-1. The provisioning service is yet to update the provisioning logs with the bulk request processing details.

-| [Registration campaign](how-to-mfa-registration-campaign.md) | Beginning in July, 2023, enabled for SMS and voice call users with free and trial subscriptions. |

-As threat vectors change, Azure AD may announce default protection for a **Microsoft managed** setting in [release notes](../fundamentals/whats-new.md) and on commonly read forums like [Tech Community](https://techcommunity.microsoft.com/). For example, see our blog post [It's Time to Hang Up on Phone Transports for Authentication](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/it-s-time-to-hang-up-on-phone-transports-for-authentication/ba-p/1751752) for more information about the need to move away from using SMS and voice calls, which led to default enablement for the registration campaign to help users to set up Authenticator for modern authentication.

-To manage authentication methods for self-service password reset (SSPR), click **Password reset** > **Authentication methods**. The **Mobile phone** option in this policy allows either voice calls or SMS to be sent to a mobile phone. The **Office phone** option allows only voice calls.

-For users who are enabled for **Mobile phone** for SSPR, the independent control between policies can impact sign-in behavior. Where the other policies have separate options for SMS and voice calls, the **Mobile phone** for SSPR enables both options. As a result, anyone who uses **Mobile phone** for SSPR can also use voice calls for password reset, even if the other policies don't allow voice calls.

-Azure AD Multi-Factor Authentication (MFA) adds additional security over only using a password when a user signs in. The user can be prompted for additional forms of authentication, such as to respond to a push notification, enter a code from a software or hardware token, or respond to an SMS or phone call.

-Microsoft recommends users move away from using SMS or voice calls for multifactor authentication (MFA). Modern authentication methods like [Microsoft Authenticator](concept-authentication-authenticator-app.md) are a recommended alternative. For more information, see [It's Time to Hang Up on Phone Transports for Authentication](https://aka.ms/hangup). Users can still verify themselves using a mobile phone or office phone as secondary form of authentication used for multifactor authentication (MFA) or self-service password reset (SSPR).

-You can [configure and enable users for SMS-based authentication](howto-authentication-sms-signin.md) for direct authentication using text message. SMS-based sign-in is convenient for Frontline workers. With SMS-based sign-in, users don't need to know a username and password to access applications and services. The user instead enters their registered mobile phone number, receives a text message with a verification code, and enters that in the sign-in interface.

-For Azure AD Multi-Factor Authentication or SSPR, users can choose to receive an SMS message with a verification code to enter in the sign-in interface, or receive a phone call.

-Microsoft doesn't guarantee consistent SMS or voice-based Azure AD Multi-Factor Authentication prompt delivery by the same number. In the interest of our users, we may add or remove short codes at any time as we make route adjustments to improve SMS deliverability. Microsoft doesn't support short codes for countries/regions besides the United States and Canada.

-> Starting July 2023, we will apply delivery method optimizations such that tenants with a free or trial subscription may receive an SMS message or voice call.

-### SMS message verification

-With SMS message verification during SSPR or Azure AD Multi-Factor Authentication, a Short Message Service (SMS) text is sent to the mobile phone number containing a verification code. To complete the sign-in process, the verification code provided is entered into the sign-in interface.

-Android users can enable Rich Communication Services (RCS) on their devices. RCS offers encryption and other improvements over SMS. For Android, MFA text messages may be sent over RCS rather than SMS. The MFA text message is similar to SMS, but RCS messages have more Microsoft branding and a verified checkmark so users know they can trust the message.

-* ΓÇ£You've hit our limit on verification callsΓÇ¥ or ΓÇ£YouΓÇÖve hit our limit on text verification codesΓÇ¥ error messages during sign-in

- * Microsoft may limit or block voice or SMS authentication attempts that are performed by the same user, phone number, or organization due to high number of voice or SMS authentication attempts. If you are experiencing this error, you can try another method, such as Authenticator App or verification code, or reach out to your admin for support.

-* SMS is not subscribed on the device.

- * Have the user change methods or activate SMS on the device.

-* Faulty telecom providers such as no phone input detected, missing DTMF tones issues, blocked caller ID on multiple devices, or blocked SMS across multiple devices.

- * Microsoft uses multiple telecom providers to route phone calls and SMS messages for authentication. If you see any of the above issues, have a user attempt to use the method at least five times within 5 minutes and have that user's information available when contacting Microsoft support.

- * Or, use SMS authentication instead of phone (voice) authentication.

-Authentication strength is a Conditional Access control that allows administrators to specify which combination of authentication methods can be used to access a resource. For example, they can make only phishing-resistant authentication methods available to access a sensitive resource. But to access a nonsensitive resource, they can allow less secure multifactor authentication (MFA) combinations, such as password + SMS.

-¹ Something you have refers to one of the following methods: SMS, voice, push notification, software OATH token and Hardware OATH token.

-The authentication strength Conditional Access policy defines which methods can be used. Azure AD checks the policy during sign-in to determine the userΓÇÖs access to the resource. For example, an administrator configures a Conditional Access policy with a custom authentication strength that requires FIDO2 Security Key or Password + SMS. The user accesses a resource protected by this policy. During sign-in, all settings are checked to determine which methods are allowed, which methods are registered, and which methods are required by the Conditional Access policy. To be used, a method must be allowed, registered by the user (either before or as part of the access request), and satisfy the authentication strength.

-When a user accesses a resource protected by an authentication strength Conditional Access policy, Azure AD evaluates if the methods they have previously used satisfy the authentication strength. If a satisfactory method was used, Azure AD grants access to the resource. For example, let's say a user signs in with password + SMS. They access a resource protected by MFA authentication strength. In this case, the user can access the resource without another authentication prompt.

-|SMS as second factor | ✅ | ✅ |

- 1. Admin adds Phone Number to user account and allows Voice/SMS method for user.

- 1. Admin adds Phone Number to user account and allows Voice/SMS method for user.

- 1. Admin adds Phone Number to user account and allows Voice/SMS method for user

-| SMS as a second factor | | ΓùÅ | ΓùÅ | ΓùÅ | ΓùÅ |

-| Authenticate by phone call or SMS | ΓùÅ | ΓùÅ | ΓùÅ |

-IRSF is a type of telephony fraud where criminals exploit the billing system of telecommunication services providers to make profit for themselves. Bad actors gain unauthorized access to a telecommunication network and divert traffic to those networks to skim profit for every transaction that is sent to that network. To divert traffic, bad actors steal existing usernames and passwords, create new usernames and passwords, or try a host of other things to send SMS messages and voice calls through their telecommunication network. Bad actors take advantage of multifactor authentication screens, which require an SMS or voice call before a user can access their account. This activity causes exorbitant charges and makes services unreliable for our customers, causing downtime, and system errors.

-1. A bad actor uses automated scripts to request voice calls or SMS messages. The bad actor is colluding with number providers and the telecommunication network to drive more traffic to those services. The bad actor skims some of the profits of the increased traffic.

-For Voice verification, the following region codes require an opt-in.

- 1. Authenticator app is now successfully set up as the userΓÇÖs default sign-in method.

-1. Sign in to Graph Explorer and ensure youΓÇÖve consented to the **Policy.Read.All** and **Policy.ReadWrite.AuthenticationMethod** permissions.

-> When Azure AD Multi-Factor Authentication calls are placed through the public telephone network, sometimes the calls are routed through a carrier that doesn't support caller ID. Because of this, caller ID isn't guaranteed, even though Azure AD Multi-Factor Authentication always sends it. This applies both to phone calls and text messages provided by Azure AD Multi-Factor Authentication. If you need to validate that a text message is from Azure AD Multi-Factor Authentication, see [What SMS short codes are used for sending messages?](multi-factor-authentication-faq.yml#what-sms-short-codes-are-used-for-sending-sms-messages-to-my-users-).

-> When Azure AD Multi-Factor Authentication calls are placed through the public telephone network, sometimes the calls are routed through a carrier that doesn't support caller ID. Because of this, caller ID isn't guaranteed, even though Azure AD Multi-Factor Authentication always sends it. This applies both to phone calls and text messages provided by Azure AD Multi-Factor Authentication. If you need to validate that a text message is from Azure AD Multi-Factor Authentication, see [What SMS short codes are used for sending messages?](multi-factor-authentication-faq.yml#what-sms-short-codes-are-used-for-sending-sms-messages-to-my-users-).

-1. Navigate to the [Microsoft Entra admin center](https://entra.microsoft.com/#home).

-1. Navigate to the Microsoft [Entra admin center](https://entra.microsoft.com/#home).

-1. Go to **Enter Your AWS Account IDs**, and then select **Add** (the plus **+** sign).

-1. Go to **Azure subscription IDs**, and then select **Edit** (the pencil icon).

-1. Go to **Enter your Azure Subscription IDs**, and then select **Add subscription** (the plus **+** sign).

-> A *global administrator* or *super admin* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable Microsoft Entra Permissions Management on your Azure Active Directory tenant](onboard-enable-tenant.md).

- > Perform the next 6 steps for each account ID you add.

-> A *global administrator* or *root user* (an admin for all authorization system types) can perform the tasks in this article after the global administrator has initially completed the steps provided in [Enable Permissions Management on your Azure Active Directory tenant](onboard-enable-tenant.md).

-To add Permissions Management to your Azure AD tenant:

-This option allows subscriptions to be automatically detected and monitored without further work required. A key benefit of automatic management is that any current or future subscriptions found will be onboarded automatically. The steps to detect a list of subscriptions and onboard for collection are as follows:

-1. Navigate to data collectors tab

-1. Ensure 'Azure' is selected

-1. Click ΓÇÿCreate ConfigurationΓÇÖ

-1. For onboarding mode, select ΓÇÿAutomatically ManageΓÇÖ

- > The steps listed on the screen outline how to create the role assignment for the Cloud Infrastructure Entitlements Management application. This can be performed manually in the Entra console, or programmatically with PowerShell or the Azure CLI.

-1. Collectors will now be listed and change through status types. For each collector listed with a status of ΓÇ£Collected InventoryΓÇ¥, click on that status to view further information.

-1. You can then view subscriptions on the In Progress page

-You have the ability to specify only certain subscriptions to manage and monitor with MEPM (up to 100 per collector). Follow the steps below to configure these subscriptions to be monitored:

-1. Navigate to data collectors tab

-1. Navigate to data collectors tab.

-1. View subscriptions on the In Progress page

-1. In the EPM portal, click the cog on the top right-hand side.

-1. Navigate to data collectors tab

-1. Ensure 'Azure' is selected

-1. Click ΓÇÿCreate ConfigurationΓÇÖ

-1. For onboarding mode, select ΓÇÿAutomatically ManageΓÇÖ

-1. Navigate to newly create Data Collector row under Azure data collectors.

-1. Click on Status column when the row has ΓÇ£PendingΓÇ¥ status

-1. Sign in to the AWS console of the member account in a separate browser window.

-1. Go to the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab.

-1. On the **Data Collectors** dashboard, select **AWS**, and then select **Create Configuration**.

-1. On **Permissions Management Onboarding ΓÇô Summary** page, review the information you've added, and then select **Verify Now & Save**.

-1. To add the administrative role assignment, return to the **Access control (IAM)** page, and then select **Add role assignment**.

-1. Go to the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab.

-1. On the **Data Collectors** dashboard, select **Azure**, and then select **Create Configuration**.

-1. On the **Permissions Management Onboarding - Azure Subscription Details** page, enter the **Subscription ID**, and then select **Next**.

-1. On **Permissions Management Onboarding ΓÇô Summary** page, review the controller permissions, and then select **Verify Now & Save**.

-1. Go to the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab.

-1. On the **Permissions Management Onboarding - GCP Project IDs** page, enter the **Project IDs**, and then select **Next**.

-1. On the **Permissions Management Onboarding ΓÇô Summary** page, review the information you've added, and then select **Verify Now & Save**.

- 1. Go to [Entra services](https://entra.microsoft.com) and use your credentials to sign in to [Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview).

- 1. If you aren't already authenticated, sign in as a *Permissions Management Administrator* user.

- 1. If needed, activate the *Permissions Management Administrator* role in your Azure AD tenant.

- 1. In the Azure portal, select **Permissions Management**, and then select the link to purchase a license or begin a trial.

- - Sign in with *Global Admin* or *Billing Admin* credentials for your tenant.

- - Go to Setup and sign up for an Entra Permissions Management trial.

- - For self-service, navigate to the [Microsoft 365 portal](https://aka.ms/TryPermissionsManagement) to sign up for a 45-day free trial or to purchase licenses.

- - In the Permissions Management home page, select **Settings** (the gear icon), and then select the **Data Collectors** subtab.

-Ensure you're a *Global Administrator* or *Permissions Management Administrator*. Learn more about [Permissions Management roles and permissions](product-roles-permissions.md).

-1. In Permissions Management, navigate to the data collectors page.

-2. Select a cloud environment: AWS, Azure, or GCP.

-> Keep role assignments permanent if a user has a an additional Microsoft account (for example, an account they use to sign in to Microsoft services like Skype, or Outlook.com). If you require multi-factor authentication to activate a role assignment, a user with an additional Microsoft account will be locked out.

-# customerintent: As a cloud administer, I want to understand Permissions Management role assignments, so that I can effectively assign the correct permissions to users.

-See [Microsoft Entra ID built-in roles to learn more.](product-privileged-role-insights.md)

-In this quickstart, you download and run a code sample that demonstrates how a JavaScript Angular single-page application (SPA) can sign in users and call Microsoft Graph using the authorization code flow. The code sample demonstrates how to get an access token to call the Microsoft Graph API or any web API.

-See [How the sample works](#how-the-sample-works) for an illustration.

-This quickstart uses MSAL Angular v2 with the authorization code flow.

-* Azure subscription - [Create an Azure subscription for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F)

-* [Visual Studio Code](https://code.visualstudio.com/download) or another code editor

-## Register your quickstart application

-1. Enter a **Name** for your application. Users of your app might see this name, and you can change it later.

-1. Select **Register**. On the app **Overview** page, note the **Application (client) ID** value for later use.

-1. Under **Platform configurations**, select **Add a platform**. In the pane that opens select **Single-page application**.

-1. Confirm that under **Grant types**  Your Redirect URI is eligible for the Authorization Code Flow with PKCE.

-#### Step 2: Download the project

-To run the project with a web server by using Node.js, [download the core project files](https://github.com/Azure-Samples/ms-identity-javascript-angular-spa/archive/main.zip).

-#### Step 3: Configure your JavaScript app

-In the *src* folder, open the *app* folder then open the *app.module.ts* file and update the `clientID`, `authority`, and `redirectUri` values in the `auth` object.

-```javascript

-// MSAL instance to be passed to msal-angular

-export function MSALInstanceFactory(): IPublicClientApplication {

- return new PublicClientApplication({

- auth: {

- clientId: 'Enter_the_Application_Id_Here',

- authority: 'Enter_the_Cloud_Instance_Id_Here/Enter_the_Tenant_Info_Here',

- redirectUri: 'Enter_the_Redirect_Uri_Here'

- },

- cache: {

- cacheLocation: BrowserCacheLocation.LocalStorage,

- storeAuthStateInCookie: isIE, // set to true for IE 11 },

- });

-}

-```

-Modify the values in the `auth` section as described here:

- To find the value of **Application (client) ID**, go to the app registration's **Overview** page.

- - If your application supports *accounts in this organizational directory*, replace this value with the **Tenant ID** or **Tenant name**. For example, `contoso.microsoft.com`.

- To find the value of the **Directory (tenant) ID**, go to the app registration's **Overview** page.

- - If your application supports *accounts in any organizational directory*, replace this value with `organizations`.

- - If your application supports *accounts in any organizational directory and personal Microsoft accounts*, replace this value with `common`. **For this quickstart**, use `common`.

- - To restrict support to *personal Microsoft accounts only*, replace this value with `consumers`.

- To find the value of **Supported account types**, go to the app registration's **Overview** page.

-The `authority` value in your *app.module.ts* should be similar to the following if you're using the main (global) Azure cloud:

-```javascript

-authority: "https://login.microsoftonline.com/common",

-```

-Scroll down in the same file and update the `graphMeEndpoint`.

-```javascript

-export function MSALInterceptorConfigFactory(): MsalInterceptorConfiguration {

- const protectedResourceMap = new Map<string, Array<string>>();

- protectedResourceMap.set('Enter_the_Graph_Endpoint_Herev1.0/me', ['user.read']);

- return {

- interactionType: InteractionType.Redirect,

- protectedResourceMap

- };

-}

-```

- #### Step 4: Run the project

-1. Browse to `http://localhost:4200/`.

-1. Select **Login** to start the sign-in process and then call the Microsoft Graph API.

- The first time you sign in, you're prompted to provide your consent to allow the application to access your profile and sign you in. After you're signed in successfully, click the **Profile** button to display your user information on the page.

-## More information

-### How the sample works

-

-### msal.js

-The MSAL.js library signs in users and requests the tokens that are used to access an API that's protected by the Microsoft identity platform.

-If you have Node.js installed, you can download the latest version by using the Node.js Package Manager (npm):

-```console

-npm install @azure/msal-browser @azure/msal-angular@2

-```

-## Next steps

-For a detailed step-by-step guide on building the auth code flow application using vanilla JavaScript, see the following tutorial:

-> [!div class="nextstepaction"]

-> [Tutorial to sign in users and call Microsoft Graph](tutorial-v2-javascript-auth-code.md)

-In this quickstart, you download and run a code sample that demonstrates how a JavaScript single-page application (SPA) can sign in users and call Microsoft Graph using the authorization code flow with Proof Key for Code Exchange (PKCE). The code sample demonstrates how to get an access token to call the Microsoft Graph API or any web API.

-See [How the sample works](#how-the-sample-works) for an illustration.

-* Azure subscription - [Create an Azure subscription for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F)

-* [Visual Studio Code](https://code.visualstudio.com/download) or another code editor

-## Register and download your quickstart application

-### Step 1: Register your application

-1. Browse to **Identity** > **Applications** > **Application registrations**.

-1. Enter a **Name** for your application. Users of your app might see this name, and you can change it later.

-1. Select **Register**. On the app **Overview** page, note the **Application (client) ID** value for later use.

-1. Under **Manage**, select **Authentication**.

-1. Under **Platform configurations**, select **Add a platform**. In the pane that opens select **Single-page application**.

-1. Set the **Redirect URI** value to `http://localhost:3000/`.

-1. Select **Configure**.

-### Step 2: Download the project

-To run the project with a web server by using Node.js, [download the core project files](https://github.com/Azure-Samples/ms-identity-javascript-v2/archive/master.zip).

-### Step 3: Configure your JavaScript app

-In the *app* folder, open the *authConfig.js* file, and then update the `clientID`, `authority`, and `redirectUri` values in the `msalConfig` object.

-```javascript

-// Config object to be passed to MSAL on creation

-const msalConfig = {

- auth: {

- clientId: "Enter_the_Application_Id_Here",

- authority: "Enter_the_Cloud_Instance_Id_Here/Enter_the_Tenant_Info_Here",

- redirectUri: "Enter_the_Redirect_Uri_Here",

- },

- cache: {

- cacheLocation: "sessionStorage", // This configures where your cache will be stored

- storeAuthStateInCookie: false, // Set this to "true" if you are having issues on IE11 or Edge

- }

-};

-```

-Modify the values in the `msalConfig` section:

- To find the value of **Application (client) ID**, go to the app registration's **Overview** page.

- - If your application supports *accounts in this organizational directory*, replace this value with the **Tenant ID** or **Tenant name**. For example, `contoso.microsoft.com`.

- To find the value of the **Directory (tenant) ID**, go to the app registration's **Overview** page.

- - If your application supports *accounts in any organizational directory*, replace this value with `organizations`.

- - If your application supports *accounts in any organizational directory and personal Microsoft accounts*, replace this value with `common`. **For this quickstart**, use `common`.

- - To restrict support to *personal Microsoft accounts only*, replace this value with `consumers`.

- To find the value of **Supported account types**, go to the app registration's **Overview** page.

-The `authority` value in your *authConfig.js* should be similar to the following if you're using the main (global) Azure cloud:

-```javascript

-authority: "https://login.microsoftonline.com/common",

-```

-Next, open the *graphConfig.js* file to update the `graphMeEndpoint` and `graphMailEndpoint` values in the `apiConfig` object.

-```javascript

- // Add here the endpoints for MS Graph API services you would like to use.

- const graphConfig = {

- graphMeEndpoint: "Enter_the_Graph_Endpoint_Herev1.0/me",

- graphMailEndpoint: "Enter_the_Graph_Endpoint_Herev1.0/me/messages"

- };

- // Add here scopes for access token to be used at MS Graph API endpoints.

- const tokenRequest = {

- scopes: ["Mail.Read"]

- };

-```

-`Enter_the_Graph_Endpoint_Here` is the endpoint that API calls are made against. For the main (global) Microsoft Graph API service, enter `https://graph.microsoft.com/` (include the trailing forward-slash). For more information about Microsoft Graph on national clouds, see [National cloud deployment](/graph/deployments).

-If you're using the main (global) Microsoft Graph API service, the `graphMeEndpoint` and `graphMailEndpoint` values in the *graphConfig.js* file should be similar to the following:

-```javascript

-graphMeEndpoint: "https://graph.microsoft.com/v1.0/me",

-graphMailEndpoint: "https://graph.microsoft.com/v1.0/me/messages"

-```

-### Step 4: Run the project

-Run the project with a web server by using Node.js.

-1. Go to `http://localhost:3000/`.

-1. Select **Sign In** to start the sign-in process and then call the Microsoft Graph API.

- The first time you sign in, you're prompted to provide your consent to allow the application to access your profile and sign you in. After you're signed in successfully, your user profile information is displayed on the page.

-## More information

-### How the sample works

-

-### MSAL.js

-The MSAL.js library signs in users and requests the tokens that are used to access an API that's protected by Microsoft identity platform. The sample's *https://docsupdatetracker.net/index.html* file contains a reference to the library:

-```html

-<script type="text/javascript" src="https://alcdn.msauth.net/browser/2.0.0-beta.0/js/msal-browser.js" integrity=

-"sha384-r7Qxfs6PYHyfoBR6zG62DGzptfLBxnREThAlcJyEfzJ4dq5rqExc1Xj3TPFE/9TH" crossorigin="anonymous"></script>

-```

-If you have Node.js installed, you can download the latest version by using the Node.js Package Manager (npm):

-```console

-npm install @azure/msal-browser

-```

-## Next steps

-For a more detailed step-by-step guide on building the application used in this quickstart, see the following tutorial:

-> [!div class="nextstepaction"]

-> [Tutorial to sign in users and call Microsoft Graph](tutorial-v2-javascript-auth-code.md)

-In this quickstart, you download and run a code sample that demonstrates how a JavaScript React single-page application (SPA) can sign in users and call Microsoft Graph using the authorization code flow. The code sample demonstrates how to get an access token to call the Microsoft Graph API or any web API.

-See [How the sample works](#how-the-sample-works) for an illustration.

-* Azure subscription - [Create an Azure subscription for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F)

-* [Visual Studio Code](https://code.visualstudio.com/download) or another code editor

-## Register and download your quickstart application

-### Step 1: Register your application

-1. When the **Register an application** page appears, enter a name for your application.

-1. Select **Register**. On the app **Overview** page, note the **Application (client) ID** value for later use.

-1. Under **Platform configurations**, select **Add a platform**. In the pane that opens select **Single-page application**.

-1. Set the **Redirect URIs** value to `http://localhost:3000/`. This is the default port NodeJS will listen on your local machine. WeΓÇÖll return the authentication response to this URI after successfully authenticating the user.

-1. Confirm that under **Grant types**  Your Redirect URI is eligible for the Authorization Code Flow with PKCE.

-### Step 2: Download the project

-To run the project with a web server by using Node.js, [download the core project files](https://github.com/Azure-Samples/ms-identity-javascript-react-spa/archive/main.zip).

-### Step 3: Configure your JavaScript app

-In the *src* folder, open the *authConfig.js* file and update the `clientID`, `authority`, and `redirectUri` values in the `msalConfig` object.

-```javascript

-/**

-* Configuration object to be passed to MSAL instance on creation.

-* For a full list of MSAL.js configuration parameters, visit:

-* https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/configuration.md

-*/

-export const msalConfig = {

- auth: {

- clientId: "Enter_the_Application_Id_Here",

- authority: "Enter_the_Cloud_Instance_Id_Here/Enter_the_Tenant_Info_Here",

- redirectUri: "Enter_the_Redirect_Uri_Here"

- },

- cache: {

- cacheLocation: "sessionStorage", // This configures where your cache will be stored

- storeAuthStateInCookie: false, // Set this to "true" if you are having issues on IE11 or Edge

- },

-```

-Modify the values in the `msalConfig` section as described here:

- To find the value of **Application (client) ID**, go to the app registration's **Overview** page.

- - If your application supports *accounts in this organizational directory*, replace this value with the **Tenant ID** or **Tenant name**. For example, `contoso.microsoft.com`.

- To find the value of the **Directory (tenant) ID**, go to the app registration's **Overview** page.

- - If your application supports *accounts in any organizational directory*, replace this value with `organizations`.

- - If your application supports *accounts in any organizational directory and personal Microsoft accounts*, replace this value with `common`. **For this quickstart**, use `common`.

- - To restrict support to *personal Microsoft accounts only*, replace this value with `consumers`.

- To find the value of **Supported account types**, go to the app registration's **Overview** page.

-The `authority` value in your *authConfig.js* should be similar to the following if you're using the main (global) Azure cloud:

-```javascript

-authority: "https://login.microsoftonline.com/common",

-```

-Scroll down in the same file and update the `graphMeEndpoint`.

-```javascript

- // Add here the endpoints for MS Graph API services you would like to use.

- export const graphConfig = {

- graphMeEndpoint: "Enter_the_Graph_Endpoint_Herev1.0/me"

- };

-```

-### Step 4: Run the project

-1. Browse to `http://localhost:3000/`.

-1. Select **Sign In** to start the sign-in process and then call the Microsoft Graph API.

- The first time you sign in, you're prompted to provide your consent to allow the application to access your profile and sign you in. After you're signed in successfully, click on the **Request Profile Information** to display your profile information on the page.

-## More information

-### How the sample works

-

-### msal.js

-The MSAL.js library signs in users and requests the tokens that are used to access an API that's protected by the Microsoft identity platform.

-If you have Node.js installed, you can download the latest version by using the Node.js Package Manager (npm):

-```console

-npm install @azure/msal-browser @azure/msal-react

-```

-## Next steps

-Next, try a step-by-step tutorial to learn how to build a React SPA from scratch that signs in users and calls the Microsoft Graph API to get user profile data:

-> [!div class="nextstepaction"]

-> [Tutorial: Sign in users and call Microsoft Graph](./single-page-app-tutorial-01-register-app.md)

-description: Learn how an ASP.NET Core web app leverages Microsoft.Identity.Web to implement Microsoft sign-in using OpenID Connect and call Microsoft Graph

-The following quickstart uses a ASP.NET Core web app code sample to demonstrate how to sign in users from any Azure Active Directory (Azure AD) organization.

-See [How the sample works](#how-the-sample-works) for an illustration.

-* [Visual Studio 2022](https://visualstudio.microsoft.com/vs/) or [Visual Studio Code](https://code.visualstudio.com/)

-## Register and download your quickstart application

-### Step 1: Register your application

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. If access to multiple tenants is available, use the **Directories + subscriptions** filter :::image type="icon" source="media/common/portal-directory-subscription-filter.png" border="false"::: in the top menu to switch to the tenant in which to register the application.

-1. Search for and select **Azure Active Directory**.

-1. Under **Manage**, select **App registrations** > **New registration**.

-1. For **Name**, enter a name for the application. For example, enter **AspNetCore-Quickstart**. Users of the app will see this name, and can be changed later.

-1. Set the **Redirect URI** type to **Web** and value to `https://localhost:44321/signin-oidc`.

-1. Under **Manage**, select **Authentication**.

-1. For **Front-channel logout URL**, enter **https://localhost:44321/signout-oidc**.

-1. Under **Implicit grant and hybrid flows**, select **ID tokens**.

-1. Select **Save**.

-1. Under **Manage**, select **Certificates & secrets** > **Client secrets** > **New client secret**.

-1. Enter a **Description**, for example `clientsecret1`.

-1. Select **In 1 year** for the secret's expiration.

-1. Select **Add** and immediately record the secret's **Value** for use in a later step. The secret value is *never displayed again* and is irretrievable by any other means. Record it in a secure location as you would any password.

-### Step 2: Download the ASP.NET Core project

-[Download the ASP.NET Core solution](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/archive/aspnetcore3-1-callsgraph.zip)

-### Step 3: Configure your ASP.NET Core project

-1. Extract the *.zip* file to a local folder that's close to the root of the disk to avoid errors caused by path length limitations on Windows. For example, extract to *C:\Azure-Samples*.

-1. Open the solution in the chosen code editor.

-1. In *appsettings.json*, replace the values of `ClientId`, and `TenantId`. The value for the application (client) ID and the directory (tenant) ID, can be found in the app's **Overview** page on the Azure portal.

- ```json

- "Domain": "[Enter the domain of your tenant, e.g. contoso.onmicrosoft.com]",

- "ClientId": "Enter_the_Application_Id_here",

- "TenantId": "common",

- ```

- - `Enter_the_Application_Id_Here` is the application (client) ID for the registered application.

- - Replace `Enter_the_Tenant_Info_Here` with one of the following:

- - If the application supports **Accounts in this organizational directory only**, replace this value with the directory (tenant) ID (a GUID) or tenant name (for example, `contoso.onmicrosoft.com`). The directory (tenant) ID can be found on the app's **Overview** page.

- - If the application supports **Accounts in any organizational directory**, replace this value with `organizations`.

- - If the application supports **All Microsoft account users**, leave this value as `common`.

- - Replace `Enter_the_Client_Secret_Here` with the **Client secret** that was created and recorded in an earlier step.

-For this quickstart, don't change any other values in the *appsettings.json* file.

-

-### Step 4: Build and run the application

-Build and run the app in Visual Studio by selecting the **Debug** menu > **Start Debugging**, or by pressing the F5 key.

-A prompt for credentials will appear, and then a request for consent to the permissions that the app requires. Select **Accept** on the consent prompt.

-After consenting to the requested permissions, the app displays that sign-in has been successful using correct Azure Active Directory credentials. The user's account email address will be displayed in the *API result* section of the page. This was extracted using the Microsoft Graph API.

-## More information

-This section gives an overview of the code required to sign in users and call the Microsoft Graph API on their behalf. This overview can be useful to understand how the code works, main arguments, and also if you want to add sign-in to an existing ASP.NET Core application and call Microsoft Graph. It uses [Microsoft.Identity.Web](microsoft-identity-web.md), which is a wrapper around [MSAL.NET](msal-overview.md).

-### How the sample works

-

-### Startup class

-The *Microsoft.AspNetCore.Authentication* middleware uses a `Startup` class that's executed when the hosting process starts:

-```csharp

- // Get the scopes from the configuration (appsettings.json)

- var initialScopes = Configuration.GetValue<string>("DownstreamApi:Scopes")?.Split(' ');

- public void ConfigureServices(IServiceCollection services)

- {

- // Add sign-in with Microsoft

- services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)

- .AddMicrosoftIdentityWebApp(Configuration.GetSection("AzureAd"))

- // Add the possibility of acquiring a token to call a protected web API

- .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)

- // Enables controllers and pages to get GraphServiceClient by dependency injection

- // And use an in memory token cache

- .AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))

- .AddInMemoryTokenCaches();

- services.AddControllersWithViews(options =>

- {

- var policy = new AuthorizationPolicyBuilder()

- .RequireAuthenticatedUser()

- .Build();

- options.Filters.Add(new AuthorizeFilter(policy));

- });

- // Enables a UI and controller for sign in and sign out.

- services.AddRazorPages()

- .AddMicrosoftIdentityUI();

- }

-```

-The `AddAuthentication()` method configures the service to add cookie-based authentication. This authentication is used in browser scenarios and to set the challenge to OpenID Connect.

-The line that contains `.AddMicrosoftIdentityWebApp` adds Microsoft identity platform authentication to the application. The application is then configured to sign in users based on the following information in the `AzureAD` section of the *appsettings.json* configuration file:

-| *appsettings.json* key | Description |

-||-|

-| `ClientId` | Application (client) ID of the application registered in the Azure portal. |

-| `Instance` | Security token service (STS) endpoint for the user to authenticate. This value is typically `https://login.microsoftonline.com/`, indicating the Azure public cloud. |

-| `TenantId` | Name of your tenant or the tenant ID (a GUID), or `common` to sign in users with work or school accounts or Microsoft personal accounts. |

-The `EnableTokenAcquisitionToCallDownstreamApi` method enables the application to acquire a token to call protected web APIs. `AddMicrosoftGraph` enables the controllers or Razor pages to benefit directly the `GraphServiceClient` (by dependency injection) and the `AddInMemoryTokenCaches` methods enables your app to benefit from a token cache.

-The `Configure()` method contains two important methods, `app.UseAuthentication()` and `app.UseAuthorization()`, that enable their named functionality. Also in the `Configure()` method, you must register Microsoft Identity Web routes with at least one call to `endpoints.MapControllerRoute()` or a call to `endpoints.MapControllers()`:

-```csharp

-app.UseAuthentication();

-app.UseAuthorization();

-app.UseEndpoints(endpoints =>

-{

- endpoints.MapControllerRoute(

- name: "default",

- pattern: "{controller=Home}/{action=Index}/{id?}");

- endpoints.MapRazorPages();

-});

-```

-### Protect a controller or a controller's method

-The controller or its methods can be protected by applying the `[Authorize]` attribute to the controller's class or one or more of its methods. This `[Authorize]` attribute restricts access by allowing only authenticated users. If the user isn't already authenticated, an authentication challenge can be started to access the controller. In this quickstart, the scopes are read from the configuration file:

-```csharp

-[AuthorizeForScopes(ScopeKeySection = "DownstreamApi:Scopes")]

-public async Task<IActionResult> Index()

-{

- var user = await _graphServiceClient.Me.GetAsync();

- ViewData["ApiResult"] = user.DisplayName;

- return View();

-}

-```

-## Next steps

-The following GitHub repository contains the ASP.NET Core code sample referenced in this quickstart and more samples that show how to achieve the following:

-> [!div class="nextstepaction"]

-> [ASP.NET Core web app tutorials on GitHub](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/)

-> Tenant restrictions V2 on Windows is a partial solution that protects the authentication and data planes for some scenarios. It works on managed Windows devices and does not protect .NET stack, Chrome, or Firefox. The Windows solution provides a temporary solution until general availability of Universal tenant restrictions in Global Secure Access (preview).

-description: Learn about the available features of Azure AD Multi-Factor Authentication for your organization based on your license model

-# Overview of Azure AD Multi-Factor Authentication for your organization

-There are multiple ways to enable Azure AD Multi-Factor Authentication for your Azure Active Directory (AD) users based on the licenses that your organization owns.

-

-Based on our studies, your account is more than 99.9% less likely to be compromised if you use multi-factor authentication (MFA).

-So how does your organization turn on MFA even for free, before becoming a statistic?

-## Free option

-Customers who are utilizing the free benefits of Azure AD can use [security defaults](../fundamentals/security-defaults.md) to enable multi-factor authentication in their environment.

-## Microsoft 365 Business, E3, or E5

-For customers with Microsoft 365, there are two options:

-* Azure AD Multi-Factor Authentication is either enabled or disabled for all users, for all sign-in events. There is no ability to only enable multi-factor authentication for a subset of users, or only under certain scenarios. Management is through the Office 365 portal.

-* For an improved user experience, upgrade to Azure AD Premium P1 or P2 and use Conditional Access. For more information, see secure Microsoft 365 resources with multi-factor authentication.

-## Azure AD Premium P1

-For customers with Azure AD Premium P1 or similar licenses that include this functionality such as Enterprise Mobility + Security E3, Microsoft 365 F1, or Microsoft 365 E3:

-Use [Azure AD Conditional Access](../authentication/tutorial-enable-azure-mfa.md) to prompt users for multi-factor authentication during certain scenarios or events to fit your business requirements.

-## Azure AD Premium P2

-For customers with Azure AD Premium P2 or similar licenses that include this functionality such as Enterprise Mobility + Security E5 or Microsoft 365 E5:

-Provides the strongest security position and improved user experience. Adds [risk-based Conditional Access](../conditional-access/howto-conditional-access-policy-risk.md) to the Azure AD Premium P1 features that adapts to user's patterns and minimizes multi-factor authentication prompts.

-## Authentication methods

-| Method | Security defaults | All other methods |

-| | | |

-| Notification through mobile app | X | X |

-| Verification code from mobile app or hardware token | | X |

-| Text message to phone | | X |

-| Call to phone | | X |

-## Next steps

-To get started, see the tutorial to [secure user sign-in events with Azure AD Multi-Factor Authentication](../authentication/tutorial-enable-azure-mfa.md).

-For more information on licensing, see [Features and licenses for Azure AD Multi-Factor Authentication](../authentication/concept-mfa-licensing.md).

-Azure AD role-assignable group feature is not part of Azure AD Privileged Identity Management (Azure AD PIM). It requires a Microsoft Entra Premium P1, P2, or Microsoft Entra ID Governance license.

-> [!VIDEO https://www.youtube.com/embed/9T6lKEloq0Q]

-# Understand the Privileged Identity Management APIs

-You can perform Privileged Identity Management (PIM) tasks using the Microsoft Graph APIs for Azure Active Directory (Azure AD) roles and groups, and the Azure Resource Manager API for Azure resource roles. This article describes important concepts for using the APIs for Privileged Identity Management.

-For requests and other details about PIM APIs, check out:

-There have been several iterations of the PIM APIs over the past few years. You'll find some overlaps in functionality, but they don't represent a linear progression of versions.

-Under the `/beta/privilegedRoles` endpoint, Microsoft had a classic version of the PIM APIs which only supported Azure AD roles. Access to this API was retired in June 2021.

-Under the `/beta/privilegedAccess` endpoint, Microsoft supported both `/aadRoles` and `/azureResources`. The `/aadRoles` endpoint has been retired but the `/azureResources` endpoint is still available in your tenant. Microsoft recommends against starting any new development with the APIs available through the `/azureResources` endpoint. This API will never be released to general availability and will be eventually deprecated and retired.

-### Current iteration ΓÇô Azure AD roles and groups in Microsoft Graph and Azure resource roles in Azure Resource Manager

-Currently, in general availability, this is the final iteration of the PIM APIs. Based on customer feedback, the PIM APIs for managing Azure AD roles are now under the **unifiedRoleManagement** set of APIs and the Azure Resource PIM APIs is now under the Azure Resource Manager role assignment APIs. These locations also provide a few additional benefits including:

-This iteration also includes PIM APIs for managing ownership and membership of groups as well as security alerts for PIM for Azure AD roles.

-## Current permissions required

-### Azure AD roles

-To understand the permissions that you need to call the PIM Microsoft Graph API for Azure AD roles, see [Role management permissions](/graph/permissions-reference#role-management-permissions).

-The easiest way to specify the required permissions is to use the Azure AD consent framework.

-### Azure resource roles

- The PIM API for Azure resource roles is developed on top of the Azure Resource Manager framework. You will need to give consent to Azure Resource Management but wonΓÇÖt need any Microsoft Graph API permission. You will also need to make sure the user or the service principal calling the API has at least the Owner or User Access Administrator role on the resource you are trying to administer.

-## Calling PIM API with an app-only token

-### Azure AD roles

- PIM API now supports app-only permissions on top of delegated permissions.

-### Azure resource roles

- PIM API for Azure resources supports both user only and application only calls. Simply make sure the service principal has either the owner or user access administrator role on the resource.

-## Design of current API iteration

-PIM API consists of two categories that are consistent for both the API for Azure AD roles and Azure resource roles: assignment and activation API requests, and policy settings.

-### Assignment and activation APIs

-To make eligible assignments, time-bound eligible or active assignments, and to activate eligible assignments, PIM provides the following resources:

-These entities work alongside pre-existing **roleDefinition** and **roleAssignment** resources for both Azure AD roles and Azure roles to allow you to create end to end scenarios.

-Each of the request objects would create the following read-only objects:

-The **unifiedRoleAssignmentSchedule** and **unifiedRoleEligibilitySchedule** objects show a schedule of all the current and future assignments.

-When an eligible assignment is activated, the **unifiedRoleEligibilityScheduleInstance** continues to exist. The **unifiedRoleAssignmentScheduleRequest** for the activation would create a separate **unifiedRoleAssignmentSchedule** object and a **unifiedRoleAssignmentScheduleInstance** for that activated duration.

-The instance objects are the actual assignments that currently exist whether it is an eligible assignment or an active assignment. You should use the GET operation on the instance entity to retrieve a list of eligible assignments / active assignments to a role/user.

-For more information about assignment and activation APIs, see [PIM API for managing role assignments and eligibilities](/graph/api/resources/privilegedidentitymanagementv3-overview#pim-api-for-managing-role-assignment).

-### Policy settings APIs

-To manage the settings of Azure AD roles, we provide the following entities:

-The [unifiedroleManagementPolicy](/graph/api/resources/unifiedrolemanagementpolicy) resource through it's **rules** relationship defines the rules or settings of the Azure AD role. For example, whether MFA/approval is required, whether and who to send the email notifications to, or whether permanent assignments are allowed or not. The [unifiedroleManagementPolicyAssignment](/graph/api/resources/unifiedrolemanagementpolicyassignment) object attaches the policy to a specific role.

-Use the APIs supported by these resources retrieve role management policy assignments for all Azure AD role or filter the list by a **roleDefinitionId**, and then update the rules or settings in the policy associated with the Azure AD role.

-For more information about the policy settings APIs, see [role settings and PIM](/graph/api/resources/privilegedidentitymanagementv3-overview#role-settings-and-pim).

-The only link between the PIM entity and the role assignment entity for persistent (active) assignment for either Azure AD roles or Azure roles is the unifiedRoleAssignmentScheduleInstance. There is a one-to-one mapping between the two entities. That mapping means roleAssignment and unifiedRoleAssignmentScheduleInstance would both include:

-1. Find and select the request that you want to approve. An approve or deny page appears.

- 

-1. In the **Justification** box, enter the business justification.

-1. Select **Approve**. You will receive an Azure notification of your approval.

- 

- "reviewResult": "Approve",

- "justification": "abcdefg"

-1. Find and select the request that you want to deny. An approve or deny page appears.

- 

-1. In the **Justification** box, enter the business justification.

-1. Select **Deny**. A notification appears with your denial.

-1. Find and select the request that you want to approve. An approve or deny page appears.

- 

-1. In the **Justification** box, enter the business justification.

-1. Select **Approve**. You will receive an Azure notification of your approval.

- 

-## Deny requests

-1. Find and select the request that you want to deny. An approve or deny page appears.

- 

-1. In the **Justification** box, enter the business justification.

-1. Select **Deny**. A notification appears with your denial.

-[!code-csharp[](~/azure-ai-vision-sdk/docs/learn.microsoft.com/csharp/image-analysis/1/Program.cs?name=vision_service_options)]

-[!code-python[](~/azure-ai-vision-sdk/docs/learn.microsoft.com/python/image-analysis/1/main.py?name=vision_service_options)]

-[!code-cpp[](~/azure-ai-vision-sdk/docs/learn.microsoft.com/cpp/image-analysis/1/1.cpp?name=vision_service_options)]

-[!code-cpp[](~/azure-ai-vision-sdk/docs/learn.microsoft.com/cpp/image-analysis/1/1.cpp?name=get_env_var)]

-[!code-csharp[](~/azure-ai-vision-sdk/docs/learn.microsoft.com/csharp/image-analysis/1/Program.cs?name=vision_source)]

-> You can also analyze a local image by passing in the full-path image file name. See [VisionSource.FromFile](/dotnet/api/azure.ai.vision.common.visionsource.fromfile).

-[!code-python[](~/azure-ai-vision-sdk/docs/learn.microsoft.com/python/image-analysis/1/main.py?name=vision_source)]

-> You can also analyze a local image by passing in the full-path image file name to the **VisionSource** constructor instead of the image URL.

-[!code-cpp[](~/azure-ai-vision-sdk/docs/learn.microsoft.com/cpp/image-analysis/1/1.cpp?name=vision_source)]

-> You can also analyze a local image by passing in the full-path image file name. See [VisionSource::FromFile](/cpp/cognitive-services/vision/input-visionsource#fromfile).

-Storage accounts in virtual networks and private endpoints are currently not supported by Azure OpenAI on your data.

-| 1.11.0 | `mcr.microsoft.com/azure-cognitive-services/speechservices/language-detection:1.11.0-amd64-preview` |

-The [Transliterate operation](reference/v3-0-transliterate.md) in the Text Translation feature supports the following languages. In the "To/From", "<-->" indicates that the language can be transliterated from or to either of the scripts listed. The "-->" indicates that the language can only be transliterated from one script to the other.

-# [Python 3.10 (preview)](#tab/py10)

-**Limitations**

-2. Set the `spec.connectionStringReference` property to the name of the Secret in the following sample `AzureAppConfigurationProvider` resource and deploy it to the Kubernetes cluster.

-### Upgrade Arc data controller extension

-Upgrade the Arc data controller extension first.

-Retrieve the name of your extension and its version:

-1. Go to the Azure portal

-1. Select **Overview** for your Azure Arc enabled Kubernetes cluster

-1. Selecting the **Extensions** tab on the left.

-Alternatively, you can use `az` CLI to get the name of your extension and its version running.

-```azurecli

-az k8s-extension list --resource-group <resource-group> --cluster-name <connected cluster name> --cluster-type connectedClusters

-```

-Example:

-```azurecli

-az k8s-extension list --resource-group rg-arcds --cluster-name aks-arc --cluster-type connectedClusters

-```

-After you retrieve the extension name and its version, upgrade the extension.

-```azurecli

-az k8s-extension update --resource-group <resource-group> --cluster-name <connected cluster name> --cluster-type connectedClusters --name <name of extension> --version <extension version> --release-train stable --config systemDefaultValues.image="<registry>/<repository>/arc-bootstrapper:<imageTag>"

-```

-Example:

-```azurecli

-az k8s-extension update --resource-group rg-arcds --cluster-name aks-arc --cluster-type connectedClusters --name aks-arc-ext --version

-1.2.19581002 --release-train stable --config systemDefaultValues.image="mcr.microsoft.com/arcdata/arc-bootstrapper:v1.7.0_2022-05-24"

-```

-* CPU socket, physical core and logical core counts

-[azcmagent check](azcmagent-check.md) validates a new endpoint in this release: `<geography>-ats.his.arc.azure.com`. This endpoint is reserved for future use and not required for the Azure Connected Machine agent to operate successfully. However, if you are using a private endpoint, this endpoint will fail the network connectivity check. You can safely ignore this endpoint in the results and should instead confirm that all other endpoints are reachable.

-## Version 1.30 - May 2023

-Download for [Windows](https://download.microsoft.com/download/7/7/9/779eae73-a12b-4170-8c5e-abec71bc14cf/AzureConnectedMachineAgent.msi) or [Linux](manage-agent.md#installing-a-specific-version-of-the-agent)

-### New features

-### Fixed

-* [Update Manager (preview)](../../update-center/overview.md) - Unified management and governance of update compliance that includes not only Azure and hybrid machines, but also ESU update compliance for all your Windows Server 2012/2012 R2 machines.

- >Activation of ESU is planned for the third quarter of 2023. Using Azure services such as Update Manager (preview) and Azure Policy to support managing ESU-eligible Windows Server 2012/2012 R2 machines are also planned for the third quarter.

-There's an industry-wide push toward the exclusive use of Transport Layer Security (TLS) version 1.2 or later. TLS versions 1.0 and 1.1 are known to be susceptible to attacks such as BEAST and POODLE, and to have other Common Vulnerabilities and Exposures (CVE) weaknesses. They also don't support the modern encryption methods and cipher suites recommended by Payment Card Industry (PCI) compliance standards. This [TLS security blog](https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/) explains some of these vulnerabilities in more detail.

-As a part of this effort, we'll be making the following changes to Azure Cache for Redis:

-* **Phase 1:** We'll configure the default minimum TLS version to be 1.2 for newly created cache instances (previously, it was TLS 1.0). Existing cache instances won't be updated at this point. You can still use the Azure portal or other management APIs to [change the minimum TLS version](cache-configure.md#access-ports) to 1.0 or 1.1 for backward compatibility.

-* **Phase 2:** We'll stop supporting TLS 1.1 and TLS 1.0. After this change, your application must use TLS 1.2 or later to communicate with your cache. The Azure Cache for Redis service is expected to be available while we migrate it to support only TLS 1.2 or later.

- > [!WARNING]

- > Phase 2 is postponed because of COVID-19. We strongly recommend that you begin planning for this change now and proactively update clients to support TLS 1.2 or later.

- >

- > The content in this article does not apply to Azure Cache for Redis Enterprise/Enterprise Flash as the Enterprise tiers support TLS 1.2 only.

-As part of this change, we'll also remove support for older cypher suites that aren't secure. Our supported cypher suites are restricted to the following suites when the cache is configured with a minimum of TLS 1.2:

-* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384

-* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256

-This article provides general guidance about how to detect dependencies on these earlier TLS versions and remove them from your application.

-The dates when these changes take effect are:

-| Cloud | Phase 1 Start Date | Phase 2 Start Date |

-|-|--|-|

-| Azure (global) | January 13, 2020 | Postponed because of COVID-19 |

-| Azure Government | March 13, 2020 | Postponed because of COVID-19 |

-| Azure Germany | March 13, 2020 | Postponed because of COVID-19 |

-| Microsoft Azure operated by 21Vianet | March 13, 2020 | Postponed because of COVID-19 |

-> [!NOTE]

-> Phase 2 is postponed because of COVID-19. This article will be updated when specific dates are set.

->

-You can find out whether your application works with TLS 1.2 by setting the **Minimum TLS version** value to TLS 1.2 on a test or staging cache, then running tests. The **Minimum TLS version** setting is in the [Advanced settings](cache-configure.md#advanced-settings) of your cache instance in the Azure portal. If the application continues to function as expected after this change, it's probably compliant. You might need to configure the Redis client library used by your application to enable TLS 1.2 to connect to Azure Cache for Redis.

-* **StackExchange.Redis:** Set `ssl=true` and `sslProtocols=tls12` in the connection string.

-* **ServiceStack.Redis:** Follow the [ServiceStack.Redis](https://github.com/ServiceStack/ServiceStack.Redis#servicestackredis-ssl-support) instructions and requires ServiceStack.Redis v5.6 at a minimum.

-Redis .NET Core clients default to the OS default TLS version, which depends on the OS itself.

-``` Java

-The Lettuce and Redisson clients don't yet support specifying the TLS version. They'll break if the cache accepts only TLS 1.2 connections. Fixes for these clients are being reviewed, so check with those packages for an updated version with this support.

-

-* Versions earlier than PHP 7: Predis supports only TLS 1.0. These versions don't work with TLS 1.2; you must upgrade to use TLS 1.2.

-

-* PHP 7.0 to PHP 7.2.1: Predis uses only TLS 1.0 or 1.1 by default. You can use the following workaround to use TLS 1.2. Specify TLS 1.2 when you create the client instance:

-* PHP 7.3 and later versions: Predis uses the latest TLS version.

-Azure Active Directory for authentication and role-based access control are available across regions that support Azure Cache for Redis.

-A new metric is available to track the worst-case latency of server-side commands in Azure Cache for Redis instances. Latency is measured by using `PING` commands and tracking response times. This metric can be used to track the health of your cache instance and to see if long-running commands are compromising latency performance.

-+ [Node.js](https://nodejs.org/) version 18 or 16.

- The [az functionapp create](/cli/azure/functionapp#az-functionapp-create) command creates the function app in Azure. It's recommended that you use the latest version of Node.js, which is currently 18. You can specify the version by setting `--runtime-version` to `18`.

- The [New-AzFunctionApp](/powershell/module/az.functions/new-azfunctionapp) cmdlet creates the function app in Azure. It's recommended that you use the latest version of Node.js, which is currently 18. You can specify the version by setting `--runtime-version` to `18`.

-The extension can be used with the following languages, which are supported by the Azure Functions runtime starting with version 2.x:

-* [C# compiled](functions-dotnet-class-library.md)

-* [C# script](functions-reference-csharp.md)^*

-* [JavaScript](functions-reference-node.md?tabs=javascript)

-* [Java](functions-reference-java.md)

-* [PowerShell](functions-reference-powershell.md)

-* [Python](functions-reference-python.md)

-* [TypeScript](functions-reference-node.md?tabs=typescript)

-^*Requires that you [set C# script as your default project language](#c-script-projects).

-In this article, examples are currently available only for JavaScript (Node.js) and C# class library functions.

-This article provides details about how to use the Azure Functions extension to develop functions and publish them to Azure. Before you read this article, you should [create your first function by using Visual Studio Code](./create-first-function-vs-code-csharp.md).

-# [C\#](#tab/csharp)

-* The [Azure Functions Core Tools](functions-run-local.md#install-the-azure-functions-core-tools) version 2.x or later. The Core Tools package is downloaded and installed automatically when you start the project locally. Core Tools includes the entire Azure Functions runtime, so download and installation might take some time.

-* The [C# extension](https://marketplace.visualstudio.com/items?itemName=ms-dotnettools.csharp) for Visual Studio Code.

-* [.NET Core CLI tools](/dotnet/core/tools/?tabs=netcore2x).

-# [Java](#tab/java)

-* The [Azure Functions Core Tools](functions-run-local.md#install-the-azure-functions-core-tools) version 2.x or later. The Core Tools package is downloaded and installed automatically when you start the project locally. Core Tools includes the entire Azure Functions runtime, so download and installation might take some time.

-* [Debugger for Java extension](https://marketplace.visualstudio.com/items?itemName=vscjava.vscode-java-debug).

-* [Java](/azure/developer/jav#java-versions).

-* [Maven 3 or later](https://maven.apache.org/).

-# [JavaScript](#tab/nodejs)

-* The [Azure Functions Core Tools](functions-run-local.md#install-the-azure-functions-core-tools) version 2.x or later. The Core Tools package is downloaded and installed automatically when you start the project locally. Core Tools includes the entire Azure Functions runtime, so download and installation might take some time.

-* [Node.js](https://nodejs.org/), one of the [supported versions](functions-reference-node.md#node-version). Use the `node --version` command to check your version.

-# [PowerShell](#tab/powershell)

-* The [Azure Functions Core Tools](functions-run-local.md#install-the-azure-functions-core-tools) version 2.x or later. The Core Tools package is downloaded and installed automatically when you start the project locally. Core Tools include the entire Azure Functions runtime, so download and installation might take some time.

-* [PowerShell 7.2](/powershell/scripting/install/installing-powershell-core-on-windows) recommended. For version information, see [PowerShell versions](functions-reference-powershell.md#powershell-versions).

-* [.NET 6.0 runtime](https://dotnet.microsoft.com/download).

-* The [PowerShell extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=ms-vscode.PowerShell).

-# [Python](#tab/python)

-* The [Azure Functions Core Tools](functions-run-local.md#install-the-azure-functions-core-tools) version 2.x or later. The Core Tools package is downloaded and installed automatically when you start the project locally. Core Tools include the entire Azure Functions runtime, so download and installation might take some time.

-* [Python](https://www.python.org/downloads/), one of the [supported versions](functions-reference-python.md#python-version).

-* [Python extension](https://marketplace.visualstudio.com/items?itemName=ms-python.python) for Visual Studio Code.

- :::image type="content" source="./media/functions-develop-vs-code/new-function-created.png" alt-text="Screenshot for H T T P-triggered function template in Visual Studio Code.":::

-# [C\#](#tab/csharp)

-* [HttpExample.cs class library file](functions-dotnet-class-library.md#functions-class-library-project) that implements the function.

-# [Java](#tab/java)

-* A pom.xml file in the root folder that defines the project and deployment parameters, including project dependencies and the [Java version](functions-reference-java.md#java-versions). The pom.xml also contains information about the Azure resources that are created during a deployment.

-* A [Functions.java file](functions-reference-java.md#triggers-and-annotations) in your src path that implements the function.

-# [JavaScript](#tab/nodejs)

-* A package.json file in the root folder.

-* An HttpExample folder that contains the [function.json definition file](functions-reference-node.md#folder-structure) and the [index.js file](functions-reference-node.md#exporting-a-function), a Node.js file that contains the function code.

-# [PowerShell](#tab/powershell)

-* An HttpExample folder that contains the [function.json definition file](functions-reference-powershell.md#folder-structure) and the run.ps1 file, which contains the function code.

-# [Python](#tab/python)

-* A project-level requirements.txt file that lists packages required by Functions.

-* An HttpExample folder that contains the [function.json definition file](functions-reference-python.md#folder-structure) and the \_\_init\_\_.py file, which contains the function code.

-At this point, you can [add input and output bindings](#add-input-and-output-bindings) to your function.

-You can also [add a new function to your project](#add-a-function-to-your-project).

-## Install binding extensions

-Except for HTTP and timer triggers, bindings are implemented in extension packages. You must install the extension packages for the triggers and bindings that need them. The process for installing binding extensions depends on your project's language.

-# [C\#](#tab/csharp)

-Run the [dotnet add package](/dotnet/core/tools/dotnet-add-package) command in the Terminal window to install the extension packages that you need in your project. The following example demonstrates how you add a binding for an [in-process class library](functions-dotnet-class-library.md):

-```terminal

-dotnet add package Microsoft.Azure.WebJobs.Extensions.<BINDING_TYPE_NAME> --version <TARGET_VERSION>

-```

-The following example demonstrates how you add a binding for an [isolated-process class library](dotnet-isolated-process-guide.md):

-```terminal

-dotnet add package Microsoft.Azure.Functions.Worker.Extensions.<BINDING_TYPE_NAME> --version <TARGET_VERSION>

-```

-In either case, replace `<BINDING_TYPE_NAME>` with the name of the package that contains the binding you need. You can find the desired binding reference article in the [list of supported bindings](./functions-triggers-bindings.md#supported-bindings).

-Replace `<TARGET_VERSION>` in the example with a specific version of the package, such as `3.0.0-beta5`. Valid versions are listed on the individual package pages at [NuGet.org](https://nuget.org). The major versions that correspond to Functions runtime 1.x or 2.x are specified in the reference article for the binding.

-# [Java](#tab/java)

-# [JavaScript](#tab/nodejs)

-# [PowerShell](#tab/powershell)

-# [Python](#tab/python)

-The results of this action depend on your project's language:

-# [C\#](#tab/csharp)

-A new C# class library (.cs) file is added to your project.

-# [Java](#tab/java)

-A new Java (.java) file is added to your project.

-# [JavaScript](#tab/nodejs)

-# [PowerShell](#tab/powershell)

-A new folder is created in the project. The folder contains a new function.json file and the new PowerShell code file.

-# [Python](#tab/python)

-The results depend on the Python programming model. For more information, see the [Azure Functions Python developer guide](./functions-reference-python.md).

-**Python v1**: A new folder is created in the project. The folder contains a new function.json file and the new Python code file.

-**Python v2**: New function code is added either to the default function_app.py file or to another Python file you selected.

-## <a name="add-input-and-output-bindings"></a>Connect to services

-You can connect your function to other Azure services by adding input and output bindings. Bindings connect your function to other services without you having to write the connection code. The process for adding bindings depends on your project's language. To learn more about bindings, see [Azure Functions triggers and bindings concepts](functions-triggers-bindings.md).

-The following examples connect to a storage queue named `outqueue`, where the connection string for the storage account is set in the `MyStorageConnection` application setting in local.settings.json.

-# [C\#](#tab/csharp)

-Update the function method to add the following parameter to the `Run` method definition:

-The `msg` parameter is an `ICollector<T>` type, which represents a collection of messages that are written to an output binding when the function completes. The following code adds a message to the collection:

- Messages are sent to the queue when the function completes.

-To learn more, see the [Queue storage output binding reference article](functions-bindings-storage-queue-output.md?tabs=csharp) documentation. To learn more in general about which bindings can be added to a function, see [Add bindings to an existing function in Azure Functions](add-bindings-existing-function.md?tabs=csharp).

-# [Java](#tab/java)

-Update the function method to add the following parameter to the `Run` method definition:

-The `msg` parameter is an `OutputBinding<T>` type, where `T` is a string that is written to an output binding when the function completes. The following code sets the message in the output binding:

-This message is sent to the queue when the function completes.

-To learn more, see the [Queue storage output binding reference article](functions-bindings-storage-queue-output.md?tabs=java) documentation. To learn more in general about which bindings can be added to a function, see [Add bindings to an existing function in Azure Functions](add-bindings-existing-function.md?tabs=java).

-# [JavaScript](#tab/nodejs)

-In your function code, the `msg` binding is accessed from the `context`, as in this example:

-This message is sent to the queue when the function completes.

-To learn more, see the [Queue storage output binding reference article](functions-bindings-storage-queue-output.md?tabs=javascript) documentation. To learn more in general about which bindings can be added to a function, see [Add bindings to an existing function in Azure Functions](add-bindings-existing-function.md?tabs=javascript).

-# [PowerShell](#tab/powershell)

-This message is sent to the queue when the function completes.

-To learn more, see the [Queue storage output binding reference article](functions-bindings-storage-queue-output.md?tabs=powershell) documentation. To learn more in general about which bindings can be added to a function, see [Add bindings to an existing function in Azure Functions](add-bindings-existing-function.md?tabs=powershell).

-# [Python](#tab/python)

-Update the `Main` definition to add an output parameter `msg: func.Out[func.QueueMessage]` so that the definition looks like the following example:

-The following code adds string data from the request to the output queue:

-This message is sent to the queue when the function completes.

-To learn more, see the [Queue storage output binding reference article](functions-bindings-storage-queue-output.md?tabs=python) documentation. To learn more in general about which bindings can be added to a function, see [Add bindings to an existing function in Azure Functions](add-bindings-existing-function.md?tabs=python).

-When you create a function app in Azure, you can choose either a quick function app create path using defaults or an advanced path. This way you'll have more control over the remote resources created.

-Running functions locally doesn't require using keys.

-The function application settings values can also be read in your code as environment variables. For more information, see the Environment variables sections of these language-specific reference articles:

-* [C# precompiled](functions-dotnet-class-library.md#environment-variables)

-* [C# script (.csx)](functions-reference-csharp.md#environment-variables)

-* [Java](functions-reference-java.md#environment-variables)

-* [JavaScript](functions-reference-node.md#environment-variables)

-* [PowerShell](functions-reference-powershell.md#environment-variables)

-* [Python](functions-reference-python.md#environment-variables)

-To learn more, see [Streaming logs](functions-monitoring.md#streaming-logs).

-> [!NOTE]

-> Streaming logs support only a single instance of the Functions host. When your function is scaled to multiple instances, data from other instances isn't shown in the log stream. [Live Metrics Stream](../azure-monitor/app/live-stream.md) in Application Insights does support multiple instances. While also in near-real time, streaming analytics is based on [sampled data](configure-monitoring.md#configure-sampling).

-We recommend that you monitor the execution of your functions by integrating your function app with Application Insights. When you create a function app in the Azure portal, this integration occurs by default. When you create your function app during Visual Studio publishing, you need to integrate Application Insights yourself. To learn how, see [Enable Application Insights integration](configure-monitoring.md#enable-application-insights-integration).

-| **Encrypt settings** | Encrypts individual items in the `Values` array in the [local settings](#local-settings). In this file, `IsEncrypted` is also set to `true`, which specifies that the local runtime will decrypt settings before using them. Encrypt local settings to reduce the risk of leaking valuable information. In Azure, application settings are always stored encrypted. |

-* Shared assemblies are shared across all functions within a function app. To reference a custom assembly, upload the assembly to a folder named `bin` in your [function app root folder](functions-reference.md#folder-structure) (wwwroot).

-| 4.x | Preview | 4.16+ | 18.x | Supports a flexible file structure and code-centric approach to triggers and bindings. |

-| 3.x | GA | 4.x | 18.x, 16.x, 14.x | Requires a specific file structure with your triggers and bindings declared in a "function.json" file |

-In Azure Functions, specific functions share a few core technical concepts and components, regardless of the language or binding you use. Before you jump into learning details specific to a given language or binding, be sure to read through this overview that applies to all of them.

-## Function code

-A *function* is the primary concept in Azure Functions. A function contains two important pieces - your code, which can be written in various languages, and some config, the function.json file. For compiled languages, this config file is generated automatically from annotations in your code. For scripting languages, you must provide the config file yourself.

-The function.json file defines the function's trigger, bindings, and other configuration settings. Every function has one and only one trigger. The runtime uses this config file to determine the events to monitor and how to pass data into and return data from a function execution. The following is an example function.json file.

-```json

-{

- "disabled":false,

- "bindings":[

- // ... bindings here

- {

- "type": "bindingType",

- "direction": "in",

- "name": "myParamName",

- // ... more depending on binding

- }

- ]

-}

-```

-For more information, see [Azure Functions triggers and bindings concepts](functions-triggers-bindings.md).

-The `bindings` property is where you configure both triggers and bindings. Each binding shares a few common settings and some settings, which are specific to a particular type of binding. Every binding requires the following settings:

-| Property | Values | Type | Comments|

-|||||

-| type | Name of binding.<br><br>For example, `queueTrigger`. | string | |

-| direction | `in`, `out` | string | Indicates whether the binding is for receiving data into the function or sending data from the function. |

-| name | Function identifier.<br><br>For example, `myQueue`. | string | The name that is used for the bound data in the function. For C#, this is an argument name; for JavaScript, it's the key in a key/value list. |

-## Function app

-A function app provides an execution context in Azure in which your functions run. As such, it's the unit of deployment and management for your functions. A function app is composed of one or more individual functions that are managed, deployed, and scaled together. All of the functions in a function app share the same pricing plan, deployment method, and runtime version. Think of a function app as a way to organize and collectively manage your functions. To learn more, see [How to manage a function app](functions-how-to-use-azure-function-app-settings.md).

-> [!NOTE]

-> All functions in a function app must be authored in the same language. In [previous versions](functions-versions.md) of the Azure Functions runtime, this wasn't required.

-## Folder structure

-The above is the default (and recommended) folder structure for a Function app. If you wish to change the file location of a function's code, modify the `scriptFile` section of the _function.json_ file. We also recommend using [package deployment](deployment-zip-push.md) to deploy your project to your function app in Azure. You can also use existing tools like [continuous integration and deployment](functions-continuous-deployment.md) and Azure DevOps.

-> [!NOTE]

-> If deploying a package manually, make sure to deploy your _host.json_ file and function folders directly to the `wwwroot` folder. Do not include the `wwwroot` folder in your deployments. Otherwise, you end up with `wwwroot\wwwroot` folders.

-#### Use local tools and publishing

-Function apps can be authored and published using a variety of tools, including [Visual Studio](./functions-develop-vs.md), [Visual Studio Code](./create-first-function-vs-code-csharp.md), [IntelliJ](./functions-create-maven-intellij.md), [Eclipse](./functions-create-maven-eclipse.md), and the [Azure Functions Core Tools](./functions-develop-local.md). For more information, see [Code and test Azure Functions locally](./functions-develop-local.md).

-<!--NOTE: I've removed documentation on FTP, because it does not sync triggers on the consumption plan --glenga -->

-## <a id="fileupdate"></a> How to edit functions in the Azure portal

-The Functions editor built into the Azure portal lets you update your code and your *function.json* file directly inline. This is recommended only for small changes or proofs of concept - best practice is to use a local development tool like VS Code.

-## Parallel execution

-When multiple triggering events occur faster than a single-threaded function runtime can process them, the runtime may invoke the function multiple times in parallel. If a function app is using the [Consumption hosting plan](event-driven-scaling.md), the function app could scale out automatically. Each instance of the function app, whether the app runs on the Consumption hosting plan or a regular [App Service hosting plan](../app-service/overview-hosting-plans.md), might process concurrent function invocations in parallel using multiple threads. The maximum number of concurrent function invocations in each function app instance varies based on the type of trigger being used as well as the resources used by other functions within the function app.

-## Functions runtime versioning

-You can configure the version of the Functions runtime using the `FUNCTIONS_EXTENSION_VERSION` app setting. For example, the value "~4" indicates that your function app uses 4.x as its major version. Function apps are upgraded to each new minor version as they're released. For more information, including how to view the exact version of your function app, see [How to target Azure Functions runtime versions](set-runtime-version.md).

-## Repositories

-The code for Azure Functions is open source and stored in GitHub repositories:

-* [Azure Functions](https://github.com/Azure/Azure-Functions)

-* [Azure Functions host](https://github.com/Azure/azure-functions-host/)

-* [Azure Functions portal](https://github.com/azure/azure-functions-ux)

-* [Azure Functions templates](https://github.com/azure/azure-functions-templates)

-* [Azure WebJobs SDK](https://github.com/Azure/azure-webjobs-sdk/)

-* [Azure WebJobs SDK Extensions](https://github.com/Azure/azure-webjobs-sdk-extensions/)

-## Bindings

-Here's a table of all supported bindings.

-Having issues with errors coming from the bindings? Review the [Azure Functions Binding Error Codes](functions-bindings-error-pages.md) documentation.

-Your function project references connection information by name from its configuration provider. It doesn't directly accept the connection details, allowing them to be changed across environments. For example, a trigger definition might include a `connection` property. This might refer to a connection string, but you can't set the connection string directly in a `function.json`. Instead, you would set `connection` to the name of an environment variable that contains the connection string.

-The default configuration provider uses environment variables. These might be set by [Application Settings](./functions-how-to-use-azure-function-app-settings.md?tabs=portal#settings) when running in the Azure Functions service, or from the [local settings file](functions-develop-local.md#local-settings-file) when developing locally.

-When the connection name resolves to a single exact value, the runtime identifies the value as a _connection string_, which typically includes a secret. The details of a connection string are defined by the service to which you wish to connect.

-Choose a tab below to learn about permissions for each component:

-| Client ID | `<CONNECTION_NAME_PREFIX>__clientId` | When `credential` is set to `managedidentity`, this property can be set to specify the user-assigned identity to be used when obtaining a token. The property accepts a client ID corresponding to a user-assigned identity assigned to the application. It is invalid to specify both a Resource ID and a client ID. If not specified, the system-assigned identity is used. This property is used differently in [local development scenarios](#local-development-with-identity-based-connections), when `credential` shouldn't be set. |

-Additional options may be supported for a given connection type. Refer to the documentation for the component making the connection.

-> Local development with identity-based connections requires updated versions of the [Azure Functions Core Tools](./functions-run-local.md). You can check your currently installed version by running `func -v`. For Functions v3, use version `3.0.3904` or later. For Functions v4, use version `4.0.3904` or later.

-In some cases, you may wish to specify use of a different identity. You can add configuration properties for the connection that point to the alternate identity based on a client ID and client Secret for an Azure Active Directory service principal. **This configuration option is not supported when hosted in the Azure Functions service.** To use an ID and secret on your local machine, define the connection with the following additional properties:

-The Azure Functions host uses the `AzureWebJobsStorage` connection for core behaviors such as coordinating singleton execution of timer triggers and default app key storage. This can be configured to use an identity as well.

-If you're configuring `AzureWebJobsStorage` using a storage account that uses the default DNS suffix and service name for global Azure, following the `https://<accountName>.blob/queue/file/table.core.windows.net` format, you can instead set `AzureWebJobsStorage__accountName` to the name of your storage account. The endpoints for each storage service will be inferred for this account. This won't work if the storage account is in a sovereign cloud or has a custom DNS.

-* [Azure Functions triggers and bindings](functions-triggers-bindings.md)

-* [Code and test Azure Functions locally](./functions-develop-local.md)

-* [Best Practices for Azure Functions](functions-best-practices.md)

-* [Azure Functions C# developer reference](functions-dotnet-class-library.md)

-* [Azure Functions Node.js developer reference](functions-reference-node.md)

-<a name="top"></a>Azure Functions currently supports several versions of the runtime host. The following table details the available versions, their support level, and when they should be used:

-| 3.x | GA^* | Reached the end of life (EOL) for extended support on December 13, 2022. We highly recommend you [migrate your apps to version 4.x](migrate-version-3-version-4.md) for full support. |

-| 2.x | GA^* | Reached the end of life (EOL) on December 13, 2022. We highly recommend you [migrate your apps to version 4.x](migrate-version-3-version-4.md) for full support. |

-^*For a detailed support statement about end-of-life versions, see [this migration article](migrate-version-3-version-4.md).

-This article details some of the differences between these versions, how you can create each version, and how to change the version on which your functions run.

-All functions in a function app must share the same language. You chose the language of functions in your function app when you create the app. The language of your function app is maintained in the [FUNCTIONS\_WORKER\_RUNTIME](functions-app-settings.md#functions_worker_runtime) setting, and shouldn't be changed when there are existing functions.

-The following table indicates which programming languages are currently supported in each runtime version.

-In Visual Studio, you select the runtime version when you create a project. Azure Functions tools for Visual Studio supports the three major runtime versions. The correct version is used when debugging and publishing based on project settings. The version settings are defined in the `.csproj` file in the following properties:

-# [Version 3.x](#tab/v3)

-Reached the end of life (EOL) on December 13, 2022. We highly recommend you [migrating your apps to version 4.x](migrate-version-3-version-4.md) for full support.

-# [Version 2.x](#tab/v2)

-Reached the end of life (EOL) on December 13, 2022. We highly recommend you [migrating your apps to version 4.x](migrate-version-3-version-4.md) for full support.

-### VS Code and Azure Functions Core Tools

-Azure Functions runtime is built around various components, including operating systems, the Azure Functions host, and language-specific workers. To maintain full-support coverages for function apps, Functions support aligns with end-of-life support for a given language. To achieve this, Functions implements a phased reduction in support as programming language versions reach their end-of-life dates. For most language versions, the retirement date coincides with the community end-of-life date.

-We'll send notification emails to function app users about upcoming language version retirements. The notifications will be at least one year before the date of retirement. Upon the notification, you should prepare to upgrade the language version that your functions apps use to a supported version.

-After the language end-of-life date, function apps that use retired language versions can still be created and deployed, and they continue to run on the platform. However your apps won't be eligible for new features, security patches, and performance optimizations until you upgrade them to a supported language version.

-There are few exceptions to the retirement policy outlined above. Here is a list of languages that are approaching or have reached their end-of-life (EOL) dates but continue to be supported on the platform until further notice. When these languages versions reach their end-of-life dates, they are no longer updated or patched. Because of this, we discourage you from developing and running your function apps on these language versions.

-# <a name="top"></a>Migrate apps from Azure Functions version 3.x to version 4.x

-> As of December 13, 2022, function apps running on versions 2.x and 3.x of the Azure Functions runtime have reached the end of life (EOL) of extended support.

->

-> Apps using versions 2.x and 3.x can still be created and deployed from your CI/CD DevOps pipeline, and all existing apps continue to run without breaking changes. However, your apps are not eligible for new features, security patches, and performance optimizations. You'll only get related service support once you upgrade them to version 4.x.

->

-> End of support for these older runtime versions is due to the end of support for .NET Core 3.1, which they had as a core dependency. This requirement affects all [languages supported by Azure Functions](supported-languages.md).

->

-> We highly recommend that you migrate your function apps to version 4.x of the Functions runtime by following this article.

-* **Built-in log streaming**: the App Service platform lets you view a stream of your application log files. This is equivalent to the output seen when you debug your functions during [local development](functions-develop-local.md) and when you use the **Test** tab in the portal. All log-based information is displayed. For more information, see [Stream logs](../app-service/troubleshoot-diagnostic-logs.md#stream-logs). This streaming method supports only a single instance, and can't be used with an app running on Linux in a Consumption plan.

-description: Learn which languages are supported (GA) and which are in preview, and ways to extend Functions development to other languages.

-This article explains the levels of support offered for languages that you can use with Azure Functions. It also describes strategies for creating functions using languages not natively supported.

-[Several versions of the Azure Functions runtime](functions-versions.md) are available. The following table shows which languages are supported in each runtime version.

->

-## Next steps

-To learn more about how to develop functions in the supported languages, see the following resources:

-+ [C# class library developer reference](functions-dotnet-class-library.md)

-+ [C# script developer reference](functions-reference-csharp.md)

-+ [Java developer reference](functions-reference-java.md)

-+ [JavaScript developer reference](functions-reference-node.md?tabs=javascript)

-+ [PowerShell developer reference](functions-reference-powershell.md)

-+ [Python developer reference](functions-reference-python.md)

-+ [TypeScript developer reference](functions-reference-node.md?tabs=typescript)

- |Override query time range| If you want the alert evaluation period to be different than the query time range, enter a time range here.<br> The alert time range is limited to a maximum of two days. Even if the query contains an **ago** command with a time range of longer than two days, the two-day maximum time range is applied. For example, even if the query text contains **ago(7d)**, the query only scans up to two days of data.<br> If the query requires more data than the alert evaluation you can change the time range manually.

-If the query contains **ago** command in the query, it will be cahnged automatically to 2 days (48 hours).|

-Within the profiler user interface (see [profiler settings](../profiler/profiler-settings.md)) there's a **Profile now** button. Selecting this button will immediately request a profile in all agents that are attached to the Application Insights instance.

-In this scenario, a profile will occur in the following circumstances:

-SLA triggers are based on OpenTelemetry (otel) and they will initiate a profile if certain criteria is fulfilled.

-The following steps will guide you through enabling the profiling component on the agent and configuring resource limits that will trigger a profile if breached.

-1. Configure the resource thresholds that will cause a profile to be collected:

-After these steps have been completed, the agent will monitor the resource usage of your process and trigger a profile when the threshold is exceeded. When a profile has been triggered and completed, it will be viewable from the

-`memoryTriggeredSettings` This configuration will be used if a memory profile is requested. This value can be one of:

-`cpuTriggeredSettings` This configuration will be used if a cpu profile is requested.

-`manualTriggeredSettings` This configuration will be used if a manual profile is requested.

-This article provides examples of telemetry processors in Application Insights for Java. You'll find samples for include and exclude configurations. You'll also find samples for attribute processors and span processors.

-This section shows how to include spans for an attribute processor. Spans that don't match the properties aren't processed by the processor.

-This section demonstrates how to exclude spans for an attribute processor. Spans that match the properties aren't processed by this processor.

-This section demonstrates how to exclude spans for an attribute processor. Spans that match the properties aren't processed by this processor.

-Let's assume the input log message body is `User account with userId 123456xx failed to login`. The log processor updates output message body to `User account with userId {redactedUserId} failed to login` and the attribute processor deletes the new attribute `redactedUserId` which was adding in the previous step.

- const { ApplicationInsightsClient, ApplicationInsightsConfig } = require("applicationinsights");

- const appInsights = new ApplicationInsightsClient(new ApplicationInsightsConfig());

- const traceHandler = appInsights.getTraceHandler();

- traceHandler.addInstrumentation(new ExpressInstrumentation());

- const { ApplicationInsightsClient, ApplicationInsightsConfig } = require("applicationinsights");

- const appInsights = new ApplicationInsightsClient(new ApplicationInsightsConfig());

- const customMetricsHandler = appInsights.getMetricHandler().getCustomMetricsHandler();

- const meter = customMetricsHandler.getMeter();

- const { ApplicationInsightsClient, ApplicationInsightsConfig } = require("applicationinsights");

- const appInsights = new ApplicationInsightsClient(new ApplicationInsightsConfig());

- const customMetricsHandler = appInsights.getMetricHandler().getCustomMetricsHandler();

- const meter = customMetricsHandler.getMeter();

- const { ApplicationInsightsClient, ApplicationInsightsConfig } = require("applicationinsights");

- const appInsights = new ApplicationInsightsClient(new ApplicationInsightsConfig());

- const customMetricsHandler = appInsights.getMetricHandler().getCustomMetricsHandler();

- const meter = customMetricsHandler.getMeter();

-const { ApplicationInsightsClient, ApplicationInsightsConfig } = require("applicationinsights");

-const appInsights = new ApplicationInsightsClient(new ApplicationInsightsConfig());

-const tracer = appInsights.getTraceHandler().getTracer();

-let span = tracer.startSpan("hello");

-try{

- throw new Error("Test Error");

-}

-catch(error){

- span.recordException(error);

-}

-const { ApplicationInsightsClient, ApplicationInsightsConfig } = require("applicationinsights");

-const appInsights = new ApplicationInsightsClient(new ApplicationInsightsConfig());

-const tracer = appInsights.getTraceHandler().getTracer();

-let span = tracer.startSpan("hello");

-span.end();

-First, get the `LogHandler`:

-const { ApplicationInsightsClient, ApplicationInsightsConfig } = require("applicationinsights");

-const appInsights = new ApplicationInsightsClient(new ApplicationInsightsConfig());

-const logHandler = appInsights.getLogHandler();

-Then use the `LogHandler` to send custom telemetry:

-let eventTelemetry = {

- name: "testEvent"

-};

-logHandler.trackEvent(eventTelemetry);

-let traceTelemetry = {

- message: "testMessage",

- severity: "Information"

-};

-logHandler.trackTrace(traceTelemetry);

-try {

- ...

-} catch (error) {

- let exceptionTelemetry = {

- exception: error,

- severity: "Critical"

- };

- logHandler.trackException(exceptionTelemetry);

-}

-const { ApplicationInsightsClient, ApplicationInsightsConfig } = require("applicationinsights");

-const { ReadableSpan, Span, SpanProcessor } = require("@opentelemetry/sdk-trace-base");

-const { SemanticAttributes } = require("@opentelemetry/semantic-conventions");

-const appInsights = new ApplicationInsightsClient(new ApplicationInsightsConfig());

-class SpanEnrichingProcessor implements SpanProcessor{

- forceFlush(): Promise<void>{

- return Promise.resolve();

- }

- shutdown(): Promise<void>{

- return Promise.resolve();

- }

- onStart(_span: Span): void{}

- onEnd(span: ReadableSpan){

- span.attributes["CustomDimension1"] = "value1";

- span.attributes["CustomDimension2"] = "value2";

-}

-appInsights.getTraceHandler().addSpanProcessor(new SpanEnrichingProcessor());

-const { SemanticAttributes } = require("@opentelemetry/semantic-conventions");

-class SpanEnrichingProcessor implements SpanProcessor{

- ...

- onEnd(span){

- span.attributes[SemanticAttributes.HTTP_CLIENT_IP] = "<IP Address>";

-}

-import { SemanticAttributes } from "@opentelemetry/semantic-conventions";

-class SpanEnrichingProcessor implements SpanProcessor{

- ...

- onEnd(span: ReadableSpan){

- span.attributes[SemanticAttributes.ENDUSER_ID] = "<User ID>";

-}

-```javascript

-const config = new ApplicationInsightsConfig();

-config.instrumentations.http = httpInstrumentationConfig;

-const appInsights = new ApplicationInsightsClient(config);

-const logHandler = appInsights.getLogHandler();

-const attributes = {

- "testAttribute1": "testValue1",

- "testAttribute2": "testValue2",

- "testAttribute3": "testValue3"

-};

-logHandler.trackEvent({

- name: "testEvent",

- properties: attributes

-});

- const { ApplicationInsightsClient, ApplicationInsightsConfig } = require("applicationinsights");

- const config = new ApplicationInsightsConfig();

- config.instrumentations.http = httpInstrumentationConfig;

- const appInsights = new ApplicationInsightsClient(config);

-You can set the connection string either programmatically or by setting the environment variable `APPLICATIONINSIGHTS_CONNECTION_STRING`. In the event that both have been set, the programmatic connection string will take precedence.

-You might want to update the [Cloud Role Name](app-map.md#understand-the-cloud-role-name-within-the-context-of-an-application-map) and the Cloud Role Instance from the default values to something that makes sense to your team. They'll appear on the Application Map as the name underneath a node.

-The OpenTelemetry API offers six metric "instruments" to cover various metric scenarios and you'll need to pick the correct "Aggregation Type" when visualizing metrics in Metrics Explorer. This requirement is true when using the OpenTelemetry Metric API to send metrics and when using an instrumentation library.

-You can populate the _user_Id_ or _user_AuthenticatedId_ field for requests by using the guidance below. User ID is an anonymous user identifier. Authenticated User ID is a known user identifier.

-description: Recommendations for deployment of Azure Monitor alerts and automated actions.

-# Deploy Azure Monitor: Alerts and automated actions

-This article is part of the scenario [Recommendations for configuring Azure Monitor](best-practices.md). It provides guidance on alerts in Azure Monitor. Alerts proactively notify you of important data or patterns identified in your monitoring data. You can view alerts in the Azure portal. You can create alerts that:

-## Alerting strategy

-An alerting strategy defines your organization's standards for:

-Defining an alert strategy assists you in defining the configuration of alert rules including alert severity and action groups.

-For factors to consider as you develop an alerting strategy, see [Successful alerting strategy](/azure/cloud-adoption-framework/manage/monitor/alerting#successful-alerting-strategy).

-## Alert rule types

-Alerts in Azure Monitor are created by alert rules that you must create. For guidance on recommended alert rules, see the monitoring documentation for each Azure service. Azure Monitor doesn't have any alert rules by default.

-Multiple types of alert rules are defined by the type of data they use. Each has different capabilities and a different cost. The basic strategy is to use the alert rule type with the lowest cost that provides the logic you require.

-## Alert severity

-Each alert rule defines the severity of the alerts that it creates based on the following table. Alerts in the Azure portal are grouped by level so that you can manage similar alerts together and quickly identify alerts that require the greatest urgency.

-| Level | Name | Description |

-|:|:|:|

-| Sev 0 | Critical | Loss of service or application availability or severe degradation of performance. Requires immediate attention. |

-| Sev 1 | Error | Degradation of performance or loss of availability of some aspect of an application or service. Requires attention but not immediate. |

-| Sev 2 | Warning | A problem that doesn't include any current loss in availability or performance, although it has the potential to lead to more severe problems if unaddressed. |

-| Sev 3 | Informational | Doesn't indicate a problem but provides interesting information to an operator, such as successful completion of a regular process. |

-| Sev 4 | Verbose | Doesn't indicate a problem but provides detailed information that is verbose.

-Assess the severity of the condition each rule is identifying to assign an appropriate level. Define the types of issues you assign to each severity level and your standard response to each in your alerts strategy.

-## Action groups

-Automated responses to alerts in Azure Monitor are defined in [action groups](alerts/action-groups.md). An action group is a collection of one or more notifications and actions that are fired when an alert is triggered. A single action group can be used with multiple alert rules and contain one or more of the following items:

-## Notifications

-Notifications are messages sent to one or more users to notify them that an alert has been created. Because a single action group can be used with multiple alert rules, you should design a set of action groups for different sets of administrators and users who will receive the same sets of alerts. Use any of the following types of notifications depending on the preferences of your operators and your organizational standards:

-## Actions

-Actions are automated responses to an alert. You can use the available actions for any scenario that they support, but the following sections describe how each action is typically used.

-### Automated remediation

-Use the following actions to attempt automated remediation of the issue identified by the alert:

-### ITSM and on-call management

-## Minimize alert activity

-You want to create alerts for any important information in your environment. But you don't want to create excessive alerts and notifications for issues that don't warrant them. To minimize your alert activity to ensure that critical issues are surfaced while you don't generate excess information and notifications for administrators, follow these guidelines:

-## Create alert rules at scale

-Typically, you'll want to alert on issues for all your critical Azure applications and resources. Use the following methods for creating alert rules at scale:

-> [!NOTE]

-> Resource-centric log query alert rules currently in public preview allow you to use all resources in a subscription or resource group as a target for a log query alert.

-## Next steps

-[Optimize cost in Azure Monitor](best-practices-cost.md)

-Azure Monitor cross-service queries support functions for Application Insights, Log Analytics, Azure Data Explorer, and Azure Resource Graph.

-| [InstallDependencyAgent-Windows.exe](https://aka.ms/dependencyagentwindows) | Windows | 9.10.16.22650 | BE537D4396625ADD93B8C1D5AF098AE9D9472D8A20B2682B32920C5517F1C041 |

-| [InstallDependencyAgent-Linux64.bin](https://aka.ms/dependencyagentlinux) | Linux | 9.10.16.22650 | FF86D821BA845833C9FE5F6D5C8A5F7A60617D3AD7D84C75143F3E244ABAAB74 |

- > Selecting the **Enable Continuous Availability** option alone does not automatically make the existing SMB sessions continuously available. After selecting the option, be sure to reboot the server for the change to take effect.

-1. Once you enable SMB Continuous Availability, reboot the server for the change to take effect.

-* Azure Active Directory authentication and custom ports and protocols aren't currently supported when connecting to a VM via native client.

-* UDR is not supported on Bastion subnet, including with IP-based connection.

- token=$(curl http://localhost:50342/oauth2/token --data "resource=https://management.azure.com/" -H Metadata:true -s | jq -r ".accessToken")

- $token= ((Invoke-WebRequest @parameters ).content | ConvertFrom-Json).accessToken

- TOKEN=$(az account get-access-token --resource "https://management.azure.com/" | jq -r ".accessToken")

-Azure Communication Services stores chat messages for 90 days. Chat thread participants can use `ListMessages` to view message history for a particular thread. However, the API does not return messages once the 90 day period has passed. Users that are removed from a chat thread are able to view previous message history for 90 days but cannot send or receive new messages. To learn more about data being stored in Azure Communication Services chat service, refer to the [data residency and privacy page](../privacy.md).

-Chat messages are stored for 90 days. Submit [a request to Azure Support](../../azure-portal/supportability/how-to-create-azure-support-request.md) if you require storage for longer time period. If the time period is less than 90 days for chat messages, use the delete chat thread APIs.

-No. Texting to a toll-free number from a short code is not supported. You also wont be able to receive a message from a toll-free number to a short code.

-Communication Services connections require internet connectivity to specific ports and IP addresses to deliver high-quality multimedia experiences. Without access to these ports and IP addresses, Communication Services can still work. The optimal experience is provided when the recommended ports and IP ranges are open.

-The diagram below will guide different offerings in this portfolio

-**Confidential VM worker nodes on AKS)** supporting full AKS features with node level VM based Trusted Execution Environment (TEE). Also support remote guest attestation. [Get started with CVM worker nodes with a lift and shift workload to CVM node pool.](../aks/use-cvm.md)

-**Unmodified containers with serverless offering** [confidential containers on Azure Container Instance (ACI)](./confidential-containers.md#vm-isolated-confidential-containers-on-azure-container-instances-acipublic-preview) supporting existing Linux containers with remote guest attestation flow.

-## VM Isolated Confidential containers on Azure Container Instances (ACI) - Public preview

- "offer": "UbuntuServer",

- "offer": "UbuntuServer",

-```java

-##### [JavaScript SDK v4](#tab/javascript-v4)

-String id = "f7da01b0-090b-41d2-8416-dacae09fbb4a";

-PartitionKey partitionKey = new PartitionKeyBuilder()

- .add("Microsoft") //TenantId

- .add("8411f20f-be3e-416a-a3e7-dcd5a3c1f28b") //UserId

- .add("0000-11-0000-1111") //SessionId

-

-Mono<CosmosItemResponse<UserSession>> readResponse = container.readItem(id, partitionKey, UserSession.class);

-> [!TIP]

-> Want to try the Azure Cosmos DB for MongoDB with no commitment? Create an Azure Cosmos DB account using [Try Azure Cosmos DB](../try-free.md) for free.

-| `path_to_property` | string | Path to the property that contains the vector. This path can be a top-level property or a dot notation path to the property. If a dot notation path is used, then all the nonleaf elements can't be arrays. |

-* Learn how to [generate embeddings using Azure OpenAI](../../../ai-services/openai/tutorials/embeddings.md)

- changeFeedStartFrom: ChangeFeedStartFrom.Beginning()

- >[!NOTE]

- > Export to storage accounts behind firewall is in preview.

- . Locate the alert titled **Malicious file uploaded to storage account**.

- 1. Select on the alertΓÇÖs **View full details** button to see all the related details.

- 1. Learn more about Defender for Storage security alerts in the [reference table for all security alerts in Microsoft Defender for Cloud](alerts-reference.md#alerts-azurestorage).

-# New Custom Recommendations for AWS and GCP in Defender for Cloud

-> [Understanding data aware security posture capability](episode-thirty-one.md)

-This new trigger is available today for some customers, and will be available to all customers by mid-September.

-To publish the function app to Azure, you'll need to create a storage account, then create the function app in Azure, and finally publish the functions to the Azure function app. This section completes these actions using the Azure CLI.

- az functionapp create --name <name-for-new-function-app> --storage-account <name-of-storage-account-from-previous-step> --functions-version 4 --consumption-plan-location <location> --runtime dotnet --runtime-version 6 --resource-group <resource-group>

- dotnet publish -c Release

- This command publishes the project to the *digital-twins-samples-main\AdtSampleApp\SampleFunctionsApp\bin\Release\netcoreapp3.1\publish* directory.

- 1. Using your preferred method, create a zip of the published files that are located in the *digital-twins-samples-main\AdtSampleApp\SampleFunctionsApp\bin\Release\netcoreapp3.1\publish* directory. Name the zipped folder *publish.zip*.

- >[!TIP]

- >If you're using PowerShell, you can create the zip by copying the full path to that *\publish* directory and pasting it into the following command:

- >

- >```powershell

- >Compress-Archive -Path <full-path-to-publish-directory>\* -DestinationPath .\publish.zip

- >```

- > The cmdlet will create the *publish.zip* file in the directory location of your console.

- Your *publish.zip* file should contain folders for *bin*, *ProcessDTRoutedData*, and *ProcessHubToDTEvents*, and there should also be a *host.json* file.

-#### Configure application settings

-Begin by getting the IoT hub connection string with this command:

-# Azure Event HubsΓÇöA big data streaming platform and event ingestion service

-Event Hubs represents the "front door" for an event pipeline, often called an **event ingestor** in solution architectures. An event ingestor is a component or service that sits between event publishers and event consumers to decouple the production of an event stream from the consumption of those events. Event Hubs provides a unified streaming platform with time retention buffer, decoupling event producers from event consumers.

-[Event Hubs for Apache Kafka ecosystems](azure-event-hubs-kafka-overview.md) furthermore enables [Apache Kafka (1.0 and later)](https://kafka.apache.org/) clients and applications to talk to Event Hubs. You don't need to set up, configure, and manage your own Kafka and Zookeeper clusters or use some Kafka-as-a-Service offering not native to Azure.

-[Azure Schema Registry](schema-registry-overview.md) in Event Hubs provides a centralized repository for managing schemas of events streaming applications. Azure Schema Registry comes free with every Event Hubs namespace, and it integrates seamlessly with you Kafka applications or Event Hubs SDK based applications.

-It ensures data compatibility and consistency across event producers and consumers, enabling seamless schema evolution, validation, and governance, and promoting efficient data exchange and interoperability.

-[Capture](event-hubs-capture-overview.md) your data in near-real time in an [Azure Blob storage](https://azure.microsoft.com/services/storage/blobs/) or [Azure Data Lake Storage](https://azure.microsoft.com/services/data-lake-store/) for long-term retention or micro-batch processing. You can achieve this behavior on the same stream you use for deriving real-time analytics. Setting up capture of event data is fast. There are no administrative costs to run it, and it scales automatically with Event Hubs [throughput units](event-hubs-scalability.md#throughput-units) or [processing units](event-hubs-scalability.md#processing-units). Event Hubs enables you to focus on data processing rather than on data capture.

-With Event Hubs, you can start with data streams in megabytes, and grow to gigabytes or terabytes. The [Auto-inflate](event-hubs-auto-inflate.md) feature is one of the many options available to scale the number of throughput units or processing units to meet your usage needs.

-Event Hubs **premium** caters to high-end streaming needs that require superior performance, better isolation with predictable latency and minimal interference in a managed multitenant PaaS environment. On top of all the features of the standard offering, the premium tier offers several extra features such as [dynamic partition scale up](dynamically-add-partitions.md), extended retention, and [customer-managed-keys](configure-customer-managed-key.md). For more information, see [Event Hubs Premium](event-hubs-premium-overview.md).

-| Event producers | Any entity that sends data to an event hub. Event publishers can publish events using HTTPS or AMQP 1.0 or Apache Kafka (1.0 and above). |

-| [Throughput units (standard tier)](event-hubs-scalability.md#throughput-units) or [processing units (premium tier)](event-hubs-scalability.md#processing-units) or [capacity units (dedicated)](event-hubs-dedicated-overview.md) | Pre-purchased units of capacity that control the throughput capacity of Event Hubs. |

-description: A quickstart to create a .NET Core application that sends events to Azure Event Hubs and then receive those events by using the Azure.Messaging.EventHubs package.

- The SAS URL must have READ permissions so the firewall can upload the file. If changes are made to the PAC file, a new SAS URL needs to be generated and configured on the firewall **Enable explicit proxy** page.

- HDInsight currently allocates quota to customer subscriptions at a regional level. The cores allocated to customers are generic and not classified at a VM family level (For example, Dv2, Ev3, Eav4, etc.).

- * log4j 1.x replaced with reload4j.

- * Mirror Maker2 improvements.

-* HDInsight has moved away from Azul Zulu Java JDK 8 to Adoptium Temurin JDK 8, which supports high-quality TCK certified runtimes, and associated technology for use across the Java ecosystem.

-* HDInsight has migrated to reload4j. The log4j changes are applicable to

-|[HIVE-24322](https://issues.apache.org/jira/browse/HIVE-24322)| If there's direct insert, the attempt ID has to be checked when reading the manifest fails|

-|[HIVE-25920](https://issues.apache.org/jira/browse/HIVE-25920)| Bump Xerce2 to 2.12.2.|

-1. Yarn logΓÇÖs CLI failed to retrieve the logs if any TFile is corrupt or empty.

-|Wrong FS Exception when warehouse and scratchdir are on different FS|[TEZ-4406](https://issues.apache.org/jira/browse/TEZ-4406)|

-1. Yarn logΓÇÖs CLI failed to retrieve the logs if any TFile is corrupt or empty.

-|Wrong FS Exception when warehouse and scratchdir are on different FS|[TEZ-4406](https://issues.apache.org/jira/browse/TEZ-4406)|

-|TableSnapshotInputFormat should use ReadType.STREAM for scanning HFiles |[HBASE-26273](https://issues.apache.org/jira/browse/HBASE-26273)|

-| Hive query with large size via knox fails with Broken pipe Write failed|[HIVE-22231](https://issues.apache.org/jira/browse/HIVE-22231)|

-| Remove expensive logging from the LLAP cache hotpath|[HIVE-22168](https://issues.apache.org/jira/browse/HIVE-22168)|

-| switch Hive UDFs to use Re2J regex engine|[HIVE-19661](https://issues.apache.org/jira/browse/HIVE-19661)|

-|Prevent LLAP shutdown on AMReporter related RuntimeException|[HIVE-22113](https://issues.apache.org/jira/browse/HIVE-22113)|

-| JDBC: HiveConnection shades log4j interfaces|[HIVE-18874](https://issues.apache.org/jira/browse/HIVE-18874)|

-| Update repo URLs in poms - branch 3.1 version|[HIVE-21786](https://issues.apache.org/jira/browse/HIVE-21786)|

-| DBInstall tests broken on master and branch-3.1|[HIVE-21758](https://issues.apache.org/jira/browse/HIVE-21758)|

-Other features include MirrorMaker 2 availability, new metric category AtMinIsr topic partition, Improved broker start-up time by lazy on demand mmap of index files, More consumer metrics to observe user poll behavior.

-| Upgrade log4j 2.16.0 to 2.17.0 | [HIVE-25825](https://issues.apache.org/jira/browse/HIVE-25825) |

-| Update Flatbuffer version | [HIVE-22827](https://issues.apache.org/jira/browse/HIVE-22827) |

-Starting from March 01, 2022, HDInsight will only support manual scale for HBase, there's no impact on running clusters. New HBase clusters won't be able to enable schedule based Autoscaling. For more information on how to  manually scale your HBase cluster, refer our documentation on [Manually scaling Azure HDInsight clusters](./hdinsight-scaling-best-practices.md)

-HDInsight 4.0 image has been updated to mitigate Log4j vulnerability as described in [MicrosoftΓÇÖs Response to CVE-2021-44228 Apache Log4j 2.](https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/)

-> * Any HDI 4.0 clusters created post 27 Dec 2021 00:00 UTC are created with an updated version of the image which mitigates the log4j vulnerabilities. Hence, customers need not patch/reboot these clusters.

-### Price Correction for HDInsight Dv2 Virtual Machines

-A pricing error was corrected on April 25, 2021, for the Dv2 VM series on HDInsight. The pricing error resulted in a reduced charge on some customer's bills prior to April 25, and with the correction, prices now match what had been advertised on the HDInsight pricing page and the HDInsight pricing calculator. The pricing error impacted customers in the following regions who used Dv2 VMs:

-Starting on April 25, 2021, the corrected amount for the Dv2 VMs will be on your account. Customer notifications were sent to subscription owners prior to the change. You can use the Pricing calculator, HDInsight pricing page, or the Create HDInsight cluster blade in the Azure portal to see the corrected costs for Dv2 VMs in your region.

-No other action is needed from you. The price correction will only apply for usage on or after April 25, 2021 in the specified regions, and not to any usage prior to this date. To ensure you have the most performant and cost-effective solution, we recommended that you review the pricing, VCPU, and RAM for your Dv2 clusters and compare the Dv2 specifications to the Ev3 VMs to see if your solution would benefit from utilizing one of the newer VM series.

-#### Eav4-series support

-HDInsight added Eav4-series support in this release.

-#### Default cluster VM sizes are changed to Ev3-series

-Default cluster VM sizes are changed from D-series to Ev3-series. This change applies to head nodes and worker nodes. To avoid this change impacting your tested workflows, specify the VM sizes that you want to use in the ARM template.

-#### Default cluster VM size changes to Ev3-series

-Default cluster VM sizes will be changed from D-series to Ev3-series. This change applies to head nodes and worker nodes. To avoid this change impacting your tested workflows, specify the VM sizes that you want to use in the ARM template.

-After the **operational** stage, the cluster waits another 60 minutes for the remaining 20% worker nodes. At the end of this 60 minutes, the cluster moves to the **running** stage, even if all of worker nodes are still not available. Once a cluster enters the **running** stage, you can use it as normal. Both control plan operations like scaling up/down, and data plan operations like running scripts and jobs are accepted. If some of the requested worker nodes aren't available, the cluster will be marked as partial success. You are charged for the nodes that were deployed successfully.

-Previously, with cluster creation, customers can create a new service principal to access the connected ADLS Gen 1 account in Azure portal. Starting June 15 2020, customers can't create new service principal in HDInsight creation workflow, only existing service principal is supported. See [Create Service Principal and Certificates using Azure Active Directory](../active-directory/develop/howto-create-service-principal-portal.md).

-#### Dv1 virtual machine deprecation

-From this release, the use of Dv1 VMs with HDInsight is deprecated. Any customer request for Dv1 will be served with Dv2 automatically. There's no price difference between Dv1 and Dv2 VMs.

-| **Summary:** handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop) |

-| BUG-95259 | [HADOOP-15185](https://issues.apache.org/jira/browse/HADOOP-15185), [HADOOP-15186](https://issues.apache.org/jira/browse/HADOOP-15186) | Update adls connector to use the current version of ADLS SDK |

-| BUG-97223 | [SPARK-23434](https://issues.apache.org/jira/browse/SPARK-23434) | Spark shouldn't warn \`metadata directory\` for a HDFS file path |

-| BUG-94869 | [PHOENIX-4290](https://issues.apache.org/jira/browse/PHOENIX-4290), [PHOENIX-4373](https://issues.apache.org/jira/browse/PHOENIX-4373) | Requested row out of range for Get on HRegion for local indexed salted phoenix table. |

-| BUG-95669 | [HIVE-18577](https://issues.apache.org/jira/browse/HIVE-18577), [HIVE-18643](https://issues.apache.org/jira/browse/HIVE-18643) | When run update/delete query on ACID partitioned table, HS2 read all each partitions. |

-| BUG-100422 | [HIVE-19085](https://issues.apache.org/jira/browse/HIVE-19085) | FastHiveDecimal abs(0) sets sign to +ve |

-| BUG-93136 | [HIVE-18189](https://issues.apache.org/jira/browse/HIVE-18189) | Order by position does not work when cbo is disabled |

-| BUG-94144 | [HIVE-17063](https://issues.apache.org/jira/browse/HIVE-17063) | insert overwrite partition into an external table fail when drop partition first |

-| BUG-97741 | [HIVE-18944](https://issues.apache.org/jira/browse/HIVE-18944) | Groupping sets position is set incorrectly during DPP |

-| BUG-98082 | [HIVE-18597](https://issues.apache.org/jira/browse/HIVE-18597) | LLAP: Always package the log4j2 API jar for org.apache.log4j |

-| BUG-100436 | [RANGER-2060](https://issues.apache.org/jira/browse/RANGER-2060) | Knox proxy with knox-sso isn't working for ranger |

-| BUG-95823 | N/A | Knox: Upgrade Beanutils |

-| BUG-96714 | [FLUME-2050](https://issues.apache.org/jira/browse/FLUME-2050) | Upgrade to log4j2 (when GA) |

-| BUG-96977 | [FLUME-3132](https://issues.apache.org/jira/browse/FLUME-3132) | Upgrade tomcat jasper library dependencies |

-| BUG-100073 | N/A | too many close\_wait connections from hiveserver to data node |

-| BUG-100448 | [SPARK-23637](https://issues.apache.org/jira/browse/SPARK-23637), [SPARK-23802](https://issues.apache.org/jira/browse/SPARK-23802), [SPARK-23809](https://issues.apache.org/jira/browse/SPARK-23809), [SPARK-23816](https://issues.apache.org/jira/browse/SPARK-23816), [SPARK-23822](https://issues.apache.org/jira/browse/SPARK-23822), [SPARK-23823](https://issues.apache.org/jira/browse/SPARK-23823), [SPARK-23838](https://issues.apache.org/jira/browse/SPARK-23838), [SPARK-23881](https://issues.apache.org/jira/browse/SPARK-23881) | Update Spark2 to 2.3.0+ (4/11) |

-| BUG-100937 | [MAPREDUCE-6889](https://issues.apache.org/jira/browse/MAPREDUCE-6889) | Add Job\#close API to shutdown MR client services. |

-| BUG-101065 | [ATLAS-2587](https://issues.apache.org/jira/browse/ATLAS-2587) | Set read ACL for /apache\_atlas/active\_server\_info znode in HA for Knox proxy to read. |

-| BUG-102064 | N/A | Hive Replication \[ onprem to onprem \] tests failed in ReplCopyTask |

-| BUG-102137 | [HIVE-19423](https://issues.apache.org/jira/browse/HIVE-19423) | Hive Replication \[ Onprem to Cloud \] tests failed in ReplCopyTask |

-| BUG-102361 | N/A | multiple insert results in single insert replicated to target hive cluster ( onprem - s3 ) |

-| BUG-92586 | [SPARK-17920](https://issues.apache.org/jira/browse/SPARK-17920), [SPARK-20694](https://issues.apache.org/jira/browse/SPARK-20694), [SPARK-21642](https://issues.apache.org/jira/browse/SPARK-21642), [SPARK-22162](https://issues.apache.org/jira/browse/SPARK-22162), [SPARK-22289](https://issues.apache.org/jira/browse/SPARK-22289), [SPARK-22373](https://issues.apache.org/jira/browse/SPARK-22373), [SPARK-22495](https://issues.apache.org/jira/browse/SPARK-22495), [SPARK-22574](https://issues.apache.org/jira/browse/SPARK-22574), [SPARK-22591](https://issues.apache.org/jira/browse/SPARK-22591), [SPARK-22595](https://issues.apache.org/jira/browse/SPARK-22595), [SPARK-22601](https://issues.apache.org/jira/browse/SPARK-22601), [SPARK-22603](https://issues.apache.org/jira/browse/SPARK-22603), [SPARK-22607](https://issues.apache.org/jira/browse/SPARK-22607), [SPARK-22635](https://issues.apache.org/jira/browse/SPARK-22635), [SPARK-22637](https://issues.apache.org/jira/browse/SPARK-22637), [SPARK-22653](https://issues.apache.org/jira/browse/SPARK-22653), [SPARK-22654](https://issues.apache.org/jira/browse/SPARK-22654), [SPARK-22686](https://issues.apache.org/jira/browse/SPARK-22686), [SPARK-22688](https://issues.apache.org/jira/browse/SPARK-22688), [SPARK-22817](https://issues.apache.org/jira/browse/SPARK-22817), [SPARK-22862](https://issues.apache.org/jira/browse/SPARK-22862), [SPARK-22889](https://issues.apache.org/jira/browse/SPARK-22889), [SPARK-22972](https://issues.apache.org/jira/browse/SPARK-22972), [SPARK-22975](https://issues.apache.org/jira/browse/SPARK-22975), [SPARK-22982](https://issues.apache.org/jira/browse/SPARK-22982), [SPARK-22983](https://issues.apache.org/jira/browse/SPARK-22983), [SPARK-22984](https://issues.apache.org/jira/browse/SPARK-22984), [SPARK-23001](https://issues.apache.org/jira/browse/SPARK-23001), [SPARK-23038](https://issues.apache.org/jira/browse/SPARK-23038), [SPARK-23095](https://issues.apache.org/jira/browse/SPARK-23095) | Update Spark2 up-to-date to 2.2.1 (Jan. 16) |

-| BUG-93485 | N/A | can'tcan'tCan't get table mytestorg.apache.hadoop.hive.ql.metadata.InvalidTableException: Table not found when running analyze table on columns in LLAP |

-| BUG-94081 | [HIVE-18384](https://issues.apache.org/jira/browse/HIVE-18384) | ConcurrentModificationException in log4j2.x library |

-| BUG-94330 | [HADOOP-13190](https://issues.apache.org/jira/browse/HADOOP-13190), [HADOOP-14104](https://issues.apache.org/jira/browse/HADOOP-14104), [HADOOP-14814](https://issues.apache.org/jira/browse/HADOOP-14814), [HDFS-10489](https://issues.apache.org/jira/browse/HDFS-10489), [HDFS-11689](https://issues.apache.org/jira/browse/HDFS-11689) | HDFS should support for multiple KMS Uris |

-| BUG-95200 | [HDFS-13061](https://issues.apache.org/jira/browse/HDFS-13061) | SaslDataTransferClient\#checkTrustAndSend shouldn'tshould'n trust a partially trusted channel |

-| BUG-96019 | [HIVE-18548](https://issues.apache.org/jira/browse/HIVE-18548) | Fix log4j import |

-| BUG-96720 | [SLIDER-1262](https://issues.apache.org/jira/browse/SLIDER-1262) | Slider functests are failing in Kerberized environment |

-| BUG-96931 | [SPARK-23053](https://issues.apache.org/jira/browse/SPARK-23053), [SPARK-23186](https://issues.apache.org/jira/browse/SPARK-23186), [SPARK-23230](https://issues.apache.org/jira/browse/SPARK-23230), [SPARK-23358](https://issues.apache.org/jira/browse/SPARK-23358), [SPARK-23376](https://issues.apache.org/jira/browse/SPARK-23376), [SPARK-23391](https://issues.apache.org/jira/browse/SPARK-23391) | Update Spark2 up-to-date (Feb. 19) |

-| BUG-97869 | [KNOX-1190](https://issues.apache.org/jira/browse/KNOX-1190) | Knox SSO support for Google OIDC is broken. |

-| BUG-98705 | [KNOX-1230](https://issues.apache.org/jira/browse/KNOX-1230) | Many Concurrent Requests to Knox causes URL Mangling |

-| BUG-99618 | [SPARK-23599](https://issues.apache.org/jira/browse/SPARK-23599), [SPARK-23806](https://issues.apache.org/jira/browse/SPARK-23806) | Update Spark2 to 2.3.0+ (3/28) |

-| BUG-91293 | [RANGER-2060](https://issues.apache.org/jira/browse/RANGER-2060) | Knox proxy with knox-sso isn't working for ranger |

-| BUG-96082 | [RANGER-1982](https://issues.apache.org/jira/browse/RANGER-1982) | Error Improvement for Analytics Metric of Ranger Admin and Ranger Kms |

-| BUG-96479 | [HDFS-12781](https://issues.apache.org/jira/browse/HDFS-12781) | After Datanode down, In Namenode UI Datanode tab is throwing warning message. |

-| BUG-95823 | N/A | Knox: Upgrade Beanutils |

-| BUG-100139 | [KNOX-1243](https://issues.apache.org/jira/browse/KNOX-1243) | Normalize the required DNs that are Configured in KnoxToken Service |

-| BUG-100570 | [ATLAS-2557](https://issues.apache.org/jira/browse/ATLAS-2557) | Fix to allow to lookup hadoop ldap groups when are groups from UGI are wrongly set or aren't empty |

-| BUG-100750 | [KNOX-1246](https://issues.apache.org/jira/browse/KNOX-1246) | Update service config in Knox to support latest configurations for Ranger. |