-1. The provisioning service is yet to update the provisioning logs with the bulk request processing details.

-| [Registration campaign](how-to-mfa-registration-campaign.md) | Beginning in July, 2023, enabled for SMS and voice call users with free and trial subscriptions. |

-As threat vectors change, Azure AD may announce default protection for a **Microsoft managed** setting in [release notes](../fundamentals/whats-new.md) and on commonly read forums like [Tech Community](https://techcommunity.microsoft.com/). For example, see our blog post [It's Time to Hang Up on Phone Transports for Authentication](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/it-s-time-to-hang-up-on-phone-transports-for-authentication/ba-p/1751752) for more information about the need to move away from using SMS and voice calls, which led to default enablement for the registration campaign to help users to set up Authenticator for modern authentication.

-To manage authentication methods for self-service password reset (SSPR), click **Password reset** > **Authentication methods**. The **Mobile phone** option in this policy allows either voice calls or SMS to be sent to a mobile phone. The **Office phone** option allows only voice calls.

-For users who are enabled for **Mobile phone** for SSPR, the independent control between policies can impact sign-in behavior. Where the other policies have separate options for SMS and voice calls, the **Mobile phone** for SSPR enables both options. As a result, anyone who uses **Mobile phone** for SSPR can also use voice calls for password reset, even if the other policies don't allow voice calls.

-Azure AD Multi-Factor Authentication (MFA) adds additional security over only using a password when a user signs in. The user can be prompted for additional forms of authentication, such as to respond to a push notification, enter a code from a software or hardware token, or respond to an SMS or phone call.

-Microsoft recommends users move away from using SMS or voice calls for multifactor authentication (MFA). Modern authentication methods like [Microsoft Authenticator](concept-authentication-authenticator-app.md) are a recommended alternative. For more information, see [It's Time to Hang Up on Phone Transports for Authentication](https://aka.ms/hangup). Users can still verify themselves using a mobile phone or office phone as secondary form of authentication used for multifactor authentication (MFA) or self-service password reset (SSPR).

-You can [configure and enable users for SMS-based authentication](howto-authentication-sms-signin.md) for direct authentication using text message. SMS-based sign-in is convenient for Frontline workers. With SMS-based sign-in, users don't need to know a username and password to access applications and services. The user instead enters their registered mobile phone number, receives a text message with a verification code, and enters that in the sign-in interface.

-For Azure AD Multi-Factor Authentication or SSPR, users can choose to receive an SMS message with a verification code to enter in the sign-in interface, or receive a phone call.

-Microsoft doesn't guarantee consistent SMS or voice-based Azure AD Multi-Factor Authentication prompt delivery by the same number. In the interest of our users, we may add or remove short codes at any time as we make route adjustments to improve SMS deliverability. Microsoft doesn't support short codes for countries/regions besides the United States and Canada.

-> Starting July 2023, we will apply delivery method optimizations such that tenants with a free or trial subscription may receive an SMS message or voice call.

-### SMS message verification

-With SMS message verification during SSPR or Azure AD Multi-Factor Authentication, a Short Message Service (SMS) text is sent to the mobile phone number containing a verification code. To complete the sign-in process, the verification code provided is entered into the sign-in interface.

-Android users can enable Rich Communication Services (RCS) on their devices. RCS offers encryption and other improvements over SMS. For Android, MFA text messages may be sent over RCS rather than SMS. The MFA text message is similar to SMS, but RCS messages have more Microsoft branding and a verified checkmark so users know they can trust the message.

-* ΓÇ£You've hit our limit on verification callsΓÇ¥ or ΓÇ£YouΓÇÖve hit our limit on text verification codesΓÇ¥ error messages during sign-in

- * Microsoft may limit or block voice or SMS authentication attempts that are performed by the same user, phone number, or organization due to high number of voice or SMS authentication attempts. If you are experiencing this error, you can try another method, such as Authenticator App or verification code, or reach out to your admin for support.

-* SMS is not subscribed on the device.

- * Have the user change methods or activate SMS on the device.

-* Faulty telecom providers such as no phone input detected, missing DTMF tones issues, blocked caller ID on multiple devices, or blocked SMS across multiple devices.

- * Microsoft uses multiple telecom providers to route phone calls and SMS messages for authentication. If you see any of the above issues, have a user attempt to use the method at least five times within 5 minutes and have that user's information available when contacting Microsoft support.

- * Or, use SMS authentication instead of phone (voice) authentication.

-Authentication strength is a Conditional Access control that allows administrators to specify which combination of authentication methods can be used to access a resource. For example, they can make only phishing-resistant authentication methods available to access a sensitive resource. But to access a nonsensitive resource, they can allow less secure multifactor authentication (MFA) combinations, such as password + SMS.

-¹ Something you have refers to one of the following methods: SMS, voice, push notification, software OATH token and Hardware OATH token.

-The authentication strength Conditional Access policy defines which methods can be used. Azure AD checks the policy during sign-in to determine the userΓÇÖs access to the resource. For example, an administrator configures a Conditional Access policy with a custom authentication strength that requires FIDO2 Security Key or Password + SMS. The user accesses a resource protected by this policy. During sign-in, all settings are checked to determine which methods are allowed, which methods are registered, and which methods are required by the Conditional Access policy. To be used, a method must be allowed, registered by the user (either before or as part of the access request), and satisfy the authentication strength.

-When a user accesses a resource protected by an authentication strength Conditional Access policy, Azure AD evaluates if the methods they have previously used satisfy the authentication strength. If a satisfactory method was used, Azure AD grants access to the resource. For example, let's say a user signs in with password + SMS. They access a resource protected by MFA authentication strength. In this case, the user can access the resource without another authentication prompt.

-|SMS as second factor | ✅ | ✅ |

- 1. Admin adds Phone Number to user account and allows Voice/SMS method for user.

- 1. Admin adds Phone Number to user account and allows Voice/SMS method for user.

- 1. Admin adds Phone Number to user account and allows Voice/SMS method for user

-| SMS as a second factor | | ΓùÅ | ΓùÅ | ΓùÅ | ΓùÅ |

-| Authenticate by phone call or SMS | ΓùÅ | ΓùÅ | ΓùÅ |

-IRSF is a type of telephony fraud where criminals exploit the billing system of telecommunication services providers to make profit for themselves. Bad actors gain unauthorized access to a telecommunication network and divert traffic to those networks to skim profit for every transaction that is sent to that network. To divert traffic, bad actors steal existing usernames and passwords, create new usernames and passwords, or try a host of other things to send SMS messages and voice calls through their telecommunication network. Bad actors take advantage of multifactor authentication screens, which require an SMS or voice call before a user can access their account. This activity causes exorbitant charges and makes services unreliable for our customers, causing downtime, and system errors.

-1. A bad actor uses automated scripts to request voice calls or SMS messages. The bad actor is colluding with number providers and the telecommunication network to drive more traffic to those services. The bad actor skims some of the profits of the increased traffic.

-For Voice verification, the following region codes require an opt-in.

- 1. Authenticator app is now successfully set up as the userΓÇÖs default sign-in method.

-1. Sign in to Graph Explorer and ensure youΓÇÖve consented to the **Policy.Read.All** and **Policy.ReadWrite.AuthenticationMethod** permissions.

-> When Azure AD Multi-Factor Authentication calls are placed through the public telephone network, sometimes the calls are routed through a carrier that doesn't support caller ID. Because of this, caller ID isn't guaranteed, even though Azure AD Multi-Factor Authentication always sends it. This applies both to phone calls and text messages provided by Azure AD Multi-Factor Authentication. If you need to validate that a text message is from Azure AD Multi-Factor Authentication, see [What SMS short codes are used for sending messages?](multi-factor-authentication-faq.yml#what-sms-short-codes-are-used-for-sending-sms-messages-to-my-users-).

-> When Azure AD Multi-Factor Authentication calls are placed through the public telephone network, sometimes the calls are routed through a carrier that doesn't support caller ID. Because of this, caller ID isn't guaranteed, even though Azure AD Multi-Factor Authentication always sends it. This applies both to phone calls and text messages provided by Azure AD Multi-Factor Authentication. If you need to validate that a text message is from Azure AD Multi-Factor Authentication, see [What SMS short codes are used for sending messages?](multi-factor-authentication-faq.yml#what-sms-short-codes-are-used-for-sending-sms-messages-to-my-users-).

-1. Navigate to the [Microsoft Entra admin center](https://entra.microsoft.com/#home).

-1. Navigate to the Microsoft [Entra admin center](https://entra.microsoft.com/#home).

-1. Go to **Enter Your AWS Account IDs**, and then select **Add** (the plus **+** sign).

-1. Go to **Azure subscription IDs**, and then select **Edit** (the pencil icon).

-1. Go to **Enter your Azure Subscription IDs**, and then select **Add subscription** (the plus **+** sign).

-> A *global administrator* or *super admin* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable Microsoft Entra Permissions Management on your Azure Active Directory tenant](onboard-enable-tenant.md).

- > Perform the next 6 steps for each account ID you add.

-> A *global administrator* or *root user* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable Permissions Management on your Azure Active Directory tenant](onboard-enable-tenant.md).

-To add Permissions Management to your Azure AD tenant:

-This option allows subscriptions to be automatically detected and monitored without further work required. A key benefit of automatic management is that any current or future subscriptions found will be onboarded automatically. The steps to detect a list of subscriptions and onboard for collection are as follows:

-1. Navigate to data collectors tab

-1. Ensure 'Azure' is selected

-1. Click ΓÇÿCreate ConfigurationΓÇÖ

-1. For onboarding mode, select ΓÇÿAutomatically ManageΓÇÖ

- > The steps listed on the screen outline how to create the role assignment for the Cloud Infrastructure Entitlements Management application. This can be performed manually in the Entra console, or programmatically with PowerShell or the Azure CLI.

-1. Collectors will now be listed and change through status types. For each collector listed with a status of ΓÇ£Collected InventoryΓÇ¥, click on that status to view further information.

-1. You can then view subscriptions on the In Progress page

-You have the ability to specify only certain subscriptions to manage and monitor with MEPM (up to 100 per collector). Follow the steps below to configure these subscriptions to be monitored:

-1. Navigate to data collectors tab

-1. Navigate to data collectors tab.

-1. View subscriptions on the In Progress page

-1. In the EPM portal, click the cog on the top right-hand side.

-1. Navigate to data collectors tab

-1. Ensure 'Azure' is selected

-1. Click ΓÇÿCreate ConfigurationΓÇÖ

-1. For onboarding mode, select ΓÇÿAutomatically ManageΓÇÖ

-1. Navigate to newly create Data Collector row under Azure data collectors.

-1. Click on Status column when the row has ΓÇ£PendingΓÇ¥ status

-1. Sign in to the AWS console of the member account in a separate browser window.

-1. Go to the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab.

-1. On the **Data Collectors** dashboard, select **AWS**, and then select **Create Configuration**.

-1. On **Permissions Management Onboarding ΓÇô Summary** page, review the information you've added, and then select **Verify Now & Save**.

-1. To add the administrative role assignment, return to the **Access control (IAM)** page, and then select **Add role assignment**.

-1. Go to the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab.

-1. On the **Data Collectors** dashboard, select **Azure**, and then select **Create Configuration**.

-1. On the **Permissions Management Onboarding - Azure Subscription Details** page, enter the **Subscription ID**, and then select **Next**.

-1. On **Permissions Management Onboarding ΓÇô Summary** page, review the controller permissions, and then select **Verify Now & Save**.

-1. Go to the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab.

-1. On the **Permissions Management Onboarding - GCP Project IDs** page, enter the **Project IDs**, and then select **Next**.

-1. On the **Permissions Management Onboarding ΓÇô Summary** page, review the information you've added, and then select **Verify Now & Save**.

- 1. Go to [Entra services](https://entra.microsoft.com) and use your credentials to sign in to [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview).

- 1. If you aren't already authenticated, sign in as a *Permissions Management Administrator* user.

- 1. If needed, activate the *Permissions Management Administrator* role in your Azure AD tenant.

- 1. In the Azure portal, select **Permissions Management**, and then select the link to purchase a license or begin a trial.

- - Sign in with *Global Admin* or *Billing Admin* credentials for your tenant.

- - Go to Setup and sign up for an Entra Permissions Management trial.

- - For self-service, navigate to the [Microsoft 365 portal](https://aka.ms/TryPermissionsManagement) to sign up for a 45-day free trial or to purchase licenses.

- - In the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab.

-Ensure you're a *Global Administrator* or *Permissions Management Administrator*. Learn more about [Permissions Management roles and permissions](product-roles-permissions.md).

-1. In Permissions Management, navigate to the data collectors page.

-2. Select a cloud environment: AWS, Azure, or GCP.

-> Keep role assignments permanent if a user has a an additional Microsoft account (for example, an account they use to sign in to Microsoft services like Skype, or Outlook.com). If you require multi-factor authentication to activate a role assignment, a user with an additional Microsoft account will be locked out.

-# customerintent: As a cloud administer, I want to understand Permissions Management role assignments, so that I can effectively assign the correct permissions to users.

-See [Microsoft Entra ID built-in roles to learn more.](product-privileged-role-insights.md)

-In this quickstart, you download and run a code sample that demonstrates how a JavaScript Angular single-page application (SPA) can sign in users and call Microsoft Graph using the authorization code flow. The code sample demonstrates how to get an access token to call the Microsoft Graph API or any web API.

-See [How the sample works](#how-the-sample-works) for an illustration.

-This quickstart uses MSAL Angular v2 with the authorization code flow.

-* Azure subscription - [Create an Azure subscription for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F)

-* [Visual Studio Code](https://code.visualstudio.com/download) or another code editor

-## Register your quickstart application

-1. Enter a **Name** for your application. Users of your app might see this name, and you can change it later.

-1. Select **Register**. On the app **Overview** page, note the **Application (client) ID** value for later use.

-1. Under **Platform configurations**, select **Add a platform**. In the pane that opens select **Single-page application**.

-1. Confirm that under **Grant types**  Your Redirect URI is eligible for the Authorization Code Flow with PKCE.

-#### Step 2: Download the project

-To run the project with a web server by using Node.js, [download the core project files](https://github.com/Azure-Samples/ms-identity-javascript-angular-spa/archive/main.zip).

-#### Step 3: Configure your JavaScript app

-In the *src* folder, open the *app* folder then open the *app.module.ts* file and update the `clientID`, `authority`, and `redirectUri` values in the `auth` object.

-```javascript

-// MSAL instance to be passed to msal-angular

-export function MSALInstanceFactory(): IPublicClientApplication {

- return new PublicClientApplication({

- auth: {

- clientId: 'Enter_the_Application_Id_Here',

- authority: 'Enter_the_Cloud_Instance_Id_Here/Enter_the_Tenant_Info_Here',

- redirectUri: 'Enter_the_Redirect_Uri_Here'

- },

- cache: {

- cacheLocation: BrowserCacheLocation.LocalStorage,

- storeAuthStateInCookie: isIE, // set to true for IE 11 },

- });

-}

-```

-Modify the values in the `auth` section as described here:

- To find the value of **Application (client) ID**, go to the app registration's **Overview** page.

- - If your application supports *accounts in this organizational directory*, replace this value with the **Tenant ID** or **Tenant name**. For example, `contoso.microsoft.com`.

- To find the value of the **Directory (tenant) ID**, go to the app registration's **Overview** page.

- - If your application supports *accounts in any organizational directory*, replace this value with `organizations`.

- - If your application supports *accounts in any organizational directory and personal Microsoft accounts*, replace this value with `common`. **For this quickstart**, use `common`.

- - To restrict support to *personal Microsoft accounts only*, replace this value with `consumers`.

- To find the value of **Supported account types**, go to the app registration's **Overview** page.

-The `authority` value in your *app.module.ts* should be similar to the following if you're using the main (global) Azure cloud:

-```javascript

-authority: "https://login.microsoftonline.com/common",

-```

-Scroll down in the same file and update the `graphMeEndpoint`.

-```javascript

-export function MSALInterceptorConfigFactory(): MsalInterceptorConfiguration {

- const protectedResourceMap = new Map<string, Array<string>>();

- protectedResourceMap.set('Enter_the_Graph_Endpoint_Herev1.0/me', ['user.read']);

- return {

- interactionType: InteractionType.Redirect,

- protectedResourceMap

- };

-}

-```

- #### Step 4: Run the project

-1. Browse to `http://localhost:4200/`.

-1. Select **Login** to start the sign-in process and then call the Microsoft Graph API.

- The first time you sign in, you're prompted to provide your consent to allow the application to access your profile and sign you in. After you're signed in successfully, click the **Profile** button to display your user information on the page.

-## More information

-### How the sample works

-

-### msal.js

-The MSAL.js library signs in users and requests the tokens that are used to access an API that's protected by the Microsoft identity platform.

-If you have Node.js installed, you can download the latest version by using the Node.js Package Manager (npm):

-```console

-npm install @azure/msal-browser @azure/msal-angular@2

-```

-## Next steps

-For a detailed step-by-step guide on building the auth code flow application using vanilla JavaScript, see the following tutorial:

-> [!div class="nextstepaction"]

-> [Tutorial to sign in users and call Microsoft Graph](tutorial-v2-javascript-auth-code.md)

-In this quickstart, you download and run a code sample that demonstrates how a JavaScript single-page application (SPA) can sign in users and call Microsoft Graph using the authorization code flow with Proof Key for Code Exchange (PKCE). The code sample demonstrates how to get an access token to call the Microsoft Graph API or any web API.

-See [How the sample works](#how-the-sample-works) for an illustration.

-* Azure subscription - [Create an Azure subscription for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F)

-* [Visual Studio Code](https://code.visualstudio.com/download) or another code editor

-## Register and download your quickstart application

-### Step 1: Register your application

-1. Browse to **Identity** > **Applications** > **Application registrations**.

-1. Enter a **Name** for your application. Users of your app might see this name, and you can change it later.

-1. Select **Register**. On the app **Overview** page, note the **Application (client) ID** value for later use.

-1. Under **Manage**, select **Authentication**.

-1. Under **Platform configurations**, select **Add a platform**. In the pane that opens select **Single-page application**.

-1. Set the **Redirect URI** value to `http://localhost:3000/`.

-1. Select **Configure**.

-### Step 2: Download the project

-To run the project with a web server by using Node.js, [download the core project files](https://github.com/Azure-Samples/ms-identity-javascript-v2/archive/master.zip).

-### Step 3: Configure your JavaScript app

-In the *app* folder, open the *authConfig.js* file, and then update the `clientID`, `authority`, and `redirectUri` values in the `msalConfig` object.

-```javascript

-// Config object to be passed to MSAL on creation

-const msalConfig = {

- auth: {

- clientId: "Enter_the_Application_Id_Here",

- authority: "Enter_the_Cloud_Instance_Id_Here/Enter_the_Tenant_Info_Here",

- redirectUri: "Enter_the_Redirect_Uri_Here",

- },

- cache: {

- cacheLocation: "sessionStorage", // This configures where your cache will be stored

- storeAuthStateInCookie: false, // Set this to "true" if you are having issues on IE11 or Edge

- }

-};

-```

-Modify the values in the `msalConfig` section:

- To find the value of **Application (client) ID**, go to the app registration's **Overview** page.

- - If your application supports *accounts in this organizational directory*, replace this value with the **Tenant ID** or **Tenant name**. For example, `contoso.microsoft.com`.

- To find the value of the **Directory (tenant) ID**, go to the app registration's **Overview** page.

- - If your application supports *accounts in any organizational directory*, replace this value with `organizations`.

- - If your application supports *accounts in any organizational directory and personal Microsoft accounts*, replace this value with `common`. **For this quickstart**, use `common`.

- - To restrict support to *personal Microsoft accounts only*, replace this value with `consumers`.

- To find the value of **Supported account types**, go to the app registration's **Overview** page.

-The `authority` value in your *authConfig.js* should be similar to the following if you're using the main (global) Azure cloud:

-```javascript

-authority: "https://login.microsoftonline.com/common",

-```

-Next, open the *graphConfig.js* file to update the `graphMeEndpoint` and `graphMailEndpoint` values in the `apiConfig` object.

-```javascript

- // Add here the endpoints for MS Graph API services you would like to use.

- const graphConfig = {

- graphMeEndpoint: "Enter_the_Graph_Endpoint_Herev1.0/me",

- graphMailEndpoint: "Enter_the_Graph_Endpoint_Herev1.0/me/messages"

- };

- // Add here scopes for access token to be used at MS Graph API endpoints.

- const tokenRequest = {

- scopes: ["Mail.Read"]

- };

-```

-`Enter_the_Graph_Endpoint_Here` is the endpoint that API calls are made against. For the main (global) Microsoft Graph API service, enter `https://graph.microsoft.com/` (include the trailing forward-slash). For more information about Microsoft Graph on national clouds, see [National cloud deployment](/graph/deployments).

-If you're using the main (global) Microsoft Graph API service, the `graphMeEndpoint` and `graphMailEndpoint` values in the *graphConfig.js* file should be similar to the following:

-```javascript

-graphMeEndpoint: "https://graph.microsoft.com/v1.0/me",

-graphMailEndpoint: "https://graph.microsoft.com/v1.0/me/messages"

-```

-### Step 4: Run the project

-Run the project with a web server by using Node.js.

-1. Go to `http://localhost:3000/`.

-1. Select **Sign In** to start the sign-in process and then call the Microsoft Graph API.

- The first time you sign in, you're prompted to provide your consent to allow the application to access your profile and sign you in. After you're signed in successfully, your user profile information is displayed on the page.

-## More information

-### How the sample works

-

-### MSAL.js

-The MSAL.js library signs in users and requests the tokens that are used to access an API that's protected by Microsoft identity platform. The sample's *https://docsupdatetracker.net/index.html* file contains a reference to the library:

-```html

-<script type="text/javascript" src="https://alcdn.msauth.net/browser/2.0.0-beta.0/js/msal-browser.js" integrity=

-"sha384-r7Qxfs6PYHyfoBR6zG62DGzptfLBxnREThAlcJyEfzJ4dq5rqExc1Xj3TPFE/9TH" crossorigin="anonymous"></script>

-```

-If you have Node.js installed, you can download the latest version by using the Node.js Package Manager (npm):

-```console

-npm install @azure/msal-browser

-```

-## Next steps

-For a more detailed step-by-step guide on building the application used in this quickstart, see the following tutorial:

-> [!div class="nextstepaction"]

-> [Tutorial to sign in users and call Microsoft Graph](tutorial-v2-javascript-auth-code.md)

-In this quickstart, you download and run a code sample that demonstrates how a JavaScript React single-page application (SPA) can sign in users and call Microsoft Graph using the authorization code flow. The code sample demonstrates how to get an access token to call the Microsoft Graph API or any web API.

-See [How the sample works](#how-the-sample-works) for an illustration.

-* Azure subscription - [Create an Azure subscription for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F)

-* [Visual Studio Code](https://code.visualstudio.com/download) or another code editor

-## Register and download your quickstart application

-### Step 1: Register your application

-1. When the **Register an application** page appears, enter a name for your application.

-1. Select **Register**. On the app **Overview** page, note the **Application (client) ID** value for later use.

-1. Under **Platform configurations**, select **Add a platform**. In the pane that opens select **Single-page application**.

-1. Set the **Redirect URIs** value to `http://localhost:3000/`. This is the default port NodeJS will listen on your local machine. WeΓÇÖll return the authentication response to this URI after successfully authenticating the user.

-1. Confirm that under **Grant types**  Your Redirect URI is eligible for the Authorization Code Flow with PKCE.

-### Step 2: Download the project

-To run the project with a web server by using Node.js, [download the core project files](https://github.com/Azure-Samples/ms-identity-javascript-react-spa/archive/main.zip).

-### Step 3: Configure your JavaScript app

-In the *src* folder, open the *authConfig.js* file and update the `clientID`, `authority`, and `redirectUri` values in the `msalConfig` object.

-```javascript

-/**

-* Configuration object to be passed to MSAL instance on creation.

-* For a full list of MSAL.js configuration parameters, visit:

-* https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/configuration.md

-*/

-export const msalConfig = {

- auth: {

- clientId: "Enter_the_Application_Id_Here",

- authority: "Enter_the_Cloud_Instance_Id_Here/Enter_the_Tenant_Info_Here",

- redirectUri: "Enter_the_Redirect_Uri_Here"

- },

- cache: {

- cacheLocation: "sessionStorage", // This configures where your cache will be stored

- storeAuthStateInCookie: false, // Set this to "true" if you are having issues on IE11 or Edge

- },

-```

-Modify the values in the `msalConfig` section as described here:

- To find the value of **Application (client) ID**, go to the app registration's **Overview** page.

- - If your application supports *accounts in this organizational directory*, replace this value with the **Tenant ID** or **Tenant name**. For example, `contoso.microsoft.com`.

- To find the value of the **Directory (tenant) ID**, go to the app registration's **Overview** page.

- - If your application supports *accounts in any organizational directory*, replace this value with `organizations`.

- - If your application supports *accounts in any organizational directory and personal Microsoft accounts*, replace this value with `common`. **For this quickstart**, use `common`.

- - To restrict support to *personal Microsoft accounts only*, replace this value with `consumers`.

- To find the value of **Supported account types**, go to the app registration's **Overview** page.

-The `authority` value in your *authConfig.js* should be similar to the following if you're using the main (global) Azure cloud:

-```javascript

-authority: "https://login.microsoftonline.com/common",

-```

-Scroll down in the same file and update the `graphMeEndpoint`.

-```javascript

- // Add here the endpoints for MS Graph API services you would like to use.

- export const graphConfig = {

- graphMeEndpoint: "Enter_the_Graph_Endpoint_Herev1.0/me"

- };

-```

-### Step 4: Run the project

-1. Browse to `http://localhost:3000/`.

-1. Select **Sign In** to start the sign-in process and then call the Microsoft Graph API.

- The first time you sign in, you're prompted to provide your consent to allow the application to access your profile and sign you in. After you're signed in successfully, click on the **Request Profile Information** to display your profile information on the page.

-## More information

-### How the sample works

-

-### msal.js

-The MSAL.js library signs in users and requests the tokens that are used to access an API that's protected by the Microsoft identity platform.

-If you have Node.js installed, you can download the latest version by using the Node.js Package Manager (npm):

-```console

-npm install @azure/msal-browser @azure/msal-react

-```

-## Next steps

-Next, try a step-by-step tutorial to learn how to build a React SPA from scratch that signs in users and calls the Microsoft Graph API to get user profile data:

-> [!div class="nextstepaction"]

-> [Tutorial: Sign in users and call Microsoft Graph](./single-page-app-tutorial-01-register-app.md)

-description: Learn how an ASP.NET Core web app leverages Microsoft.Identity.Web to implement Microsoft sign-in using OpenID Connect and call Microsoft Graph

-The following quickstart uses a ASP.NET Core web app code sample to demonstrate how to sign in users from any Azure Active Directory (Azure AD) organization.

-See [How the sample works](#how-the-sample-works) for an illustration.

-* [Visual Studio 2022](https://visualstudio.microsoft.com/vs/) or [Visual Studio Code](https://code.visualstudio.com/)

-## Register and download your quickstart application

-### Step 1: Register your application

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which to register the application.

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations** > **New registration**.

-1. For **Name**, enter a name for the application. For example, enter **AspNetCore-Quickstart**. Users of the app will see this name, and can be changed later.

-1. Set the **Redirect URI** type to **Web** and value to `https://localhost:44321/signin-oidc`.

-1. Under **Manage**, select **Authentication**.

-1. For **Front-channel logout URL**, enter **https://localhost:44321/signout-oidc**.

-1. Under **Implicit grant and hybrid flows**, select **ID tokens**.

-1. Select **Save**.

-1. Under **Manage**, select **Certificates & secrets** > **Client secrets** > **New client secret**.

-1. Enter a **Description**, for example `clientsecret1`.

-1. Select **In 1 year** for the secret's expiration.

-1. Select **Add** and immediately record the secret's **Value** for use in a later step. The secret value is *never displayed again* and is irretrievable by any other means. Record it in a secure location as you would any password.

-### Step 2: Download the ASP.NET Core project

-[Download the ASP.NET Core solution](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/archive/aspnetcore3-1-callsgraph.zip)

-### Step 3: Configure your ASP.NET Core project

-1. Extract the *.zip* file to a local folder that's close to the root of the disk to avoid errors caused by path length limitations on Windows. For example, extract to *C:\Azure-Samples*.

-1. Open the solution in the chosen code editor.

-1. In *appsettings.json*, replace the values of `ClientId`, and `TenantId`. The value for the application (client) ID and the directory (tenant) ID, can be found in the app's **Overview** page on the Azure portal.

- ```json

- "Domain": "[Enter the domain of your tenant, e.g. contoso.onmicrosoft.com]",

- "ClientId": "Enter_the_Application_Id_here",

- "TenantId": "common",

- ```

- - `Enter_the_Application_Id_Here` is the application (client) ID for the registered application.

- - Replace `Enter_the_Tenant_Info_Here` with one of the following:

- - If the application supports **Accounts in this organizational directory only**, replace this value with the directory (tenant) ID (a GUID) or tenant name (for example, `contoso.onmicrosoft.com`). The directory (tenant) ID can be found on the app's **Overview** page.

- - If the application supports **Accounts in any organizational directory**, replace this value with `organizations`.

- - If the application supports **All Microsoft account users**, leave this value as `common`.

- - Replace `Enter_the_Client_Secret_Here` with the **Client secret** that was created and recorded in an earlier step.

-For this quickstart, don't change any other values in the *appsettings.json* file.

-

-### Step 4: Build and run the application

-Build and run the app in Visual Studio by selecting the **Debug** menu > **Start Debugging**, or by pressing the F5 key.

-A prompt for credentials will appear, and then a request for consent to the permissions that the app requires. Select **Accept** on the consent prompt.

-After consenting to the requested permissions, the app displays that sign-in has been successful using correct Azure Active Directory credentials. The user's account email address will be displayed in the *API result* section of the page. This was extracted using the Microsoft Graph API.

-## More information

-This section gives an overview of the code required to sign in users and call the Microsoft Graph API on their behalf. This overview can be useful to understand how the code works, main arguments, and also if you want to add sign-in to an existing ASP.NET Core application and call Microsoft Graph. It uses [Microsoft.Identity.Web](microsoft-identity-web.md), which is a wrapper around [MSAL.NET](msal-overview.md).

-### How the sample works

-

-### Startup class

-The *Microsoft.AspNetCore.Authentication* middleware uses a `Startup` class that's executed when the hosting process starts:

-```csharp

- // Get the scopes from the configuration (appsettings.json)

- var initialScopes = Configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');

- public void ConfigureServices(IServiceCollection services)

- {

- // Add sign-in with Microsoft

- services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)

- .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"))

- // Add the possibility of acquiring a token to call a protected web API

- .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)

- // Enables controllers and pages to get GraphServiceClient by dependency injection

- // And use an in memory token cache

- .AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))

- .AddInMemoryTokenCaches();

- services.AddControllersWithViews(options =>

- {

- var policy = new AuthorizationPolicyBuilder()

- .RequireAuthenticatedUser()

- .Build();

- options.Filters.Add(new AuthorizeFilter(policy));

- });

- // Enables a UI and controller for sign in and sign out.

- services.AddRazorPages()

- .AddMicrosoftIdentityUI();

- }

-```

-The `AddAuthentication()` method configures the service to add cookie-based authentication. This authentication is used in browser scenarios and to set the challenge to OpenID Connect.

-The line that contains `.AddMicrosoftIdentityWebApp` adds Microsoft identity platform authentication to the application. The application is then configured to sign in users based on the following information in the `AzureAD` section of the *appsettings.json* configuration file:

-| *appsettings.json* key | Description |

-||-|

-| `ClientId` | Application (client) ID of the application registered in the Azure portal. |

-| `Instance` | Security token service (STS) endpoint for the user to authenticate. This value is typically `https://login.microsoftonline.com/`, indicating the Azure public cloud. |

-| `TenantId` | Name of your tenant or the tenant ID (a GUID), or `common` to sign in users with work or school accounts or Microsoft personal accounts. |

-The `EnableTokenAcquisitionToCallDownstreamApi` method enables the application to acquire a token to call protected web APIs. `AddMicrosoftGraph` enables the controllers or Razor pages to benefit directly the `GraphServiceClient` (by dependency injection) and the `AddInMemoryTokenCaches` methods enables your app to benefit from a token cache.

-The `Configure()` method contains two important methods, `app.UseAuthentication()` and `app.UseAuthorization()`, that enable their named functionality. Also in the `Configure()` method, you must register Microsoft Identity Web routes with at least one call to `endpoints.MapControllerRoute()` or a call to `endpoints.MapControllers()`:

-```csharp

-app.UseAuthentication();

-app.UseAuthorization();

-app.UseEndpoints(endpoints =>

-{

- endpoints.MapControllerRoute(

- name: "default",

- pattern: "{controller=Home}/{action=Index}/{id?}");

- endpoints.MapRazorPages();

-});

-```

-### Protect a controller or a controller's method

-The controller or its methods can be protected by applying the `[Authorize]` attribute to the controller's class or one or more of its methods. This `[Authorize]` attribute restricts access by allowing only authenticated users. If the user isn't already authenticated, an authentication challenge can be started to access the controller. In this quickstart, the scopes are read from the configuration file:

-```csharp

-[AuthorizeForScopes(ScopeKeySection = "DownstreamApi:Scopes")]

-public async Task<IActionResult> Index()

-{

- var user = await _graphServiceClient.Me.GetAsync();

- ViewData["ApiResult"] = user.DisplayName;

- return View();

-}

-```

-## Next steps

-The following GitHub repository contains the ASP.NET Core code sample referenced in this quickstart and more samples that show how to achieve the following:

-> [!div class="nextstepaction"]

-> [ASP.NET Core web app tutorials on GitHub](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/)

-> Tenant restrictions V2 on Windows is a partial solution that protects the authentication and data planes for some scenarios. It works on managed Windows devices and does not protect .NET stack, Chrome, or Firefox. The Windows solution provides a temporary solution until general availability of Universal tenant restrictions in Global Secure Access (preview).

-description: Learn about the available features of Azure AD Multi-Factor Authentication for your organization based on your license model

-# Overview of Azure AD Multi-Factor Authentication for your organization

-There are multiple ways to enable Azure AD Multi-Factor Authentication for your Azure Active Directory (AD) users based on the licenses that your organization owns.

-

-Based on our studies, your account is more than 99.9% less likely to be compromised if you use multi-factor authentication (MFA).

-So how does your organization turn on MFA even for free, before becoming a statistic?

-## Free option

-Customers who are utilizing the free benefits of Azure AD can use [security defaults](../fundamentals/security-defaults.md) to enable multi-factor authentication in their environment.

-## Microsoft 365 Business, E3, or E5

-For customers with Microsoft 365, there are two options:

-* Azure AD Multi-Factor Authentication is either enabled or disabled for all users, for all sign-in events. There is no ability to only enable multi-factor authentication for a subset of users, or only under certain scenarios. Management is through the Office 365 portal.

-* For an improved user experience, upgrade to Azure AD Premium P1 or P2 and use Conditional Access. For more information, see secure Microsoft 365 resources with multi-factor authentication.

-## Azure AD Premium P1

-For customers with Azure AD Premium P1 or similar licenses that include this functionality such as Enterprise Mobility + Security E3, Microsoft 365 F1, or Microsoft 365 E3:

-Use [Azure AD Conditional Access](../authentication/tutorial-enable-azure-mfa.md) to prompt users for multi-factor authentication during certain scenarios or events to fit your business requirements.

-## Azure AD Premium P2

-For customers with Azure AD Premium P2 or similar licenses that include this functionality such as Enterprise Mobility + Security E5 or Microsoft 365 E5:

-Provides the strongest security position and improved user experience. Adds [risk-based Conditional Access](../conditional-access/howto-conditional-access-policy-risk.md) to the Azure AD Premium P1 features that adapts to user's patterns and minimizes multi-factor authentication prompts.

-## Authentication methods

-| Method | Security defaults | All other methods |

-| | | |

-| Notification through mobile app | X | X |

-| Verification code from mobile app or hardware token | | X |

-| Text message to phone | | X |

-| Call to phone | | X |

-## Next steps

-To get started, see the tutorial to [secure user sign-in events with Azure AD Multi-Factor Authentication](../authentication/tutorial-enable-azure-mfa.md).

-For more information on licensing, see [Features and licenses for Azure AD Multi-Factor Authentication](../authentication/concept-mfa-licensing.md).

-Azure AD role-assignable group feature is not part of Azure AD Privileged Identity Management (Azure AD PIM). It requires a Microsoft Entra Premium P1, P2, or Microsoft Entra ID Governance license.

-> [!VIDEO https://www.youtube.com/embed/9T6lKEloq0Q]

-# Understand the Privileged Identity Management APIs

-You can perform Privileged Identity Management (PIM) tasks using the Microsoft Graph APIs for Azure Active Directory (Azure AD) roles and groups, and the Azure Resource Manager API for Azure resource roles. This article describes important concepts for using the APIs for Privileged Identity Management.

-For requests and other details about PIM APIs, check out:

-There have been several iterations of the PIM APIs over the past few years. You'll find some overlaps in functionality, but they don't represent a linear progression of versions.

-Under the `/beta/privilegedRoles` endpoint, Microsoft had a classic version of the PIM APIs which only supported Azure AD roles. Access to this API was retired in June 2021.

-Under the `/beta/privilegedAccess` endpoint, Microsoft supported both `/aadRoles` and `/azureResources`. The `/aadRoles` endpoint has been retired but the `/azureResources` endpoint is still available in your tenant. Microsoft recommends against starting any new development with the APIs available through the `/azureResources` endpoint. This API will never be released to general availability and will be eventually deprecated and retired.

-### Current iteration ΓÇô Azure AD roles and groups in Microsoft Graph and Azure resource roles in Azure Resource Manager

-Currently, in general availability, this is the final iteration of the PIM APIs. Based on customer feedback, the PIM APIs for managing Azure AD roles are now under the **unifiedRoleManagement** set of APIs and the Azure Resource PIM APIs is now under the Azure Resource Manager role assignment APIs. These locations also provide a few additional benefits including:

-This iteration also includes PIM APIs for managing ownership and membership of groups as well as security alerts for PIM for Azure AD roles.

-## Current permissions required

-### Azure AD roles

-To understand the permissions that you need to call the PIM Microsoft Graph API for Azure AD roles, see [Role management permissions](/graph/permissions-reference#role-management-permissions).

-The easiest way to specify the required permissions is to use the Azure AD consent framework.

-### Azure resource roles

- The PIM API for Azure resource roles is developed on top of the Azure Resource Manager framework. You will need to give consent to Azure Resource Management but wonΓÇÖt need any Microsoft Graph API permission. You will also need to make sure the user or the service principal calling the API has at least the Owner or User Access Administrator role on the resource you are trying to administer.

-## Calling PIM API with an app-only token

-### Azure AD roles

- PIM API now supports app-only permissions on top of delegated permissions.

-### Azure resource roles

- PIM API for Azure resources supports both user only and application only calls. Simply make sure the service principal has either the owner or user access administrator role on the resource.

-## Design of current API iteration

-PIM API consists of two categories that are consistent for both the API for Azure AD roles and Azure resource roles: assignment and activation API requests, and policy settings.

-### Assignment and activation APIs

-To make eligible assignments, time-bound eligible or active assignments, and to activate eligible assignments, PIM provides the following resources:

-These entities work alongside pre-existing **roleDefinition** and **roleAssignment** resources for both Azure AD roles and Azure roles to allow you to create end to end scenarios.

-Each of the request objects would create the following read-only objects:

-The **unifiedRoleAssignmentSchedule** and **unifiedRoleEligibilitySchedule** objects show a schedule of all the current and future assignments.

-When an eligible assignment is activated, the **unifiedRoleEligibilityScheduleInstance** continues to exist. The **unifiedRoleAssignmentScheduleRequest** for the activation would create a separate **unifiedRoleAssignmentSchedule** object and a **unifiedRoleAssignmentScheduleInstance** for that activated duration.

-The instance objects are the actual assignments that currently exist whether it is an eligible assignment or an active assignment. You should use the GET operation on the instance entity to retrieve a list of eligible assignments / active assignments to a role/user.

-For more information about assignment and activation APIs, see [PIM API for managing role assignments and eligibilities](/graph/api/resources/privilegedidentitymanagementv3-overview#pim-api-for-managing-role-assignment).

-### Policy settings APIs

-To manage the settings of Azure AD roles, we provide the following entities:

-The [unifiedroleManagementPolicy](/graph/api/resources/unifiedrolemanagementpolicy) resource through it's **rules** relationship defines the rules or settings of the Azure AD role. For example, whether MFA/approval is required, whether and who to send the email notifications to, or whether permanent assignments are allowed or not. The [unifiedroleManagementPolicyAssignment](/graph/api/resources/unifiedrolemanagementpolicyassignment) object attaches the policy to a specific role.

-Use the APIs supported by these resources retrieve role management policy assignments for all Azure AD role or filter the list by a **roleDefinitionId**, and then update the rules or settings in the policy associated with the Azure AD role.

-For more information about the policy settings APIs, see [role settings and PIM](/graph/api/resources/privilegedidentitymanagementv3-overview#role-settings-and-pim).

-The only link between the PIM entity and the role assignment entity for persistent (active) assignment for either Azure AD roles or Azure roles is the unifiedRoleAssignmentScheduleInstance. There is a one-to-one mapping between the two entities. That mapping means roleAssignment and unifiedRoleAssignmentScheduleInstance would both include:

-1. Find and select the request that you want to approve. An approve or deny page appears.

- 

-1. In the **Justification** box, enter the business justification.

-1. Select **Approve**. You will receive an Azure notification of your approval.

- 

- "reviewResult": "Approve",

- "justification": "abcdefg"

-1. Find and select the request that you want to deny. An approve or deny page appears.

- 

-1. In the **Justification** box, enter the business justification.

-1. Select **Deny**. A notification appears with your denial.

-1. Find and select the request that you want to approve. An approve or deny page appears.

- 

-1. In the **Justification** box, enter the business justification.

-1. Select **Approve**. You will receive an Azure notification of your approval.

- 

-## Deny requests

-1. Find and select the request that you want to deny. An approve or deny page appears.

- 

-1. In the **Justification** box, enter the business justification.

-1. Select **Deny**. A notification appears with your denial.

-[!code-csharp[](~/azure-ai-vision-sdk/docs/learn.microsoft.com/csharp/image-analysis/1/Program.cs?name=vision_service_options)]

-[!code-python[](~/azure-ai-vision-sdk/docs/learn.microsoft.com/python/image-analysis/1/main.py?name=vision_service_options)]

-[!code-cpp[](~/azure-ai-vision-sdk/docs/learn.microsoft.com/cpp/image-analysis/1/1.cpp?name=vision_service_options)]

-[!code-cpp[](~/azure-ai-vision-sdk/docs/learn.microsoft.com/cpp/image-analysis/1/1.cpp?name=get_env_var)]

-[!code-csharp[](~/azure-ai-vision-sdk/docs/learn.microsoft.com/csharp/image-analysis/1/Program.cs?name=vision_source)]

-> You can also analyze a local image by passing in the full-path image file name. See [VisionSource.FromFile](/dotnet/api/azure.ai.vision.common.visionsource.fromfile).

-[!code-python[](~/azure-ai-vision-sdk/docs/learn.microsoft.com/python/image-analysis/1/main.py?name=vision_source)]

-> You can also analyze a local image by passing in the full-path image file name to the **VisionSource** constructor instead of the image URL.

-[!code-cpp[](~/azure-ai-vision-sdk/docs/learn.microsoft.com/cpp/image-analysis/1/1.cpp?name=vision_source)]

-> You can also analyze a local image by passing in the full-path image file name. See [VisionSource::FromFile](/cpp/cognitive-services/vision/input-visionsource#fromfile).

-Storage accounts in virtual networks and private endpoints are currently not supported by Azure OpenAI on your data.

-| 1.11.0 | `mcr.microsoft.com/azure-cognitive-services/speechservices/language-detection:1.11.0-amd64-preview` |

-The [Transliterate operation](reference/v3-0-transliterate.md) in the Text Translation feature supports the following languages. In the "To/From", "<-->" indicates that the language can be transliterated from or to either of the scripts listed. The "-->" indicates that the language can only be transliterated from one script to the other.

-# [Python 3.10 (preview)](#tab/py10)

-**Limitations**

-2. Set the `spec.connectionStringReference` property to the name of the Secret in the following sample `AzureAppConfigurationProvider` resource and deploy it to the Kubernetes cluster.

-### Upgrade Arc data controller extension

-Upgrade the Arc data controller extension first.

-Retrieve the name of your extension and its version:

-1. Go to the Azure portal

-1. Select **Overview** for your Azure Arc enabled Kubernetes cluster

-1. Selecting the **Extensions** tab on the left.

-Alternatively, you can use `az` CLI to get the name of your extension and its version running.

-```azurecli

-az k8s-extension list --resource-group <resource-group> --cluster-name <connected cluster name> --cluster-type connectedClusters

-```

-Example:

-```azurecli

-az k8s-extension list --resource-group rg-arcds --cluster-name aks-arc --cluster-type connectedClusters

-```

-After you retrieve the extension name and its version, upgrade the extension.

-```azurecli

-az k8s-extension update --resource-group <resource-group> --cluster-name <connected cluster name> --cluster-type connectedClusters --name <name of extension> --version <extension version> --release-train stable --config systemDefaultValues.image="<registry>/<repository>/arc-bootstrapper:<imageTag>"

-```

-Example:

-```azurecli

-az k8s-extension update --resource-group rg-arcds --cluster-name aks-arc --cluster-type connectedClusters --name aks-arc-ext --version

-1.2.19581002 --release-train stable --config systemDefaultValues.image="mcr.microsoft.com/arcdata/arc-bootstrapper:v1.7.0_2022-05-24"

-```

-* CPU socket, physical core and logical core counts

-[azcmagent check](azcmagent-check.md) validates a new endpoint in this release: `<geography>-ats.his.arc.azure.com`. This endpoint is reserved for future use and not required for the Azure Connected Machine agent to operate successfully. However, if you are using a private endpoint, this endpoint will fail the network connectivity check. You can safely ignore this endpoint in the results and should instead confirm that all other endpoints are reachable.

-## Version 1.30 - May 2023

-Download for [Windows](https://download.microsoft.com/download/7/7/9/779eae73-a12b-4170-8c5e-abec71bc14cf/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

-### New features

-### Fixed

-* [Update Manager (preview)](../../update-center/overview.md) - Unified management and governance of update compliance that includes not only Azure and hybrid machines, but also ESU update compliance for all your Windows Server 2012/2012 R2 machines.

- >Activation of ESU is planned for the third quarter of 2023. Using Azure services such as Update Manager (preview) and Azure Policy to support managing ESU-eligible Windows Server 2012/2012 R2 machines are also planned for the third quarter.

-There's an industry-wide push toward the exclusive use of Transport Layer Security (TLS) version 1.2 or later. TLS versions 1.0 and 1.1 are known to be susceptible to attacks such as BEAST and POODLE, and to have other Common Vulnerabilities and Exposures (CVE) weaknesses. They also don't support the modern encryption methods and cipher suites recommended by Payment Card Industry (PCI) compliance standards. This [TLS security blog](https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/) explains some of these vulnerabilities in more detail.

-As a part of this effort, we'll be making the following changes to Azure Cache for Redis:

-* **Phase 1:** We'll configure the default minimum TLS version to be 1.2 for newly created cache instances (previously, it was TLS 1.0). Existing cache instances won't be updated at this point. You can still use the Azure portal or other management APIs to [change the minimum TLS version](cache-configure.md#access-ports) to 1.0 or 1.1 for backward compatibility.

-* **Phase 2:** We'll stop supporting TLS 1.1 and TLS 1.0. After this change, your application must use TLS 1.2 or later to communicate with your cache. The Azure Cache for Redis service is expected to be available while we migrate it to support only TLS 1.2 or later.

- > [!WARNING]

- > Phase 2 is postponed because of COVID-19. We strongly recommend that you begin planning for this change now and proactively update clients to support TLS 1.2 or later.

- >

- > The content in this article does not apply to Azure Cache for Redis Enterprise/Enterprise Flash as the Enterprise tiers support TLS 1.2 only.

-As part of this change, we'll also remove support for older cypher suites that aren't secure. Our supported cypher suites are restricted to the following suites when the cache is configured with a minimum of TLS 1.2:

-* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384

-* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256

-This article provides general guidance about how to detect dependencies on these earlier TLS versions and remove them from your application.

-The dates when these changes take effect are:

-| Cloud | Phase 1 Start Date | Phase 2 Start Date |

-|-|--|-|

-| Azure (global) | January 13, 2020 | Postponed because of COVID-19 |

-| Azure Government | March 13, 2020 | Postponed because of COVID-19 |

-| Azure Germany | March 13, 2020 | Postponed because of COVID-19 |

-| Microsoft Azure operated by 21Vianet | March 13, 2020 | Postponed because of COVID-19 |

-> [!NOTE]

-> Phase 2 is postponed because of COVID-19. This article will be updated when specific dates are set.

->

-You can find out whether your application works with TLS 1.2 by setting the **Minimum TLS version** value to TLS 1.2 on a test or staging cache, then running tests. The **Minimum TLS version** setting is in the [Advanced settings](cache-configure.md#advanced-settings) of your cache instance in the Azure portal. If the application continues to function as expected after this change, it's probably compliant. You might need to configure the Redis client library used by your application to enable TLS 1.2 to connect to Azure Cache for Redis.

-* **StackExchange.Redis:** Set `ssl=true` and `sslProtocols=tls12` in the connection string.

-* **ServiceStack.Redis:** Follow the [ServiceStack.Redis](https://github.com/ServiceStack/ServiceStack.Redis#servicestackredis-ssl-support) instructions and requires ServiceStack.Redis v5.6 at a minimum.

-Redis .NET Core clients default to the OS default TLS version, which depends on the OS itself.

-``` Java

-The Lettuce and Redisson clients don't yet support specifying the TLS version. They'll break if the cache accepts only TLS 1.2 connections. Fixes for these clients are being reviewed, so check with those packages for an updated version with this support.

-

-* Versions earlier than PHP 7: Predis supports only TLS 1.0. These versions don't work with TLS 1.2; you must upgrade to use TLS 1.2.

-

-* PHP 7.0 to PHP 7.2.1: Predis uses only TLS 1.0 or 1.1 by default. You can use the following workaround to use TLS 1.2. Specify TLS 1.2 when you create the client instance:

-* PHP 7.3 and later versions: Predis uses the latest TLS version.

-Azure Active Directory for authentication and role-based access control are available across regions that support Azure Cache for Redis.

-A new metric is available to track the worst-case latency of server-side commands in Azure Cache for Redis instances. Latency is measured by using `PING` commands and tracking response times. This metric can be used to track the health of your cache instance and to see if long-running commands are compromising latency performance.

-+ [Node.js](https://nodejs.org/) version 18 or 16.

- The [az functionapp create](/cli/azure/functionapp#az-functionapp-create) command creates the function app in Azure. It's recommended that you use the latest version of Node.js, which is currently 18. You can specify the version by setting `--runtime-version` to `18`.

- The [New-AzFunctionApp](/powershell/module/az.functions/new-azfunctionapp) cmdlet creates the function app in Azure. It's recommended that you use the latest version of Node.js, which is currently 18. You can specify the version by setting `--runtime-version` to `18`.

-The extension can be used with the following languages, which are supported by the Azure Functions runtime starting with version 2.x:

-* [C# compiled](functions-dotnet-class-library.md)

-* [C# script](functions-reference-csharp.md)^*

-* [JavaScript](functions-reference-node.md?tabs=javascript)

-* [Java](functions-reference-java.md)

-* [PowerShell](functions-reference-powershell.md)

-* [Python](functions-reference-python.md)

-* [TypeScript](functions-reference-node.md?tabs=typescript)

-^*Requires that you [set C# script as your default project language](#c-script-projects).

-In this article, examples are currently available only for JavaScript (Node.js) and C# class library functions.

-This article provides details about how to use the Azure Functions extension to develop functions and publish them to Azure. Before you read this article, you should [create your first function by using Visual Studio Code](./create-first-function-vs-code-csharp.md).

-# [C\#](#tab/csharp)

-* The [Azure Functions Core Tools](functions-run-local.md#install-the-azure-functions-core-tools) version 2.x or later. The Core Tools package is downloaded and installed automatically when you start the project locally. Core Tools includes the entire Azure Functions runtime, so download and installation might take some time.

-* The [C# extension](https://marketplace.visualstudio.com/items?itemName=ms-dotnettools.csharp) for Visual Studio Code.

-* [.NET Core CLI tools](/dotnet/core/tools/?tabs=netcore2x).

-# [Java](#tab/java)

-* The [Azure Functions Core Tools](functions-run-local.md#install-the-azure-functions-core-tools) version 2.x or later. The Core Tools package is downloaded and installed automatically when you start the project locally. Core Tools includes the entire Azure Functions runtime, so download and installation might take some time.

-* [Debugger for Java extension](https://marketplace.visualstudio.com/items?itemName=vscjava.vscode-java-debug).

-* [Java](/azure/developer/jav#java-versions).

-* [Maven 3 or later](https://maven.apache.org/).

-# [JavaScript](#tab/nodejs)

-* The [Azure Functions Core Tools](functions-run-local.md#install-the-azure-functions-core-tools) version 2.x or later. The Core Tools package is downloaded and installed automatically when you start the project locally. Core Tools includes the entire Azure Functions runtime, so download and installation might take some time.

-* [Node.js](https://nodejs.org/), one of the [supported versions](functions-reference-node.md#node-version). Use the `node --version` command to check your version.

-# [PowerShell](#tab/powershell)

-* The [Azure Functions Core Tools](functions-run-local.md#install-the-azure-functions-core-tools) version 2.x or later. The Core Tools package is downloaded and installed automatically when you start the project locally. Core Tools include the entire Azure Functions runtime, so download and installation might take some time.

-* [PowerShell 7.2](/powershell/scripting/install/installing-powershell-core-on-windows) recommended. For version information, see [PowerShell versions](functions-reference-powershell.md#powershell-versions).

-* [.NET 6.0 runtime](https://dotnet.microsoft.com/download).

-* The [PowerShell extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=ms-vscode.PowerShell).

-# [Python](#tab/python)

-* The [Azure Functions Core Tools](functions-run-local.md#install-the-azure-functions-core-tools) version 2.x or later. The Core Tools package is downloaded and installed automatically when you start the project locally. Core Tools include the entire Azure Functions runtime, so download and installation might take some time.

-* [Python](https://www.python.org/downloads/), one of the [supported versions](functions-reference-python.md#python-version).

-* [Python extension](https://marketplace.visualstudio.com/items?itemName=ms-python.python) for Visual Studio Code.

- :::image type="content" source="./media/functions-develop-vs-code/new-function-created.png" alt-text="Screenshot for H T T P-triggered function template in Visual Studio Code.":::

-# [C\#](#tab/csharp)

-* [HttpExample.cs class library file](functions-dotnet-class-library.md#functions-class-library-project) that implements the function.

-# [Java](#tab/java)

-* A pom.xml file in the root folder that defines the project and deployment parameters, including project dependencies and the [Java version](functions-reference-java.md#java-versions). The pom.xml also contains information about the Azure resources that are created during a deployment.

-* A [Functions.java file](functions-reference-java.md#triggers-and-annotations) in your src path that implements the function.

-# [JavaScript](#tab/nodejs)

-* A package.json file in the root folder.

-* An HttpExample folder that contains the [function.json definition file](functions-reference-node.md#folder-structure) and the [index.js file](functions-reference-node.md#exporting-a-function), a Node.js file that contains the function code.

-# [PowerShell](#tab/powershell)

-* An HttpExample folder that contains the [function.json definition file](functions-reference-powershell.md#folder-structure) and the run.ps1 file, which contains the function code.

-# [Python](#tab/python)

-* A project-level requirements.txt file that lists packages required by Functions.

-* An HttpExample folder that contains the [function.json definition file](functions-reference-python.md#folder-structure) and the \_\_init\_\_.py file, which contains the function code.

-At this point, you can [add input and output bindings](#add-input-and-output-bindings) to your function.

-You can also [add a new function to your project](#add-a-function-to-your-project).

-## Install binding extensions

-Except for HTTP and timer triggers, bindings are implemented in extension packages. You must install the extension packages for the triggers and bindings that need them. The process for installing binding extensions depends on your project's language.

-# [C\#](#tab/csharp)

-Run the [dotnet add package](/dotnet/core/tools/dotnet-add-package) command in the Terminal window to install the extension packages that you need in your project. The following example demonstrates how you add a binding for an [in-process class library](functions-dotnet-class-library.md):

-```terminal

-dotnet add package Microsoft.Azure.WebJobs.Extensions.<BINDING_TYPE_NAME> --version <TARGET_VERSION>

-```

-The following example demonstrates how you add a binding for an [isolated-process class library](dotnet-isolated-process-guide.md):

-```terminal

-dotnet add package Microsoft.Azure.Functions.Worker.Extensions.<BINDING_TYPE_NAME> --version <TARGET_VERSION>

-```

-In either case, replace `<BINDING_TYPE_NAME>` with the name of the package that contains the binding you need. You can find the desired binding reference article in the [list of supported bindings](./functions-triggers-bindings.md#supported-bindings).

-Replace `<TARGET_VERSION>` in the example with a specific version of the package, such as `3.0.0-beta5`. Valid versions are listed on the individual package pages at [NuGet.org](https://nuget.org). The major versions that correspond to Functions runtime 1.x or 2.x are specified in the reference article for the binding.

-# [Java](#tab/java)

-# [JavaScript](#tab/nodejs)

-# [PowerShell](#tab/powershell)

-# [Python](#tab/python)

-The results of this action depend on your project's language:

-# [C\#](#tab/csharp)

-A new C# class library (.cs) file is added to your project.

-# [Java](#tab/java)

-A new Java (.java) file is added to your project.

-# [JavaScript](#tab/nodejs)

-# [PowerShell](#tab/powershell)

-A new folder is created in the project. The folder contains a new function.json file and the new PowerShell code file.

-# [Python](#tab/python)

-The results depend on the Python programming model. For more information, see the [Azure Functions Python developer guide](./functions-reference-python.md).

-**Python v1**: A new folder is created in the project. The folder contains a new function.json file and the new Python code file.

-**Python v2**: New function code is added either to the default function_app.py file or to another Python file you selected.

-## <a name="add-input-and-output-bindings"></a>Connect to services

-You can connect your function to other Azure services by adding input and output bindings. Bindings connect your function to other services without you having to write the connection code. The process for adding bindings depends on your project's language. To learn more about bindings, see [Azure Functions triggers and bindings concepts](functions-triggers-bindings.md).

-The following examples connect to a storage queue named `outqueue`, where the connection string for the storage account is set in the `MyStorageConnection` application setting in local.settings.json.

-# [C\#](#tab/csharp)

-Update the function method to add the following parameter to the `Run` method definition:

-The `msg` parameter is an `ICollector<T>` type, which represents a collection of messages that are written to an output binding when the function completes. The following code adds a message to the collection:

- Messages are sent to the queue when the function completes.

-To learn more, see the [Queue storage output binding reference article](functions-bindings-storage-queue-output.md?tabs=csharp) documentation. To learn more in general about which bindings can be added to a function, see [Add bindings to an existing function in Azure Functions](add-bindings-existing-function.md?tabs=csharp).

-# [Java](#tab/java)

-Update the function method to add the following parameter to the `Run` method definition:

-The `msg` parameter is an `OutputBinding<T>` type, where `T` is a string that is written to an output binding when the function completes. The following code sets the message in the output binding:

-This message is sent to the queue when the function completes.

-To learn more, see the [Queue storage output binding reference article](functions-bindings-storage-queue-output.md?tabs=java) documentation. To learn more in general about which bindings can be added to a function, see [Add bindings to an existing function in Azure Functions](add-bindings-existing-function.md?tabs=java).

-# [JavaScript](#tab/nodejs)

-In your function code, the `msg` binding is accessed from the `context`, as in this example:

-This message is sent to the queue when the function completes.

-To learn more, see the [Queue storage output binding reference article](functions-bindings-storage-queue-output.md?tabs=javascript) documentation. To learn more in general about which bindings can be added to a function, see [Add bindings to an existing function in Azure Functions](add-bindings-existing-function.md?tabs=javascript).

-# [PowerShell](#tab/powershell)

-This message is sent to the queue when the function completes.

-To learn more, see the [Queue storage output binding reference article](functions-bindings-storage-queue-output.md?tabs=powershell) documentation. To learn more in general about which bindings can be added to a function, see [Add bindings to an existing function in Azure Functions](add-bindings-existing-function.md?tabs=powershell).

-# [Python](#tab/python)

-Update the `Main` definition to add an output parameter `msg: func.Out[func.QueueMessage]` so that the definition looks like the following example:

-The following code adds string data from the request to the output queue:

-This message is sent to the queue when the function completes.

-To learn more, see the [Queue storage output binding reference article](functions-bindings-storage-queue-output.md?tabs=python) documentation. To learn more in general about which bindings can be added to a function, see [Add bindings to an existing function in Azure Functions](add-bindings-existing-function.md?tabs=python).

-When you create a function app in Azure, you can choose either a quick function app create path using defaults or an advanced path. This way you'll have more control over the remote resources created.

-Running functions locally doesn't require using keys.

-The function application settings values can also be read in your code as environment variables. For more information, see the Environment variables sections of these language-specific reference articles:

-* [C# precompiled](functions-dotnet-class-library.md#environment-variables)

-* [C# script (.csx)](functions-reference-csharp.md#environment-variables)

-* [Java](functions-reference-java.md#environment-variables)

-* [JavaScript](functions-reference-node.md#environment-variables)

-* [PowerShell](functions-reference-powershell.md#environment-variables)

-* [Python](functions-reference-python.md#environment-variables)

-To learn more, see [Streaming logs](functions-monitoring.md#streaming-logs).

-> [!NOTE]

-> Streaming logs support only a single instance of the Functions host. When your function is scaled to multiple instances, data from other instances isn't shown in the log stream. [Live Metrics Stream](../azure-monitor/app/live-stream.md) in Application Insights does support multiple instances. While also in near-real time, streaming analytics is based on [sampled data](configure-monitoring.md#configure-sampling).

-We recommend that you monitor the execution of your functions by integrating your function app with Application Insights. When you create a function app in the Azure portal, this integration occurs by default. When you create your function app during Visual Studio publishing, you need to integrate Application Insights yourself. To learn how, see [Enable Application Insights integration](configure-monitoring.md#enable-application-insights-integration).

-| **Encrypt settings** | Encrypts individual items in the `Values` array in the [local settings](#local-settings). In this file, `IsEncrypted` is also set to `true`, which specifies that the local runtime will decrypt settings before using them. Encrypt local settings to reduce the risk of leaking valuable information. In Azure, application settings are always stored encrypted. |

-* Shared assemblies are shared across all functions within a function app. To reference a custom assembly, upload the assembly to a folder named `bin` in your [function app root folder](functions-reference.md#folder-structure) (wwwroot).

-| 4.x | Preview | 4.16+ | 18.x | Supports a flexible file structure and code-centric approach to triggers and bindings. |

-| 3.x | GA | 4.x | 18.x, 16.x, 14.x | Requires a specific file structure with your triggers and bindings declared in a "function.json" file |

-In Azure Functions, specific functions share a few core technical concepts and components, regardless of the language or binding you use. Before you jump into learning details specific to a given language or binding, be sure to read through this overview that applies to all of them.

-## Function code

-A *function* is the primary concept in Azure Functions. A function contains two important pieces - your code, which can be written in various languages, and some config, the function.json file. For compiled languages, this config file is generated automatically from annotations in your code. For scripting languages, you must provide the config file yourself.

-The function.json file defines the function's trigger, bindings, and other configuration settings. Every function has one and only one trigger. The runtime uses this config file to determine the events to monitor and how to pass data into and return data from a function execution. The following is an example function.json file.

-```json

-{

- "disabled":false,

- "bindings":[

- // ... bindings here

- {

- "type": "bindingType",

- "direction": "in",

- "name": "myParamName",

- // ... more depending on binding

- }

- ]

-}

-```

-For more information, see [Azure Functions triggers and bindings concepts](functions-triggers-bindings.md).

-The `bindings` property is where you configure both triggers and bindings. Each binding shares a few common settings and some settings, which are specific to a particular type of binding. Every binding requires the following settings:

-| Property | Values | Type | Comments|

-|||||

-| type | Name of binding.<br><br>For example, `queueTrigger`. | string | |

-| direction | `in`, `out` | string | Indicates whether the binding is for receiving data into the function or sending data from the function. |

-| name | Function identifier.<br><br>For example, `myQueue`. | string | The name that is used for the bound data in the function. For C#, this is an argument name; for JavaScript, it's the key in a key/value list. |

-## Function app

-A function app provides an execution context in Azure in which your functions run. As such, it's the unit of deployment and management for your functions. A function app is composed of one or more individual functions that are managed, deployed, and scaled together. All of the functions in a function app share the same pricing plan, deployment method, and runtime version. Think of a function app as a way to organize and collectively manage your functions. To learn more, see [How to manage a function app](functions-how-to-use-azure-function-app-settings.md).

-> [!NOTE]

-> All functions in a function app must be authored in the same language. In [previous versions](functions-versions.md) of the Azure Functions runtime, this wasn't required.

-## Folder structure

-The above is the default (and recommended) folder structure for a Function app. If you wish to change the file location of a function's code, modify the `scriptFile` section of the _function.json_ file. We also recommend using [package deployment](deployment-zip-push.md) to deploy your project to your function app in Azure. You can also use existing tools like [continuous integration and deployment](functions-continuous-deployment.md) and Azure DevOps.

-> [!NOTE]

-> If deploying a package manually, make sure to deploy your _host.json_ file and function folders directly to the `wwwroot` folder. Do not include the `wwwroot` folder in your deployments. Otherwise, you end up with `wwwroot\wwwroot` folders.

-#### Use local tools and publishing

-Function apps can be authored and published using a variety of tools, including [Visual Studio](./functions-develop-vs.md), [Visual Studio Code](./create-first-function-vs-code-csharp.md), [IntelliJ](./functions-create-maven-intellij.md), [Eclipse](./functions-create-maven-eclipse.md), and the [Azure Functions Core Tools](./functions-develop-local.md). For more information, see [Code and test Azure Functions locally](./functions-develop-local.md).

-<!--NOTE: I've removed documentation on FTP, because it does not sync triggers on the consumption plan --glenga -->

-## <a id="fileupdate"></a> How to edit functions in the Azure portal

-The Functions editor built into the Azure portal lets you update your code and your *function.json* file directly inline. This is recommended only for small changes or proofs of concept - best practice is to use a local development tool like VS Code.

-## Parallel execution

-When multiple triggering events occur faster than a single-threaded function runtime can process them, the runtime may invoke the function multiple times in parallel. If a function app is using the [Consumption hosting plan](event-driven-scaling.md), the function app could scale out automatically. Each instance of the function app, whether the app runs on the Consumption hosting plan or a regular [App Service hosting plan](../app-service/overview-hosting-plans.md), might process concurrent function invocations in parallel using multiple threads. The maximum number of concurrent function invocations in each function app instance varies based on the type of trigger being used as well as the resources used by other functions within the function app.

-## Functions runtime versioning

-You can configure the version of the Functions runtime using the `FUNCTIONS_EXTENSION_VERSION` app setting. For example, the value "~4" indicates that your function app uses 4.x as its major version. Function apps are upgraded to each new minor version as they're released. For more information, including how to view the exact version of your function app, see [How to target Azure Functions runtime versions](set-runtime-version.md).

-## Repositories

-The code for Azure Functions is open source and stored in GitHub repositories:

-* [Azure Functions](https://github.com/Azure/Azure-Functions)

-* [Azure Functions host](https://github.com/Azure/azure-functions-host/)

-* [Azure Functions portal](https://github.com/azure/azure-functions-ux)

-* [Azure Functions templates](https://github.com/azure/azure-functions-templates)

-* [Azure WebJobs SDK](https://github.com/Azure/azure-webjobs-sdk/)

-* [Azure WebJobs SDK Extensions](https://github.com/Azure/azure-webjobs-sdk-extensions/)

-## Bindings

-Here's a table of all supported bindings.

-Having issues with errors coming from the bindings? Review the [Azure Functions Binding Error Codes](functions-bindings-error-pages.md) documentation.

-Your function project references connection information by name from its configuration provider. It doesn't directly accept the connection details, allowing them to be changed across environments. For example, a trigger definition might include a `connection` property. This might refer to a connection string, but you can't set the connection string directly in a `function.json`. Instead, you would set `connection` to the name of an environment variable that contains the connection string.

-The default configuration provider uses environment variables. These might be set by [Application Settings](./functions-how-to-use-azure-function-app-settings.md?tabs=portal#settings) when running in the Azure Functions service, or from the [local settings file](functions-develop-local.md#local-settings-file) when developing locally.

-When the connection name resolves to a single exact value, the runtime identifies the value as a _connection string_, which typically includes a secret. The details of a connection string are defined by the service to which you wish to connect.

-Choose a tab below to learn about permissions for each component:

-| Client ID | `<CONNECTION_NAME_PREFIX>__clientId` | When `credential` is set to `managedidentity`, this property can be set to specify the user-assigned identity to be used when obtaining a token. The property accepts a client ID corresponding to a user-assigned identity assigned to the application. It is invalid to specify both a Resource ID and a client ID. If not specified, the system-assigned identity is used. This property is used differently in [local development scenarios](#local-development-with-identity-based-connections), when `credential` shouldn't be set. |

-Additional options may be supported for a given connection type. Refer to the documentation for the component making the connection.

-> Local development with identity-based connections requires updated versions of the [Azure Functions Core Tools](./functions-run-local.md). You can check your currently installed version by running `func -v`. For Functions v3, use version `3.0.3904` or later. For Functions v4, use version `4.0.3904` or later.

-In some cases, you may wish to specify use of a different identity. You can add configuration properties for the connection that point to the alternate identity based on a client ID and client Secret for an Azure Active Directory service principal. **This configuration option is not supported when hosted in the Azure Functions service.** To use an ID and secret on your local machine, define the connection with the following additional properties:

-The Azure Functions host uses the `AzureWebJobsStorage` connection for core behaviors such as coordinating singleton execution of timer triggers and default app key storage. This can be configured to use an identity as well.

-If you're configuring `AzureWebJobsStorage` using a storage account that uses the default DNS suffix and service name for global Azure, following the `https://<accountName>.blob/queue/file/table.core.windows.net` format, you can instead set `AzureWebJobsStorage__accountName` to the name of your storage account. The endpoints for each storage service will be inferred for this account. This won't work if the storage account is in a sovereign cloud or has a custom DNS.

-* [Azure Functions triggers and bindings](functions-triggers-bindings.md)

-* [Code and test Azure Functions locally](./functions-develop-local.md)

-* [Best Practices for Azure Functions](functions-best-practices.md)

-* [Azure Functions C# developer reference](functions-dotnet-class-library.md)

-* [Azure Functions Node.js developer reference](functions-reference-node.md)

-<a name="top"></a>Azure Functions currently supports several versions of the runtime host. The following table details the available versions, their support level, and when they should be used:

-| 3.x | GA^* | Reached the end of life (EOL) for extended support on December 13, 2022. We highly recommend you [migrate your apps to version 4.x](migrate-version-3-version-4.md) for full support. |

-| 2.x | GA^* | Reached the end of life (EOL) on December 13, 2022. We highly recommend you [migrate your apps to version 4.x](migrate-version-3-version-4.md) for full support. |

-^*For a detailed support statement about end-of-life versions, see [this migration article](migrate-version-3-version-4.md).

-This article details some of the differences between these versions, how you can create each version, and how to change the version on which your functions run.

-All functions in a function app must share the same language. You chose the language of functions in your function app when you create the app. The language of your function app is maintained in the [FUNCTIONS\_WORKER\_RUNTIME](functions-app-settings.md#functions_worker_runtime) setting, and shouldn't be changed when there are existing functions.

-The following table indicates which programming languages are currently supported in each runtime version.

-In Visual Studio, you select the runtime version when you create a project. Azure Functions tools for Visual Studio supports the three major runtime versions. The correct version is used when debugging and publishing based on project settings. The version settings are defined in the `.csproj` file in the following properties:

-# [Version 3.x](#tab/v3)

-Reached the end of life (EOL) on December 13, 2022. We highly recommend you [migrating your apps to version 4.x](migrate-version-3-version-4.md) for full support.

-# [Version 2.x](#tab/v2)

-Reached the end of life (EOL) on December 13, 2022. We highly recommend you [migrating your apps to version 4.x](migrate-version-3-version-4.md) for full support.

-### VS Code and Azure Functions Core Tools

-Azure Functions runtime is built around various components, including operating systems, the Azure Functions host, and language-specific workers. To maintain full-support coverages for function apps, Functions support aligns with end-of-life support for a given language. To achieve this, Functions implements a phased reduction in support as programming language versions reach their end-of-life dates. For most language versions, the retirement date coincides with the community end-of-life date.

-We'll send notification emails to function app users about upcoming language version retirements. The notifications will be at least one year before the date of retirement. Upon the notification, you should prepare to upgrade the language version that your functions apps use to a supported version.

-After the language end-of-life date, function apps that use retired language versions can still be created and deployed, and they continue to run on the platform. However your apps won't be eligible for new features, security patches, and performance optimizations until you upgrade them to a supported language version.

-There are few exceptions to the retirement policy outlined above. Here is a list of languages that are approaching or have reached their end-of-life (EOL) dates but continue to be supported on the platform until further notice. When these languages versions reach their end-of-life dates, they are no longer updated or patched. Because of this, we discourage you from developing and running your function apps on these language versions.

-# <a name="top"></a>Migrate apps from Azure Functions version 3.x to version 4.x

-> As of December 13, 2022, function apps running on versions 2.x and 3.x of the Azure Functions runtime have reached the end of life (EOL) of extended support.

->

-> Apps using versions 2.x and 3.x can still be created and deployed from your CI/CD DevOps pipeline, and all existing apps continue to run without breaking changes. However, your apps are not eligible for new features, security patches, and performance optimizations. You'll only get related service support once you upgrade them to version 4.x.

->

-> End of support for these older runtime versions is due to the end of support for .NET Core 3.1, which they had as a core dependency. This requirement affects all [languages supported by Azure Functions](supported-languages.md).

->

-> We highly recommend that you migrate your function apps to version 4.x of the Functions runtime by following this article.

-* **Built-in log streaming**: the App Service platform lets you view a stream of your application log files. This is equivalent to the output seen when you debug your functions during [local development](functions-develop-local.md) and when you use the **Test** tab in the portal. All log-based information is displayed. For more information, see [Stream logs](../app-service/troubleshoot-diagnostic-logs.md#stream-logs). This streaming method supports only a single instance, and can't be used with an app running on Linux in a Consumption plan.

-description: Learn which languages are supported (GA) and which are in preview, and ways to extend Functions development to other languages.

-This article explains the levels of support offered for languages that you can use with Azure Functions. It also describes strategies for creating functions using languages not natively supported.

-[Several versions of the Azure Functions runtime](functions-versions.md) are available. The following table shows which languages are supported in each runtime version.

->

-## Next steps

-To learn more about how to develop functions in the supported languages, see the following resources:

-+ [C# class library developer reference](functions-dotnet-class-library.md)

-+ [C# script developer reference](functions-reference-csharp.md)

-+ [Java developer reference](functions-reference-java.md)

-+ [JavaScript developer reference](functions-reference-node.md?tabs=javascript)

-+ [PowerShell developer reference](functions-reference-powershell.md)

-+ [Python developer reference](functions-reference-python.md)

-+ [TypeScript developer reference](functions-reference-node.md?tabs=typescript)

- |Override query time range| If you want the alert evaluation period to be different than the query time range, enter a time range here.<br> The alert time range is limited to a maximum of two days. Even if the query contains an **ago** command with a time range of longer than two days, the two-day maximum time range is applied. For example, even if the query text contains **ago(7d)**, the query only scans up to two days of data.<br> If the query requires more data than the alert evaluation you can change the time range manually.

-If the query contains **ago** command in the query, it will be cahnged automatically to 2 days (48 hours).|

-Within the profiler user interface (see [profiler settings](../profiler/profiler-settings.md)) there's a **Profile now** button. Selecting this button will immediately request a profile in all agents that are attached to the Application Insights instance.

-In this scenario, a profile will occur in the following circumstances:

-SLA triggers are based on OpenTelemetry (otel) and they will initiate a profile if certain criteria is fulfilled.

-The following steps will guide you through enabling the profiling component on the agent and configuring resource limits that will trigger a profile if breached.

-1. Configure the resource thresholds that will cause a profile to be collected:

-After these steps have been completed, the agent will monitor the resource usage of your process and trigger a profile when the threshold is exceeded. When a profile has been triggered and completed, it will be viewable from the

-`memoryTriggeredSettings` This configuration will be used if a memory profile is requested. This value can be one of:

-`cpuTriggeredSettings` This configuration will be used if a cpu profile is requested.

-`manualTriggeredSettings` This configuration will be used if a manual profile is requested.

-This article provides examples of telemetry processors in Application Insights for Java. You'll find samples for include and exclude configurations. You'll also find samples for attribute processors and span processors.

-This section shows how to include spans for an attribute processor. Spans that don't match the properties aren't processed by the processor.

-This section demonstrates how to exclude spans for an attribute processor. Spans that match the properties aren't processed by this processor.

-This section demonstrates how to exclude spans for an attribute processor. Spans that match the properties aren't processed by this processor.

-Let's assume the input log message body is `User account with userId 123456xx failed to login`. The log processor updates output message body to `User account with userId {redactedUserId} failed to login` and the attribute processor deletes the new attribute `redactedUserId` which was adding in the previous step.

- const { ApplicationInsightsClient, ApplicationInsightsConfig } = require("applicationinsights");

- const appInsights = new ApplicationInsightsClient(new ApplicationInsightsConfig());

- const traceHandler = appInsights.getTraceHandler();

- traceHandler.addInstrumentation(new ExpressInstrumentation());

- const { ApplicationInsightsClient, ApplicationInsightsConfig } = require("applicationinsights");

- const appInsights = new ApplicationInsightsClient(new ApplicationInsightsConfig());

- const customMetricsHandler = appInsights.getMetricHandler().getCustomMetricsHandler();

- const meter = customMetricsHandler.getMeter();

- const { ApplicationInsightsClient, ApplicationInsightsConfig } = require("applicationinsights");

- const appInsights = new ApplicationInsightsClient(new ApplicationInsightsConfig());

- const customMetricsHandler = appInsights.getMetricHandler().getCustomMetricsHandler();

- const meter = customMetricsHandler.getMeter();

- const { ApplicationInsightsClient, ApplicationInsightsConfig } = require("applicationinsights");

- const appInsights = new ApplicationInsightsClient(new ApplicationInsightsConfig());

- const customMetricsHandler = appInsights.getMetricHandler().getCustomMetricsHandler();

- const meter = customMetricsHandler.getMeter();

-const { ApplicationInsightsClient, ApplicationInsightsConfig } = require("applicationinsights");

-const appInsights = new ApplicationInsightsClient(new ApplicationInsightsConfig());

-const tracer = appInsights.getTraceHandler().getTracer();

-let span = tracer.startSpan("hello");

-try{

- throw new Error("Test Error");

-}

-catch(error){

- span.recordException(error);

-}

-const { ApplicationInsightsClient, ApplicationInsightsConfig } = require("applicationinsights");

-const appInsights = new ApplicationInsightsClient(new ApplicationInsightsConfig());

-const tracer = appInsights.getTraceHandler().getTracer();

-let span = tracer.startSpan("hello");

-span.end();

-First, get the `LogHandler`:

-const { ApplicationInsightsClient, ApplicationInsightsConfig } = require("applicationinsights");

-const appInsights = new ApplicationInsightsClient(new ApplicationInsightsConfig());

-const logHandler = appInsights.getLogHandler();

-Then use the `LogHandler` to send custom telemetry:

-let eventTelemetry = {

- name: "testEvent"

-};

-logHandler.trackEvent(eventTelemetry);

-let traceTelemetry = {

- message: "testMessage",

- severity: "Information"

-};

-logHandler.trackTrace(traceTelemetry);

-try {

- ...

-} catch (error) {

- let exceptionTelemetry = {

- exception: error,

- severity: "Critical"

- };

- logHandler.trackException(exceptionTelemetry);

-}

-const { ApplicationInsightsClient, ApplicationInsightsConfig } = require("applicationinsights");

-const { ReadableSpan, Span, SpanProcessor } = require("@opentelemetry/sdk-trace-base");

-const { SemanticAttributes } = require("@opentelemetry/semantic-conventions");

-const appInsights = new ApplicationInsightsClient(new ApplicationInsightsConfig());

-class SpanEnrichingProcessor implements SpanProcessor{

- forceFlush(): Promise<void>{

- return Promise.resolve();

- }

- shutdown(): Promise<void>{

- return Promise.resolve();

- }

- onStart(_span: Span): void{}

- onEnd(span: ReadableSpan){

- span.attributes["CustomDimension1"] = "value1";

- span.attributes["CustomDimension2"] = "value2";

-}

-appInsights.getTraceHandler().addSpanProcessor(new SpanEnrichingProcessor());

-const { SemanticAttributes } = require("@opentelemetry/semantic-conventions");

-class SpanEnrichingProcessor implements SpanProcessor{

- ...

- onEnd(span){

- span.attributes[SemanticAttributes.HTTP_CLIENT_IP] = "<IP Address>";

-}

-import { SemanticAttributes } from "@opentelemetry/semantic-conventions";

-class SpanEnrichingProcessor implements SpanProcessor{

- ...

- onEnd(span: ReadableSpan){

- span.attributes[SemanticAttributes.ENDUSER_ID] = "<User ID>";

-}

-```javascript

-const config = new ApplicationInsightsConfig();

-config.instrumentations.http = httpInstrumentationConfig;

-const appInsights = new ApplicationInsightsClient(config);

-const logHandler = appInsights.getLogHandler();

-const attributes = {

- "testAttribute1": "testValue1",

- "testAttribute2": "testValue2",

- "testAttribute3": "testValue3"

-};

-logHandler.trackEvent({

- name: "testEvent",

- properties: attributes

-});

- const { ApplicationInsightsClient, ApplicationInsightsConfig } = require("applicationinsights");

- const config = new ApplicationInsightsConfig();

- config.instrumentations.http = httpInstrumentationConfig;

- const appInsights = new ApplicationInsightsClient(config);

-You can set the connection string either programmatically or by setting the environment variable `APPLICATIONINSIGHTS_CONNECTION_STRING`. In the event that both have been set, the programmatic connection string will take precedence.

-You might want to update the [Cloud Role Name](app-map.md#understand-the-cloud-role-name-within-the-context-of-an-application-map) and the Cloud Role Instance from the default values to something that makes sense to your team. They'll appear on the Application Map as the name underneath a node.

-The OpenTelemetry API offers six metric "instruments" to cover various metric scenarios and you'll need to pick the correct "Aggregation Type" when visualizing metrics in Metrics Explorer. This requirement is true when using the OpenTelemetry Metric API to send metrics and when using an instrumentation library.

-You can populate the _user_Id_ or _user_AuthenticatedId_ field for requests by using the guidance below. User ID is an anonymous user identifier. Authenticated User ID is a known user identifier.

-description: Recommendations for deployment of Azure Monitor alerts and automated actions.

-# Deploy Azure Monitor: Alerts and automated actions

-This article is part of the scenario [Recommendations for configuring Azure Monitor](best-practices.md). It provides guidance on alerts in Azure Monitor. Alerts proactively notify you of important data or patterns identified in your monitoring data. You can view alerts in the Azure portal. You can create alerts that:

-## Alerting strategy

-An alerting strategy defines your organization's standards for:

-Defining an alert strategy assists you in defining the configuration of alert rules including alert severity and action groups.

-For factors to consider as you develop an alerting strategy, see [Successful alerting strategy](/azure/cloud-adoption-framework/manage/monitor/alerting#successful-alerting-strategy).

-## Alert rule types

-Alerts in Azure Monitor are created by alert rules that you must create. For guidance on recommended alert rules, see the monitoring documentation for each Azure service. Azure Monitor doesn't have any alert rules by default.

-Multiple types of alert rules are defined by the type of data they use. Each has different capabilities and a different cost. The basic strategy is to use the alert rule type with the lowest cost that provides the logic you require.

-## Alert severity

-Each alert rule defines the severity of the alerts that it creates based on the following table. Alerts in the Azure portal are grouped by level so that you can manage similar alerts together and quickly identify alerts that require the greatest urgency.

-| Level | Name | Description |

-|:|:|:|

-| Sev 0 | Critical | Loss of service or application availability or severe degradation of performance. Requires immediate attention. |

-| Sev 1 | Error | Degradation of performance or loss of availability of some aspect of an application or service. Requires attention but not immediate. |

-| Sev 2 | Warning | A problem that doesn't include any current loss in availability or performance, although it has the potential to lead to more severe problems if unaddressed. |

-| Sev 3 | Informational | Doesn't indicate a problem but provides interesting information to an operator, such as successful completion of a regular process. |

-| Sev 4 | Verbose | Doesn't indicate a problem but provides detailed information that is verbose.

-Assess the severity of the condition each rule is identifying to assign an appropriate level. Define the types of issues you assign to each severity level and your standard response to each in your alerts strategy.

-## Action groups

-Automated responses to alerts in Azure Monitor are defined in [action groups](alerts/action-groups.md). An action group is a collection of one or more notifications and actions that are fired when an alert is triggered. A single action group can be used with multiple alert rules and contain one or more of the following items:

-## Notifications

-Notifications are messages sent to one or more users to notify them that an alert has been created. Because a single action group can be used with multiple alert rules, you should design a set of action groups for different sets of administrators and users who will receive the same sets of alerts. Use any of the following types of notifications depending on the preferences of your operators and your organizational standards:

-## Actions

-Actions are automated responses to an alert. You can use the available actions for any scenario that they support, but the following sections describe how each action is typically used.

-### Automated remediation

-Use the following actions to attempt automated remediation of the issue identified by the alert:

-### ITSM and on-call management

-## Minimize alert activity

-You want to create alerts for any important information in your environment. But you don't want to create excessive alerts and notifications for issues that don't warrant them. To minimize your alert activity to ensure that critical issues are surfaced while you don't generate excess information and notifications for administrators, follow these guidelines:

-## Create alert rules at scale

-Typically, you'll want to alert on issues for all your critical Azure applications and resources. Use the following methods for creating alert rules at scale:

-> [!NOTE]

-> Resource-centric log query alert rules currently in public preview allow you to use all resources in a subscription or resource group as a target for a log query alert.

-## Next steps

-[Optimize cost in Azure Monitor](best-practices-cost.md)

-Azure Monitor cross-service queries support functions for Application Insights, Log Analytics, Azure Data Explorer, and Azure Resource Graph.

-| [InstallDependencyAgent-Windows.exe](https://aka.ms/dependencyagentwindows) | Windows | 9.10.16.22650 | BE537D4396625ADD93B8C1D5AF098AE9D9472D8A20B2682B32920C5517F1C041 |

-| [InstallDependencyAgent-Linux64.bin](https://aka.ms/dependencyagentlinux) | Linux | 9.10.16.22650 | FF86D821BA845833C9FE5F6D5C8A5F7A60617D3AD7D84C75143F3E244ABAAB74 |

- > Selecting the **Enable Continuous Availability** option alone does not automatically make the existing SMB sessions continuously available. After selecting the option, be sure to reboot the server for the change to take effect.

-1. Once you enable SMB Continuous Availability, reboot the server for the change to take effect.

-* Azure Active Directory authentication and custom ports and protocols aren't currently supported when connecting to a VM via native client.

-* UDR is not supported on Bastion subnet, including with IP-based connection.

- token=$(curl http://localhost:50342/oauth2/token --data "resource=https://management.azure.com/" -H Metadata:true -s | jq -r ".accessToken")

- $token= ((Invoke-WebRequest @parameters ).content | ConvertFrom-Json).accessToken

- TOKEN=$(az account get-access-token --resource "https://management.azure.com/" | jq -r ".accessToken")

-Azure Communication Services stores chat messages for 90 days. Chat thread participants can use `ListMessages` to view message history for a particular thread. However, the API does not return messages once the 90 day period has passed. Users that are removed from a chat thread are able to view previous message history for 90 days but cannot send or receive new messages. To learn more about data being stored in Azure Communication Services chat service, refer to the [data residency and privacy page](../privacy.md).

-Chat messages are stored for 90 days. Submit [a request to Azure Support](../../azure-portal/supportability/how-to-create-azure-support-request.md) if you require storage for longer time period. If the time period is less than 90 days for chat messages, use the delete chat thread APIs.

-No. Texting to a toll-free number from a short code is not supported. You also wont be able to receive a message from a toll-free number to a short code.

-Communication Services connections require internet connectivity to specific ports and IP addresses to deliver high-quality multimedia experiences. Without access to these ports and IP addresses, Communication Services can still work. The optimal experience is provided when the recommended ports and IP ranges are open.

-The diagram below will guide different offerings in this portfolio

-**Confidential VM worker nodes on AKS)** supporting full AKS features with node level VM based Trusted Execution Environment (TEE). Also support remote guest attestation. [Get started with CVM worker nodes with a lift and shift workload to CVM node pool.](../aks/use-cvm.md)

-**Unmodified containers with serverless offering** [confidential containers on Azure Container Instance (ACI)](./confidential-containers.md#vm-isolated-confidential-containers-on-azure-container-instances-acipublic-preview) supporting existing Linux containers with remote guest attestation flow.

-## VM Isolated Confidential containers on Azure Container Instances (ACI) - Public preview

- "offer": "UbuntuServer",

- "offer": "UbuntuServer",

-```java

-##### [JavaScript SDK v4](#tab/javascript-v4)

-String id = "f7da01b0-090b-41d2-8416-dacae09fbb4a";

-PartitionKey partitionKey = new PartitionKeyBuilder()

- .add("Microsoft") //TenantId

- .add("8411f20f-be3e-416a-a3e7-dcd5a3c1f28b") //UserId

- .add("0000-11-0000-1111") //SessionId

-

-Mono<CosmosItemResponse<UserSession>> readResponse = container.readItem(id, partitionKey, UserSession.class);

-> [!TIP]

-> Want to try the Azure Cosmos DB for MongoDB with no commitment? Create an Azure Cosmos DB account using [Try Azure Cosmos DB](../try-free.md) for free.

-| `path_to_property` | string | Path to the property that contains the vector. This path can be a top-level property or a dot notation path to the property. If a dot notation path is used, then all the nonleaf elements can't be arrays. |

-* Learn how to [generate embeddings using Azure OpenAI](../../../ai-services/openai/tutorials/embeddings.md)

- changeFeedStartFrom: ChangeFeedStartFrom.Beginning()

- >[!NOTE]

- > Export to storage accounts behind firewall is in preview.

- . Locate the alert titled **Malicious file uploaded to storage account**.

- 1. Select on the alertΓÇÖs **View full details** button to see all the related details.

- 1. Learn more about Defender for Storage security alerts in the [reference table for all security alerts in Microsoft Defender for Cloud](alerts-reference.md#alerts-azurestorage).

-# New Custom Recommendations for AWS and GCP in Defender for Cloud

-> [Understanding data aware security posture capability](episode-thirty-one.md)

-This new trigger is available today for some customers, and will be available to all customers by mid-September.

-To publish the function app to Azure, you'll need to create a storage account, then create the function app in Azure, and finally publish the functions to the Azure function app. This section completes these actions using the Azure CLI.

- az functionapp create --name <name-for-new-function-app> --storage-account <name-of-storage-account-from-previous-step> --functions-version 4 --consumption-plan-location <location> --runtime dotnet --runtime-version 6 --resource-group <resource-group>

- dotnet publish -c Release

- This command publishes the project to the *digital-twins-samples-main\AdtSampleApp\SampleFunctionsApp\bin\Release\netcoreapp3.1\publish* directory.

- 1. Using your preferred method, create a zip of the published files that are located in the *digital-twins-samples-main\AdtSampleApp\SampleFunctionsApp\bin\Release\netcoreapp3.1\publish* directory. Name the zipped folder *publish.zip*.

- >[!TIP]

- >If you're using PowerShell, you can create the zip by copying the full path to that *\publish* directory and pasting it into the following command:

- >

- >```powershell

- >Compress-Archive -Path <full-path-to-publish-directory>\* -DestinationPath .\publish.zip

- >```

- > The cmdlet will create the *publish.zip* file in the directory location of your console.

- Your *publish.zip* file should contain folders for *bin*, *ProcessDTRoutedData*, and *ProcessHubToDTEvents*, and there should also be a *host.json* file.

-#### Configure application settings

-Begin by getting the IoT hub connection string with this command:

-# Azure Event HubsΓÇöA big data streaming platform and event ingestion service

-Event Hubs represents the "front door" for an event pipeline, often called an **event ingestor** in solution architectures. An event ingestor is a component or service that sits between event publishers and event consumers to decouple the production of an event stream from the consumption of those events. Event Hubs provides a unified streaming platform with time retention buffer, decoupling event producers from event consumers.

-[Event Hubs for Apache Kafka ecosystems](azure-event-hubs-kafka-overview.md) furthermore enables [Apache Kafka (1.0 and later)](https://kafka.apache.org/) clients and applications to talk to Event Hubs. You don't need to set up, configure, and manage your own Kafka and Zookeeper clusters or use some Kafka-as-a-Service offering not native to Azure.

-[Azure Schema Registry](schema-registry-overview.md) in Event Hubs provides a centralized repository for managing schemas of events streaming applications. Azure Schema Registry comes free with every Event Hubs namespace, and it integrates seamlessly with you Kafka applications or Event Hubs SDK based applications.

-It ensures data compatibility and consistency across event producers and consumers, enabling seamless schema evolution, validation, and governance, and promoting efficient data exchange and interoperability.

-[Capture](event-hubs-capture-overview.md) your data in near-real time in an [Azure Blob storage](https://azure.microsoft.com/services/storage/blobs/) or [Azure Data Lake Storage](https://azure.microsoft.com/services/data-lake-store/) for long-term retention or micro-batch processing. You can achieve this behavior on the same stream you use for deriving real-time analytics. Setting up capture of event data is fast. There are no administrative costs to run it, and it scales automatically with Event Hubs [throughput units](event-hubs-scalability.md#throughput-units) or [processing units](event-hubs-scalability.md#processing-units). Event Hubs enables you to focus on data processing rather than on data capture.

-With Event Hubs, you can start with data streams in megabytes, and grow to gigabytes or terabytes. The [Auto-inflate](event-hubs-auto-inflate.md) feature is one of the many options available to scale the number of throughput units or processing units to meet your usage needs.

-Event Hubs **premium** caters to high-end streaming needs that require superior performance, better isolation with predictable latency and minimal interference in a managed multitenant PaaS environment. On top of all the features of the standard offering, the premium tier offers several extra features such as [dynamic partition scale up](dynamically-add-partitions.md), extended retention, and [customer-managed-keys](configure-customer-managed-key.md). For more information, see [Event Hubs Premium](event-hubs-premium-overview.md).

-| Event producers | Any entity that sends data to an event hub. Event publishers can publish events using HTTPS or AMQP 1.0 or Apache Kafka (1.0 and above). |

-| [Throughput units (standard tier)](event-hubs-scalability.md#throughput-units) or [processing units (premium tier)](event-hubs-scalability.md#processing-units) or [capacity units (dedicated)](event-hubs-dedicated-overview.md) | Pre-purchased units of capacity that control the throughput capacity of Event Hubs. |

-description: A quickstart to create a .NET Core application that sends events to Azure Event Hubs and then receive those events by using the Azure.Messaging.EventHubs package.

- The SAS URL must have READ permissions so the firewall can upload the file. If changes are made to the PAC file, a new SAS URL needs to be generated and configured on the firewall **Enable explicit proxy** page.

- HDInsight currently allocates quota to customer subscriptions at a regional level. The cores allocated to customers are generic and not classified at a VM family level (For example, Dv2, Ev3, Eav4, etc.).

- * log4j 1.x replaced with reload4j.

- * Mirror Maker2 improvements.

-* HDInsight has moved away from Azul Zulu Java JDK 8 to Adoptium Temurin JDK 8, which supports high-quality TCK certified runtimes, and associated technology for use across the Java ecosystem.

-* HDInsight has migrated to reload4j. The log4j changes are applicable to

-|[HIVE-24322](https://issues.apache.org/jira/browse/HIVE-24322)| If there's direct insert, the attempt ID has to be checked when reading the manifest fails|

-|[HIVE-25920](https://issues.apache.org/jira/browse/HIVE-25920)| Bump Xerce2 to 2.12.2.|

-1. Yarn logΓÇÖs CLI failed to retrieve the logs if any TFile is corrupt or empty.

-|Wrong FS Exception when warehouse and scratchdir are on different FS|[TEZ-4406](https://issues.apache.org/jira/browse/TEZ-4406)|

-1. Yarn logΓÇÖs CLI failed to retrieve the logs if any TFile is corrupt or empty.

-|Wrong FS Exception when warehouse and scratchdir are on different FS|[TEZ-4406](https://issues.apache.org/jira/browse/TEZ-4406)|

-|TableSnapshotInputFormat should use ReadType.STREAM for scanning HFiles |[HBASE-26273](https://issues.apache.org/jira/browse/HBASE-26273)|

-| Hive query with large size via knox fails with Broken pipe Write failed|[HIVE-22231](https://issues.apache.org/jira/browse/HIVE-22231)|

-| Remove expensive logging from the LLAP cache hotpath|[HIVE-22168](https://issues.apache.org/jira/browse/HIVE-22168)|

-| switch Hive UDFs to use Re2J regex engine|[HIVE-19661](https://issues.apache.org/jira/browse/HIVE-19661)|

-|Prevent LLAP shutdown on AMReporter related RuntimeException|[HIVE-22113](https://issues.apache.org/jira/browse/HIVE-22113)|

-| JDBC: HiveConnection shades log4j interfaces|[HIVE-18874](https://issues.apache.org/jira/browse/HIVE-18874)|

-| Update repo URLs in poms - branch 3.1 version|[HIVE-21786](https://issues.apache.org/jira/browse/HIVE-21786)|

-| DBInstall tests broken on master and branch-3.1|[HIVE-21758](https://issues.apache.org/jira/browse/HIVE-21758)|

-Other features include MirrorMaker 2 availability, new metric category AtMinIsr topic partition, Improved broker start-up time by lazy on demand mmap of index files, More consumer metrics to observe user poll behavior.

-| Upgrade log4j 2.16.0 to 2.17.0 | [HIVE-25825](https://issues.apache.org/jira/browse/HIVE-25825) |

-| Update Flatbuffer version | [HIVE-22827](https://issues.apache.org/jira/browse/HIVE-22827) |

-Starting from March 01, 2022, HDInsight will only support manual scale for HBase, there's no impact on running clusters. New HBase clusters won't be able to enable schedule based Autoscaling. For more information on how to  manually scale your HBase cluster, refer our documentation on [Manually scaling Azure HDInsight clusters](./hdinsight-scaling-best-practices.md)

-HDInsight 4.0 image has been updated to mitigate Log4j vulnerability as described in [MicrosoftΓÇÖs Response to CVE-2021-44228 Apache Log4j 2.](https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/)

-> * Any HDI 4.0 clusters created post 27 Dec 2021 00:00 UTC are created with an updated version of the image which mitigates the log4j vulnerabilities. Hence, customers need not patch/reboot these clusters.

-### Price Correction for HDInsight Dv2 Virtual Machines

-A pricing error was corrected on April 25, 2021, for the Dv2 VM series on HDInsight. The pricing error resulted in a reduced charge on some customer's bills prior to April 25, and with the correction, prices now match what had been advertised on the HDInsight pricing page and the HDInsight pricing calculator. The pricing error impacted customers in the following regions who used Dv2 VMs:

-Starting on April 25, 2021, the corrected amount for the Dv2 VMs will be on your account. Customer notifications were sent to subscription owners prior to the change. You can use the Pricing calculator, HDInsight pricing page, or the Create HDInsight cluster blade in the Azure portal to see the corrected costs for Dv2 VMs in your region.

-No other action is needed from you. The price correction will only apply for usage on or after April 25, 2021 in the specified regions, and not to any usage prior to this date. To ensure you have the most performant and cost-effective solution, we recommended that you review the pricing, VCPU, and RAM for your Dv2 clusters and compare the Dv2 specifications to the Ev3 VMs to see if your solution would benefit from utilizing one of the newer VM series.

-#### Eav4-series support

-HDInsight added Eav4-series support in this release.

-#### Default cluster VM sizes are changed to Ev3-series

-Default cluster VM sizes are changed from D-series to Ev3-series. This change applies to head nodes and worker nodes. To avoid this change impacting your tested workflows, specify the VM sizes that you want to use in the ARM template.

-#### Default cluster VM size changes to Ev3-series

-Default cluster VM sizes will be changed from D-series to Ev3-series. This change applies to head nodes and worker nodes. To avoid this change impacting your tested workflows, specify the VM sizes that you want to use in the ARM template.

-After the **operational** stage, the cluster waits another 60 minutes for the remaining 20% worker nodes. At the end of this 60 minutes, the cluster moves to the **running** stage, even if all of worker nodes are still not available. Once a cluster enters the **running** stage, you can use it as normal. Both control plan operations like scaling up/down, and data plan operations like running scripts and jobs are accepted. If some of the requested worker nodes aren't available, the cluster will be marked as partial success. You are charged for the nodes that were deployed successfully.

-Previously, with cluster creation, customers can create a new service principal to access the connected ADLS Gen 1 account in Azure portal. Starting June 15 2020, customers can't create new service principal in HDInsight creation workflow, only existing service principal is supported. See [Create Service Principal and Certificates using Azure Active Directory](../active-directory/develop/howto-create-service-principal-portal.md).

-#### Dv1 virtual machine deprecation

-From this release, the use of Dv1 VMs with HDInsight is deprecated. Any customer request for Dv1 will be served with Dv2 automatically. There's no price difference between Dv1 and Dv2 VMs.

-| **Summary:** handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop) |

-| BUG-95259 | [HADOOP-15185](https://issues.apache.org/jira/browse/HADOOP-15185), [HADOOP-15186](https://issues.apache.org/jira/browse/HADOOP-15186) | Update adls connector to use the current version of ADLS SDK |

-| BUG-97223 | [SPARK-23434](https://issues.apache.org/jira/browse/SPARK-23434) | Spark shouldn't warn \`metadata directory\` for a HDFS file path |

-| BUG-94869 | [PHOENIX-4290](https://issues.apache.org/jira/browse/PHOENIX-4290), [PHOENIX-4373](https://issues.apache.org/jira/browse/PHOENIX-4373) | Requested row out of range for Get on HRegion for local indexed salted phoenix table. |

-| BUG-95669 | [HIVE-18577](https://issues.apache.org/jira/browse/HIVE-18577), [HIVE-18643](https://issues.apache.org/jira/browse/HIVE-18643) | When run update/delete query on ACID partitioned table, HS2 read all each partitions. |

-| BUG-100422 | [HIVE-19085](https://issues.apache.org/jira/browse/HIVE-19085) | FastHiveDecimal abs(0) sets sign to +ve |

-| BUG-93136 | [HIVE-18189](https://issues.apache.org/jira/browse/HIVE-18189) | Order by position does not work when cbo is disabled |

-| BUG-94144 | [HIVE-17063](https://issues.apache.org/jira/browse/HIVE-17063) | insert overwrite partition into an external table fail when drop partition first |

-| BUG-97741 | [HIVE-18944](https://issues.apache.org/jira/browse/HIVE-18944) | Groupping sets position is set incorrectly during DPP |

-| BUG-98082 | [HIVE-18597](https://issues.apache.org/jira/browse/HIVE-18597) | LLAP: Always package the log4j2 API jar for org.apache.log4j |

-| BUG-100436 | [RANGER-2060](https://issues.apache.org/jira/browse/RANGER-2060) | Knox proxy with knox-sso isn't working for ranger |

-| BUG-95823 | N/A | Knox: Upgrade Beanutils |

-| BUG-96714 | [FLUME-2050](https://issues.apache.org/jira/browse/FLUME-2050) | Upgrade to log4j2 (when GA) |

-| BUG-96977 | [FLUME-3132](https://issues.apache.org/jira/browse/FLUME-3132) | Upgrade tomcat jasper library dependencies |

-| BUG-100073 | N/A | too many close\_wait connections from hiveserver to data node |

-| BUG-100448 | [SPARK-23637](https://issues.apache.org/jira/browse/SPARK-23637), [SPARK-23802](https://issues.apache.org/jira/browse/SPARK-23802), [SPARK-23809](https://issues.apache.org/jira/browse/SPARK-23809), [SPARK-23816](https://issues.apache.org/jira/browse/SPARK-23816), [SPARK-23822](https://issues.apache.org/jira/browse/SPARK-23822), [SPARK-23823](https://issues.apache.org/jira/browse/SPARK-23823), [SPARK-23838](https://issues.apache.org/jira/browse/SPARK-23838), [SPARK-23881](https://issues.apache.org/jira/browse/SPARK-23881) | Update Spark2 to 2.3.0+ (4/11) |

-| BUG-100937 | [MAPREDUCE-6889](https://issues.apache.org/jira/browse/MAPREDUCE-6889) | Add Job\#close API to shutdown MR client services. |

-| BUG-101065 | [ATLAS-2587](https://issues.apache.org/jira/browse/ATLAS-2587) | Set read ACL for /apache\_atlas/active\_server\_info znode in HA for Knox proxy to read. |

-| BUG-102064 | N/A | Hive Replication \[ onprem to onprem \] tests failed in ReplCopyTask |

-| BUG-102137 | [HIVE-19423](https://issues.apache.org/jira/browse/HIVE-19423) | Hive Replication \[ Onprem to Cloud \] tests failed in ReplCopyTask |

-| BUG-102361 | N/A | multiple insert results in single insert replicated to target hive cluster ( onprem - s3 ) |

-| BUG-92586 | [SPARK-17920](https://issues.apache.org/jira/browse/SPARK-17920), [SPARK-20694](https://issues.apache.org/jira/browse/SPARK-20694), [SPARK-21642](https://issues.apache.org/jira/browse/SPARK-21642), [SPARK-22162](https://issues.apache.org/jira/browse/SPARK-22162), [SPARK-22289](https://issues.apache.org/jira/browse/SPARK-22289), [SPARK-22373](https://issues.apache.org/jira/browse/SPARK-22373), [SPARK-22495](https://issues.apache.org/jira/browse/SPARK-22495), [SPARK-22574](https://issues.apache.org/jira/browse/SPARK-22574), [SPARK-22591](https://issues.apache.org/jira/browse/SPARK-22591), [SPARK-22595](https://issues.apache.org/jira/browse/SPARK-22595), [SPARK-22601](https://issues.apache.org/jira/browse/SPARK-22601), [SPARK-22603](https://issues.apache.org/jira/browse/SPARK-22603), [SPARK-22607](https://issues.apache.org/jira/browse/SPARK-22607), [SPARK-22635](https://issues.apache.org/jira/browse/SPARK-22635), [SPARK-22637](https://issues.apache.org/jira/browse/SPARK-22637), [SPARK-22653](https://issues.apache.org/jira/browse/SPARK-22653), [SPARK-22654](https://issues.apache.org/jira/browse/SPARK-22654), [SPARK-22686](https://issues.apache.org/jira/browse/SPARK-22686), [SPARK-22688](https://issues.apache.org/jira/browse/SPARK-22688), [SPARK-22817](https://issues.apache.org/jira/browse/SPARK-22817), [SPARK-22862](https://issues.apache.org/jira/browse/SPARK-22862), [SPARK-22889](https://issues.apache.org/jira/browse/SPARK-22889), [SPARK-22972](https://issues.apache.org/jira/browse/SPARK-22972), [SPARK-22975](https://issues.apache.org/jira/browse/SPARK-22975), [SPARK-22982](https://issues.apache.org/jira/browse/SPARK-22982), [SPARK-22983](https://issues.apache.org/jira/browse/SPARK-22983), [SPARK-22984](https://issues.apache.org/jira/browse/SPARK-22984), [SPARK-23001](https://issues.apache.org/jira/browse/SPARK-23001), [SPARK-23038](https://issues.apache.org/jira/browse/SPARK-23038), [SPARK-23095](https://issues.apache.org/jira/browse/SPARK-23095) | Update Spark2 up-to-date to 2.2.1 (Jan. 16) |

-| BUG-93485 | N/A | can'tcan'tCan't get table mytestorg.apache.hadoop.hive.ql.metadata.InvalidTableException: Table not found when running analyze table on columns in LLAP |

-| BUG-94081 | [HIVE-18384](https://issues.apache.org/jira/browse/HIVE-18384) | ConcurrentModificationException in log4j2.x library |

-| BUG-94330 | [HADOOP-13190](https://issues.apache.org/jira/browse/HADOOP-13190), [HADOOP-14104](https://issues.apache.org/jira/browse/HADOOP-14104), [HADOOP-14814](https://issues.apache.org/jira/browse/HADOOP-14814), [HDFS-10489](https://issues.apache.org/jira/browse/HDFS-10489), [HDFS-11689](https://issues.apache.org/jira/browse/HDFS-11689) | HDFS should support for multiple KMS Uris |

-| BUG-95200 | [HDFS-13061](https://issues.apache.org/jira/browse/HDFS-13061) | SaslDataTransferClient\#checkTrustAndSend shouldn'tshould'n trust a partially trusted channel |

-| BUG-96019 | [HIVE-18548](https://issues.apache.org/jira/browse/HIVE-18548) | Fix log4j import |

-| BUG-96720 | [SLIDER-1262](https://issues.apache.org/jira/browse/SLIDER-1262) | Slider functests are failing in Kerberized environment |

-| BUG-96931 | [SPARK-23053](https://issues.apache.org/jira/browse/SPARK-23053), [SPARK-23186](https://issues.apache.org/jira/browse/SPARK-23186), [SPARK-23230](https://issues.apache.org/jira/browse/SPARK-23230), [SPARK-23358](https://issues.apache.org/jira/browse/SPARK-23358), [SPARK-23376](https://issues.apache.org/jira/browse/SPARK-23376), [SPARK-23391](https://issues.apache.org/jira/browse/SPARK-23391) | Update Spark2 up-to-date (Feb. 19) |

-| BUG-97869 | [KNOX-1190](https://issues.apache.org/jira/browse/KNOX-1190) | Knox SSO support for Google OIDC is broken. |

-| BUG-98705 | [KNOX-1230](https://issues.apache.org/jira/browse/KNOX-1230) | Many Concurrent Requests to Knox causes URL Mangling |

-| BUG-99618 | [SPARK-23599](https://issues.apache.org/jira/browse/SPARK-23599), [SPARK-23806](https://issues.apache.org/jira/browse/SPARK-23806) | Update Spark2 to 2.3.0+ (3/28) |

-| BUG-91293 | [RANGER-2060](https://issues.apache.org/jira/browse/RANGER-2060) | Knox proxy with knox-sso isn't working for ranger |

-| BUG-96082 | [RANGER-1982](https://issues.apache.org/jira/browse/RANGER-1982) | Error Improvement for Analytics Metric of Ranger Admin and Ranger Kms |

-| BUG-96479 | [HDFS-12781](https://issues.apache.org/jira/browse/HDFS-12781) | After Datanode down, In Namenode UI Datanode tab is throwing warning message. |

-| BUG-95823 | N/A | Knox: Upgrade Beanutils |

-| BUG-100139 | [KNOX-1243](https://issues.apache.org/jira/browse/KNOX-1243) | Normalize the required DNs that are Configured in KnoxToken Service |

-| BUG-100570 | [ATLAS-2557](https://issues.apache.org/jira/browse/ATLAS-2557) | Fix to allow to lookup hadoop ldap groups when are groups from UGI are wrongly set or aren't empty |

-| BUG-100750 | [KNOX-1246](https://issues.apache.org/jira/browse/KNOX-1246) | Update service config in Knox to support latest configurations for Ranger. |

-| BUG-90979 | [KNOX-1224](https://issues.apache.org/jira/browse/KNOX-1224) | Knox Proxy HADispatcher to support Atlas in HA. |

-| BUG-91293 | [RANGER-2060](https://issues.apache.org/jira/browse/RANGER-2060) | Knox proxy with knox-sso isn't working for ranger |

-| BUG-93136 | [HIVE-18189](https://issues.apache.org/jira/browse/HIVE-18189) | Order by position doesn't work when cbo is disabled |

-| BUG-93495 | [RANGER-1937](https://issues.apache.org/jira/browse/RANGER-1937) | Ranger tagsync should process ENTITY\_CREATE notification, to support Atlas import feature |

-| BUG-93944 | [ATLAS-2318](https://issues.apache.org/jira/browse/ATLAS-2318) | UI: Clicking on child tag twice , parent tag is selected |

-| BUG-94428 | N/A | Dataplane Profiler Agent REST API Knox support |

-| BUG-94518 | [ATLAS-2329](https://issues.apache.org/jira/browse/ATLAS-2329) | Atlas UI Multiple Hovers appears if user click on another tag which is incorrect |

-| BUG-94627 | [HIVE-17731](https://issues.apache.org/jira/browse/HIVE-17731) | add a backward compat option for external users to HIVE-11985 |

-| BUG-94786 | [HIVE-6091](https://issues.apache.org/jira/browse/HIVE-6091) | Empty pipeout files are created for connection create/close |

-| BUG-95314 | [YARN-7699](https://issues.apache.org/jira/browse/YARN-7699) | queueUsagePercentage is coming as INF for getApp REST api call |

-| BUG-95593 | N/A | Extend Oozie DB utils to support Spark2 sharelib creation |

-| BUG-96019 | [HIVE-18548](https://issues.apache.org/jira/browse/HIVE-18548) | Fix log4j import |

-| BUG-96313 | [KNOX-1119](https://issues.apache.org/jira/browse/KNOX-1119) | Pac4J OAuth/OpenID Principal Needs to be Configurable |

-| BUG-96479 | [HDFS-12781](https://issues.apache.org/jira/browse/HDFS-12781) | After Datanode down, In Namenode UI Datanode tab is throwing warning message. |

-| BUG-96821 | [HBASE-18212](https://issues.apache.org/jira/browse/HBASE-18212) | In Standalone mode with local filesystem HBase logs Warning message:Failed to invoke 'unbuffer' method in class class org.apache.hadoop.fs.FSDataInputStream |

-| BUG-96880 | [SPARK-23230](https://issues.apache.org/jira/browse/SPARK-23230) | When hive.default.fileformat is other kinds of file types, create textfile table cause a serde error |

-| BUG-97742 | [OOZIE-1624](https://issues.apache.org/jira/browse/OOZIE-1624) | Exclusion pattern for sharelib JARs |

-| BUG-98705 | [KNOX-1230](https://issues.apache.org/jira/browse/KNOX-1230) | Many Concurrent Requests to Knox causes URL Mangling |

-| BUG-99650 | [KNOX-1223](https://issues.apache.org/jira/browse/KNOX-1223) | Zeppelin's Knox proxy doesn't redirect /api/ticket as expected |

-| BUG-99807 | [OOZIE-2844](https://issues.apache.org/jira/browse/OOZIE-2844) | Increase stability of Oozie actions when log4j.properties is missing or not readable |

-|**HDFS**|**N/A** |HDFS should support for multiple KMS Uris |**Previous Behavior:** dfs.encryption.key.provider.uri property was used to configure the KMS provider path.<br /><br />**New Behavior:** dfs.encryption.key.provider.uri is now deprecated in favor of hadoop.security.key.provider.path to configure the KMS provider path.|

- 1. Home directories for users aren't getting created on Head Node 1. As a workaround, create the directories manually and change ownership to the respective userΓÇÖs UPN.

- 2. Permissions on /hdp directory are currently not set to 751. This needs to be set to

- 1. Home directories for users aren't getting created on Head Node 1. Workaround is to create these manually and change ownership to the respective userΓÇÖs UPN.

-## Release date: July 25, 2023

-This release applies to HDInsight 4.x and 5.x HDInsight release will be available to all regions over several days. This release is applicable for image number **2307201242**. [How to check the image number?](./view-hindsight-cluster-image-version.md)

-##  What's new

-* HDInsight 5.1 is now supported with ESP cluster.

-* Upgraded version of Ranger 2.3.0 and Oozie 5.2.1 are now part of HDInsight 5.1

-* The Spark 3.3.1 (HDInsight 5.1) cluster comes with Hive Warehouse Connector (HWC) 2.1, which works together with the Interactive Query (HDInsight 5.1) cluster.

-> This release addresses the following CVEs released by [MSRC](https://msrc.microsoft.com/update-guide/vulnerability) on August 8, 2023. The action is to update to the latest image **2307201242**. Customers are advised to plan accordingly.

-|[CVE-2023-35393](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35393)| Important|Azure Apache Hive Spoofing Vulnerability|

-|[CVE-2023-35394](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35394)| Important|Azure HDInsight Jupyter Notebook Spoofing Vulnerability|

-|[CVE-2023-36877](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36877)| Important|Azure Apache Oozie Spoofing Vulnerability|

-|[CVE-2023-36881](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36881)| Important|Azure Apache Ambari Spoofing Vulnerability|

-|[CVE-2023-38188](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38188)| Important|Azure Apache Hadoop Spoofing Vulnerability|

-

-* The max length of cluster name will be changed to 45 from 59 characters, to improve the security posture of clusters. Customers need to plan for the updates before 30, September 2023.

- * To improve the overall security posture of the HDInsight clusters, HDInsight clusters using custom VNETs need to ensure that the user needs to have permission for `Microsoft Network/virtualNetworks/subnets/join/action` to perform create operations. Customers would need to plan accordingly as this change would be a mandatory check to avoid cluster creation failures before 30, September 2023.ΓÇ»

- * On 31 August 2024, we'll retire Basic and Standard A-series VMs. Before that date, you need to migrate your workloads to Av2-series VMs, which provide more memory per vCPU and faster storage on solid-state drives (SSDs). To avoid service disruptions, [migrate your workloads](https://aka.ms/Av1retirement) from Basic and Standard A-series VMs to Av2-series VMs before 31, August 2024.

- * Plan to introduce a change in non-ESP ABFS clusters, which restricts non-Hadoop group users from executing Hadoop commands for storage operations. This change to improve cluster security posture. Customers need to plan for the updates before 30 September 2023.ΓÇ»

-YouΓÇÖre welcome to add more proposals and ideas and other topics here and vote for them - [HDInsight Community (azure.com)](https://feedback.azure.com/d365community/search/?q=HDInsight) and follow us for more updates on [twitter](https://twitter.com/AzureHDInsight)

-# How to disable the events and delete Azure Health Data Services workspaces

-> The FHIR service will automatically go into an **Updating** status to disable the Events extension when a full delete of Event Subscriptions is executed. The FHIR service will remain online while the operation is completing.

-| Name | Name of the health probe. This is a naame you get to define for your health probe |

-The interval value determines how frequently the health probe checks for a response from your backend pool instances. If the health probe fails, your backend pool instances are immediately marked as unhealthy. If the health probe succeeds on the next healthy probe up, Azure Load Balancer marks your backend pool instances as healthy. The health probe attempts to check the configured health probe port every 15 seconds by default but can be explicitly set to another value.

-description: Create loops that repeat workflow actions or process arrays in Azure Logic Apps.

-# Create loops that repeat workflow actions or process arrays in Azure Logic Apps

-To process an array in your logic app workflow, you can create a [For each loop](#foreach-loop). This loop repeats one or more actions on each item in the array. For the limit on the number of array items that a "For each" loop can process, see [Concurrency, looping, and debatching limits](../logic-apps/logic-apps-limits-and-config.md#looping-debatching-limits).

-To repeat actions until a condition gets met or a state changes, you can create an [Until loop](#until-loop). Your workflow first runs all the actions inside the loop, and then checks the condition or state. If the condition is met, the loop stops. Otherwise, the loop repeats. For the default and maximum limits on the number of "Until" loops that a workflow can have, see [Concurrency, looping, and debatching limits](../logic-apps/logic-apps-limits-and-config.md#looping-debatching-limits).

-> [!TIP]

-> If you have a trigger that receives an array and want to run a workflow for each array item, you can *debatch* that array

-> with the [**SplitOn** trigger property](../logic-apps/logic-apps-workflow-actions-triggers.md#split-on-debatch).

-* An Azure account and subscription. If you don't have a subscription, [sign up for a free Azure account](https://azure.microsoft.com/free/).

-## "For each" loop

-A "For each" loop repeats one or more actions on each array item and works only on arrays. Here are some considerations when you use "For each" loops:

-* The "For each" loop can process a limited number of array items. For this limit, see [Concurrency, looping, and debatching limits](../logic-apps/logic-apps-limits-and-config.md#looping-debatching-limits).

-* By default, iterations in a "For each" loop run at the same time, or in parallel. This behavior differs from [Power Automate's **Apply to each** loop](/power-automate/apply-to-each) where iterations run one at a time, or sequentially. However, you can [set up sequential "For each" loop iterations](#sequential-foreach-loop). For example, if you want to pause the next iteration in a "Foreach" loop by using the [Delay action](../connectors/connectors-native-delay.md), you need to set the loop to run sequentially.

- The exception to the default behavior are nested loops where iterations always run sequentially, not in parallel. To run operations in parallel for items in a nested loop, create and [call a child logic app workflow](../logic-apps/logic-apps-http-endpoint.md).

-* To get predictable results from operations on variables during each loop iteration, run those loops sequentially. For example, when a concurrently running loop ends, the increment, decrement, and append to variable operations return predictable results. However, during each iteration in the concurrently running loop, these operations might return unpredictable results.

-* Actions in a "For each" loop use the [`@item()`](../logic-apps/workflow-definition-language-functions-reference.md#item) expression to reference and process each item in the array. If you specify data that's not in an array,

-the logic app workflow fails.

-This example logic app workflow sends a daily summary for a website RSS feed. The workflow uses a "For each" loop that sends an email for each new item.

-1. [Create this example Consumption logic app workflow](../logic-apps/quickstart-create-example-consumption-workflow.md) with an Outlook.com account or a work or school account.

-2. Between the RSS trigger and send email action, add a "For each" loop.

- 1. To add a loop between steps, move your pointer over the arrow between those steps. Select the **plus sign** (**+**) that appears, then select **Add an action**.

- 

- 1. Under the search box, select **All**. In the search box, enter **for each**. From the actions list,

- select the Control action named **For each**.

- 

-3. Now build the loop. Under **Select an output from previous steps**

-after the **Add dynamic content** list appears,

-select the **Feed links** array, which is output from the RSS trigger.

- 

- > [!NOTE]

- > You can select *only* array outputs from the previous step.

- The selected array now appears here:

- 

-4. To run an action on each array item, drag the **Send an email** action into the loop.

- Your workflow might look something like this example:

- 

-5. Save your workflow. To manually test your logic app, on the designer toolbar, select **Run Trigger** > **Run**.

-## "Foreach" loop definition (JSON)

-If you're working in code view for your logic app,

-you can define the `Foreach` loop in your

-logic app's JSON definition instead, for example:

- "myForEachLoopName": {

- "type": "Foreach",

- "Send_an_email": {

- "api": {

- "runtimeUrl": "https://logic-apis-westus.azure-apim.net/apim/office365"

- },

- "path": "/Mail"

- "runAfter": {}

-}

-## "Foreach" loop: Sequential

-By default, cycles in a "Foreach" loop run in parallel.

-To run each cycle sequentially, set the loop's **Sequential** option.

-"Foreach" loops must run sequentially when you have nested

-loops or variables inside loops where you expect predictable results.

-1. In the loop's upper right corner, choose **ellipses** (**...**) > **Settings**.

- 

-1. Under **Concurrency Control**, turn the

-**Concurrency Control** setting to **On**.

-Move the **Degree of Parallelism** slider to **1**,

-and choose **Done**.

- 

-If you're working with your logic app's JSON definition,

-you can use the `Sequential` option by adding the

-`operationOptions` parameter, for example:

- "myForEachLoopName": {

- "type": "Foreach",

- "Send_an_email": { }

-## "Until" loop

-

-To run and repeat actions until a condition gets met or a state changes, put those actions in an "Until" loop. Your logic app first runs any and all actions inside the loop, and then checks the condition or state. If the condition is met, the loop stops. Otherwise, the loop repeats. For the default and maximum limits on the number of "Until" loops that a logic app run can have, see [Concurrency, looping, and debatching limits](../logic-apps/logic-apps-limits-and-config.md#looping-debatching-limits).

-Here are some common scenarios where you can use an "Until" loop:

-* Create a record in a database. Wait until a specific field in that record gets approved. Continue processing.

-Starting at 8:00 AM each day, this example logic app increments a variable until the variable's value equals 10. The logic app then sends an email that confirms the current value.

-> These steps use Office 365 Outlook, but you can

-> use any email provider that Logic Apps supports.

-> [Check the connectors list here](/connectors/).

-> If you use another email account, the general steps stay the same,

-> but your UI might look slightly different.

-1. Create a blank logic app. In Logic App Designer,

- under the search box, choose **All**. Search for "recurrence".

- From the triggers list, select this trigger: **Recurrence - Schedule**

- 

-1. Specify when the trigger fires by setting the interval, frequency,

- and hour of the day. To set the hour, choose **Show advanced options**.

- 

- | -- | -- |

- | **Interval** | 1 |

- | **Frequency** | Day |

- | **At these hours** | 8 |

- |||

-1. Under the trigger, choose **New step**.

- Search for "variables", and select this action:

- **Initialize variable - Variables**

- 

-1. Set up your variable with these values:

- 

- | -- | -- | -- |

- | **Name** | Limit | Your variable's name |

- | **Type** | Integer | Your variable's data type |

- | **Value** | 0 | Your variable's starting value |

- ||||

-1. Under the **Initialize variable** action, choose **New step**.

-1. Under the search box, choose **All**. Search for "until",

- and select this action: **Until - Control**

- 

-1. Build the loop's exit condition by selecting

- the **Limit** variable and the **is equal** operator.

- Enter **10** as the comparison value.

- 

-1. Inside the loop, choose **Add an action**.

-1. Under the search box, choose **All**. Search for "variables",

- and select this action: **Increment variable - Variables**

- 

-1. For **Name**, select the **Limit** variable. For **Value**,

- enter "1".

- 

-1. Outside and under the loop, choose **New step**.

-1. Under the search box, choose **All**.

- Find and add an action that sends email,

- for example:

- 

-1. If prompted, sign in to your email account.

-1. Set the email action's properties. Add the **Limit**

- variable to the subject. That way, you can confirm the

- variable's current value meets your specified condition,

- for example:

- 

- | Property | Value | Description |

- | -- | -- | -- |

- | **To** | *\<email-address\@domain>* | The recipient's email address. For testing, use your own email address. |

- | **Subject** | Current value for "Limit" is **Limit** | Specify the email subject. For this example, make sure that you include the **Limit** variable. |

- | **Body** | <*email-content*> | Specify the email message content you want to send. For this example, enter whatever text you like. |

- ||||

-1. Save your logic app. To manually test your logic app,

- on the designer toolbar, choose **Run**.

- After your logic starts running, you get an email with the content that you specified:

- 

-<a name="prevent-endless-loops"></a>

-## Prevent endless loops

-The "Until" loop stops execution based on these properties, so make sure that you set their values accordingly:

-* **Count**: This value is the highest number of loops that run before the loop exits. For the default and maximum limits on the number of "Until" loops that a logic app run can have, see [Concurrency, looping, and debatching limits](../logic-apps/logic-apps-limits-and-config.md#looping-debatching-limits).

-* **Timeout**: This value is the most amount of time that the "Until" action, including all the loops, runs before exiting and is specified in [ISO 8601 format](https://en.wikipedia.org/wiki/ISO_8601). For the default and maximum limits on the **Timeout** value, see [Concurrency, looping, and debatching limits](../logic-apps/logic-apps-limits-and-config.md#looping-debatching-limits).

- The timeout value is evaluated for each loop cycle. If any action in the loop takes longer than the timeout limit, the current cycle doesn't stop. However, the next cycle doesn't start because the limit condition isn't met.

-To change these limits, in the loop action, select **Change limits**.

-If you're working in code view for your logic app,

-you can define an `Until` loop in your logic app's

-JSON definition instead, for example:

-This example "Until" loop calls an HTTP endpoint,

-which creates a resource. The loop stops when the

-HTTP response body returns with `Completed` status.

-To prevent endless loops, the loop also stops

-if any of these conditions happen:

-* The loop ran 10 times as specified by the `count` attribute.

-The default is 60 times.

-* The loop ran for two hours as specified by the `timeout` attribute in ISO 8601 format.

-The default is one hour.

-

-## Get support

-* For questions, visit the

-[Microsoft Q&A question page for Azure Logic Apps](/answers/topics/azure-logic-apps.html).

-* To submit or vote on features and suggestions,

-[Azure Logic Apps user feedback site](https://aka.ms/logicapps-wish).

-* [Run steps based on a condition (condition action)](../logic-apps/logic-apps-control-flow-conditional-statement.md)

-* [Run steps based on different values (switch action)](../logic-apps/logic-apps-control-flow-switch-statement.md)

-* [Run or merge parallel steps (branches)](../logic-apps/logic-apps-control-flow-branches.md)

-* [Run steps based on grouped action status (scopes)](../logic-apps/logic-apps-control-flow-run-steps-group-scopes.md)

-Typically the beginning of a machine learning project involves exploratory data analysis (EDA), data-preprocessing (cleaning, feature engineering), and building prototypes of ML models to validate hypotheses. This *prototyping* phase of the project is highly interactive in nature that lends itself to developing in a Jupyter notebook or an IDE with a *Python interactive console*. In this article you'll learn how to:

-> The guidance in this article to access data during interactive development applies to any host that can run a Python session - for example: your local machine, a cloud VM, a GitHub Codespace, etc. We recommend using an Azure Machine Learning compute instance - a fully managed and pre-configured cloud workstation. For more information, see [Create an Azure Machine Learning compute instance](how-to-create-compute-instance.md).

->

-An Azure Machine Learning datastore is a *reference* to an *existing* storage account on Azure. The benefits of creating and using a datastore include:

-> * A common and easy-to-use API to interact with different storage types (Blob/Files/ADLS).

-> * Easier to discover useful datastores when working as a team.

-> * Supports both credential-based (for example, SAS token) and identity-based (use Azure Active Directory or Manged identity) to access data.

-> * When using credential-based access, the connection information is secured so you don't expose keys in scripts.

-A *Datastore URI* is a Uniform Resource Identifier, which is a *reference* to a storage *location* (path) on your Azure storage account. The format of the datastore URI is:

-path_on_datastore = '<path>'

-uri = f'azureml://subscriptions/{subscription}/resourcegroups/{resource_group}/workspaces/{workspace}/datastores/{datastore_name}/paths/{path_on_datastore}'

-These Datastore URIs are a known implementation of [Filesystem spec](https://filesystem-spec.readthedocs.io/en/latest/https://docsupdatetracker.net/index.html) (`fsspec`): A unified pythonic interface to local, remote and embedded file systems and bytes storage.

-You can pip install the `azureml-fsspec`package and its dependency `azureml-dataprep` package. And then you can use the Azure Machine Learning Datastore implementation of `fsspec`.

-The Azure Machine Learning Datastore implementation of `fsspec` automatically handles credential/identity passthrough used by the Azure Machine Learning datastore. This means you don't need to expose account keys in your scripts or do additional sign-in procedures on a compute instance.

-For example, you can directly use Datastore URIs in Pandas - below is an example of reading a CSV file:

-```

-> Rather than remember the datastore URI format, you can copy-and-paste the datastore URI from the Studio UI by following these steps:

-> 1. Select **Data** from the left-hand menu followed by the **Datastores** tab.

-> 1. Select your datastore name and then **Browse**.

-> 1. Find the file/folder you want to read into pandas, select the elipsis (**...**) next to it. Select from the menu **Copy URI**. You can select the **Datastore URI** to copy into your notebook/script.

-You can also instantiate an Azure Machine Learning filesystem and do filesystem-like commands like `ls`, `glob`, `exists`, `open`.

-We support 3 modes for 'overwrite':

-In this section we provide some examples of how to use Filesystem spec, for some common scenarios.

-#### Read a single CSV file into pandas

-If you have a *single* CSV file, then as outlined above you can read that into pandas with:

-#### Read a folder of CSV files into pandas

-The Pandas `read_csv()` method doesn't support reading a folder of CSV files. You need to glob csv paths and concatenate them to a data frame using Pandas `concat()` method. The code below demonstrates how to achieve this concatenation with the Azure Machine Learning filesystem:

-Below is an example of reading a CSV file into a Dask data frame:

-```

-#### Read a folder of parquet files into pandas

-Parquet files are typically written to a folder as part of an ETL process, which can emit files pertaining to the ETL such as progress, commits, etc. Below is an example of files created from an ETL process (files beginning with `_`) to produce a parquet file of data.

-In these scenarios, you'll only want to read the parquet files in the folder and ignore the ETL process files. The code below shows how you can use glob patterns to read only parquet files in a folder:

-Filesystem spec (`fsspec`) has a range of [known implementations](https://filesystem-spec.readthedocs.io/en/stable/_modules/https://docsupdatetracker.net/index.html), one of which is the Databricks Filesystem (`dbfs`).

-To access data from `dbfs` you will need:

-Once you have these, you will need to create an environment variable on your compute instance for the PAT token:

-You can then access data in Pandas using:

-In this example, you create a PyTorch custom dataset for processing images. The assumption is that an annotations file (in CSV format) exists that looks like:

-The images are stored in subfolders according to their label:

-A custom Dataset class in PyTorch must implement three functions: `__init__`, `__len__`, and `__getitem__`, which are implemented below:

-You can then instantiate the dataset using:

-# Preparing your data for training with DataLoaders

-Another method for accessing data in cloud storage is to use the `mltable` library. The general format for reading data into pandas using `mltable` is:

-# materialize to pandas

-You'll notice the `mltable` library supports reading tabular data from different path types:

-> `mltable` does user credential passthrough for paths on Azure Storage and Azure Machine Learning datastores. If you do not have permission to the data on the underlying storage then you will not be able to access the data.

-The flexibility of `mltable` allows you to materialize data into a single dataframe from a combination of local/cloud storage and combinations of files/folder/globs. For example:

-Update the placeholders (`<>`) in the code snippet with your details.

-Update the placeholders (`<>`) in the code snippet with your details.

-Update the placeholders (`<>`) in the code snippet with your details.

-> Rather than remember the datastore URI format, you can copy-and-paste the datastore URI from the Studio UI by following these steps:

-> 1. Select **Data** from the left-hand menu followed by the **Datastores** tab.

-> 1. Select your datastore name and then **Browse**.

-> 1. Find the file/folder you want to read into pandas, select the elipsis (**...**) next to it. Select from the menu **Copy URI**. You can select the **Datastore URI** to copy into your notebook/script.

-The example code below shows how `mltable` can use [glob](https://wikipedia.org/wiki/Glob_(programming)) patterns - such as wildcards - to ensure only the parquet files are read.

-Update the placeholders (`<>`) in the code snippet with your details.

-Update the placeholders (`<>`) in the code snippet with your details.

-Update the placeholders (`<>`) in the code snippet with your details.

-> Rather than remember the datastore URI format, you can copy-and-paste the datastore URI from the Studio UI by following these steps:

-> 1. Select **Data** from the left-hand menu followed by the **Datastores** tab.

-> 1. Select your datastore name and then **Browse**.

-> 1. Find the file/folder you want to read into pandas, select the elipsis (**...**) next to it. Select from the menu **Copy URI**. You can select the **Datastore URI** to copy into your notebook/script.

-Update the placeholders (`<>`) in the code snippet with your details.

-> To glob the pattern on a public HTTP server, there must be access at the **folder** level.

-In this section, you'll learn how to access your Azure Machine Learning data assets into pandas.

-If you've previously created a Table asset in Azure Machine Learning (an `mltable`, or a V1 `TabularDataset`), you can load that into pandas using:

-If you've registered a File asset that you want to read into Pandas data frame - for example, a CSV file - you can achieve this using:

-If you've registered a Folder asset (`uri_folder` or a V1 `FileDataset`) that you want to read into Pandas data frame - for example, a folder containing CSV file - you can achieve this using:

-> Pandas is not designed to handle large datasets - you will only be able to process data that can fit into the memory of the compute instance.

-> For large datasets we recommend that you use Azure Machine Learning managed Spark, which provides the [PySpark Pandas API](https://spark.apache.org/docs/latest/api/python/user_guide/pandas_on_spark/https://docsupdatetracker.net/index.html).

-You may wish to iterate quickly on a smaller subset of a large dataset before scaling up to a remote asynchronous job. `mltable` provides in-built functionality to get samples of large data using the [take_random_sample](/python/api/mltable/mltable.mltable.mltable#mltable-mltable-mltable-take-random-sample) method:

-You can also take subsets of large data by using:

-You may want to download the data to the local SSD of your host (local machine, cloud VM, Azure Machine Learning Compute Instance) and use the local filesystem. You can do this with the `azcopy` utility, which is pre-installed on an Azure Machine Learning compute instance. If you are **not** using an Azure Machine Learning compute instance or a Data Science Virtual Machine (DSVM), you may need to install `azcopy`. For more information please read [azcopy](../storage/common/storage-ref-azcopy.md).

-> We do not recommend downloading data in the `/home/azureuser/cloudfiles/code` location on a compute instance. This is designed to store notebook and code artifacts, **not** data. Reading data from this location will incur significant performance overhead when training. Instead we recommend storing your data in `home/azureuser`, which is the local SSD of the compute node.

-A quick video tutorial can be found here: [Prompt flow get started video tutorial](https://www.youtube.com/watch?v=kYqRtjDBci8).

-Then a right-hand panel will appear. Here, you'll need to provide the connection name, API key, API base, API type, and API version before selecting the **Save** button.

-In this guide, we'll use **Web Classification** sample to walk you through the main user journey, so select **View detail** on Web Classification tile to preview the sample.

-Then a preview window is popped up. You can browse the sample introduction to see if the sample is similar to your scenario. You can select Clone to clone the sample, then check the flow, test it, modify it.

-At the right, it's the graph view for visualization only. You can zoom in, zoom out, auto layout, etc.

-### Bulk test

-Select **Bulk test** button, then a right panel pops up. It's a wizard that guides you to submit a bulk test and to select the evaluation method (optional).ΓÇïΓÇïΓÇïΓÇïΓÇïΓÇïΓÇï

-You need to set a bulk test name, description, then select a runtime first.

-Then select **Upload new data** to upload the data you just downloaded. After uploading the data or if your colleagues in the workspace already created a dataset, you can choose the dataset from the drop-down and preview first 50 rows.

-The dataset selection drop down supports search and autosuggestion.

-Select **Next**, then you can use an evaluation method to evaluate your flow. The evaluation methods are also flows that use Python or LLM etc., to calculate metrics like accuracy, relevance score. The built-in evaluation flows and customized ones are listed in the drop-down.

-Since Web classification is a classification scenario, it's suitable to select the **Classification Accuracy Evaluation** to evaluate.

-After selecting **Classification Accuracy Evaluation** as evaluation method, you can set interface mapping to map the ground truth to flow input and category to flow output.

-Then select **Submit** to submit a bulk test and the selected evaluation.

-### Check evaluation results

-When completed, select the link, go to bulk test detail page.

-Select **Refresh** until the evaluation run is completed.

-Then go to the **Metrics** tab, check accuracy.

-To understand in which case the flow classifies incorrectly, you need to see the evaluation results for each row of data. Go to **Outputs** tab, select the evaluation run, you can see in the table below for most cases the flow classifies correctly except for few rows.

-You can adjust column width, hide/unhide columns, and export table to csv file for further investigation.

-After you build a flow and test it properly, you may want to deploy it as an endpoint so that you can invoke the endpoint for real-time inference.

-When you are in the bulk test **Overview** tab, select bulk test link.

-Then you're directed to the bulk test detail page, select **Deploy**. A wizard pops up to allow you to configure the endpoint. Specify an endpoint name, use the default settings, set connections, and select a virtual machine, select **Deploy** to start the deployment.

-If you're a Workspace Owner or Subscription Owner, see [Deploy a flow as a managed online endpoint for real-time inference](how-to-deploy-for-real-time-inference.md#grant-permissions-to-the-endpoint) to grant permissions to the endpoint. If not, go ask your Workspace Owner or Subscription Owner to it for you.

-description: Learn how to submit bulk test and use built-in evaluation methods in prompt flow to evaluate how well your flow performs with a large dataset with Azure Machine Learning studio.

-# Submit bulk test and evaluate a flow (preview)

-To evaluate how well your flow performs with a large dataset, you can submit bulk test and use built-in evaluation methods in Prompt flow.

-You can quickly start testing and evaluating your flow by following this video tutorial [submit bulk test and evaluate a flow video tutorial](https://www.youtube.com/watch?v=5Khu_zmYMZk).

-To run a bulk test and use an evaluation method, you need to have the following ready:

-## Submit a bulk test and use a built-in evaluation method

-A bulk test allows you to run your flow with a large dataset and generate outputs for each data row. You can also choose an evaluation method to compare the output of your flow with certain criteria and goals. An evaluation method **is a special type of flow** that calculates metrics for your flow output based on different aspects. An evaluation run will be executed to calculate the metrics when submitted with the bulk test.

-To start a bulk test with evaluation, you can select on the **"Bulk test"** button on the top right corner of your flow page.

-To submit bulk test, you can select a dataset to test your flow with. You can also select an evaluation method to calculate metrics for your flow output. If you don't want to use an evaluation method, you can skip this step and run the bulk test without calculating any metrics. You can also start a new round of evaluation later.

-First, select or upload a dataset that you want to test your flow with. An available runtime that can run your bulk test is also needed. You also give your bulk test a descriptive and recognizable name. After you finish the configuration, select **"Next"** to continue.

-Second, you can decide to use an evaluation method to validate your flow performance either immediately or later. If you have already completed a bulk test, you can start a new round of evaluation with a different method or subset of variants.

-If you want to run bulk test with evaluation now, you can select an evaluation method from the dropdown box based on the description provided. After you selected an evaluation method, you can select **"View detail"** button to see more information about the selected method, such as the metrics it generates and the connections and inputs it requires.

-In the **"input mapping"** section, you need to specify the sources of the input data that are needed for the evaluation method. The sources can be from the current flow output or from your test dataset, even if some columns in your dataset aren't used by your flow. For example, if your evaluation method requires a _ground truth_ column, you need to provide it in your dataset and select it in this section.

-You can also manually type in the source of the data column.

-If an evaluation method uses Large Language Models (LLMs) to measure the performance of the flow response, you're required to set connections for the LLM nodes in the evaluation methods.

-> Some evaluation methods require GPT-4 or GPT-3 to run. You must provide valid connections for these evaluation methods before using them.

-After you finish the input mapping, select on **"Next"** to review your settings and select on **"Submit"** to start the bulk test with evaluation.

-In the bulk test detail page, you can check the status of the bulk test you submitted. In the **"Evaluation History"** section, you can find the records of the evaluation for this bulk test. The link of the evaluation navigates to the snapshot of the evaluation run that executed for calculating the metrics.

-When the evaluation run is completed, you can go to the **Outputs** tab in the bulk test detail page to check the outputs/responses generated by the flow with the dataset that you provided. You can also select **"Export"** to export and download the outputs in a .csv file.

-You can **select an evaluation run** from the dropdown box and you'll see additional columns appended at the end of the table showing the evaluation result for each row of data. In this screenshot, you can locate the result that is falsely predicted with the output column "grade".

-To view the overall performance, you can select the **"Metrics"** tab, and you can see various metrics that indicate the quality of each variant.

-To learn more about the metrics calculated by the built-in evaluation methods, please navigate to [understand the built-in evaluation metrics](#understand-the-built-in-evaluation-metrics).

-## Start a new round of evaluation

-If you have already completed a bulk test, you can start another round of evaluation to submit a new evaluation run to calculate metrics for the outputs **without running your flow again**. This is helpful and can save your cost to rerun your flow when:

-You can select **"New evaluation"** to start another round of evaluation. The process is similar to that in submitting bulk test, except that you're asked to specify the output from which variants you would like to evaluate on in this new round.

-After setting up the configuration, you can select **"Submit"** for this new round of evaluation. After submission, you'll be able to see a new record in the "Evaluation History" Section.

-After the evaluation run completed, similarly, you can check the result of evaluation in the **"Output"** tab of the bulk test detail page. You need select the new evaluation run to view its result.

-When multiple different evaluation runs are submitted for a bulk test, you can go to the **"Metrics"** tab of the bulk test detail page to compare all the metrics.

-## Check bulk test history and compare metrics

-In some scenarios, you'll modify your flow to improve its performance. You can submit multiple bulk tests to compare the performance of your flow with different versions. You can also compare the metrics calculated by different evaluation methods to see which one is more suitable for your flow.

-To check the bulk test history of your flow, you can select the **"Bulk test"** button on the top right corner of your flow page. You'll see a list of bulk tests that you have submitted for this flow.

-You can select on each bulk test to check the detail. You can also select multiple bulk tests and select on the **"Compare Metrics"** to compare the metrics of these bulk tests.

-In Prompt flow, we provide multiple built-in evaluation methods to help you measure the performance of your flow output. Each evaluation method calculates different metrics. Now we provide nine built-in evaluation methods available, you can check the following table for a quick reference:

-| QnA Ada Similarity Evaluation | Similarity | Measures similarity between user-provided ground truth answers and the model predicted answer. | Yes | question, answer, ground truth (context not needed) | in the range [0, 1]. |

-In this document, you learned how to run a bulk test and use a built-in evaluation method to measure the quality of your flow output. You also learned how to view the evaluation result and metrics, and how to start a new round of evaluation with a different method or subset of variants. We hope this document helps you improve your flow performance and achieve your goals with Prompt flow.

-## Runtime type

-You can choose between two types of runtimes for Prompt flow: [managed online endpoint/deployment](../concept-endpoints-online.md) and [compute instance (CI)](../concept-compute-instance.md). Here are some differences between them to help you decide which one suits your needs.

-| Runtime type | Managed online deployment runtime | Compute instance runtime |

-|-|--|--|

-| Team shared | Y | N |

-| User isolation | N | Y |

-| OBO/identity support | N | Y |

-| Easily manually customization of environment | N | Y |

-| Multiple runtimes on single resource | N | Y |

-If you're new to Prompt flow, we recommend you to start with compute instance runtime first.

-> Prompt flow is **not supported** in workspaces that enable managed VNet. Managed VNet is a private preview feature.

->

->Prompt flow is **not supported** if you secure your Azure AI services account (Azure openAI, Azure cognitive search, Azure content safety) with virtual networks. If you want to use these as connection in prompt flow please allow access from all networks.

- This is recommended for most users of Prompt flow. The Prompt flow system will create a new custom application on a compute instance as a runtime.

- - If you want to install additional packages in your project, you should create a custom environment. To learn how to build your own custom environment, see [Customize environment with docker context for runtime](how-to-customize-environment-runtime.md#customize-environment-with-docker-context-for-runtime).

-### Create managed online endpoint runtime in UI

-1. Specify the runtime name.

- :::image type="content" source="./media/how-to-create-manage-runtime/runtime-creation-mir-runtime-runtime-name.png" alt-text="Screenshot of add managed online deployment runtime. " lightbox = "./media/how-to-create-manage-runtime/runtime-creation-mir-runtime-runtime-name.png":::

-1. Select existing or create a new deployment as runtime

- 1. Select create new deployment as runtime.

- :::image type="content" source="./media/how-to-create-manage-runtime/runtime-creation-mir-runtime-deployment-new.png" alt-text="Screenshot of add managed online deployment runtime with deployment highlighted. " lightbox = "./media/how-to-create-manage-runtime/runtime-creation-mir-runtime-deployment-new.png":::

- There are two options for deployment as runtime: `new` and `existing`. If you choose `new`, we'll create a new deployment for you. If you choose `existing`, you need to provide the name of an existing deployment as runtime.

- If you're new to Prompt flow, select `new` and we'll create a new deployment for you.

- - Select identity type of endpoint.

- :::image type="content" source="./media/how-to-create-manage-runtime/runtime-creation-mir-runtime-identity.png" alt-text="Screenshot of add managed online deployment runtime with endpoint identity type highlighted. " lightbox = "./media/how-to-create-manage-runtime/runtime-creation-mir-runtime-identity.png":::

-

- You need [assign sufficient permission](#grant-sufficient-permissions-to-use-the-runtime) to system assigned identity or user assigned identity.

-

- To learn more, see [Access Azure resources from an online endpoint with a managed identity](../how-to-access-resources-from-endpoints-managed-identities.md)

- - Select environment used for this runtime.

- :::image type="content" source="./media/how-to-create-manage-runtime/runtime-creation-mir-runtime-env.png" alt-text="Screenshot of add managed online deployment runtime wizard on the environment page. " lightbox = "./media/how-to-create-manage-runtime/runtime-creation-mir-runtime-env.png":::

-

- Follow [Customize environment with docker context for runtime](how-to-customize-environment-runtime.md#customize-environment-with-docker-context-for-runtime) to build your custom environment.

- - Choose the appropriate SKU and instance count.

-

- > [!NOTE]

- > For **Virtual machine**, since the Prompt flow runtime is memory-bound, itΓÇÖs better to select a virtual machine SKU with more than 8GB of memory. For the list of supported sizes, see [Managed online endpoints SKU list](../reference-managed-online-endpoints-vm-sku-list.md).

-

- :::image type="content" source="./media/how-to-create-manage-runtime/runtime-creation-mir-runtime-compute.png" alt-text="Screenshot of add managed online deployment runtime wizard on the compute page. " lightbox = "./media/how-to-create-manage-runtime/runtime-creation-mir-runtime-compute.png":::

- > [!NOTE]

- > Creating a managed online deployment runtime using new deployment may take several minutes.

- 1. Select existing deployment as runtime.

- - To use an existing managed online deployment as a runtime, you can choose it from the available options. Each runtime corresponds to one managed online deployment.

- :::image type="content" source="./media/how-to-create-manage-runtime/runtime-creation-mir-runtime-existing-deployment.png" alt-text="Screenshot of add managed online deployment runtime wizard on the runtime page. " lightbox = "./media/how-to-create-manage-runtime/runtime-creation-mir-runtime-existing-deployment.png":::

- - You can select from existing endpoint and existing deployment as runtime.

- :::image type="content" source="./media/how-to-create-manage-runtime/runtime-creation-mir-runtime-existing-deployment-select-endpoint.png" alt-text="Screenshot of add managed online deployment runtime on the endpoint page with an endpoint selected. " lightbox = "./media/how-to-create-manage-runtime/runtime-creation-mir-runtime-existing-deployment-select-endpoint.png":::

- - We'll verify that this deployment meets the runtime requirements.

- :::image type="content" source="./media/how-to-create-manage-runtime/runtime-creation-mir-runtime-existing-deployment-select-deployment.png" alt-text="Screenshot of add managed online deployment runtime on the deployment page. " lightbox = "./media/how-to-create-manage-runtime/runtime-creation-mir-runtime-existing-deployment-select-deployment.png":::

- To learn, see [[how to create managed online deployment, which can be used as Prompt flow runtime](how-to-customize-environment-runtime.md#create-managed-online-deployment-that-can-be-used-as-prompt-flow-runtime).]

-### Assign built-in roles

-To use runtime, assigning the following roles to user (if using Compute instance as runtime) or endpoint (if using managed online endpoint as runtime).

-| Resource | Role | Why do I need this? |

-||||

-| Workspace | Azure Machine Learning Data Scientist | Used to write to run history, log metrics |

-| Workspace default ACR | AcrPull | Pull image from ACR |

-| Workspace default storage | Storage Blob Data Contributor | Write intermediate data and tracing data |

-| Workspace default storage | Storage Table Data Contributor | Write intermediate data and tracing data |

-You can use this Azure Resource Manager template to assign these roles to your user or endpoint.

-[](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fcloga%2Fazure-quickstart-templates%2Flochen%2Fpromptflow%2Fquickstarts%2Fmicrosoft.machinelearningservices%2Fmachine-learning-prompt-flow%2Fassign-built-in-roles%2Fazuredeploy.json)

-To find the minimal permissions required, and use an Azure Resource Manager template to create a custom role and assign relevant permissions, visit: [Permissions/roles need to use runtime](./how-to-create-manage-runtime.md#permissionsroles-need-to-use-runtime)

-You can also assign these permissions manually through the UI.

- :::image type="content" source="./media/how-to-create-manage-runtime/mir-without-acr-runtime-workspace-top-right.png" alt-text="Screenshot of the Azure Machine Learning workspace detail page. " lightbox = "./media/how-to-create-manage-runtime/mir-without-acr-runtime-workspace-top-right.png":::

- :::image type="content" source="./media/how-to-create-manage-runtime/runtime-permission-workspace-detail-storage-acr.png" alt-text="Screenshot of Azure Machine Learning workspace detail page with storage account and ACR highlighted. " lightbox = "./media/how-to-create-manage-runtime/runtime-permission-workspace-detail-storage-acr.png":::

- :::image type="content" source="./media/how-to-create-manage-runtime/runtime-permission-workspace-access-control.png" alt-text="Screenshot of the access control page highlighting the add role assignment button. " lightbox = "./media/how-to-create-manage-runtime/runtime-permission-workspace-access-control.png":::

- :::image type="content" source="./media/how-to-create-manage-runtime/runtime-permission-rbac-user.png" alt-text="Screenshot of add role assignment with assign access to highlighted. " lightbox = "./media/how-to-create-manage-runtime/runtime-permission-rbac-user.png":::

- :::image type="content" source="./media/how-to-create-manage-runtime/runtime-permission-rbac-msi.png" alt-text="Screenshot of add role assignment with assign access to highlighted and managed identity selected. " lightbox = "./media/how-to-create-manage-runtime/runtime-permission-rbac-msi.png":::

- > [!NOTE]

- > This operation may take several minutes to take effect.

- > If your compute instance behind VNet, please follow [Compute instance behind VNet](#compute-instance-behind-vnet) to configure the network.

-To learn more:

-## Using runtime in Prompt flow authoring

-#### Failed to perform workspace run operations due to invalid authentication

-This means the identity of the managed endpoint doesn't have enough permissions, see [Grant sufficient permissions to use the runtime](#grant-sufficient-permissions-to-use-the-runtime) to grant sufficient permissions to the identity or user.

-If you just assigned the permissions, it will take a few minutes to take effect.

- Please contact the Prompt Flow team ([promptflow-eng](mailto:aml-pt-eng@microsoft.com)) with the runtime logs. We'll try to identify the root cause.

-#### Compute instance behind VNet

-If your compute instance is behind a VNet, you need to make the following changes to ensure that your compute instance can be used in prompt flow:

-> [!NOTE]

-> This only works if your AOAI and other Azure AI services allow access from all networks.

-### Managed endpoint runtime related

-#### Managed endpoint failed with an internal server error. Endpoint creation was successful, but failed to create deployment for the newly created workspace.

- :::image type="content" source="./media/how-to-create-manage-runtime/mir-without-acr-runtime-detail-error.png" alt-text="Screenshot of the runtime status showing failed on the runtime detail page. " lightbox = "./media/how-to-create-manage-runtime/mir-without-acr-runtime-detail-error.png":::

- :::image type="content" source="./media/how-to-create-manage-runtime/mir-without-acr-runtime-detail-endpoint.png" alt-text="Screenshot of the runtime detail page, highlighting the managed endpoint. " lightbox = "./media/how-to-create-manage-runtime/mir-without-acr-runtime-detail-endpoint.png":::

- :::image type="content" source="./media/how-to-create-manage-runtime/mir-without-acr-runtime-endpoint-detail.png" alt-text="Screenshot of the endpoint detail page with successful creation. " lightbox = "./media/how-to-create-manage-runtime/mir-without-acr-runtime-endpoint-detail.png":::

-##### Potential root cause and solution

-The issue may occur when you create a managed endpoint using a system-assigned identity. The system tries to grant ACR pull permission to this identity, but for a newly created workspace, please go to the workspace detail page in Azure to check whether the workspace has a linked ACR.

-If there's no ACR, you can create a new custom environment from curated environments on the environment page.

-After creating a new custom environment, a linked ACR will be automatically created for the workspace. You can return to the workspace detail page in Azure to confirm.

-Delete the failed managed endpoint runtime and create a new one to test.

-#### We are unable to connect to this deployment as runtime. Please make sure this deployment is ready to use.

-If you encounter with this issue, please check the deployment status and make sure it's build on top of runtime base image.

-| |--environment-build.yaml

-### Step 2: Use Azure Machine Learning environment to build image

-#### Define your environment in `environment_build.yaml`

-Open the `environment_build.yaml` file and add the following content. Replace the <environment_name_docker_build> placeholder with your desired environment name.

-name: <environment_name_docker_build>

-az ml environment create -f environment_build.yaml --subscription <sub-id> -g <resource-group> -w <workspace>

-#### Locate the image in ACR

-Go to the environment page to find the built image in your workspace Azure Container Registry (ACR).

-Find the image in ACR.

-> [!IMPORTANT]

-> Make sure the `Environment image build status` is `Succeeded` before using it in the next step.

-### Step 3: Create a custom Azure Machine Learning environment for runtime

-Open the `environment.yaml` file and add the following content. Replace the `<environment_name>` placeholder with your desired environment name and change `<image_build_in_acr>` to the ACR image found in the step 2.3.

-```yaml

-$schema: https://azuremlschemas.azureedge.net/latest/environment.schema.json

-name: <environment_name>

-image: <image_build_in_acr>

-inference_config:

- liveness_route:

- port: 8080

- path: /health

- readiness_route:

- port: 8080

- path: /health

- scoring_route:

- port: 8080

- path: /score

-```

-Using following CLI command to create the environment:

-```bash

-cd image_build # optional if you already in this folder

-az login(optional)

-az ml environment create -f environment.yaml --subscription <sub-id> -g <resource-group> -w <workspace>

-```

-Go to your workspace UI page, go to the `environment` page, and locate the custom environment you created. You can now use it to create a runtime in your Prompt flow. To learn more, see:

-To Learn more about environment CLI, see [Manage environments](../how-to-manage-environments-v2.md#manage-environments).

-## Create managed online deployment that can be used as Prompt flow runtime

-Follow [Create managed online endpoint runtime in UI](how-to-create-manage-runtime.md#create-managed-online-endpoint-runtime-in-ui) to select this deployment as Prompt flow runtime.

-> [!NOTE]

-> Currently Prompt flow only supports **single deployment** of managed online endpoints, so we will simplify the *deployment* configuration in the UI.

-#### Allow sharing sample input data for testing purpose only

-If the checkbox is selected, the first row of your input data will be used as sample input data for testing the endpoint later.

-## View metrics using Azure Monitor (optional)

-## Develop a chat flow

-## Authoring page - flatten view and graph view

-At the left, it's the flatten view, the main working area where you can author the flow, for example add tools in your flow, edit the prompt, set the flow input data, run your flow, view the output, etc.

-At the right, it's the graph view for visualization only. It shows the flow structure you're developing, including the tools and their links. You can zoom in, zoom out, auto layout, etc.

-Select **Edit** next to prompt box to define inputs using `{{input_name}}`.

-2. Select **Edit** next to the prompt box, add an input by `{{url}}`, then you'll see an input called URL is created in inputs section.

-1. Select **Edit** next to the prompt box, add another input by `{{summary}}`, then you'll see an input called summary is created in inputs section.

-description: Learn how to customize or create your own evaluation flow tailored to your tasks and objectives, and then use in a bulk test as an evaluation method in Prompt flow with Azure Machine Learning studio.

-Evaluation flows are special types of flows that assess how well the outputs of a flow align with specific criteria and goals.

-In Prompt flow, you can customize or create your own evaluation flow tailored to your tasks and objectives, and then use in a bulk test as an evaluation method. This document you'll learn:

-### Customize built-in evaluation method to measure the performance of a flow

-Find the built-in evaluation methods by selecting the **"Create"** button on the homepage and navigating to the Create from gallery -\> Evaluation tab. View more details about the evaluation method by selecting **"View details"**.

-Alternatively, you can customize a built-in evaluation method used in a bulk test by clicking the **"Clone"** icon when viewing its snapshot from the bulk test detail page.

-In Prompt flow, a flow is a sequence of nodes that process an input and generate an output. Evaluation methods also take required inputs and produce corresponding outputs.

-1. They need to handle outputs from flows that contain multiple variants.

-2. They usually run after a flow being tested, so there's a field mapping process when submitting an evaluation.

-Different from a standard flow, evaluation methods run after a flow being tested, which may have multiple variants. Therefore, evaluation needs to distinguish the sources of the received flow output in a bulk test, including the data sample and variant the output is generated from.

-To build an evaluation method that can be used in a bulk test, two additional inputs are required: line\_number and variant\_id(s).

-There are two types of evaluation methods based on how to process outputs from different variants:

-| Field name | Type | Description | Examples |

-| | | | |

-| line\_number | int | The line number of the test data. | 0, 1, ... |

-| **variant\_id** | **string** | **The variant name.** | **"variant\_0", "variant\_1", ...** |

-| Field name | Type | Description | Examples |

-| | | | |

-| line\_number | int | The line number of the test data. | 0, 1, ... |

-| **variant\_ids** | **List[string]** | **The variant name list.** | **["variant\_0", "variant\_1", ...]**|

-See "QnA Relevance Scores Pairwise Evaluation" flow in "Create from gallery" for reference.

-#### Input mapping

-In this context, the inputs are the subjects of evaluation, which are the outputs of a flow. Other inputs may also be required, such as ground truth, which may come from the test dataset you provided. Therefore, to run an evaluation, you need to indicate the sources of these required input test data. To do so, when submitting an evaluation, you'll see an **"input mapping"** section.

-To demonstrate the relationship of how the inputs and outputs are passed between flow and evaluation methods, here's a diagram showing the schema:

-Here's a diagram showing the example how data are passed between test dataset and flow outputs:

-To remind what inputs are needed to calculate metrics, you can add a description for each required input. The descriptions will be displayed when mapping the sources in bulk test submission.

-Then this description will be displayed to when using this evaluation method in bulk test submission.

-#### Instance-level metricsΓÇöoutputs

-In Prompt flow, the flow processes each sample dataset one at a time and generates an output record. Similarly, in most evaluation cases, there will be a metric for each flow output, allowing you to check how the flow performs on each individual data input.

-To record the score for each data sample, calculate the score for each output, and log the score **as a flow output** by setting it in the output section. This is the same as defining a standard flow output.

-When this evaluation method is used in a bulk test, the instance-level score can be viewed in the **Output** tab.

-In addition, it's also important to provide an overall score for the run. You can check the **"set as aggregation"** of a Python node to turn it into a "reduce" node, allowing the node to take in the inputs **as a list** and process them in batch.

-See the following example for using the log_metric API:

-> If your compute instance is behind a VNet, see [Compute instance behind VNet](how-to-create-manage-runtime.md#compute-instance-behind-vnet).

- :::image type="content" source="./media/how-to-tune-prompts-using-variants/flow-graph.png" alt-text="Screenshot of the graph view of a Web Classification sample flow. " lightbox = "./media/how-to-tune-prompts-using-variants/flow-graph.png":::

-1. Use the following prompt as a baseline prompt in the **classify_with_llm** node.

- :::image type="content" source="./media/how-to-tune-prompts-using-variants/show-variants.png" alt-text="Screenshot of Web Classification highlighting the show variants button. " lightbox = "./media/how-to-tune-prompts-using-variants/show-variants.png":::

-1. Select the **Clone** button on variant_0 to generate variant_1, then you can configure parameters to different values, or update the prompt on variant_1.

- :::image type="content" source="./media/how-to-tune-prompts-using-variants/clone-variant.png" alt-text="Screenshot of Web Classification highlighting the clone button. " lightbox = "./media/how-to-tune-prompts-using-variants/clone-variant.png":::

-1. Repeat the step to create more variants.

-1. Select **Hide variants** to stop adding more variants. And all variants are folded. The default variant is shown for the node.

- :::image type="content" source="./media/how-to-tune-prompts-using-variants/run-select-variants.png" alt-text="Screenshot of Submit flow run where you can select an LLM node. " lightbox = "./media/how-to-tune-prompts-using-variants/run-select-variants.png":::

-1. Submit the flow run.

-1. After the flow run is completed, you can check the corresponding result for each variant.

- :::image type="content" source="./media/how-to-tune-prompts-using-variants/run-variant-output.png" alt-text="Screenshot of Web Classification showing a completed run. " lightbox = "./media/how-to-tune-prompts-using-variants/run-variant-output.png":::

-1. Submit another flow run with the other LLM node with variants, and check the outputs.

-1. You can change another input data (for example, use a Wikipedia page URL) and repeat the steps above to test variants for different data.ΓÇïΓÇïΓÇïΓÇïΓÇïΓÇïΓÇï

-You can submit a bulk test, which allows you test the variants with a large amount of data and evaluate them with metrics, to help you find the best fit.

-2. Select **Bulk test** on the top right of the page.

-3. A wizard for **Bulk test & Evaluate** occurs. The first step is to select a node to run all its variants.

- To test how well different variants work for each node in a flow, you need to run a bulk test for each node with variants one by one. This helps you avoid the influence of other nodes' variants and focus on the results of this node's variants. This follows the rule of the controlled experiment, which means that you only change one thing at a time and keep everything else the same.

- For example, you can select **classify_with_llm** node to run all variants, the **summarize_text_content** node will use it default variant for this bulk test.

-3. Next in **Bulk test settings**, you can set bulk test name, choose a runtime, upload the prepared data.

-4. Next, in **Evaluation settings**, select an evaluation method.

-5. After reviewing all the settings, you can submit the bulk test.

-6. After the run is submitted, select the link, go to the run detail page.

-### Compare metrics

-1. After the bulk run and evaluation run complete, in the bulk run detail page, switch to **Metrics** tab, you can see the metrics of 3 variants for the **classify_with_llm** node. It validates the hypothesis that lower temperature and few-shot examples can improve classification accuracy.

- :::image type="content" source="./media/how-to-tune-prompts-using-variants/bulk-test-metrics.png" alt-text="Screenshot of the bulk detail page on the metrics tab. " lightbox = "./media/how-to-tune-prompts-using-variants/bulk-test-metrics.png":::

- > [!NOTE]

- > You may fail to reproduce the same results as shown in the screenshots, it is because of the randomness of LLM output and the limited 30 records of data.

-1. To further investigate how different variants predict, you can go to **Outputs** tab, select an evaluation run, check prediction results for each row of data.

- :::image type="content" source="./media/how-to-tune-prompts-using-variants/bulk-test-outputs.png" alt-text="Screenshot of the bulk detail page on the outputs tab. " lightbox = "./media/how-to-tune-prompts-using-variants/bulk-test-outputs.png":::

-1. After you identify that which variant is the best, you can go back to the flow authoring page and set that variant as default variant of the node

-1. You can repeat the above steps to evaluate the variants of **summarize_text_content** node as well.