have built a sample application integrating Microsoft 365 and Azure that you can use to demo and explore further.

+Virtual appointments are a communication pattern where a **consumer** and a **business** assemble for a scheduled appointment. The **organizational boundary** between consumer and business, and **scheduled** nature of the interaction, are key attributes of most virtual appointments. Many industries operate virtual appointments: meetings with a healthcare provider, a loan officer, or a product support technician.

+- **Provider.** The provider gets on the call with the consumer. They must be able to view upcoming virtual appointments and join the virtual visit and engage in communication.

+Azure and Teams are interoperable. This interoperability gives organizations choice in how they deliver virtual appointments using Microsoft's cloud. Three examples include:

+- **Microsoft 365** provides a zero-code suite for virtual appointments using Microsoft [Teams](https://www.microsoft.com/microsoft-teams/group-chat-software/) and [Bookings](https://www.microsoft.com/microsoft-365/business/scheduling-and-booking-app). This is the easiest option but customization is limited. [Check out this video for an introduction.](https://www.youtube.com/watch?v=zqfGrwW2lEw)

+| *Consumer*| Join the visit | Teams or virtual appointments | ACS Calling & Chat | ACS Calling & Chat |

+There are other ways to customize and combine Microsoft tools to deliver a virtual appointments experience:

+

+In this section weΓÇÖre going to use a Sample Builder tool to deploy a Microsoft 365 + Azure hybrid virtual appointments application to an Azure subscription. This application will be a desktop and mobile friendly browser experience, with code that you can use to explore and productionize.

+

+

+And then make sure "Add online meeting" is enabled.

+

+Use the Sample Builder to customize the consumer experience. You can reach the Sampler Builder using this [link](https://aka.ms/acs-sample-builder), or navigating to the page within the Azure Communication Services resource in the Azure portal. Step through the Sample Builder wizard and select Industry template, then configure if Chat or Screen Sharing should be enabled. Change themes and text to you match your application. You can preview your configuration live from the page in both Desktop and Mobile browser form-factors.

+[ ](./media/virtual-visits/sample-builder-themes.png#lightbox)

+[ ](./media/virtual-visits/sample-builder-landing.png#lightbox)

+

+After walking through the ARM template you can **Go to resource group**.

+

+

+

+

+- [**Use the Azure CLI extension, Azure portal or ARM templates**](get-started.md) to manage your applications.

+- [**Monitor your apps**](monitor.md) using Azure Log Analytics.

+> Currently analytical store isn't backuped and can't be restored, and your backup policy can't be planned relying on that.

+* Periodic backup mode is fully compatible with Synapse Link and these 2 features can be used in the same database account.

+ * Database accounts with Synapse Link enabled currently can't use continuous backup mode.

+ * Database accounts with continuous backup mode enabled can enable Synapse Link through a support case. This capability is in preview now.

+ * Database accounts that have neither continuous backup nor Synapse Link enabled can use these two features together through a support case. This capability is in preview now.

+* Currently Synapse Link isn't fully compatible with continuous backup mode. Click [here](analytical-store-introduction.md#backup) for more information.

+* Although analytical store data is not backed up, and therefore cannot be restored, you can rebuild your analytical store by reenabling Synapse Link in the restored container. Click [here](analytical-store-introduction.md#backup) for more information.

+* Currently Synapse Link isn't fully compatible with continuous backup mode. Click [here](analytical-store-introduction.md#backup) for more information.

+## Manage notification contacts

+Notifications allow enterprise administrators to enroll their team members to receive usage, invoice, and user management notifications without giving them billing account access in the Azure portal.

+Notification contacts are shown in the Azure portal in the Notifications under Settings. Managing your notification contacts makes sure that the right people in your organization get Azure EA notifications.

+To view current notifications settings and add contacts:

+1. Sign in to the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_GTM/ModernBillingMenuBlade/AllBillingScopes).

+1. Navigate to **Cost Management + Billing**.

+1. In the left menu, select **Billing scopes** and then select a billing account scope.

+1. In the left menu, under **Settings**, select **Notifications**.

+ Notification contacts are shown on the page.

+1. To add a contact, selectΓÇ»**+ Add**.

+1. In the **Add Contact** area, enter the contact's email address.

+1. Under **Frequency**, select a notification interval. Weekly is the default value.

+1. Under **Categories**, select Lifecycle Management to receive notifications when the enrollment end date is approached or ended.

+1. Select **Add** to save the changes.

+ :::image type="content" source="./media/direct-ea-administration/add-contact.png" alt-text="Screenshot showing the Add Contact window where you add a contact." :::

+The new notification contact is shown in the Notification list.

+An EA admin can manage notification access for a contact by selecting the ellipsis (…) symbol to the right of each contact. They can edit and remove existing notification contacts.

+By default, notification contacts are subscribed for the coverage period end date approaching lifecycle notifications. Unsubscribing lifecycle management notifications suppresses notifications for the coverage period and agreement end date.

+> [!NOTE]

+> Support for complex data type casting from the Cast transformation is currently unavailable. Use a Derived Column transformation instead.

+[Log assert error rows](https://www.youtube.com/watch?v=VFRx0wjlA4s)

+[Fuzzy join](https://www.youtube.com/watch?v=ouMdM4yL78s)

+[User-defined functions](https://www.youtube.com/watch?v=ZFTVoe8eeOc)

+### Error message: "Timeout when reading from staging"

+This error occurs when SSIS-IR with SHIR as a data proxy can't read data from staging blob successfully. Usually, it is due to that SHIR has failed to transfer on-premises data to the staging blob. Then SSIS-IR's attempt to read staging data fails with timeout error. You need to check SHIR logs in C:\ProgramData\SSISTelemetry folder for runtime logs and C:\ProgramData\SSISTelemetry\ExecutionLog folder for execution logs to further investigate why data hasn't been uploaded to staging blob successfully by SHIR.

+ - Confirm that the **Allow access to Azure services** setting is enabled for the database server. This setting isn't applicable when you use an Azure SQL Database server with IP firewall rules/virtual network service endpoints or a managed instance with private endpoint to host SSISDB. For more information, see [Secure Azure SQL Database](/azure/azure-sql/database/secure-database-tutorial#create-firewall-rules). To enable this setting by using PowerShell, see [New-AzSqlServerFirewallRule](/powershell/module/az.sql/new-azsqlserverfirewallrule).

+ - Confirm that your database server doesn't have an SSISDB instance already. The provisioning of an Azure-SSIS IR doesn't support using an existing SSISDB instance.

+ > Excluding any custom setup time, and SSIS IR is not using standard VNet injection, this process will finish within 5 minutes in most cases.

+| **Credential Access** | V7, V9 | Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. With sufficient access within a network, an adversary can create accounts for later use within the environment. |

+- [Enable Defender for Servers on your subscriptions](enable-enhanced-security.md).

+ > Enable database protection for your multicloud SQL servers through the [AWS connector](quickstart-onboard-aws.md?pivots=env-settings#connect-your-aws-account) or the [GCP connector](quickstart-onboard-gcp.md?pivots=env-settings#configure-the-databases-plan).

+|Protected SQL versions:|[SQL Server versions currently supported by Microsoft](/mem/configmgr/core/plan-design/configs/support-for-sql-server-versions) in: <br>- [SQL on Azure virtual machines](/azure/azure-sql/virtual-machines/windows/sql-server-on-azure-vm-iaas-what-is-overview)<br>- [SQL Server on Azure Arc-enabled servers](/sql/sql-server/azure-arc/overview)<br>- On-premises SQL servers on Windows machines without Azure Arc<br>|

+ - **Committed devices**. If you selected a monthly or annual commitment, enter the number of assets you'll want to monitor. If you selected a trial, this section doesn't appear as you have a default of 100 devices.

+Changes to your plan will take effect one hour after confirming the change. This change will appear on your next monthly statement, and you will be charged based on the length of time each plan was in effect.

+You may need to cancel a Defender for IoT plan from your Azure subscription, for example, if you need to work with a new payment entity. Your changes take effect one hour after confirmation. This change will be reflected in your upcoming monthly statement, and you will only be charged for the time that the subscription was active.

+- [Upgrade your Azure subscription](../../cost-management-billing/manage/upgrade-azure-subscription.md)

+| **ArcSight** | Forward Defender for IoT alerts to ArcSight. | [Integrate ArcSight with Microsoft Defender for IoT](integrations/arcsight.md) |

+| **LogRhythm** | Forward Defender for IoT alerts to LogRhythm. | [Integrate LogRhythm with Microsoft Defender for IoT](integrations/logrhythm.md) |

+| **RSA NetWitness** | Forward Defender for IoT alerts to RSA NetWitness | [Integrate RSA NetWitness with Microsoft Defender for IoT](integrations/netwitness.md) <br>[CyberX Platform - RSA NetWitness CEF Parser Implementation Guide](https://community.netwitness.com//t5/netwitness-platform-integrations/cyberx-platform-rsa-netwitness-cef-parser-implementation-guide/ta-p/554364) |

+ Title: Integrate ArcSight with Microsoft Defender for IoT

+description: Learn how to send Microsoft Defender for IoT alerts to ArcSight.

+# Integrate ArcSight with Microsoft Defender for IoT

+This article describes how to send Microsoft Defender for IoT alerts to ArcSight. Integrating Defender for IoT with ArcSight provides visibility into the security and resiliency of OT networks and a unified approach to IT and OT security.

+## Prerequisites

+Before you begin, make sure that you have the following prerequisites:

+- Access to a Defender for IoT OT sensor as an Admin user.

+## Configure the ArcSight receiver type

+To configure your ArcSight server settings so that it can receive Defender for IoT alert information:

+1. Sign in to your ArcSight server.

+1. Configure your receiver type as a **CEF UDP Receiver**.

+For more information, see the [ArcSight SmartConnectors Documentation](https://www.microfocus.com/documentation/arcsight/arcsight-smartconnectors/#gsc.tab=0).

+## Create a Defender for IoT forwarding rule

+This procedure describes how to create a forwarding rule from your OT sensor to send Defender for IoT alerts from that sensor to ArcSight.

+For more information, see [Forward alert information](../how-to-forward-alert-information-to-partners.md).

+1. Sign in to your OT sensor console and select **Forwarding** on the left.

+1. Enter a meaningful name for your rule, and then define your rule details, including:

+ - The minimal alert level. For example, if you select Minor, you are notified about all minor, major and critical incidents.

+ - The protocols you want to include in the rule.

+ - The traffic you want to include in the rule.

+1. In the **Actions** area, define the following values:

+ - **Server**: Select **ArcSight**

+ - **Host**: The ArcSight server address

+ - **Port**: The ArcSight server port

+ - **Timezone**: The timezone of the ArcSight server

+1. Select **Save** to save your forwarding rule.

+## Next steps

+For more information, see:

+- [Integrations with partner services](../integrate-overview.md)

+- [Forward alert information](../how-to-forward-alert-information-to-partners.md)

+- [Manage individual sensors](../how-to-manage-individual-sensors.md)

+ Title: Integrate LogRhythm with Microsoft Defender for IoT

+description: Learn how to send Microsoft Defender for IoT alerts to ALogRhythmrcSight.

+# Integrate LogRhythm with Microsoft Defender for IoT

+This article describes how to send Microsoft Defender for IoT alerts to LogRhythm. Integrating Defender for IoT with LogRhythm provides visibility into the security and resiliency of OT networks and a unified approach to IT and OT security.

+## Prerequisites

+Before you begin, make sure that you have the following prerequisites:

+- Access to a Defender for IoT OT sensor as an Admin user.

+## Create a Defender for IoT forwarding rule

+This procedure describes how to create a forwarding rule from your OT sensor to send Defender for IoT alerts from that sensor to LogRhythm.

+For more information, see [Forward alert information](../how-to-forward-alert-information-to-partners.md).

+1. Sign in to your OT sensor console and select **Forwarding** on the left.

+1. Enter a meaningful name for your rule, and then define your rule details, including:

+ - The minimal alert level. For example, if you select Minor, you are notified about all minor, major and critical incidents.

+ - The protocols you want to include in the rule.

+ - The traffic you want to include in the rule.

+1. In the **Actions** area, define the following values:

+ - **Server**: Select a SYSLOG server option, such as **SYSLOG Server (LEEF format)

+ - **Host**: The IP or hostname of your LogRhythm collector

+ - **Port**: Enter **514**

+ - **Timezone**: Enter your timezone

+1. Select **Save** to save your forwarding rule.

+## Configure LogRhythm to collect logs

+After configuring a forwarding rule from your OT sensor console, configure LogRhythm to collect your Defender for IoT logs.

+For more information, see the [LogRhythm documentation](https://docs.logrhythm.com/docs/devices/syslog-log-sources).

+## Next steps

+For more information, see:

+- [Integrations with partner services](../integrate-overview.md)

+- [Forward alert information](../how-to-forward-alert-information-to-partners.md)

+ Title: Integrate RSA NetWitness with Microsoft Defender for IoT

+description: Learn how to send Microsoft Defender for IoT alerts to RSA NetWitness.

+# Integrate RSA NetWitness with Microsoft Defender for IoT

+This article describes how to send Microsoft Defender for IoT alerts to RSA NetWitness. Integrating Defender for IoT with NetWitness provides visibility into the security and resiliency of OT networks and a unified approach to IT and OT security.

+## Prerequisites

+Before you begin, make sure that you have the following prerequisites:

+- Access to a Defender for IoT OT sensor as an Admin user.

+- NetWitness configuration to collect events from sources that support Common Event Format (CEF). For more information, see the [CyberX Platform - RSA NetWitness CEF Parser Implementation Guide](https://community.netwitness.com//t5/netwitness-platform-integrations/cyberx-platform-rsa-netwitness-cef-parser-implementation-guide/ta-p/554364).

+## Create a Defender for IoT forwarding rule

+This procedure describes how to create a forwarding rule from your OT sensor to send Defender for IoT alerts from that sensor to NetWitness.

+For more information, see [Forward alert information](../how-to-forward-alert-information-to-partners.md).

+1. Sign in to your OT sensor console and select **Forwarding** on the left.

+1. Enter a meaningful name for your rule, and then define your rule details, including:

+ - The minimal alert level. For example, if you select Minor, you are notified about all minor, major and critical incidents.

+ - The protocols you want to include in the rule.

+ - The traffic you want to include in the rule.

+1. In the **Actions** area, define the following values:

+ - **Server**: Select **NetWitness**

+ - **Host**: The NetWitness hostname

+ - **Port**: The NetWitness port

+ - **Timezone**: Enter your NetWitness timezone

+1. Select **Save** to save your forwarding rule.

+## Next steps

+For more information, see:

+- [CyberX Platform - RSA NetWitness CEF Parser Implementation Guide](https://community.netwitness.com//t5/netwitness-platform-integrations/cyberx-platform-rsa-netwitness-cef-parser-implementation-guide/ta-p/554364)

+- [Integrations with partner services](../integrate-overview.md)

+- [Forward alert information](../how-to-forward-alert-information-to-partners.md)

+1. **Committed devices** - Provide the approximate number of network devices that will be monitored. You'll need this information when onboarding your subscription to Defender for IoT in the Azure portal. During the onboarding process, you'll be prompted to enter the number of devices in increments of 100. For more information, see [What is a Defender for IoT committed device?](architecture.md#what-is-a-defender-for-iot-committed-device)

+Before you deploy Azure Firewall, the performance needs to be tested and evaluated to ensure it meets your expectations. Not only should Azure Firewall handle the current traffic on a network, but it should also be ready for potential traffic growth. It is recommended to evaluate on a test network and not in a production environment. The testing should attempt to replicate the production environment as close as possible. This includes the network topology, and emulating the actual characteristics of the expected traffic through the firewall.

+|Premium (no TLS/IDPS) |100|100|

+|Premium single TCP connection with IDPS on *Alert and Deny* mode|up to 300 Mbps|

+ Title: Manage your Azure subscriptions at scale with management groups - Azure Governance

+# Manage your Azure subscriptions at scale with management groups

+> AzManagementGroup related Az PowerShell cmdlets mention that the **-GroupId** is alias of **-GroupName** parameter

+> so we can use either of it to provide Management Group Id as a string value.

+ * **Basename** - Will be used to append the name the Azure resources and services to be deployed.

+ * Provide a working device mapping. For more information, see [How to use device mappings](how-to-use-device-mappings.md).

+ * Provide a working FHIR destination mapping. For more information, see [How to use FHIR destination mappings](how-to-use-fhir-mappings.md).

+To move the application to a different resource group, select **move** beside **Resource group**. On the **Move resources** page, choose the resource group you'd like to move this application to.

+To move the application to a different subscription, select **move** beside **Subscription**. On the **Move resources** page, choose the subscription you'd like to move this application to:

+

+## Manage networking

+You can use private IP addresses from a virtual network address space to manage your devices in IoT Central application to eliminate exposure on the public internet. To learn more, see [Create and configure a private endpoint for IoT Central](../core/howto-create-private-endpoint.md)

+Access to metrics in the Azure portal is managed by [Azure role based access control](../../role-based-access-control/overview.md). Use the Azure portal to add users to the IoT Central application/resource group/subscription to grant them access. You must add a user in the portal even they're already added to the IoT Central application. Use [Azure built-in roles](../../role-based-access-control/built-in-roles.md) for finer grained access control.

+The following example **Metrics** page shows a plot of the number of devices connected to your IoT Central application. For a list of the metrics that are currently available for IoT Central, see [Supported metrics with Azure Monitor](../../azure-monitor/essentials/metrics-supported.md#microsoftiotcentraliotapps).

+### Export logs and metrics

+Use the Azure portal to export metrics and logs to different destinations. To learn more, see Use the **Diagnostics settings** page to configure exporting metrics and logs to different destinations. To learn more, see [Diagnostic settings in Azure Monitor](../../azure-monitor/essentials/diagnostic-settings.md).

+### Analyze logs and metrics

+Use the **Workbooks** page to analyze logs and create visual reports. To learn more, see [Azure Workbooks](../../azure-monitor/visualize/workbooks-overview.md).

+* Libraries in the [Azure IoT Provisioning SDKs](libraries-sdks.md).

+The Azure IoT Hub Device Provisioning Service (DPS) is a helper service for IoT Hub. The DPS package provides SDKs to help you build backend and device applications that leverage DPS to provide zero-touch, just-in-time provisioning to one or more IoT hubs. The SDKs are published in a variety of popular languages and handle the underlying transport and security protocols between your devices or backend apps and DPS, freeing developers to focus on application development. Additionally, using the SDKs provides you with support for future updates to DPS, including security updates.

+- [DPS service SDKs](#service-sdks) provide data plane operations for backend apps. You can use the service SDKs to create and manage individual enrollments and enrollment groups, and to query and manage device registration records.

+- [DPS management SDKs](#management-sdks) provide control plane operations for backend apps. You can use the management SDKs to create and manage DPS instances and metadata. For example, to create and manage DPS instances in your subscription, to upload and verify certificates with a DPS instance, or to create and manage authorization policies or allocation policies in a DPS instance.

+The DPS SDKs help you provision devices to your IoT hubs. Microsoft also provides a set of SDKs to help you build device apps and backend apps that communicate directly with Azure IoT Hub. For example, to help your provisioned devices send telemetry to your IoT hub, and, optionally, to receive messages and job, method, or twin updates from your IoT hub. To learn more, see [Azure IoT Hub SDKs](../iot-hub/iot-hub-devguide-sdks.md).

+The DPS device SDKs provide implementations of the [Register](/rest/api/iot-dps/device/runtime-registration/register-device) API and others that devices call to provision through DPS. The device SDKs can run on general MPU-based computing devices such as a PC, tablet, smartphone, or Raspberry Pi. The SDKs support development in C and in modern managed languages including in C#, Node.JS, Python, and Java.

+> [!WARNING]

+> The **C SDK** listed above is **not** suitable for embedded applications due to its memory management and threading model. For embedded devices, refer to the [Embedded device SDKs](#embedded-device-sdks).

+### Embedded device SDKs

+These SDKs were designed and created to run on devices with limited compute and memory resources and are implemented using the C language.

+| RTOS | SDK | Source | Samples | Reference |

+| :-- | :-- | :-- | :-- | :-- |

+| **Azure RTOS** | Azure RTOS Middleware | [GitHub](https://github.com/azure-rtos/netxduo) | [Quickstarts](../iot-develop/quickstart-devkit-mxchip-az3166.md) | [Reference](https://github.com/azure-rtos/netxduo/tree/master/addons/azure_iot) |

+| **FreeRTOS** | FreeRTOS Middleware | [GitHub](https://github.com/Azure/azure-iot-middleware-freertos) | [Samples](https://github.com/Azure-Samples/iot-middleware-freertos-samples) | [Reference](https://azure.github.io/azure-iot-middleware-freertos) |

+| **Bare Metal** | Azure SDK for Embedded C | [GitHub](https://github.com/Azure/azure-sdk-for-c/tree/master/sdk/docs/iot) | [Samples](https://github.com/Azure/azure-sdk-for-c/blob/master/sdk/samples/iot/README.md) | [Reference](https://azure.github.io/azure-sdk-for-c) |

+Learn more about the device and embedded device SDKs in the [IoT Device Development documentation](../iot-develop/about-iot-sdks.md).

+* Azure account - [create a free account](https://azure.microsoft.com/free/search/)

+* Azure IoT Hub - [create an IoT Hub](https://azure.microsoft.com/services/iot-hub/#overview)

+ For more information on creating an IoT Edge device, see [Quickstart: Deploy your first IoT Edge module to a virtual Linux device](quickstart-linux.md). Later in this tutorial, we'll add an NVIDIA module to our IoT Edge device.

+ Title: Common issues and resolutions for Azure IoT Edge for Linux on Windows | Microsoft Docs

+description: Use this article to resolve common issues encountered when deploying an IoT Edge for Linux on Windows (EFLOW) solution

+# Common issues and resolutions for Azure IoT Edge for Linux on Windows

+Use this article to help resolve common issues that can occur when deploying IoT Edge for Linux on Windows solutions.

+## Installation and Deployment

+The following section addresses the common errors when installing the EFLOW MSI and deploying the EFLOW virtual machine. Ensure you have an understanding of the following EFLOW concepts:

+- [Azure IoT Edge for Linux on Windows prerequisites](https://aka.ms/AzEFLOW-Requirements)

+- [Nested virtualization for Azure IoT Edge for Linux on Windows](./nested-virtualization.md)

+- [Networking configuration for Azure IoT Edge for Linux on Windows](./how-to-configure-iot-edge-for-linux-on-windows-networking.md)

+- [Azure IoT Edge for Linux on Windows virtual switch creation](/how-to-create-virtual-switch.md)

+- [PowerShell functions for IoT Edge for Linux on Windows](./reference-iot-edge-for-linux-on-windows-functions.md)

+> [!div class="mx-tdCol2BreakAll"]

+> | Error | Error Description | Solution |

+> | -- | -- | -- |

+> | HNS API version X doesn't meet minimum version | EFLOW uses HCS/HNS to create the virtual machine on client SKUs. The minimum HNS version its 9.2. | If you're using a Windows version 20H1 or later, the HCS/HNS API should meet the requirement. If you're using Windows Client RS5 (17763), verify you have the latest Windows update. |

+> | Can't find WSSDAGENT service! <br/> WssdAgent is unreachable, update has failed. | The *WSSDAgent* is the EFLOW component that creates and manages the lifecycle of the VM. *WSSDAgent* runs a service on the Windows host OS. If the service isn't running, the VM communication and lifecycle fails. | Verify the *WSSDAgent* service is running on the Windows host OS by opening an elevated PowerShell session and running the command `Get-Service -Name wssdagent`. If WSSDAgent isn't running, try starting the service manually using the cmdlet: `Start-Service -name WSSDAgent`. If it doesn't start, share the content under _C:\ProgramData\wssdagent_. |

+> | Expected image '$vhdPathBackup' is missing | When installing EFLOW current release (CR), the user can provide the data partition size using the *vmDataSize*. If specified, EFLOW resizes the VHDX. The error occurs if the VHDX file isn't found during resizing. | Verify the VHDX file wasn't deleted or moved from the original location. |

+> | Installation of Hyper-V, Hyper-V Management PowerShell or OpenSSH failed. Please install manually and restart deployment. Aborting... | EFLOW installation has required prerequisites to deploy the virtual machine. If one the prerequisites aren't met, the `Deploy-Eflow` cmdlet fails. | Ensure that all required prerequisites are met. _PowerShell_: Close PowerShell session and open a new one. If you have multiple installations, make sure to have the correct module imported. Try a different version of PowerShell.<br/>_Hyper-V_: For more information EFLOW Hyper-V support, see [Azure IoT Edge for Linux on Windows Nested Virtualization](./nested-virtualization.md). <br/> _OpenSSH:_ If you're using your own custom installation, check `customSsh` parameter during deployment. |

+> | $feature isn't available in this Windows edition. <br/> $featureversion could not be enabled. Please add '$featureversion' optional feature in settings and restart the deployment. | When deploying EFLOW, if one of the prerequisites it's not met, the installer tries to install it. If this feature isn't available or the feature installation fails, the EFLOW deployment fails. | Ensure that all required prerequisites are met. _PowerShell_: Close PowerShell session and open a new one. If you have multiple installations, make sure to have the correct module imported. Try a different version of PowerShell.<br/>_Hyper-V_: For more information EFLOW Hyper-V support, see [Azure IoT Edge for Linux on Windows Nested Virtualization](./nested-virtualization.md). <br/> _OpenSSH:_ If you're using your own custom installation, check `customSsh` parameter during deployment. |

+> | Hyper-V properties indicate the Hyper-V component is not functional (property HyperVRequirementVirtualizationFirmwareEnabled is false) <br/> Hyper-V properties indicate the Hyper-V component is not functional (property HyperVisorPresent is false). <br/>Hyper-V core services not running (vmms, vmcompute, hvhost). Ensure Hyper-V is configured properly and capable of starting virtual machines. | These errors are related to Hyper-V virtualization technology stack and services. The EFLOW virtual machine requires several Hyper-V services in order to create and run the virtual machine. If one of these services isn't available, the installation fails. | For more information EFLOW Hyper-V support, see [Azure IoT Edge for Linux on Windows Nested Virtualization](./nested-virtualization.md).|

+> | wssdagent unreachable, please retry... | The *WSSDAgent* is the EFLOW component that creates and manages the lifecycle of the VM. *WSSDAgent* runs a service on the Windows host OS. |Verify the *WSSDAgent* service is running on the Windows host OS by opening an elevated PowerShell session and running the command `Get-Service -Name wssdagent`. If WSSDAgent isn't running, try starting the service manually using the cmdlet: `Start-Service -name WSSDAgent`. If it doesn't start, share the content under _C:\ProgramData\wssdagent_. |

+> | Virtual machine configuration could not be retrieved from wssdagent | Find the EFLOW configuration yaml files under the EFLOW root installation folder. For example, if the default installation directory was used, the configuration files should be in the *C:\Program Files\Azure IoT Edge\yaml* directory. | Check if the directory was deleted or moved. If the directory isn't available, the VM can't be created. EFLOW reinstallation is needed. |

+> | An existing virtual machine was detected. To redeploy the virtual machine, please uninstall and re-install $eflowProductName. <br/> Virtual machine '$name' already exists. You much remove '$name' virtual machine first. | During EFLOW deployment, the installer checks if there's an EFLOW VM created from previous installations. In some cases, if the installation fails in its final steps, the VM was created and it's still running in the Windows host OS. | Make sure to completely uninstall EFLOW before starting a new installation. If you want to remove the Azure IoT Edge for Linux on Windows installation from your device, use the following commands. <br/> 1. In Windows, open **Settings** <br/> 2. Select **Add or Remove Programs** <br/> 3. Select **Azure IoT Edge LTS** app <br/> 4. Select **Uninstall**|

+> | Creating storage vhd (file: $($config["imageNameEflowVm"])) failed | Error when creating or resizing the EFLOW virtual machine VHDX. | Check EFLOW installation logs _C:\Program Files\Azure IoT Edge_ and WSSDAgent logs _C:\ProgramData\wssdagent_ for more information. |

+> | Error: Virtual machine creation failed! <br/> Failed to retrieve virtual machine name. | Error related to virtual machine creation by *WSSDAgent*. Installer will try removing the VM and mark the installation as failed. | Verify the *WSSDAgent* service is running on the Windows host OS by opening an elevated PowerShell session and running the command `Get-Service -Name wssdagent`. If WSSDAgent isn't running, try starting the service manually using the cmdlet: `Start-Service -name WSSDAgent`. If it doesn't start, share the content under _C:\ProgramData\wssdagent_. |

+> | This Windows device does not meet the minimum requirements for Azure EFLOW. Please refer to https://aka.ms/AzEFLOW-Requirements for system requirements | During EFLOW deployment, the *Deploy-EFlow* PowerShell cmdlet checks that all the prerequisites are met. Specifically, Windows SKUs are checked (Windows Server 2019, 2022, Windows Client Professional, or Client Enterprise) and the Windows version is at least 17763. | Verify you're using a supported Windows SKU and version. If using Windows version 17763, ensure to have all the updates applied. |

+> | Not enough memory available. | There isn't enough RAM memory to create the EFLOW VM with the allocated VM memory. By default, the virtual machine has 1024 MB assigned. The Windows host OS needs to have at least X MB free to assign that memory to the VM. | Check the Windows host OS memory available and use the _memoryInMb_ parameter during `Deploy-Eflow` for custom memory assignment. For more information about `Deploy-EFlow` PowerShell cmdlet, see [PowerShell functions for IoT Edge for Linux on Windows](./reference-iot-edge-for-linux-on-windows-functions.md). |

+> | Not enough CPU cores available. | There isn't enough CPU cores available to create the EFLOW VM with the allocated cores. By default, the virtual machine will have one core assigned. The Windows host OS needs to have at least one core to assign that core to the EFLOW VM. | Check the Windows host OS CPU cores available and use the _cpuCore_ parameter during `Deploy-Eflow` for custom memory assignment. For more information about `Deploy-EFlow` PowerShell cmdlet, see [PowerShell functions for IoT Edge for Linux on Windows](./reference-iot-edge-for-linux-on-windows-functions.md). |

+> | Not enough disk space is available on drive '$drive'. | There isn't enough storage available to create the EFLOW VM with the allocated storage size. By default, the VM will use ~18 GB of storage. The Windows host OS needs to have at least 18 GB of free storage to assign that storage to the EFLOW VM VHDX. | Check the Windows host free storage available and use the _vmDiskSize_ parameter during `Deploy-Eflow` for custom storage size. For more information about `Deploy-EFlow` PowerShell cmdlet, see [PowerShell functions for IoT Edge for Linux on Windows](./reference-iot-edge-for-linux-on-windows-functions.md). |

+> | Signature is not valid (file: $filePath, signature status: ${signature.Status}) <br/> Signature is missing (file: $filePath)! <br/> could not track signature to the microsoft root certificate | The signature of the file can't be found or it's invalid. EFLOW PSM and EFLOW updates are all signed using Microsoft certificates. If the Microsoft code or Microsoft CA certificates are not available in the Windows host OS, the validation fails. | Verify all contents were downloaded from official Microsoft sites. Also, if the necessary certificates aren't part of the Windows host, check [Install EFLOW necessary certificates](https://github.com/Azure/iotedge-eflow/issues/158). |

+## Provisioning and IoT Edge runtime

+The following section addresses the common errors when provisioning the EFLOW virtual machine and interact with the IoT Edge runtime. Ensure you have an understanding of the following EFLOW concepts:

+- [What is Azure IoT Hub Device Provisioning Service?](/azure/iot-dps/about-iot-dps)

+- [Understand the Azure IoT Edge runtime and its architecture](./iot-edge-runtime.md)

+- [Troubleshoot your IoT Edge device](./troubleshoot.md)

+> [!div class="mx-tdCol2BreakAll"]

+> | Error | Error Description | Solution |

+> | -- | -- | -- |

+> | Action aborted by user | For some of the EFLOW PowerShell cmdlets, there's user interaction and confirmation needed. | - |

+> | Error, device connection string not provided. <br/> Only the device connection string for *ManualConnectionString* provisioning may be specified. | Incorrect parameters used when using *ManualConnectionString* device provisioning. | For more information about the `Provision-EflowVm` PowerShell cmdlet, see [PowerShell functions for IoT Edge for Linux on Windows](./reference-iot-edge-for-linux-on-windows-functions.md). |

+> | IoT Hub Hostname, Device ID, and/or identity cert/pk parameters for ManualX509 provisioning not specified <br/> Device connection string, scope ID, registration ID, and symmetric key may not be specified for DpsX509 provisioning <br/> Certificate and private key file for ManualX509 provisioning not found (expected at $identityCertPath and $identityPrivKeyPath) | Incorrect parameters used when using _ManualX509_ device provisioning. | For more information about `Provision-EflowVm` PowerShell cmdlet, see [PowerShell functions for IoT Edge for Linux on Windows](./reference-iot-edge-for-linux-on-windows-functions.md). |

+> | Scope ID for DpsTpm provisioning not specified <br/> Only scope ID and registration ID (optional) for DpsTpm provisioning may be specified | Incorrect parameters used when using _DpsTpm_ device provisioning. | For more information about `Provision-EflowVm` PowerShell cmdlet, see [PowerShell functions for IoT Edge for Linux on Windows](./reference-iot-edge-for-linux-on-windows-functions.md). |

+> | Scope ID, registration ID or symmetric key missing for DpsSymmetricKey provisioning <br/> globalEndpoint not specified <br> Only scope ID, registration ID or symmetric key for DpsSymmetricKey provisioning may be specified | Incorrect parameters used when using _DpsSymmetricKey_ device provisioning. | For more information about `Provision-EflowVm` PowerShell cmdlet, see [PowerShell functions for IoT Edge for Linux on Windows](./reference-iot-edge-for-linux-on-windows-functions.md). |

+> | Virtual machine does not exist, deploy it first | The EFLOW MSI was installed, however the EFLOW virtual machine was never deployed. | Deploy the EFLOW VM using the `Deploy-Eflow` PowerShell cmdlet. |

+> | Aborting, iotedge was previously provisioned (headless mode)! | The EFLOW VM was previously provisioned and _headless_ mode isn't supported when reprovisioning. | The issue is fixed and now *-headless* mode is supported with reprovisioning |

+> | Provisioning aborted by user | The EFLOW VM was previously provisioned and the user needs to confirm they want to reprovision. | User must accept reprovisioning to continue with the provisioning process.|

+> | Failed to provision <br/> Failed to provision config.toml. Please provision manually. <br/> iotedge service not running after provisioning, please investigate manually | The EFLOW provisioning information was correctly configured inside the EFLOW VM, but the IoT Edge daemon was not able to provision the device with the cloud provisioning service. | Check the Azure IoT Edge runtime logs. First, connect to the EFLOW virtual machine using the `Connect-EflowVm` PowerShell cmdlet then follow [Troubleshoot your IoT Edge device](./troubleshoot.md) to retrieve the IoT Edge logs. |

+> | Unexpected return from 'sudo iotedge list' <br/> Retrieving iotedge check output from: "$vmName" | The execution of `sudo iotedge list` command inside the EFLOW VM returned an unexpected payload. Generally this is related to IoT Edge service not running correctly inside the EFLOW VM. | Check the Azure IoT Edge runtime logs. First, connect to the EFLOW virtual machine using the `Connect-EflowVm` PowerShell cmdlet then follow [Troubleshoot your IoT Edge device](./troubleshoot.md) to get the IoT Edge logs. |

+> | TPM 2.0 is required to enable DpsTpm | TPM passthrough only works with TPM 2.0 compatible hardware. This could be caused by a physical TPM or if the EFLOW VM is running using nested virtualization using vTPM on the Windows host OS. | Make sure the Windows host OS has a valid TPM 2.0, check [Enable TPM 2.0 on your PC](https://support.microsoft.com/windows/enable-tpm-2-0-on-your-pc-1fd5a332-360d-4f46-a1e7-ae6b0c90645c). |

+> | TPM provisioning information not available! | The TPM passthrough binary inside the EFLOW VM could not get the TPM information from the Windows host OS. This error is probably related to a communication error with the EFLOWProxy. | Ensure that the _EFLOW Proxy Service_ service is running using the PowerShell cmdlet `Get-Service -name "EFLOW Proxy Service"`. If not running, check the Event logs. Open the **Event Viewer** > **Application and service logs** -> **Azure IoT Edge for Linux on Windows**. |

+## Interaction with the VM

+The following section addresses the common errors when interacting with the EFLOW virtual machine, and configure the EFLOW device passthrough options. Ensure you have an understanding of the following EFLOW concepts:

+- [PowerShell functions for IoT Edge for Linux on Windows](./reference-iot-edge-for-linux-on-windows-functions.md)

+- [GPU acceleration for Azure IoT Edge for Linux on Windows](./gpu-acceleration.md)

+> [!div class="mx-tdCol2BreakAll"]

+> | Error | Error Description | Solution |

+> | -- | -- | -- |

+> | Can't process request, EFLOW VM is OFF! | When trying to apply a configuration to the EFLOW virtual machine, the VM must be turned on. If the EFLOW VM is off, then the SSH channel will fail, and no communication is possible with the VM.| Start the EFLOW VM using the *Start-EflowVm* PowerShell cmdlet. For more information about the *Start-EflowVm* cmdlet, see [PowerShell functions for IoT Edge for Linux on Windows](./reference-iot-edge-for-linux-on-windows-functions.md). |

+> | Virtual machine name could not be retrieved from wssdagent <br/> Error: More than one virtual machine found | The WSSDAgent service couldn't find the EFLOW virtual machine. | Verify the EFLOW VM is started and running, use the PowerShell cmdlet `Start-EflowVm`. If using a client SKU, use the `hcsdiag list` cmdlet and find the line that has _wssdagent_ after the GUID of the VM then check the state. If using a server SKU, go to Hyper-V manager and verify there's a VM with the name _Windows-hostname_-EFLOW then check the state. |

+> | Unable to connect virtual machine with SSH.  Aborting.. | The Windows host OS could not establish an SSH connection with the EFLOW VM to execute the necessary commands or copy files. Generally, this issue is related to a networking problem between Windows and the virtual machine. | Try the PowerShell cmdlet `Get-EflowVmAddr` and check if the *IP4Address* assigned to the VM is correct. For more information about networking configurations, see [Azure IoT Edge for Linux on Windows networking](./iot-edge-for-linux-on-windows-networking.md).|

+> | Unexpected return stats from virtual machine | The execution of `Get-EflowVm` PowerShell cmdlet checks the status of the virtual machine. If the communication with the virtual machine fails, or some of the Linux bash commands inside the VM fail, the cmdlet fails. | Check the EFLOW VM connection using `Connect-EflowVm` PowerShell cmdlet and try manually running the VM stats bash commands inside the VM. |

+> | TPM provisioning was not enabled! | To get the TPM provisioning information for the TPM, the EFLOW TPM passthrough must be enabled. If TPM passthrough isn't enabled, the cmdlet fails. | Enable TPM passthrough before getting the TPM information. Use the `Set-EflowVmFeature` PowerShell cmdlet to enable the TPM passthrough. For more information about `Set-EflowVmFeature` PowerShell cmdlet, see [PowerShell functions for IoT Edge for Linux on Windows](./reference-iot-edge-for-linux-on-windows-functions.md). |

+> | Unknown feature '$feature' is provided. | The *Set-EflowVmFeature* cmdlet supports _DpsTpm_ and _Defender_ as the two features that can be enabled or disabled. | For more information about `Set-EflowVmFeature` PowerShell cmdlet, see [PowerShell functions for IoT Edge for Linux on Windows](./reference-iot-edge-for-linux-on-windows-functions.md). |

+> | Unsupported DDA Type: $gpuName | Currently, GPU DDA is only supported for _NVIDIA Tesla T4_ and _NVIDIA A2_. If the user provides another GPU name, the GPU passthrough fails. | Verify all the GPU prerequisites are met. For more information about EFLOW GPU support, check [Azure IoT Edge for Linux on Windows GPU passthrough](https://aka.ms./azeflow-gpu).

+> | Invalid GPU configuration requested, <br/> Passthrough enabled but requested gpuCount == $gpuCount <br/> GPU PassthroughType '$gpuPassthroughType' not supported by '$script:WssdProviderVmms' WssdProvider <br/> Requested GPU configuration cannot be supported by Host, <br/> GPU '$gpuName' not available <br/> Requested GPU configuration cannot be supported by Host, <br/> not enough GPUs available - Requested($gpuCount), Available($($selectedGpuDevice.Count)) <br/> Requested GPU configuration cannot be supported by Host, <br/> GPU PassthroughType '$gpuPassthroughType' not supported <br/> Invalid GPU configuration requested, Passthrough disabled but gpuCount > 0" | These errors are generally related to one or more the GPU dependencies not being met. | Make sure all the GPU prerequisites are met. For more information about EFLOW GPU support, check [Azure IoT Edge for Linux on Windows GPU passthrough](https://aka.ms./azeflow-gpu). |

+## Networking

+The following section addresses the common errors related to EFLOW networking and communication between the EFLOW virtual machine and the Windows host OS. Ensure you have an understanding of the following EFLOW concepts:

+- [Azure IoT Edge for Linux on Windows networking](./iot-edge-for-linux-on-windows-networking.md)

+- [Networking configuration for Azure IoT Edge for Linux on Windows](./how-to-configure-iot-edge-for-linux-on-windows-networking.md)

+- [Azure IoT Edge for Linux on Windows virtual switch creation](/how-to-create-virtual-switch.md)

+> [!div class="mx-tdCol2BreakAll"]

+> | Error | Error Description | Solution |

+> | -- | -- | -- |

+> | Installation of virtual switch failed <br/> The virtual switch '$switchName' of type '$switchType' was not found | When creating the EFLOW VM, there's a check that the virtual switch provided exists and has the correct type. If using no parameter, the installation uses the default switch provided by the Windows client. | Check that the virtual switch being used is part of the Windows host OS. You can check the virtual switches using the PowerShell cmdlet `Get-VmSwitch`. For more information about networking configurations, see [Azure IoT Edge for Linux on Windows networking](./iot-edge-for-linux-on-windows-networking.md). |

+> | The virtual switch '$switchName' of type '$switchType' </br> is not supported on current host OS | When using Windows client SKUs, external/default switches are supported. However, when using Windows Server SKUs, external/internal switches are supported. | For more information about networking configurations, see [Azure IoT Edge for Linux on Windows networking](./iot-edge-for-linux-on-windows-networking.md).

+> | Cannot set Static IP on ICS type virtual switch (Default Switch) | The _default switch_ is a virtual switch that's provided in the Windows client SKUs after installing Hyper-V. This switch already has a DHCP server for *IP4Address* assignation and for security reasons doesn't support a static IP. | If using the _default switch_, you can either use the `Get-EflowVmAddr` cmdlet or use the hostname of the EFLOW VM to get the VM *IP4Address*. If using the hostname, try using _Windows-hostname_-EFLOW.mshome.net. For more information about networking configurations, see [Azure IoT Edge for Linux on Windows networking](./iot-edge-for-linux-on-windows-networking.md). |

+> | $dnsServer is not a valid IP4 address | The *Set-EflowVmDnsServers* cmdlet expects a list of valid *IP4Addresses* | Verify you provided a valid list of addresses. You can check the Windows host OS DNS servers by using the PowerShell cmdlet `ipconfig /all` and then looking for the entry _DNS Servers_. For example, if you wanted to set two DNS servers with IPs 10.0.1.2 and 10.0.1.3, use the `Set-EflowVmDnsServers -dnsServers @("10.0.1.2", "10.0.1.3")` cmdlet. |

+> | Could not retrieve IP address for virtual machine <br/> Virtual machine name could not be retrieved, failed to get IP/MAC address <br/> Failed to acquire MAC address for virtual machine <br/> Failed to acquire IP address for virtual machine <br/> Unable to obtain host routing. Connectivity test to $computerName failed. <br/> wssdagent does not have the expected vnet resource provisioned. <br/> Missing EFLOW-VM guest interface for ($vnicName) | Caused by connectivity issues with the EFLOW virtual machine. The errors are generally related to an IP address change (if using static IP) or failure to assign an IP if using DHCP server. | Make sure to use the appropriate networking configuration. If there's a valid DHCP server, you can use DHCP assignation. If using static IP, make sure the IP configuration is correct (all three parameters: _ip4Address_, _ip4GatewayAddress_ and _ip4PrefixLength_) and the address isn't being used by another device in the network. For more information about networking configurations, see [Azure IoT Edge for Linux on Windows networking](./iot-edge-for-linux-on-windows-networking.md). |

+> | No adapters associated with the switch '$vnetName' are found. <br/> No adapters associated with the device ID '$adapterGuid' are found <br/> No adapters associated with the adapter name '$name' are found. <br/> Network '$vswitchName' does not exist | Caused by a network communication error between the Windows host OS and the EFLOW virtual machine. | Ensure you can reach the EFLOW VM and establish an SSH channel. Use the `Connect-EflowVm` PowerShell cmdlet to connect to the virtual machine. If connectivity fails, reboot the EFLOW VM and check again. |

+> | ip4Address & ip4PrefixLength are required for StaticIP! | During EFLOW VM deployment or when adding multiple NICs, if using static IP, the three static ip parameters are needed: _ip4Address_, _ip4GatewayAddress_, _ip4PrefixLength_. | For more information about `Deploy-EFlow` PowerShell cmdlet, see [PowerShell functions for IoT Edge for Linux on Windows](./reference-iot-edge-for-linux-on-windows-functions.md). |

+> | Found multiple VMMS switches <br/> with name '$switchName' of type '$switchType' | There are two or more virtual switches with the same name and type. This environment conflicts with the EFLOW VM installation and lifecycle of the VM. | Use `Get-VmSwitch` PowerShell cmdlet to check the virtual switches available in the Windows host and make sure that each {name,type} is unique. |

+## Next steps

+Do you think that you found a bug in the IoT Edge for Linux on Windows? [Submit an issue](https://github.com/Azure/iotedge-eflow/issues) so that we can continue to improve.

+If you have more questions, create a [Support request](https://portal.azure.com/#create/Microsoft.Support) for help.

+1. In **Configure your new project**, name the project *TriggerReboot*, then select **Next**.

+ :::image type="content" source="./media/iot-hub-csharp-csharp-device-management-get-started/create-trigger-reboot-configure.png" alt-text="Screenshot that shows how to configure a new Visual Studio project." lightbox="./media/iot-hub-csharp-csharp-device-management-get-started/create-trigger-reboot-configure.png":::

+1. Accept the default version of the .NET Framework, then select **Create** to create the project.

+ :::image type="content" source="./media/iot-hub-csharp-csharp-device-management-get-started/create-trigger-reboot-nuget-devices.png" alt-text="Screenshot that shows how to install the Microsoft.Azure.Devices package." lightbox="./media/iot-hub-csharp-csharp-device-management-get-started/create-trigger-reboot-nuget-devices.png":::

+ :::image type="content" source="./media/iot-hub-csharp-csharp-device-management-get-started/configure-device-app.png" alt-text="Screenshot that shows how to name a new Visual Studio project." lightbox="./media/iot-hub-csharp-csharp-device-management-get-started/configure-device-app.png":::

+ :::image type="content" source="./media/iot-hub-csharp-csharp-device-management-get-started/create-device-nuget-devices-client.png" alt-text="Screenshot that shows how to install the Microsoft.Azure.Devices.Client package." lightbox="./media/iot-hub-csharp-csharp-device-management-get-started/create-device-nuget-devices-client.png":::

+Here's how to get your module connection string from the Azure portal. Sign in to the [Azure portal](https://portal.azure.com/). Navigate to your hub and select **Devices**. Find **myFirstDevice**. Select **myFirstDevice** to open it, and then select **myFirstModule** to open it. In **Module Identity Details**, copy the **Connection string (primary key)** to save it for the console app.

+1. In Visual Studio, add a new project to your solution by selecting **File** > **New** > **Project**. In **Create a new project**, select **Console App (.NET Framework)**, and select **Next**.

+1. In **Configure your new project**, name the project *UpdateModuleTwinReportedProperties*, then select **Next**.

+ :::image type="content" source="./media/iot-hub-csharp-csharp-module-twin-getstarted/configure-update-twins-csharp1.png" alt-text="Screenshot that shows the 'Configure your new project' popup." lightbox="./media/iot-hub-csharp-csharp-module-twin-getstarted/configure-update-twins-csharp1.png":::

+1. Keep the default .NET Framework option and select **Create** to create your project.

+ :::image type="content" source="./media/iot-hub-csharp-csharp-module-twin-getstarted/install-client-sdk.png" alt-text="Screenshot that shows the 'Microsoft.Azure.Devices.Client' selected and the 'Install' button highlighted." lightbox="./media/iot-hub-csharp-csharp-module-twin-getstarted/install-client-sdk.png":::

+1. In Visual Studio, select **File > New > Project**. In **Create a new project**, select **Console App (.NET Framework)**, and then select **Next**.

+1. In **Configure your new project**, name the project **AddTagsAndQuery**, the select **Next**.

+ :::image type="content" source="./media/iot-hub-csharp-csharp-twin-getstarted/config-addtagsandquery-app.png" alt-text="Screenshot of how to create a new Visual Studio project." lightbox="./media/iot-hub-csharp-csharp-twin-getstarted/config-addtagsandquery-app.png":::

+1. Accept the default version of the .NET Framework, then select **Create** to create the project.

+There are three categories of software development kits (SDKs) for working with IoT Hub:

+* [**IoT Hub device SDKs**](#azure-iot-hub-device-sdks) enable you to build apps that run on your IoT devices using device client or module client. These apps send telemetry to your IoT hub, and optionally receive messages, job, method, or twin updates from your IoT hub. You can use these SDKs to build device apps that use [Azure IoT Plug and Play](../iot-develop/overview-iot-plug-and-play.md) conventions and models to advertise their capabilities to IoT Plug and Play-enabled applications. You can also use module client to author [modules](../iot-edge/iot-edge-modules.md) for [Azure IoT Edge runtime](../iot-edge/about-iot-edge.md).

+* [**IoT Hub management SDKs**](#azure-iot-hub-management-sdks) help you build backend applications that manage the IoT hubs in your Azure subscription.

+Microsoft also provides a set of SDKs for provisioning devices through and building backend services for the [Device Provisioning Service](../iot-dps/about-iot-dps.md). To learn more, see [Microsoft SDKs for IoT Hub Device Provisioning Service](../iot-dps/libraries-sdks.md).

+Learn about the [benefits of developing using Azure IoT SDKs](https://azure.microsoft.com/blog/benefits-of-using-the-azure-iot-sdks-in-your-azure-iot-solution/).

+## Azure IoT Hub device SDKs

+The Microsoft Azure IoT device SDKs contain code that facilitates building applications that connect to and are managed by Azure IoT Hub services. These SDKs can run on a general MPU-based computing device such as a PC, tablet, smartphone, or Raspberry Pi. The SDKs support development in C and in modern managed languages including in C#, Node.JS, Python, and Java.

+The SDKs are available in **multiple languages** providing the flexibility to choose which best suits your team and scenario.

+| Language | Package | Source | Quickstarts | Samples | Reference |

+| :-- | :-- | :-- | :-- | :-- | :-- |

+| **.NET** | [NuGet](https://www.nuget.org/packages/Microsoft.Azure.Devices.Client) | [GitHub](https://github.com/Azure/azure-iot-sdk-csharp) | [Quickstart](../iot-develop/quickstart-send-telemetry-iot-hub.md?pivots=programming-language-csharp) | [Samples](https://github.com/Azure-Samples/azure-iot-samples-csharp) | [Reference](/dotnet/api/microsoft.azure.devices.client) |

+| **Python** | [pip](https://pypi.org/project/azure-iot-device/) | [GitHub](https://github.com/Azure/azure-iot-sdk-python) | [Quickstart](../iot-develop/quickstart-send-telemetry-iot-hub.md?pivots=programming-language-python) | [Samples](https://github.com/Azure/azure-iot-sdk-python/tree/main/azure-iot-device/samples) | [Reference](/python/api/azure-iot-device) |

+| **Node.js** | [npm](https://www.npmjs.com/package/azure-iot-device) | [GitHub](https://github.com/Azure/azure-iot-sdk-node) | [Quickstart](../iot-develop/quickstart-send-telemetry-iot-hub.md?pivots=programming-language-nodejs) | [Samples](https://github.com/Azure/azure-iot-sdk-node/tree/main/device/samples) | [Reference](/javascript/api/azure-iot-device/) |

+| **Java** | [Maven](https://mvnrepository.com/artifact/com.microsoft.azure.sdk.iot/iot-device-client) | [GitHub](https://github.com/Azure/azure-iot-sdk-java) | [Quickstart](../iot-develop/quickstart-send-telemetry-iot-hub.md?pivots=programming-language-java) | [Samples](https://github.com/Azure/azure-iot-sdk-java/tree/master/device/iot-device-samples) | [Reference](/java/api/com.microsoft.azure.sdk.iot.device) |

+| **C** | [packages](https://github.com/Azure/azure-iot-sdk-c/blob/master/readme.md#getting-the-sdk) | [GitHub](https://github.com/Azure/azure-iot-sdk-c) | [Quickstart](../iot-develop/quickstart-send-telemetry-iot-hub.md?pivots=programming-language-ansi-c) | [Samples](https://github.com/Azure/azure-iot-sdk-c/tree/master/iothub_client/samples) | [Reference](/azure/iot-hub/iot-c-sdk-ref/) |

+> [!WARNING]

+> The **C SDK** listed above is **not** suitable for embedded applications due to its memory management and threading model. For embedded devices, refer to the [Embedded device SDKs](#embedded-device-sdks).

+### Embedded device SDKs

+These SDKs were designed and created to run on devices with limited compute and memory resources and are implemented using the C language.

+The embedded device SDKs are available for **multiple operating systems** providing the flexibility to choose which best suits your team and scenario.

+| RTOS | SDK | Source | Samples | Reference |

+| :-- | :-- | :-- | :-- | :-- |

+| **Azure RTOS** | Azure RTOS Middleware | [GitHub](https://github.com/azure-rtos/netxduo) | [Quickstarts](../iot-develop/quickstart-devkit-mxchip-az3166.md) | [Reference](https://github.com/azure-rtos/netxduo/tree/master/addons/azure_iot) |

+| **FreeRTOS** | FreeRTOS Middleware | [GitHub](https://github.com/Azure/azure-iot-middleware-freertos) | [Samples](https://github.com/Azure-Samples/iot-middleware-freertos-samples) | [Reference](https://azure.github.io/azure-iot-middleware-freertos) |

+| **Bare Metal** | Azure SDK for Embedded C | [GitHub](https://github.com/Azure/azure-sdk-for-c/tree/master/sdk/docs/iot) | [Samples](https://github.com/Azure/azure-sdk-for-c/blob/master/sdk/samples/iot/README.md) | [Reference](https://azure.github.io/azure-sdk-for-c) |

+Learn more about the IoT Hub device SDKS in the [IoT Device Development Documentation](../iot-develop/about-iot-sdks.md).

+## Azure IoT Hub management SDKs

+The Iot Hub management SDKs help you build backend applications that manage the IoT hubs in your Azure subscription.

+| Platform | Package | Code repository | Reference |

+| --|--|--|--|

+| .NET|[NuGet](https://www.nuget.org/packages/Microsoft.Azure.Management.IotHub) |[GitHub](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/iothub)| [Reference](/dotnet/api/microsoft.azure.management.iothub) |

+| Java|[Maven](https://mvnrepository.com/artifact/com.azure.resourcemanager/azure-resourcemanager-iothub) |[GitHub](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/iothub/azure-resourcemanager-iothub)| [Reference](/java/api/overview/azure/resourcemanager-iothub-readme) |

+| Node.js|[npm](https://www.npmjs.com/package/@azure/arm-iothub)|[GitHub](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/iothub/arm-iothub)|[Reference](/javascript/api/overview/azure/arm-iothub-readme) |

+| Python|[pip](https://pypi.org/project/azure-mgmt-iothub/) |[GitHub](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/iothub/azure-mgmt-iothub)|[Reference](/python/api/azure-mgmt-iothub) |

+For more information about device SDK compatibility with specific hardware devices, see the [Azure Certified for IoT device catalog](https://devicecatalog.azure.com/) or individual repository.

+## SDKs for related Azure IoT services

+Azure IoT SDKs are also available for the following

+* [Microsoft SDKs for IoT Hub Device Provisioning Service](../iot-dps/libraries-sdks.md): To help you provision devices through and build backend services for the Device Provisioning Service.

+* [Device Update for IoT Hub SDKs](../iot-hub-device-update/understand-device-update.md): To help you deploy over-the-air (OTA) updates for IoT devices.

+* [IoT Plug and Play SDKs](../iot-develop/libraries-sdks.md): To help you build IoT Plug and Play solutions.

+* An active Azure account. If you don't have an account, you can create a [free account](https://azure.microsoft.com/pricing/free-trial/) in just a couple of minutes.

+* A registered device. Register one in the [Azure portal](iot-hub-create-through-portal.md#register-a-new-device-in-the-iot-hub).

+1. From your existing device in the Azure portal, choose **Add Module Identity** to create your first module identity.

+ :::image type="content" source="./media/iot-hub-portal-csharp-module-twin-getstarted/add-module-identity.png" alt-text="Screenshot that shows the 'Module Identity Details' page." lightbox="./media/iot-hub-portal-csharp-module-twin-getstarted/add-module-identity.png":::

+ :::image type="content" source="./media/iot-hub-portal-csharp-module-twin-getstarted/module-identity-details.png" alt-text="Screenshot that shows the Module Identity Details menu.":::

+Save the **Connection string (primary key)**. You use it in the next section to set up your module on the device in a console app.

+1. In **Configure your new project**, enter *UpdateModuleTwinReportedProperties* as the **Project name**. Select **Next** to continue.

+ :::image type="content" source="./media/iot-hub-portal-csharp-module-twin-getstarted/configure-twins-project.png" alt-text="Screenshot showing the 'Configure your new project' popup.":::

+1. Keep the default .NET framework, then select **Create**.

+ :::image type="content" source="./media/iot-hub-csharp-csharp-module-twin-getstarted/install-client-sdk.png" alt-text="Screenshot showing how to install the Microsoft.Azure.Devices.Client.":::

+ Now you have access to all the module features.

+2. Add the following fields to the **Program** class. Replace the placeholder value with the module connection string you saved previously.

+1. Get your module connection string. In [Azure portal](https://portal.azure.com/), navigate to your IoT Hub and select **Devices** in the left pane. Select **myFirstDevice** from the list of devices and open it. Under **Module identities**, select **myFirstModule**. Select the copy icon for **Connection string (primary key)**. You need this connection string in a following step.

+ :::image type="content" source="./media/iot-hub-python-python-module-twin-getstarted/module-detail.png" alt-text="Screenshot of the Module Identity Details page in the Azure portal.":::

+> [!WARNING]

+> TLS 1.0 and 1.1 is deprecated by Azure Active Directory and tokens to access key vault may not longer be issued for users or services requesting them with deprecated protocols. This may lead to loss of access to Key vaults. More information on AAD TLS support can be in [Azure AD TLS 1.1 and 1.0 deprecation](/troubleshoot/azure/active-directory/enable-support-tls-environment/#why-this-change-is-being-made)

+ </ABAPTEXT>

+ </ABAPTEXT>

+The `get-logs` command provides only the last few hundred lines of logs from an automatically selected instance. However, Log Analytics provides a way to durably store and analyze logs. For more information on using logging, see [Monitor online endpoints](how-to-monitor-online-endpoints.md#logs)

+To determine the current usage for an endpoint, [view the metrics](how-to-monitor-online-endpoints.md#metrics).

+## Metrics

+### Available metrics

+#### Metrics at endpoint scope

+**Bandwidth throttling**

+#### Metrics at deployment scope

+### Create a dashboard

+### Create an alert

+1.

+## Logs

+There are three logs that can be enabled for online endpoints:

+* **AMLOnlineEndpointTrafficLog**: You could choose to enable traffic logs if you want to check the information of your request. Below are some cases:

+ * If the response isn't 200, check the value of the column ΓÇ£ResponseCodeReasonΓÇ¥ to see what happened. Also check the reason in the "HTTPS status codes" section of the [Troubleshoot online endpoints](how-to-troubleshoot-online-endpoints.md#http-status-codes) article.

+ * You could check the response code and response reason of your model from the column ΓÇ£ModelStatusCodeΓÇ¥ and ΓÇ£ModelStatusReasonΓÇ¥.

+ * You want to check the duration of the request like total duration, the request/response duration, and the delay caused by the network throttling. You could check it from the logs to see the breakdown latency.

+ * If you want to check how many requests or failed requests recently. You could also enable the logs.

+* **AMLOnlineEndpointConsoleLog**: Contains logs that the containers output to the console. Below are some cases:

+ * If the container fails to start, the console log may be useful for debugging.

+ * Monitor container behavior and make sure that all requests are correctly handled.

+ * Write request IDs in the console log. Joining the request ID, the AMLOnlineEndpointConsoleLog, and AMLOnlineEndpointTrafficLog in the Log Analytics workspace, you can trace a request from the network entry point of an online endpoint to the container.

+ * You may also use this log for performance analysis in determining the time required by the model to process each request.

+* **AMLOnlineEndpointEventLog**: Contains event information regarding the containerΓÇÖs life cycle. Currently, we provide information on the following types of events:

+ | Name | Message |

+ | -- | -- |

+ | BackOff | Back-off restarting failed container

+ | Pulled | Container image "\<IMAGE\_NAME\>" already present on machine

+ | Killing | Container inference-server failed liveness probe, will be restarted

+ | Created | Created container image-fetcher

+ | Created | Created container inference-server

+ | Created | Created container model-mount

+ | Unhealthy | Liveness probe failed: \<FAILURE\_CONTENT\>

+ | Unhealthy | Readiness probe failed: \<FAILURE\_CONTENT\>

+ | Started | Started container image-fetcher

+ | Started | Started container inference-server

+ | Started | Started container model-mount

+ | Killing | Stopping container inference-server

+ | Killing | Stopping container model-mount

+### How to enable/disable logs

+> [!IMPORTANT]

+> Logging uses Azure Log Analytics. If you do not currently have a Log Analytics workspace, you can create one using the steps in [Create a Log Analytics workspace in the Azure portal](../azure-monitor/logs/quick-create-workspace.md#create-a-workspace).

+1. In the [Azure portal](https://portal.azure.com), go to the resource group that contains your endpoint and then select the endpoint.

+1. From the **Monitoring** section on the left of the page, select **Diagnostic settings** and then **Add settings**.

+1. Select the log categories to enable, select **Send to Log Analytics workspace**, and then select the Log Analytics workspace to use. Finally, enter a **Diagnostic setting name** and select **Save**.

+ :::image type="content" source="./media/how-to-monitor-online-endpoints/diagnostic-settings.png" alt-text="Screenshot of the diagnostic settings dialog.":::

+ > [!IMPORTANT]

+ > It may take up to an hour for the connection to the Log Analytics workspace to be enabled. Wait an hour before continuing with the next steps.

+

+1. Submit scoring requests to the endpoint. This activity should create entries in the logs.

+1. From either the online endpoint properties or the Log Analytics workspace, select **Logs** from the left of the screen.

+1. Close the **Queries** dialog that automatically opens, and then double-click the **AmlOnlineEndpointConsoleLog**. If you don't see it, use the **Search** field.

+ :::image type="content" source="./media/how-to-monitor-online-endpoints/online-endpoints-log-queries.png" alt-text="Screenshot showing the log queries.":::

+1. Select **Run**.

+ :::image type="content" source="./media/how-to-monitor-online-endpoints/query-results.png" alt-text="Screenshots of the results after running a query.":::

+### Example queries

+You can find example queries on the __Queries__ tab while viewing logs. Search for __Online endpoint__ to find example queries.

+### Log column details

+The following tables provide details on the data stored in each log:

+**AMLOnlineEndpointTrafficLog**

+| Field name | Description |

+| - | - |

+| Method | The requested method from client.

+| Path | The requested path from client.

+| SubscriptionId | The machine learning subscription ID of the online endpoint.

+| WorkspaceId | The machine learning workspace ID of the online endpoint.

+| EndpointName | The name of the online endpoint.

+| DeploymentName | The name of the online deployment.

+| Protocol | The protocol of the request.

+| ResponseCode | The final response code returned to the client.

+| ResponseCodeReason | The final response code reason returned to the client.

+| ModelStatusCode | The response status code from model.

+| ModelStatusReason | The response status reason from model.

+| RequestPayloadSize | The total bytes received from the client.

+| ResponsePayloadSize | The total bytes sent back to the client.

+| UserAgent | The user-agent header of the request.

+| XRequestId | The request ID generated by Azure Machine Learning for internal tracing.

+| XMSClientRequestId | The tracking ID generated by the client.

+| TotalDurationMs | Duration in milliseconds from the request start time to the last response byte sent back to the client. If the client disconnected, it measures from the start time to client disconnect time.

+| RequestDurationMs | Duration in milliseconds from the request start time to the last byte of the request received from the client.

+| ResponseDurationMs | Duration in milliseconds from the request start time to the first response byte read from the model.

+| RequestThrottlingDelayMs | Delay in milliseconds in request data transfer due to network throttling.

+| ResponseThrottlingDelayMs | Delay in milliseconds in response data transfer due to network throttling.

+**AMLOnlineEndpointConsoleLog**

+| Field Name | Description |

+| -- | -- |

+| TimeGenerated | The timestamp (UTC) of when the log was generated.

+| OperationName | The operation associated with log record.

+| InstanceId | The ID of the instance that generated this log record.

+| DeploymentName | The name of the deployment associated with the log record.

+| ContainerName | The name of the container where the log was generated.

+| Message | The content of the log.

+**AMLOnlineEndpointEventLog**

+| Field Name | Description |

+| -- | -- |

+| TimeGenerated | The timestamp (UTC) of when the log was generated.

+| OperationName | The operation associated with log record.

+| InstanceId | The ID of the instance that generated this log record.

+| DeploymentName | The name of the deployment associated with the log record.

+| Name | The name of the event.

+| Message | The content of the event.

+> Mirroring traffic uses your [endpoint bandwidth quota](how-to-manage-quotas.md#azure-machine-learning-managed-online-endpoints) (default 5 MBPS). Your endpoint bandwidth will be throttled if you exceed the allocated quota. For information on monitoring bandwidth throttling, see [Monitor managed online endpoints](how-to-monitor-online-endpoints.md#metrics-at-endpoint-scope).

+| Offers | Software as a service (SaaS) plans now support 2-year and 3-year billing term with upfront, monthly or annually payment options. To learn more, see [Plan a SaaS offer for the commercial marketplace](plan-saas-offer.md#saas-billing-terms-and-payment-options). | 2022-08-01 |

+ Title: Autovacuum Tuning

+description: Troubleshooting guide for autovacuum in Azure Database for PostgreSQL - Flexible Server

+# Autovacuum Tuning in Azure Database for PostgreSQL - Flexible Server

+This article provides an overview of the autovacuum feature for [Azure Database for PostgreSQL - Flexible Server](overview.md).

+## What is autovacuum

+Internal data consistency in PostgreSQL is based on the Multi-Version Concurrency Control (MVCC) mechanism, which allows the database engine to maintain multiple versions of a row and provides greater concurrency with minimal blocking between the different processes.

+PostgreSQL databases need appropriate maintenance. For example, when a row is deleted, it is not removed physically. Instead, the row is marked as ΓÇ£deadΓÇ¥. Similarly for updates, the row is marked as "dead" and a new version of the row is inserted. These operations leave behind dead records, called dead tuples, even after all the transactions that might see those versions finish. Unless cleaned up, dead tuples remain, consuming disk space and bloating tables and indexes which result in slow query performance.

+PostgreSQL uses a process called autovacuum to automatically clean up dead tuples.

+## Autovacuum internals

+Autovacuum reads pages looking for dead tuples, and if none are found, autovacuum discard the page. When autovacuum finds dead tuples, it removes them. The cost is based on:

+- `vacuum_cost_page_hit`: Cost of reading a page that is already in shared buffers and does not need a disk read. The default value is set to 1.

+- `vacuum_cost_page_miss`: Cost of fetching a page that is not in shared buffers. The default value is set to 10.

+- `vacuum_cost_page_dirty`: Cost of writing to a page when dead tuples are found in it. The default value is set to 20.

+The amount of work autovacuum does depends on two parameters:

+- `autovacuum_vacuum_cost_limit` is the amount of work autovacuum does in one go and once the cleanup process is done, the amount of time autovacuum is asleep.

+- `autovacuum_vacuum_cost_delay` number of milliseconds.

+In Postgres versions 9.6, 10 and 11 the default for `autovacuum_vacuum_cost_limit` is 200 and `autovacuum_vacuum_cost_delay` is 20 milliseconds.

+In Postgres versions 12 and above the default `autovacuum_vacuum_cost_limit` is 200 and `autovacuum_vacuum_cost_delay` is 2 milliseconds.

+Autovacuum wakes up 50 times (50*20 ms=1000 ms) every second. Every time it wakes up, autovacuum reads 200 pages.

+That means in one-second autovacuum can do:

+- ~80 MB/Sec [ (200 pages/`vacuum_cost_page_hit`) * 50 * 8 KB per page] if all pages with dead tuples are found in shared buffers.

+- ~8 MB/Sec [ (200 pages/`vacuum_cost_page_miss`) * 50 * 8 KB per page] if all pages with dead tuples are read from disk.

+- ~4 MB/Sec [ (200 pages/`vacuum_cost_page_dirty`) * 50 * 8 KB per page] autovacuum can write up to 4 MB/sec.

+## Monitoring autovacuum

+Use the following queries to monitor autovacuum:

+```postgresql

+select schemaname,relname,n_dead_tup,n_live_tup,round(n_dead_tup::float/n_live_tup::float*100) dead_pct,autovacuum_count,last_vacuum,last_autovacuum,last_autoanalyze,last_analyze from pg_stat_all_tables where n_live_tup >0;

+```

+ΓÇ»

+The following columns help determine if autovacuum is catching up to table activity:

+- **Dead_pct**: percentage of dead tuples when compared to live tuples.

+- **Last_autovacuum**: The date of the last time the table was autovacuumed.

+- **Last_autoanalyze**: The date of the last time the table was automatically analyzed.

+## When does PostgreSQL trigger autovacuum

+An autovacuum action (either *ANALYZE* or *VACUUM*) triggers when the number of dead tuples exceeds a particular number that is dependent on two factors: the total count of rows in a table, plus a fixed threshold. *ANALYZE*, by default, triggers when 10% of the table plus 50 rows changes, while *VACUUM* triggers when 20% of the table plus 50 rows changes. Since the *VACUUM* threshold is twice as high as the *ANALYZE* threshold, *ANALYZE* gets triggered much earlier than *VACUUM*.

+The exact equations for each action are:

+- **Autoanalyze** = autovacuum_analyze_scale_factor * tuples + autovacuum_analyze_threshold

+- **Autovacuum** = autovacuum_vacuum_scale_factor * tuples + autovacuum_vacuum_threshold

+For example, analyze triggers after 60 rows change on a table that contains 100 rows, and vacuum triggers when 70 rows change on the table, using the following equations:

+`Autoanalyze = 0.1 * 100 + 50 = 60`

+`Autovacuum = 0.2 * 100 + 50 = 70`

+Use the following query to list the tables in a database and identify the tables that qualify for the autovacuum process:

+```postgresql

+ SELECT *

+ ,n_dead_tup > av_threshold AS av_needed

+ ,CASE

+ WHEN reltuples > 0

+ THEN round(100.0 * n_dead_tup / (reltuples))

+ ELSE 0

+ END AS pct_dead

+ FROM (

+ SELECT N.nspname

+ ,C.relname

+ ,pg_stat_get_tuples_inserted(C.oid) AS n_tup_ins

+ ,pg_stat_get_tuples_updated(C.oid) AS n_tup_upd

+ ,pg_stat_get_tuples_deleted(C.oid) AS n_tup_del

+ ,pg_stat_get_live_tuples(C.oid) AS n_live_tup

+ ,pg_stat_get_dead_tuples(C.oid) AS n_dead_tup

+ ,C.reltuples AS reltuples

+ ,round(current_setting('autovacuum_vacuum_threshold')::INTEGER + current_setting('autovacuum_vacuum_scale_factor')::NUMERIC * C.reltuples) AS av_threshold

+ ,date_trunc('minute', greatest(pg_stat_get_last_vacuum_time(C.oid), pg_stat_get_last_autovacuum_time(C.oid))) AS last_vacuum

+ ,date_trunc('minute', greatest(pg_stat_get_last_analyze_time(C.oid), pg_stat_get_last_analyze_time(C.oid))) AS last_analyze

+ FROM pg_class C

+ LEFT JOIN pg_namespace N ON (N.oid = C.relnamespace)

+ WHERE C.relkind IN (

+ 'r'

+ ,'t'

+ )

+ AND N.nspname NOT IN (

+ 'pg_catalog'

+ ,'information_schema'

+ )

+ AND N.nspname ! ~ '^pg_toast'

+ ) AS av

+ ORDER BY av_needed DESC ,n_dead_tup DESC;

+```

+> [!NOTE]

+> The query does not take into consideration that autovacuum can be configured on a per-table basis using the "alter table" DDL command. 

+## Common autovacuum problems

+Review the possible common problems with the autovacuum process.

+### Not keeping up with busy server

+The autovacuum process estimates the cost of every I/O operation, accumulates a total for each operation it performs and pauses once the upper limit of the cost is reached. `autovacuum_vacuum_cost_delay` and `autovacuum_vacuum_cost_limit` are the two server parameters that are used in the process.

+By default, `autovacuum_vacuum_cost_limit` is set to –1, meaning autovacuum cost limit is the same value as the parameter `vacuum_cost_limit`, which defaults to 200. `vacuum_cost_limit` is the cost of a manual vacuum.

+If `autovacuum_vacuum_cost_limit` is set to `-1` then autovacuum uses the `vacuum_cost_limit` parameter, but if `autovacuum_vacuum_cost_limit` itself is set to greater than `-1` then `autovacuum_vacuum_cost_limit` parameter is considered.

+In case the autovacuum is not keeping up, the following parameters may be changed:

+|Parameter |Description |

+|||

+|`autovacuum_vacuum_scale_factor`| Default: `0.2`, range: `0.05 - 0.1`. The scale factor is workload-specific and should be set depending on the amount of data in the tables. Before changing the value, investigate the workload and individual table volumes. |

+|`autovacuum_vacuum_cost_limit`|Default: `200`. Cost limit may be increased. CPU and I/O utilization on the database should be monitored before and after making changes. |

+|`autovacuum_vacuum_cost_delay` | **Postgres Versions 9.6,10,11** - Default: `20 ms`. The parameter may be decreased to `2-10 ms`. </br> **Postgres Versions 12 and above** - Default: `2 ms`. |

+> [!NOTE]

+> The `autovacuum_vacuum_cost_limit` value is distributed proportionally among the running autovacuum workers, so that if there is more than one, the sum of the limits for each worker does not exceed the value of the `autovacuum_vacuum_cost_limit` parameter

+### Autovacuum constantly running

+Continuously running autovacuum may affect CPU and IO utilization on the server. The following might be possible reasons:

+#### `maintenance_work_mem`

+Autovacuum daemon uses `autovacuum_work_mem` that is by default set to `-1` meaningΓÇ»`autovacuum_work_mem` would have the same value as the parameterΓÇ»`maintenance_work_mem`. This document assumes `autovacuum_work_mem` is set to `-1` and `maintenance_work_mem` is used by the autovacuum daemon.

+If `maintenance_work_mem` is low, it may be increased to up to 2 GB on Flexible Server. A general rule of thumb is to allocate 50 MB to `maintenance_work_mem` for every 1 GB of RAM. 

+#### Large number of databases

+Autovacuum tries to start a worker on each database every `autovacuum_naptime` seconds.

+For example, if a server has 60 databases and `autovacuum_naptime` is set to 60 seconds, then the autovacuum worker starts every second [autovacuum_naptime/Number of DBs].

+It is a good idea to increase `autovacuum_naptime` if there are more databases in a cluster. At the same time, the autovacuum process can be made more aggressive by increasing the `autovacuum_cost_limit` and decreasing the `autovacuum_cost_delay` parameters and increasing the `autovacuum_max_workers` from the default of 3 to 4 or 5.

+### Out of memory errors

+Overly aggressive `maintenance_work_mem` values could periodically cause out-of-memory errors in the system. It is important to understand available RAM on the server before any change to the `maintenance_work_mem` parameter is made.

+### Autovacuum is too disruptive

+If autovacuum is consuming a lot of resources, the following can be done:

+#### Autovacuum parameters

+Evaluate the parameters `autovacuum_vacuum_cost_delay`, `autovacuum_vacuum_cost_limit`, `autovacuum_max_workers`. Improperly setting autovacuum parameters may lead to scenarios where autovacuum becomes too disruptive.

+If autovacuum is too disruptive, consider the following:

+- IncreaseΓÇ»`autovacuum_vacuum_cost_delay` and reduce `autovacuum_vacuum_cost_limit` if set higher than the default of 200.

+- Reduce the number of `autovacuum_max_workers` if it is set higher than the default of 3.ΓÇ»

+#### Too many autovacuum workersΓÇ»

+Increasing the number of autovacuum workers will not necessarily increase the speed of vacuum. Having a high number of autovacuum workers is not recommended.

+Increasing the number of autovacuum workers will result in more memory consumption, and depending on the value of `maintenance_work_mem` , could cause performance degradation.

+Each autovacuum worker process only gets (1/autovacuum_max_workers) of the total `autovacuum_cost_limit`, so having a high number of workers causes each one to go slower.

+If the number of workers is increased, `autovacuum_vacuum_cost_limit` should also be increased and/or `autovacuum_vacuum_cost_delay` should be decreased to make the vacuum process faster.

+However, if we have changed table level `autovacuum_vacuum_cost_delay` or `autovacuum_vacuum_cost_limit` parameters then the workers running on those tables are exempted from being considered in the balancing algorithm [autovacuum_cost_limit/autovacuum_max_workers].

+ΓÇ»

+### Autovacuum transaction ID (TXID) wraparound protection

+When a database runs into transaction ID wraparound protection, an error message like the following can be observed:

+```

+Database is not accepting commands to avoid wraparound data loss in database ΓÇÿxxΓÇÖ

+Stop the postmaster and vacuum that database in single-user mode.

+```

+> [!NOTE]

+> This error message is a long-standing oversight. Usually, you do not need to switch to single-user mode. Instead, you can run the required VACUUM commands and perform tuning for VACUUM to run fast. While you cannot run any data manipulation language (DML), you can still run VACUUM.

+The wraparound problem occurs when the database is either not vacuumed or there are too many dead tuples that could not be removed by autovacuum. The reasons for this might be:

+

+#### Heavy workload

+The workload could cause too many dead tuples in a brief period that makes it difficult for autovacuum to catch up. The dead tuples in the system add up over a period leading to degradation of query performance and leading to wraparound situation. One reason for this situation to arise might be because autovacuum parameters aren't adequately set and it is not keeping up with a busy server.

+#### Long-running transactions

+Any long-running transactions in the system will not allow dead tuples to be removed while autovacuum is running. They're a blocker to the vacuum process. Removing the long running transactions frees up dead tuples for deletion when autovacuum runs.

+Long-running transactions can be detected using the following query:

+```postgresql

+ SELECT pid, age(backend_xid) AS age_in_xids,

+ now () - xact_start AS xact_age,

+ now () - query_start AS query_age,

+ state,

+ query

+ FROM pg_stat_activity

+ WHERE state != 'idle'

+ ORDER BY 2 DESC

+ LIMIT 10;

+```

+#### Prepared statements

+If there are prepared statements that are not committed, they would prevent dead tuples from being removed.

+The following query helps find non-committed prepared statements:

+```postgresql

+ SELECT gid, prepared, owner, database, transaction

+ FROM pg_prepared_xacts

+ ORDER BY age(transaction) DESC;

+```

+Use COMMIT PREPARED or ROLLBACK PREPARED to commit or roll back these statements.

+#### Unused replication slots

+Unused replication slots prevent autovacuum from claiming dead tuples. The following query helps identify unused replication slots:

+```postgresql

+ SELECT slot_name, slot_type, database, xmin

+ FROM pg_replication_slots

+ ORDER BY age(xmin) DESC;

+```

+UseΓÇ»`pg_drop_replication_slot()` to delete unused replication slots.

+When the database runs into transaction ID wraparound protection, check for any blockers as mentioned previously, and remove those manually for autovacuum to continue and complete. You can also increase the speed of autovacuum by setting `autovacuum_cost_delay` to 0 and increasing the `autovacuum_cost_limit` to a value much greater than 200. However, changes to these parameters will not be applied to existing autovacuum workers. Either restart the database or kill existing workers manually to apply parameter changes.

+### Table-specific requirementsΓÇ»

+Autovacuum parameters may be set for individual tables. It is especially important for small and big tables. For example, for a small table that contains only 100 rows, autovacuum triggers VACUUM operation when 70 rows change (as calculated previously). If this table is frequently updated, you might see hundreds of autovacuum operations a day. This will prevent autovacuum from maintaining other tables on which the percentage of changes aren't as big. Alternatively, a table containing a billion rows needs to change 200 million rows to trigger autovacuum operations. Setting autovacuum parameters appropriately prevents such scenarios.

+To set autovacuum setting per table, change the server parameters as the following examples:

+```postgresql

+ ALTER TABLE <table name> SET (autovacuum_analyze_scale_factor = xx);

+ ALTER TABLE <table name> SET (autovacuum_analyze_threshold = xx);

+ ALTER TABLE <table name> SET (autovacuum_vacuum_scale_factor =xx); 

+ ALTER TABLE <table name> SET (autovacuum_vacuum_threshold = xx); 

+ ALTER TABLE <table name> SET (autovacuum_vacuum_cost_delay = xx); 

+ ALTER TABLE <table name> SET (autovacuum_vacuum_cost_limit = xx); 

+```

+### Insert-only workloadsΓÇ»

+In versions of PostgreSQL prior to 13, autovacuum will not run on tables with an insert-only workload, because if there are no updates or deletes, there are no dead tuples and no free space that needs to be reclaimed. However, autoanalyze will run for insert-only workloads since there is new data. The disadvantages of this are:

+- The visibility map of the tables is not updated, and thus query performance, especially where there are Index Only Scans, starts to suffer over time.

+- The database can run into transaction ID wraparound protection.

+- Hint bits will not be set.

+#### SolutionsΓÇ»

+##### Postgres versions prior to 13 

+Using the **pg_cron** extension, a cron job can be set up to schedule a periodic vacuum analyze on the table. The frequency of the cron job depends on the workload.  

+For step-by-step guidance using pg_cron, review [Extensions](./concepts-extensions.md).

+##### Postgres 13 and higher versions

+Autovacuum will run on tables with an insert-only workload. Two new server parameters `autovacuum_vacuum_insert_threshold` and  `autovacuum_vacuum_insert_scale_factor` help control when autovacuum can be triggered on insert-only tables. 

+## Next steps

+- Troubleshoot high CPU utilization [High CPU Utilization](./how-to-high-cpu-utilization.md).

+- Troubleshoot high memory utilization [High Memory Utilization](./how-to-high-memory-utilization.md).

+- Configure server parameters [Server Parameters](./howto-configure-server-parameters-using-portal.md).

+ Title: High CPU Utilization

+description: Troubleshooting guide for high cpu utilization in Azure Database for PostgreSQL - Flexible Server

+# Troubleshoot high CPU utilization in Azure Database for PostgreSQL - Flexible Server

+This article shows you how to quickly identify the root cause of high CPU utilization, and possible remedial actions to control CPU utilization when using [Azure Database for PostgreSQL - Flexible Server](overview.md).

+In this article, you will learn:

+- About tools to identify high CPU utilization such as Azure Metrics, Query Store, and pg_stat_statements.

+- How to identify root causes, such as long running queries and total connections.

+- How to resolve high CPU utilization by using Explain Analyze, Connection Pooling, and Vacuuming tables.

+## Tools to identify high CPU utilization

+Consider these tools to identify high CPU utilization.

+### Azure Metrics

+Azure Metrics is a good starting point to check the CPU utilization for the definite date and period. Metrics give information about the time duration during which the CPU utilization is high. Compare the graphs of Write IOPs, Read IOPs, Read Throughput, and Write Throughput with CPU utilization to find out times when the workload caused high CPU. For proactive monitoring, you can configure alerts on the metrics. For step-by-step guidance, see [Azure Metrics](./howto-alert-on-metrics.md).

+### Query Store

+Query Store automatically captures the history of queries and runtime statistics, and it retains them for your review. It slices the data by time so that you can see temporal usage patterns. Data for all users, databases and queries is stored in a database named azure_sys in the Azure Database for PostgreSQL instance. For step-by-step guidance, see [Query Store](./concepts-query-store.md).

+### pg_stat_statements

+The pg_stat_statements extension helps identify queries that consume time on the server.

+#### Mean or average execution time

+##### [Postgres v13 & above](#tab/postgres-13)

+For Postgres versions 13 and above, use the following statement to view the top five SQL statements by mean or average execution time:

+```postgresql

+SELECT userid::regrole, dbid, query, mean_exec_time

+FROM pg_stat_statements

+ORDER BY mean_exec_time

+DESC LIMIT 5;

+```

+##### [Postgres v9.6-12 & above](#tab/postgres9-12)

+For Postgres versions 9.6, 10, 11, and 12, use the following statement to view the top five SQL statements by mean or average execution time:

+```postgresql

+SELECT userid::regrole, dbid, query

+FROM pg_stat_statements

+ORDER BY mean_time

+DESC LIMIT 5;

+```

+#### Total execution time

+Execute the following statements to view the top five SQL statements by total execution time.

+##### [Postgres v13 & above](#tab/postgres-13)

+For Postgres versions 13 and above, use the following statement to view the top five SQL statements by total execution time:

+```postgresql

+SELECT userid::regrole, dbid, query

+FROM pg_stat_statements

+ORDER BY total_exec_time

+DESC LIMIT 5;

+```

+##### [Postgres v9.6-12 & above](#tab/postgres9-12)

+For Postgres versions 9.6, 10, 11, and 12, use the following statement to view the top five SQL statements by total execution time:

+```postgresql

+SELECT userid: :regrole, dbid, query,

+FROM pg_stat_statements

+ORDER BY total_time

+DESC LIMIT 5;

+```

+## Identify root causes

+If CPU consumption levels are high in general, the following could be possible root causes:

+### Long-running transactions

+Long-running transactions can consume CPU resources that can lead to high CPU utilization.

+The following query helps identify connections running for the longest time:

+```postgresql

+SELECT pid, usename, datname, query, now() - xact_start as duration

+FROM pg_stat_activity

+WHERE pid <> pg_backend_pid() and state IN ('idle in transaction', 'active')

+ORDER BY duration DESC;

+```

+### Total number of connections and number connections by state

+A large number of connections to the database is also another issue that might lead to increased CPU as well as memory utilization.

+The following query gives information about the number of connections by state:

+```postgresql

+SELECT state, count(*)

+FROM pg_stat_activity

+WHERE pid <> pg_backend_pid()

+GROUP BY 1 ORDER BY 1;

+```

+

+## Resolve high CPU utilization

+Use Explain Analyze, PG Bouncer, connection pooling and terminate long running transactions to resolve high CPU utilization.

+### Using Explain Analyze

+Once you know the query that's running for a long time, use **EXPLAIN** to further investigate the query and tune it.

+For more information about the **EXPLAIN** command, review [Explain Plan](https://www.postgresql.org/docs/current/sql-explain.html).

+### PGBouncer and connection pooling

+In situations where there are lots of idle connections or lot of connections which are consuming the CPU consider use of a connection pooler like PgBouncer.

+For more details about PgBouncer, review:

+[Connection Pooler](https://techcommunity.microsoft.com/t5/azure-database-for-postgresql/not-all-postgres-connection-pooling-is-equal/ba-p/825717)

+[Best Practices](https://techcommunity.microsoft.com/t5/azure-database-for-postgresql/connection-handling-best-practice-with-postgresql/ba-p/790883)

+Azure Database for Flexible Server offers PgBouncer as a built-in connection pooling solution. For more information, see [PgBouncer](./concepts-pgbouncer.md)

+### Terminating long running transactions

+You could consider killing a long running transaction as an option.

+To terminate a session's PID, you will need to detect the PID using the following query:

+```postgresql

+SELECT pid, usename, datname, query, now() - xact_start as duration

+FROM pg_stat_activity

+WHERE pid <> pg_backend_pid() and state IN ('idle in transaction', 'active')

+ORDER BY duration DESC;

+```

+You can also filter by other properties like `usename` (username), `datname` (database name) etc.

+Once you have the session's PID you can terminate using the following query:

+```postgresql

+SELECT pg_terminate_backend(pid);

+```

+### Monitoring vacuum and table stats

+Keeping table statistics up to date helps improve query performance. Monitor whether regular autovacuuming is being carried out.

+The following query helps to identify the tables that need vacuuming:

+```postgresql

+select schemaname,relname,n_dead_tup,n_live_tup,last_vacuum,last_analyze,last_autovacuum,last_autoanalyze

+from pg_stat_all_tables where n_live_tup > 0;  

+```

+`last_autovacuum` and `last_autoanalyze` columns give the date and time when the table was last autovacuumed or analyzed. If the tables are not being vacuumed regularly, take steps to tune autovacuum. For more information about autovacuum troubleshooting and tuning, see [Autovacuum Troubleshooting](./how-to-autovacuum-tuning.md).

+A short-term solution would be to do a manual vacuum analyze of the tables where slow queries are seen:

+```postgresql

+vacuum analyze <table_name>;

+```

+## Next steps

+- Troubleshoot and tune Autovacuum [Autovacuum Tuning](./how-to-high-cpu-utilization.md).

+- Troubleshoot High Memory Utilization [High Memory Utilization](./how-to-high-memory-utilization.md).

+ Title: High Memory Utilization

+description: Troubleshooting guide for high memory utilization in Azure Database for PostgreSQL - Flexible Server

+# High memory utilization in Azure Database for PostgreSQL - Flexible Server

+This article introduces common scenarios and root causes that might lead to high memory utilization in [Azure Database for PostgreSQL - Flexible Server](overview.md).

+In this article, you will learn:

+- Tools to identify high memory utilization.

+- Reasons for high memory & remedial actions.

+## Tools to identify high memory utilization

+Consider the following tools to identify high memory utilization.

+### Azure Metrics

+Use Azure Metrics to monitor the percentage of memory in use for the definite date and time frame.

+For proactive monitoring, configure alerts on the metrics. For step-by-step guidance, see [Azure Metrics](./howto-alert-on-metrics.md).

+### Query Store

+Query Store automatically captures the history of queries and their runtime statistics, and it retains them for your review.

+Query Store can correlate wait event information with query run time statistics. Use Query Store to identify queries that have high memory consumption during the period of interest.

+For more information on setting up and using Query Store, review [Query Store](./concepts-query-store.md).

+## Reasons and remedial actions

+Consider the following reasons and remedial actions for resolving high memory utilization.

+### Server parameters

+The following server parameters impact memory consumption and should be reviewed:

+#### Work_Mem

+The `work_mem` parameter specifies the amount of memory to be used by internal sort operations and hash tables before writing to temporary disk files. It isn't on a per-query basis rather, it's set based on the number of sort and hash operations.

+If the workload has many short-running queries with simple joins and minimal sort operations, it's advised to keep lower `work_mem`. If there are a few active queries with complex joins and sorts, then it's advised to set a higher value for work_mem.

+It is tough to get the value of `work_mem` right. If you notice high memory utilization or out-of-memory issues, consider decreasing `work_mem`.

+A safer setting for `work_mem` is `work_mem = Total RAM / Max_Connections / 16 `

+The default value of `work_mem` = 4 MB. You can set the `work_mem` value on multiple levels including at the server level via the parameters page in the Azure portal.

+A good strategy is to monitor memory consumption during peak times.

+If disk sorts are happening during this time and there is plenty of unused memory, increase `work_mem` gradually until you're able to reach a good balance between available and used memory

+Similarly, if the memory use looks high, reduce `work_mem`.

+#### Maintenance_Work_Mem

+`maintenance_work_mem` is for maintenance tasks like vacuuming, adding indexes or foreign keys. The usage of memory in this scenario is per session.

+For example, consider a scenario where there are three autovacuum workers running.

+If `maintenance_work_mem` is set to 1 GB, then all sessions combined will use 3 GB of memory.

+A high `maintenance_work_mem` value along with multiple running sessions for vacuuming/index creation/adding foreign keys can cause high memory utilization. The maximum allowed value for the `maintenance_work_mem` server parameter in Azure Database for Flexible Server is 2 GB.

+#### Shared buffers

+The `shared_buffers` parameter determines how much memory is dedicated to the server for caching data. The objective of shared buffers is to reduce DISK I/O.

+A reasonable setting for shared buffers is 25% of RAM. Setting a value of greater than 40% of RAM is not recommended for most common workloads.

+### Max connections

+All new and idle connections on a Postgres database consume up to 2 MB of memory. One way to monitor connections is by using the following query:

+```postgresql

+select count(*) from pg_stat_activity;

+```

+When the number of connections to a database is high, memory consumption also increases.

+In situations where there are a lot of database connections, consider using a connection pooler like PgBouncer.

+For more details on PgBouncer, review:

+[Connection Pooler](https://techcommunity.microsoft.com/t5/azure-database-for-postgresql/not-all-postgres-connection-pooling-is-equal/ba-p/825717).

+[Best Practices](https://techcommunity.microsoft.com/t5/azure-database-for-postgresql/connection-handling-best-practice-with-postgresql/ba-p/790883).

+Azure Database for Flexible Server offers PgBouncer as a built-in connection pooling solution. For more information, see [PgBouncer](./concepts-pgbouncer.md).

+### Explain Analyze

+Once high memory-consuming queries have been identified from Query Store, use **EXPLAIN** and **EXPLAIN ANALYZE** to investigate further and tune them.

+For more information on the **EXPLAIN** command, review [Explain Plan](https://www.postgresql.org/docs/current/sql-explain.html).

+## Next steps

+- Troubleshoot and tune Autovacuum [Autovacuum Tuning](./how-to-high-cpu-utilization.md).

+- Troubleshoot High CPU Utilization [High CPU Utilization](./how-to-high-cpu-utilization.md).

+- Configure server parameters [Server Parameters](./howto-configure-server-parameters-using-portal.md).

+ Title: Server group upgrades - Hyperscale (Citus) - Azure Database for PostgreSQL

+description: Types of upgrades, and their precautions

+# Hyperscale (Citus) server group upgrades

+The Hyperscale (Citus) managed service can handle upgrades of both the

+PostgreSQL server, and the Citus extension. You can choose these versions

+mostly independently of one another, except Citus 11 requires PostgreSQL 13 or

+higher.

+## Upgrade precautions

+Upgrading a major version of Citus can introduce changes in behavior.

+It's best to familiarize yourself with new product features and changes

+to avoid surprises.

+Noteworthy Citus 11 changes:

+* Table shards may disappear in your SQL client. Their visibility

+ is now controlled by

+ [citus.show_shards_for_app_name_prefixes](reference-parameters.md#citusshow_shards_for_app_name_prefixes-text).

+* There are several [deprecated

+ features](https://www.citusdata.com/updates/v11-0/#deprecated-features).

+## Next steps

+> [!div class="nextstepaction"]

+> [How to perform upgrades](howto-upgrade.md)

+### Types and Functions

+Creating custom SQL types and user-defined functions propogates to worker

+nodes. However, creating such database objects in a transaction with

+distributed operations involves tradeoffs.

+Hyperscale (Citus) parallelizes operations such as `create_distributed_table()`

+across shards using multiple connections per worker. Whereas, when creating a

+database object, Citus propagates it to worker nodes using a single connection

+per worker. Combining the two operations in a single transaction may cause

+issues, because the parallel connections will not be able to see the object

+that was created over a single connection but not yet committed.

+Consider a transaction block that creates a type, a table, loads data, and

+distributes the table:

+```postgresql

+BEGIN;

+-- type creation over a single connection:

+CREATE TYPE coordinates AS (x int, y int);

+CREATE TABLE positions (object_id text primary key, position coordinates);

+-- data loading thus goes over a single connection:

+SELECT create_distributed_table(ΓÇÿpositionsΓÇÖ, ΓÇÿobject_idΓÇÖ);

+\COPY positions FROM ΓÇÿpositions.csvΓÇÖ

+COMMIT;

+```

+Prior to Citus 11.0, Citus would defer creating the type on the worker nodes,

+and commit it separately when creating the distributed table. This enabled the

+data copying in `create_distributed_table()` to happen in parallel. However, it

+also meant that the type was not always present on the Citus worker nodes ΓÇô or

+if the transaction rolled back, the type would remain on the worker nodes.

+With Citus 11.0, the default behaviour changes to prioritize schema consistency

+between coordinator and worker nodes. The new behavior has a downside: if

+object propagation happens after a parallel command in the same transaction,

+then the transaction can no longer be completed, as highlighted by the ERROR in

+the code block below:

+```postgresql

+BEGIN;

+CREATE TABLE items (key text, value text);

+-- parallel data loading:

+SELECT create_distributed_table(ΓÇÿitemsΓÇÖ, ΓÇÿkeyΓÇÖ);

+\COPY items FROM ΓÇÿitems.csvΓÇÖ

+CREATE TYPE coordinates AS (x int, y int);

+ERROR: cannot run type command because there was a parallel operation on a distributed table in the transaction

+```

+If you run into this issue, there are two simple workarounds:

+1. Use set `citus.create_object_propagation` to `automatic` to defer creation

+ of the type in this situation, in which case there may be some inconsistency

+ between which database objects exist on different nodes.

+1. Use set `citus.multi_shard_modify_mode` to `sequential` to disable per-node

+ parallelism. Data load in the same transaction might be slower.

+## Next steps

+> [!div class="nextstepaction"]

+> [Useful diagnostic queries](howto-useful-diagnostic-queries.md)

+Citus version before you upgrade your production environment. Also, please see

+our list of [upgrade precautions](concepts-upgrade.md).

+* Learn more about [upgrades](concepts-upgrade.md)

+> | [citus](https://github.com/citusdata/citus) | Citus distributed database. | 9.5.11 | 10.0.7 | 10.2.6 | 11.0.4 |

+> | [tdigest](https://github.com/tvondra/tdigest) | Data type for on-line accumulation of rank-based statistics such as quantiles and trimmed means. | 1.2.0 | 1.2.0 | 1.2.0 | 1.4.0 |

+> | [pg\_partman](https://pgxn.org/dist/pg_partman/doc/pg_partman.html) | Manages partitioned tables by time or ID. | 4.6.0 | 4.6.0 | 4.6.0 | 4.6.2 |

+| [citus.create_object_propagation](reference-parameters.md#cituscreate_object_propagation-enum) | Behavior of CREATE statements in transactions for supported objects |

+| [citus.use_citus_managed_tables](reference-parameters.md#citususe_citus_managed_tables-boolean) | Allow local tables to be accessed in worker node queries |

+| [citus.show_shards_for_app_name_prefixes](reference-parameters.md#citusshow_shards_for_app_name_prefixes-text) | Allows shards to be displayed for selected clients that want to see them |

+| [citus.override_table_visibility](reference-parameters.md#citusoverride_table_visibility-boolean) | Enable/disable shard hiding |

+#### citus.show\_shards\_for\_app\_name\_prefixes (text)

+By default, Citus hides shards from the list of tables PostgreSQL gives to SQL

+clients. It does this because there are multiple shards per distributed table,

+and the shards can be distracting to the SQL client.

+The `citus.show_shards_for_app_name_prefixes` GUC allows shards to be displayed

+for selected clients that want to see them. Its default value is ''.

+```postgresql

+-- show shards to psql only (hide in other clients, like pgAdmin)

+SET citus.show_shards_for_app_name_prefixes TO 'psql';

+-- also accepts a comma separated list

+SET citus.show_shards_for_app_name_prefixes TO 'psql,pg_dump';

+```

+Shard hiding can be disabled entirely using

+[citus.override_table_visibility](#citusoverride_table_visibility-boolean).

+#### citus.override\_table\_visibility (boolean)

+Determines whether

+[citus.show_shards_for_app_name_prefixes](#citusshow_shards_for_app_name_prefixes-text)

+is active. The default value is 'true'. When set to 'false', shards are visible

+to all client applications.

+#### citus.use\_citus\_managed\_tables (boolean)

+Allow new [local tables](concepts-nodes.md#type-3-local-tables) to be accessed

+by queries on worker nodes. Adds all newly created tables to Citus metadata

+when enabled. The default value is 'false'.

+##### citus.create\_object\_propagation (enum)

+Controls the behavior of CREATE statements in transactions for supported

+objects.

+When objects are created in a multi-statement transaction block, Citus switches

+sequential mode to ensure created objects are visible to later statements on

+shards. However, the switch to sequential mode is not always desirable. By

+overriding this behavior, the user can trade off performance for full

+transactional consistency in the creation of new objects.

+The default value for this parameter is 'immediate'.

+The supported values are:

+* **immediate:** raises error in transactions where parallel operations like

+ create\_distributed\_table happen before an attempted CREATE TYPE.

+* **automatic:** defer creation of types when sharing a transaction with a

+ parallel operation on distributed tables. There may be some inconsistency

+ between which database objects exist on different nodes.

+* **deferred:** return to pre-11.0 behavior, which is like automatic but with

+ other subtle corner cases. We recommend the automatic setting over deferred,

+ unless you require true backward compatibility.

+For an example of this GUC in action, see [type

+propagation](howto-modify-distributed-tables.md#types-and-functions).

+1. In the **Function module** box, enter **Z_MITI_DOWNLOAD** in case of SAP ECC or S/4HANA and **Z_MITI_BW_DOWNLOAD** in case of SAP BW. Enter a description in the **Short Text** box.

+1. Open the **Z_MITI_DOWNLOAD** or **Z_MITI_BW_DOWNLOAD** function module you created.

+1. Go to your Microsoft Purview account -> open **Microsoft Purview governance portal** -> **Data map** -> **Monitoring**. You need to have **Data source admin** role on any collection to access this page. And you will see the scan runs that belong to the collections on which you have data source admin privilege.

+The supported SAP BW versions are 7.3 to 7.5. SAP BW/4HANA isn't supported.

+Learn about the latest updates to Azure Cognitive Search. The following links supplement this article:

+* [**Previous versions**](/previous-versions/azure/search/) is an archive of feature announcements from 2019 and 2020.

+* [**Preview features**](search-api-preview.md) are announced here in "What's New", mixed in with announcements about general availability or feature retirement. If you need to quickly determine the status of a particular feature, visit the preview features page to see if it's listed.

+> In some cases, the provider will only advertise a URL called a Discovery Endpoint. You can use the [cURL](https://en.wikipedia.org/wiki/CURL) utility to browse the discovery endpoint and request the API Root.

+- [Sync user entities from your on-premises Active Directory with Microsoft Sentinel](#sync-user-entities-from-your-on-premises-active-directory-with-microsoft-sentinel)

+### Sync user entities from your on-premises Active Directory with Microsoft Sentinel

+Until now, you've been able to bring your user account entities from your Azure Active Directory (Azure AD) into the IdentityInfo table in Microsoft Sentinel, so that User and Entity Behavior Analytics (UEBA) can use that information to provide context and give insight into user activities, to enrich your investigations.

+Now you can do the same with your on-premises (non-Azure) Active Directory as well.

+If you have Microsoft Defender for Identity, [enable and configure User and Entity Behavior Analytics (UEBA)](enable-entity-behavior-analytics.md#how-to-enable-user-and-entity-behavior-analytics) to collect and sync your Active Directory user account information into Microsoft Sentinel's IdentityInfo table, so you can get the same insight value from your on-premises users as you do from your cloud users.

+Learn more about the [requirements for using Microsoft Defender for Identity](/defender-for-identity/prerequisites) this way.

+2. **Follow this procedure only if certificates have already expired.** Login to configuration server, navigate to *C:\ProgramData\ASR\home\svsystems\bin* and execute **RenewCerts** executor tool as administrator.

+Azure Static Web Apps publishes websites to production by building apps from a code repository.

+In this quickstart, you deploy a web application to Azure Static Web apps using the Azure CLI.

+- [Azure](https://portal.azure.com) account.

+ - If you don't have an Azure subscription, you can [create a free trial account](https://azure.microsoft.com/free).

+## Deploy a static web app

+Now that the repository is generated from the template, you can deploy the app as a static web app from the Azure CLI.

+ Before you execute the following command, replace the placeholder `<YOUR_GITHUB_USER_NAME>` with your GitHub user name.

+1. Deploy a new static web app from your repository.

+ As you execute this command, the CLI starts the GitHub interactive log in experience. Look for a line in your console that resembles the following message.

+There are two aspects to deploying a static app. The first operation creates the underlying Azure resources that make up your app. The second is a workflow that builds and publishes your application.

+1. Copy the **repository URL** and paste it into your browser.

+ Copy the URL into your browser to navigate to your website.

+ Title: Tutorial - Create an NFS Azure file share and mount it on a Linux VM using the Azure portal

+# Tutorial: Create an NFS Azure file share and mount it on a Linux VM using the Azure portal

+1. Leave replication set to its default value of *Locally redundant storage (LRS)*.

+1. Select **+ Create** and then **+ Azure virtual machine**.

+1. In the **Basics** tab, under **Project details**, make sure the correct subscription and resource group are selected. Under **Instance details**, type *myVM* for the **Virtual machine name**, and select the same region as your storage account. Choose the default Ubuntu Server version for your **Image**. Leave the other defaults. The default size and pricing is only shown as an example. Size availability and pricing are dependent on your region and subscription.

+1. Under **Inbound port rules > Public inbound ports**, choose **Allow selected ports** and then select **SSH (22)** and **HTTP (80)** from the drop-down.

+1. When the **Generate new key pair** window opens, select **Download private key and create resource**. Your key file will be download as **myVM_key.pem**. Make sure you know where the .pem file was downloaded, because you'll need the path to it to connect to your VM.

+1. Leave **Subscription** and **Resource group** the same. Under **Instance**, provide a name and select a region for the new private endpoint. Your private endpoint must be in the same region as your virtual network, so use the same region as you specified when creating the VM. When all the fields are complete, select **Next: Resource**.

+1. Under **Networking**, select the virtual network associated with your VM and leave the default subnet. Under **Private IP configuration**, leave **Dynamically allocate IP address** selected. Select **Next: DNS**.

+ :::image type="content" source="media/storage-files-quick-create-use-linux/private-endpoint-virtual-network.png" alt-text="Screenshot showing how to add virtual networking and private IP configuration to a new private endpoint." lightbox="media/storage-files-quick-create-use-linux/private-endpoint-virtual-network.png" border="true":::

+1. Select **Yes** for **Integrate with private DNS zone**. Make sure the correct subscription and resource group are selected, and then select **Next: Tags**.

+ :::image type="content" source="media/storage-files-quick-create-use-linux/private-endpoint-dns.png" alt-text="Screenshot showing how to integrate your private endpoint with a private DNS zone." lightbox="media/storage-files-quick-create-use-linux/private-endpoint-dns.png" border="true":::

+>[!NOTE]

+> Result set caching should not be used in conjunction with [DECRYPTBYKEY](/sql/t-sql/functions/decryptbykey-transact-sql). If this cryptographic function must be used, ensure you have result set caching disabled (either at [session-level](/sql/t-sql/statements/set-result-set-caching-transact-sql) or [database-level](/sql/t-sql/statements/alter-database-transact-sql-set-options)) at the time of execution.

+4. Select the application with the name matching **[Storage Account] $storageAccountName.file.core.windows.net**.

+## Restart a host (Preview)

+You can restart the entire host, meaning that the host's not **completely** powered off. Because the host will be restarted, the underlying VMs will also be restarted. The host will remain on the same underlying physical hardware as it restarts and both the host ID and asset ID will remain the same after the restart. The host SKU will also remain the same after the restart.

+Note: Host restart is in preview.

+### [Portal](#tab/portal)

+1. Search for and select the host.

+1. In the top menu bar, select the **Restart** button. Note, this feature is in Preview.

+1. In the **Essentials** section of the Host Resource Pane, Host Status will switch to **Host undergoing restart** during the restart.

+1. Once the restart has completed, the Host Status will return to **Host available**.

+### [CLI](#tab/cli)

+Restart the host using [az vm host restart](/cli/azure/vm#az-vm-host-restart) (Preview).

+```azurecli-interactive

+az vm host restart --resource-group myResourceGroup --host-group myHostGroup --name myDedicatedHost

+```

+To view the status of the restart, you can use the [az vm host get-instance-view](/cli/azure/vm#az-vm-host-get-instance-view) command. The **displayStatus** will be set to **Host undergoing restart** during the restart. Once the restart has completed, the displayStatus will return to **Host available**.

+```azurecli-interactive

+az vm host get-instance-view --resource-group myResourceGroup --host-group myHostGroup --name myDedicatedHost

+```

+### [PowerShell](#tab/powershell)

+Restart the host using the [Restart-AzHost](/powershell/module/az.compute/restart-azhost) (Preview) command.

+```azurepowershell-interactive

+Restart-AzHost -ResourceGroupName myResourceGroup -HostGroupName myHostGroup -Name myDedicatedHost

+```

+To view the status of the restart, you can use the [Get-AzHost](/powershell/module/az.compute/get-azhost) commandlet using the **InstanceView** parameter. The **displayStatus** will be set to **Host undergoing restart** during the restart. Once the restart has completed, the displayStatus will return to **Host available**.

+```azurepowershell-interactive

+$hostRestartStatus = Get-AzHost -ResourceGroupName myResourceGroup -HostGroupName myHostGroup -Name myDedicatedHost -InstanceView;

+$hostRestartStatus.InstanceView.Statuses[1].DisplayStatus;

+```

+> [!IMPORTANT]

+> Premium SSD v2 managed disks can only be deployed and managed in the Azure portal from the following link: [https://portal.azure.com/?feature.premiumv2=true#home](https://portal.azure.com/?feature.premiumv2=true#home).

+1. Sign in to the Azure portal with the following link: [https://portal.azure.com/?feature.premiumv2=true#home](https://portal.azure.com/?feature.premiumv2=true#home).

+> [!IMPORTANT]

+> Premium SSD v2 managed disks can only be deployed and managed in the Azure portal from the following link: [https://portal.azure.com/?feature.premiumv2=true#home](https://portal.azure.com/?feature.premiumv2=true#home).

+1. Sign in to the Azure portal with the following link: [https://portal.azure.com/?feature.premiumv2=true#home](https://portal.azure.com/?feature.premiumv2=true#home).

+Premium SSD v2 capacities range from 1 GiB to 64 TiBs, in 1-GiB increments. You're billed on a per GiB ratio, see the [pricing page](https://azure.microsoft.com/pricing/details/managed-disks/) for details.

+Premium SSD v2 offers up to 32 TiBs per region per subscription by default in the public preview, but supports higher capacity by request. To request an increase in capacity, request a quota increase or contact Azure Support.

+All Premium SSD v2 disks have a baseline IOPS of 3000 that is free of charge. After 6 GiB, the maximum IOPS a disk can have increases at a rate of 500 per GiB, up to 80,000 IOPS. So an 8 GiB disk can have up to 4,000 IOPS, and a 10 GiB can have up to 5,000 IOPS. To be able to set 80,000 IOPS on a disk, that disk must have at least 160 GiBs. Increasing your IOPS beyond 3000 increases the price of your disk.

+|1 GiB-64 TiBs |3,000-80,000 (Increases by 500 IOPS per GiB) |125-1,200 (increases by 0.25 MB/s per set IOPS) |

+### Enable auto update

+The **recommendation** is to enable automatic update of the agent by enabling the [Automatic Extension Upgrade](../../virtual-machines/automatic-extension-upgrade.md) feature, using the following PowerShell commands.

+# [Azure CLI](#tab/azcli)

+```powershell

+az vm extension set --publisher Microsoft.Azure.Diagnostics --name LinuxDiagnostic --version 4.0 --resource-group <resource_group_name> --vm-name <vm_name> --protected-settings ProtectedSettings.json --settings PublicSettings.json --enable-auto-upgrade true

+```

+# [Powershell](#tab/powershell)

+```powershellSet-AzVMExtension -ResourceGroupName <resource_group_name> -VMName <vm_name> -Location <vm_location> -ExtensionType LinuxDiagnostic -Publisher Microsoft.Azure.Diagnostics -Name LinuxDiagnostic -SettingString $publicSettings -ProtectedSettingString $protectedSettings -TypeHandlerVersion 4.0 -EnableAutomaticUpgrade $true

+```

+## How sharing with direct shared gallery works

+> [!NOTE]

+> **Known issue**: In the Azure portal, If you get an error "Failed to update Azure compute gallery", please verify if you have owner (or) compute gallery sharing admin permission on the gallery.

+>

+Oracle Real Application Cluster (RAC) is a solution by Oracle to help customers achieve high throughputs by having many instances accessing one database storage (Shared-all architecture pattern). While Oracle RAC can also be used for high availability on-premises, Oracle RAC alone cannot be used for high availability in the cloud as it only protects against instance level failures and not against Rack-level or Data center-level failures. For this reason, Oracle recommends using Oracle Data Guard with your database (whether single instance or RAC) for high availability. Customers generally require a high SLA for running their mission critical applications. Oracle RAC is currently not certified or supported by Oracle on Azure. However, Azure offers features such as Availability Zones and planned maintenance windows to help protect against instance-level failures. In addition to this, customers can use technologies such as Oracle Data Guard, Oracle GoldenGate and Oracle Sharding for high performance and resiliency by protecting their databases from rack-level as well as datacenter-level and geo-political failures.

+Oracle Data Guard Far Sync provides zero data loss protection capability for Oracle Databases. This capability allows you to protect against data loss if your database machine fails. Oracle Data Guard Far Sync needs to be installed on a separate VM. Far Sync is a lightweight Oracle instance that only has a control file, password file, spfile, and standby logs. There are no data files or redo log files.

+## Scenario: add static routes to virtual network hub connection

+In the following steps, you will add a static route to the virtual hub default route table and virtual network connection to point to a next hop ip address (i.e NVA appliance).

+- Replace the example values to reflect your own environment.

+1. Make sure you are in the context of your parent account by running the following command:

+ ```azurepowershell-interactive

+Select-AzSubscription -SubscriptionId "[parent ID]"

+```

+2. Add route in the Virtual hub default route table without a specific ip address and next hop as the virtual hub connection by:

+ 2.1 get the connection details:

+ ```azurepowershell-interactive

+ $hubVnetConnection = Get-AzVirtualHubVnetConnection -Name "[HubconnectionName]" -ParentResourceName "[Hub Name]" -ResourceGroupName "[resource group name]"

+ ```

+ 2.2 add a static route to the virtual hub route table (next hop is hub vnet connection):

+ ```azurepowershell-interactive

+ $Route2 = New-AzVHubRoute -Name "[Route Name]" -Destination ΓÇ£[@("Destination prefix")]ΓÇ¥ -DestinationType "CIDR" -NextHop $hubVnetConnection.Id -NextHopType "ResourceId"

+ ```

+ 2.3 update the current hub default route table:

+ ```azurepowershell-interactive

+ Update-AzVHubRouteTable -ResourceGroupName "[resource group name]"-VirtualHubName [ΓÇ£Hub NameΓÇ¥] -Name "defaultRouteTable" -Route @($Route2)

+ ```

+ ## Customize static routes to specify next hop as an IP address for the virtual hub connection.

+ 2.4 update the route in the vnethub connection:

+ ```azurepowershell-interactive

+ $newroute = New-AzStaticRoute -Name "[Route Name]" -AddressPrefix "[@("Destination prefix")]" -NextHopIpAddress "[Destination NVA IP address]"

+ $newroutingconfig = New-AzRoutingConfiguration -AssociatedRouteTable $hubVnetConnection.RoutingConfiguration.AssociatedRouteTable.id -Id $hubVnetConnection.RoutingConfiguration.PropagatedRouteTables.Ids[0].id -Label @("default") -StaticRoute @($newroute)

+ Update-AzVirtualHubVnetConnection -ResourceGroupName $rgname -VirtualHubName "[Hub Name]" -Name "[Virtual hub connection name]" -RoutingConfiguration $newroutingconfig

+ ```

+ 2.5 verify static route is established to a next hop IP address:

+ ```azurepowershell-interactive

+ Get-AzVirtualHubVnetConnection -ResourceGroupName "[Resource group]" -VirtualHubName "[virtual hub name]" -Name "[Virtual hub connection name]"

+ ```

+>[!NOTE]

+>- In step 2.2 and 2.4 the route name should be same otherwise it will create two routes one without ip address one with ip address in the routing table.

+>- If you run 2.5 it will remove the previous manual config route in your routing table.

+>- Make sure you have access and are authorized to the remote subscription as well when running the above.

+>- Destination prefix can be one CIDR or multiple ones

+>- Please use this format @("10.19.2.0/24") or @("10.19.2.0/24", "10.40.0.0/16") for multiple CIDR

+>

+This article helps you securely connect individual clients running Windows, Linux, or macOS to an Azure VNet. point-to-site VPN connections are useful when you want to connect to your VNet from a remote location, such as when you're telecommuting from home or a conference. You can also use P2S instead of a Site-to-Site VPN when you have only a few clients that need to connect to a VNet. point-to-site connections don't require a VPN device or a public-facing IP address. P2S creates the VPN connection over either SSTP (Secure Socket Tunneling Protocol), or IKEv2. For more information about point-to-site VPN, see [About point-to-site VPN](point-to-site-about.md).

+* RequestBodyJSONArgNames