+| \<builtInUserAttribute> | \<attribute-type> | No | They can be returned in the token if selected as an **Application claim**. |

+ Title: Tutorial - Test your SCIM endpoint for compatibility with the Azure Active Directory (Azure AD) provisioning service.

+description: This tutorial describes how to use the Azure AD SCIM Validator to validate that your provisioning server is compatible with the Azure SCIM client.

+# Tutorial: Validate a SCIM endpoint

+This tutorial describes how to use the Azure AD SCIM Validator to validate that your provisioning server is compatible with the Azure SCIM client. The tutorial is intended for developers who want to build a SCIM compatible server to manage their identities with the Azure AD provisioning service.

+In this tutorial, you learn how to:

+> [!div class="checklist"]

+> * Select a testing method

+> * Configure the testing method

+> * Validate your SCIM endpoint

+## Prerequisites

+- An Azure Active Directory account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- A SCIM endpoint that conforms to the SCIM 2.0 standard and meets the provision service requirements. To learn more, see [Tutorial: Develop and plan provisioning for a SCIM endpoint in Azure Active Directory](use-scim-to-provision-users-and-groups.md).

+## Select a testing method

+The first step is to select a testing method to validate your SCIM endpoint.

+1. Open your web browser and navigate to the SCIM Validator: [https://scimvalidator.microsoft.com/](https://scimvalidator.microsoft.com/).

+1. Select one of the three test options. You can use default attributes, automatically discover the schema, or upload a schema.

+ :::image type="content" source="./media/scim-validator-tutorial/scim-validator.png" alt-text="Screenshot of SCIM Validator main page." lightbox="./media/scim-validator-tutorial/scim-validator.png":::

+**Use default attributes** - The system provides the default attributes, and you modify them to meet your need.

+**Discover schema** - If your end point supports /Schema, this option will allow the tool to discover the supported attributes. We recommend this option as it reduces the overhead of updating your app as you build it out.

+**Upload Azure AD Schema** - Upload the schema you've downloaded from your sample app on Azure AD.

+## Configure the testing method

+Now that you've selected a testing method, the next step is to configure it.

+1. If you're using the default attributes option, then fill in all of the indicated fields.

+2. If you're using the discover schema option, then enter the SCIM endpoint URL and token.

+3. If you're uploading a schema, then select your .json file to upload. The option accepts a .json file exported from your sample app on the Azure portal. To learn how to export a schema, see [How-to: Export provisioning configuration and roll back to a known good state](export-import-provisioning-configuration.md#export-your-provisioning-configuration).

+> [!NOTE]

+> To test *group attributes*, make sure to select **Enable Group Tests**.

+4. Edit the list attributes as desired for both the user and group types using the ΓÇÿAdd AttributeΓÇÖ option at the end of the attribute list and minus (-) sign on the right side of the page.

+5. Select the joining property from both the user and group attributes list.

+> [!NOTE]

+> The joining property, also known as matching attribute, is an attribute that user and group resources can be uniquely queried on at the source and matched in the target system.

+## Validate your SCIM endpoint

+Finally, you need to test and validate your endpoint.

+1. Select **Test Schema** to begin the test.

+1. Review the results with a summary of passed and failed tests.

+1. Select the **show details** tab and review and fix issues.

+1. Continue to test your schema until all tests pass.

+ :::image type="content" source="./media/scim-validator-tutorial/scim-validator-results.png" alt-text="Screenshot of SCIM Validator results page." lightbox="./media/scim-validator-tutorial/scim-validator-results.png":::

+### Use Postman to test endpoints (optional)

+In addition to using the SCIM Validator tool, you can also use Postman to validate an endpoint. This example provides a set of tests in Postman that validate CRUD (create, read, update, and delete) operations on users and groups, filtering, updates to group membership, and disabling users.

+The endpoints are in the `{host}/scim/` directory, and you can use standard HTTP requests to interact with them. To modify the `/scim/` route, see *ControllerConstant.cs* in **AzureADProvisioningSCIMreference** > **ScimReferenceApi** > **Controllers**.

+> [!NOTE]

+> You can only use HTTP endpoints for local tests. The Azure AD provisioning service requires that your endpoint support HTTPS.

+1. Download [Postman](https://www.getpostman.com/downloads/) and start the application.

+1. Copy and paste this link into Postman to import the test collection: `https://aka.ms/ProvisioningPostman`.

+ 

+1. Create a test environment that has these variables:

+ |Environment|Variable|Value|

+ |-|-|-|

+ |Run the project locally by using IIS Express|||

+ ||**Server**|`localhost`|

+ ||**Port**|`:44359` *(don't forget the **`:`**)*|

+ ||**Api**|`scim`|

+ |Run the project locally by using Kestrel|||

+ ||**Server**|`localhost`|

+ ||**Port**|`:5001` *(don't forget the **`:`**)*|

+ ||**Api**|`scim`|

+ |Host the endpoint in Azure|||

+ ||**Server**|*(input your SCIM URL)*|

+ ||**Port**|*(leave blank)*|

+ ||**Api**|`scim`|

+1. Use **Get Key** from the Postman collection to send a **GET** request to the token endpoint and retrieve a security token to be stored in the **token** variable for subsequent requests.

+ 

+ > [!NOTE]

+ > To make a SCIM endpoint secure, you need a security token before you connect. The tutorial uses the `{host}/scim/token` endpoint to generate a self-signed token.

+That's it! You can now run the **Postman** collection to test the SCIM endpoint functionality.

+## Clean up resources

+If you created any Azure resources in your testing that are no longer needed, don't forget to delete them.

+## Known Issues with Azure AD SCIM Validator

+- Soft deletes (disables) arenΓÇÖt yet supported.

+- The time zone format is randomly generated and will fail for systems that try to validate it.

+- The preferred language format is randomly generated and will fail for systems that try to validate it.

+- The patch user remove attributes may attempt to remove mandatory/required attributes for certain systems. Such failures should be ignored.

+## Next steps

+- [Learn how to add an app that is not in the Azure AD app gallery](../manage-apps/overview-application-gallery.md)

+- [Tutorial: Validate a SCIM endpoint](scim-validator-tutorial.md)

+- [Tutorial: Develop and plan provisioning for a SCIM endpoint](use-scim-to-provision-users-and-groups.md)

+- [Tutorial: Configure provisioning for a gallery app](configure-automatic-user-provisioning-portal.md)

+|**Pre-requisite**| Windows 10, version 1809 or later<br>Azure Active Directory| Authenticator app<br>Phone (iOS and Android devices)|Windows 10, version 1903 or later<br>Azure Active Directory|

+- Latest version of Microsoft Authenticator installed on devices running iOS or Android.

+* A working Azure AD tenant with Azure AD Premium P1 or trial licenses enabled.

+In this preview, admins can block self-service BitLocker key access to the registered owner of the device. Default users without the BitLocker read permission will be unable to view or copy their BitLocker key(s) for their owned devices.

+- **Users may register their devices with Azure AD**: You need to configure this setting to allow users to register Windows 10 or newer personal, iOS, Android, and macOS devices with Azure AD. If you select **None**, devices aren't allowed to register with Azure AD. Enrollment with Microsoft Intune or mobile device management for Microsoft 365 requires registration. If you've configured either of these services, **ALL** is selected, and **NONE** is unavailable.

+- **Require Multi-Factor Authentication to register or join devices with Azure AD**:

+ - We recommend organizations use the [Register or join devices user](../conditional-access/concept-conditional-access-cloud-apps.md#user-actions) action in Conditional Access to enforce multifactor authentication. You must configure this toggle to **No** if you use a Conditional Access policy to require multifactor authentication.

+ - This setting allows you to specify whether users are required to provide another authentication factor to join or register their devices to Azure AD. The default is **No**. We recommend that you require multifactor authentication when a device is registered or joined. Before you enable multifactor authentication for this service, you must ensure that multifactor authentication is configured for users that register their devices. For more information on Azure AD Multi-Factor Authentication services, see [getting started with Azure AD Multi-Factor Authentication](../authentication/concept-mfa-howitworks.md). This setting may not work with third-party identity providers.

+Applications have an attack surface for security breaches and must be monitored. While not targeted as often as user accounts, breaches can occur. Because applications often run without human intervention, the attacks may be harder to detect.

+This article provides guidance to monitor and alert on application events. It's regularly updated to help ensure you:

+* Prevent malicious applications from getting unwarranted access to data

+* Prevent applications from being compromised by bad actors

+* Gather insights that enable you to build and configure new applications more securely

+As you monitor your application logs for security incidents, review the following list to help differentiate normal activity from malicious activity. The following events might indicate security concerns. Each is covered in the article.

+* Any changes occurring outside normal business processes and schedules

+ * Service principal assigned to an Azure AD or an Azure role-based access control (RBAC) role

+ * Applications granted highly privileged permissions

+ * Azure Key Vault changes

+ * End user granting applications consent

+ * Stopped end-user consent based on level of risk

+ * Universal resource identifier (URI) changed or non-standard

+ * Changes to application owners

+ * Log-out URLs modified

+From the Azure portal, you can view the Azure AD Audit logs and download as comma-separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Azure AD logs with other tools, which allow more automation of monitoring and alerting:

+* **[Microsoft Sentinel](../../sentinel/overview.md)** ΓÇô enables intelligent security analytics at the enterprise level with security information and event management (SIEM) capabilities.

+* **[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)** - Sigma is an evolving open standard for writing rules and templates that automated management tools can use to parse log files. Where there are Sigma templates for our recommended search criteria, we've added a link to the Sigma repo. The Sigma templates aren't written, tested, and managed by Microsoft. Rather, the repo and templates are created and collected by the worldwide IT security community.

+* **[Azure Monitor](../../azure-monitor/overview.md)** ΓÇô automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources.

+* **[Azure Event Hubs](../../event-hubs/event-hubs-about.md) integrated with a SIEM**- [Azure AD logs can be integrated to other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) such as Splunk, ArcSight, QRadar, and Sumo Logic via the Azure Event Hubs integration.

+* **[Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security)** ΓÇô discover and manage apps, govern across apps and resources, and check your cloud appsΓÇÖ compliance.

+* **[Securing workload identities with Identity Protection Preview](..//identity-protection/concept-workload-identity-risk.md)** - detects risk on workload identities across sign-in behavior and offline indicators of compromise.

+Much of what you monitor and alert on are the effects of your Conditional Access policies. You can use the [Conditional Access insights and reporting workbook](../conditional-access/howto-conditional-access-insights-reporting.md) to examine the effects of one or more Conditional Access policies on your sign-ins, and the results of policies, including device state. Use the workbook to view a summary, and identify the effects over a time period. You can use the workbook to investigate the sign-ins of a specific user.

+The remainder of this article is what we recommend you monitor and alert on. It's organized by the type of threat. Where there are pre-built solutions, we link to them or provide samples after the table. Otherwise, you can build alerts using the preceding tools.

+## Application credentials

+Many applications use credentials to authenticate in Azure AD. Any other credentials added outside expected processes could be a malicious actor using those credentials. We recommend using X509 certificates issued by trusted authorities or Managed Identities instead of using client secrets. However, if you need to use client secrets, follow good hygiene practices to keep applications safe. Note, application and service principal updates are logged as two entries in the audit log.

+* Monitor applications to identify long credential expiration times.

+* Replace long-lived credentials with a short life span. Ensure credentials don't get committed in code repositories, and are stored securely.

+| Added credentials to existing applications| High| Azure AD Audit logs| Service-Core Directory, Category-ApplicationManagement <br>Activity: Update Application-Certificates and secrets management<br>-and-<br>Activity: Update Service principal/Update Application| Alert when credentials are: added outside of normal business hours or workflows, of types not used in your environment, or added to a non-SAML flow supporting service principal.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NewAppOrServicePrincipalCredential.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Credentials with a lifetime longer than your policies allow.| Medium| Microsoft Graph| State and end date of Application Key credentials<br>-and-<br>Application password credentials| You can use MS Graph API to find the start and end date of credentials, and evaluate longer-than-allowed lifetimes. See PowerShell script following this table. |

+ The following pre-built monitoring and alerts are available:

+* Microsoft Sentinel ΓÇô [Alert when new app or service principle credentials added](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NewAppOrServicePrincipalCredential.yaml)

+Like an administrator account, applications can be assigned privileged roles. Apps can be assigned Azure AD roles, such as Global Administrator, or Azure RBAC roles such as Subscription Owner. Because they can run without a user, and as a background service, closely monitor when an application is granted a highly privileged role or permission.

+| App assigned to Azure RBAC role, or Azure AD Role| High to Medium| Azure AD Audit logs| Type: service principal<br>Activity: ΓÇ£Add member to roleΓÇ¥ or ΓÇ£Add eligible member to roleΓÇ¥<br>-or-<br>ΓÇ£Add scoped member to role.ΓÇ¥| For highly privileged roles such as Global Administrator, risk is high. For lower privileged roles risk is medium. Alert anytime an application is assigned to an Azure role or Azure AD role outside of normal change management or configuration procedures.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ServicePrincipalAssignedPrivilegedRole.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+Applications should follow the principle of least privilege. Investigate application permissions to ensure they're needed. You can create an [app consent grant report](https://aka.ms/getazureadpermissions) to help identify applications and highlight privileged permissions.

+| App granted highly privileged permissions, such as permissions with ΓÇ£*.AllΓÇ¥ (Directory.ReadWrite.All) or wide ranging permissions (Mail.*)| High |Azure AD Audit logs| ΓÇ£Add app role assignment to service principalΓÇ¥, <br>- where-<br> Target(s) identifies an API with sensitive data (such as Microsoft Graph) <br>-and-<br>AppRole.Value identifies a highly privileged application permission (app role).| Apps granted broad permissions such as ΓÇ£*.AllΓÇ¥ (Directory.ReadWrite.All) or wide ranging permissions (Mail.*)<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ServicePrincipalAssignedAppRoleWithSensitiveAccess.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Administrator granting either application permissions (app roles) or highly privileged delegated permissions |High| Microsoft 365 portal| ΓÇ£Add app role assignment to service principalΓÇ¥, <br>-where-<br>Target(s) identifies an API with sensitive data (such as Microsoft Graph)<br>ΓÇ£Add delegated permission grantΓÇ¥, <br>-where-<br>Target(s) identifies an API with sensitive data (such as Microsoft Graph) <br>-and-<br>DelegatedPermissionGrant.Scope includes high-privilege permissions.| Alert when a global administrator, application administrator, or cloud application administrator consents to an application. Especially look for consent outside of normal activity and change procedures.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ServicePrincipalAssignedAppRoleWithSensitiveAccess.yaml)<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AzureADRoleManagementPermissionGrant.yaml)<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/MailPermissionsAddedToApplication.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Application is granted permissions for Microsoft Graph, Exchange, SharePoint, or Azure AD. |High| Azure AD Audit logs| ΓÇ£Add delegated permission grantΓÇ¥ <br>-or-<br>ΓÇ£Add app role assignment to service principalΓÇ¥, <br>-where-<br>Target(s) identifies an API with sensitive data (such as Microsoft Graph, Exchange Online, and so on)| Alert as in the preceding row.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ServicePrincipalAssignedAppRoleWithSensitiveAccess.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Application permissions (app roles) for other APIs are granted |Medium| Azure AD Audit logs| ΓÇ£Add app role assignment to service principalΓÇ¥, <br>-where-<br>Target(s) identifies any other API.| Alert as in the preceding row.<br>[Link to Sigma repo](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Highly privileged delegated permissions are granted on behalf of all users |High| Azure AD Audit logs| ΓÇ£Add delegated permission grantΓÇ¥, where Target(s) identifies an API with sensitive data (such as Microsoft Graph), <br> DelegatedPermissionGrant.Scope includes high-privilege permissions, <br>-and-<br>DelegatedPermissionGrant.ConsentType is ΓÇ£AllPrincipalsΓÇ¥.| Alert as in the preceding row.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ServicePrincipalAssignedAppRoleWithSensitiveAccess.yaml)<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AzureADRoleManagementPermissionGrant.yaml)<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousOAuthApp_OfflineAccess.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+Use Azure Key Vault to store your tenantΓÇÖs secrets. We recommend you pay attention to any changes to Key Vault configuration and activities.

+| How and when your Key Vaults are accessed and by whom| Medium| [Azure Key Vault logs](../../key-vault/general/logging.md?tabs=Vault)| Resource type: Key Vaults| Look for: any access to Key Vault outside regular processes and hours, any changes to Key Vault ACL.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureDiagnostics/AzureKeyVaultAccessManipulation.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+After you set up Azure Key Vault, [enable logging](../../key-vault/general/howto-logging.md?tabs=azure-cli). See [how and when your Key Vaults are accessed](../../key-vault/general/logging.md?tabs=Vault), and [configure alerts](../../key-vault/general/alert.md) on Key Vault to notify assigned users or distribution lists via email, phone, text, or [Event Grid](../../key-vault/general/event-grid-overview.md) notification, if health is affected. In addition, setting up [monitoring](../../key-vault/general/alert.md) with Key Vault insights gives you a snapshot of Key Vault requests, performance, failures, and latency. [Log Analytics](../../azure-monitor/logs/log-analytics-overview.md) also has some [example queries](../../azure-monitor/logs/queries.md) for Azure Key Vault that can be accessed after selecting your Key Vault and then under ΓÇ£MonitoringΓÇ¥ selecting ΓÇ£LogsΓÇ¥.

+| End-user consent to application| Low| Azure AD Audit logs| Activity: Consent to application / ConsentContext.IsAdminConsent = false| Look for: high profile or highly privileged accounts, app requests high-risk permissions, apps with suspicious names, for example generic, misspelled, etc.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AuditLogs/ConsentToApplicationDiscovery.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+The act of consenting to an application isn't malicious. However, investigate new end-user consent grants looking for suspicious applications. You can [restrict user consent operations](../../security/fundamentals/steps-secure-identity.md).

+### End user stopped due to risk-based consent

+| End-user consent stopped due to risk-based consent| Medium| Azure AD Audit logs| Core Directory / ApplicationManagement / Consent to application<br> Failure status reason = Microsoft.online.Security.userConsent<br>BlockedForRiskyAppsExceptions| Monitor and analyze any time consent is stopped due to risk. Look for: high profile or highly privileged accounts, app requests high-risk permissions, or apps with suspicious names, for example generic, misspelled, etc.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/End-userconsentstoppedduetorisk-basedconsent.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+## Application authentication flows

+There are several flows in the OAuth 2.0 protocol. The recommended flow for an application depends on the type of application being built. In some cases, there's a choice of flows available to the application. For this case, some authentication flows are recommended over others. Specifically, avoid resource owner password credentials (ROPC) because these require the user to expose their current password credentials to the application. The application then uses the credentials to authenticate the user against the identity provider. Most applications should use the auth code flow, or auth code flow with Proof Key for Code Exchange (PKCE), because this flow is recommended.

+The only scenario where ROPC is suggested is for automated application testing. See [Run automated integration tests](../develop/test-automate-integration-testing.md) for details.

+Device code flow is another OAuth 2.0 protocol flow for input-constrained devices and isn't used in all environments. When device code flow appears in the environment, and isn't used in an input constrained device scenario. More investigation is warranted for a misconfigured application or potentially something malicious.

+| Applications that are using the ROPC authentication flow|Medium | Azure AD Sign-ins log|Status=Success<br><br>Authentication Protocol-ROPC| High level of trust is being placed in this application as the credentials can be cached or stored. Move if possible to a more secure authentication flow. This should only be used in automated testing of applications, if at all. For more information, see [Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials](../develop/v2-oauth-ropc.md)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|

+|Applications using the Device code flow |Low to medium|Azure AD Sign-ins log|Status=Success<br><br>Authentication Protocol-Device Code|Device code flows are used for input constrained devices, which may not be in all environments. If successful device code flows appear, without a need for them, investigate for validity. For more information, see [Microsoft identity platform and the OAuth 2.0 device authorization grant flow](../develop/v2-oauth2-device-code.md)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|

+Monitor changes to application configuration. Specifically, configuration changes to the uniform resource identifier (URI), ownership, and log-out URL.

+### Dangling URI and Redirect URI changes

+| Dangling URI| High| Azure AD Logs and Application Registration| Service-Core Directory, Category-ApplicationManagement<br>Activity: Update Application<br>Success ΓÇô Property Name AppAddress| For example, look for dangling URIs that point to a domain name that no longer exists or one that you donΓÇÖt explicitly own.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/URLAddedtoApplicationfromUnknownDomain.yaml)<br><br>[Link to Sigma repo](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Redirect URI configuration changes| High| Azure AD logs| Service-Core Directory, Category-ApplicationManagement<br>Activity: Update Application<br>Success ΓÇô Property Name AppAddress| Look for URIs not using HTTPS*, URIs with wildcards at the end or the domain of the URL, URIs that are NOT unique to the application, URIs that point to a domain you don't control.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ApplicationRedirectURLUpdate.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+Alert when these changes are detected.

+| Changes to AppID URI| High| Azure AD logs| Service-Core Directory, Category-ApplicationManagement<br>Activity: Update<br>Application<br>Activity: Update Service principal| Look for any AppID URI modifications, such as adding, modifying, or removing the URI.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ApplicationIDURIChanged.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+Alert when these changes are detected outside approved change management procedures.

+### New owner

+| Changes to application ownership| Medium| Azure AD logs| Service-Core Directory, Category-ApplicationManagement<br>Activity: Add owner to application| Look for any instance of a user being added as an application owner outside of normal change management activities.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ChangestoApplicationOwnership.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+### Log-out URL modified or removed

+| Changes to log-out URL| Low| Azure AD logs| Service-Core Directory, Category-ApplicationManagement<br>Activity: Update Application<br>-and-<br>Activity: Update service principle| Look for any modifications to a sign-out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ChangestoApplicationLogoutURL.yaml) |

+## Resources

+* Azure AD monitoring configuration information for SIEMs - [Partner tools with Azure Monitor integration](../..//azure-monitor/essentials/stream-monitoring-data-event-hubs.md)

+## Next steps

+[Security operations for consumer accounts](security-operations-consumer-accounts.md)

+[Security operations for infrastructure](security-operations-infrastructure.md)

+ Title: Azure Active Directory security operations for consumer accounts

+description: Guidance to establish baselines and how to monitor and alert on potential security issues with consumer accounts.

+# Azure Active Directory security operations for consumer accounts

+Activities associated with consumer identities is another critical area for your organization to protect and monitor. This article is for Azure AD B2C tenants and provides guidance for monitoring consumer account activities. The activities are organized by:

+* Consumer account activities

+* Privileged account activities

+* Application activities

+* Infrastructure activities

+If you have not yet read the [Azure Active Directory (Azure AD) security operations overview](security-operations-introduction.md), we recommend you do so before proceeding.

+## Define a baseline

+To discover anomalous behavior, you first must define what normal and expected behavior is. Defining what expected behavior for your organization is, helps you determine when unexpected behavior occurs. The definition also helps to reduce the noise level of false positives when monitoring and alerting.

+Once you define what you expect, you perform baseline monitoring to validate your expectations. With that information, you can monitor the logs for anything that falls outside of tolerances you define.

+Use the Azure AD Audit Logs, Azure AD Sign-in Logs, and directory attributes as your data sources for accounts created outside of normal processes. The following are suggestions to help you think about and define what normal is for your organization.

+* **Consumer account creation** ΓÇô evaluate the following:

+ * Strategy and principles for tools and processes used for creating and managing consumer accounts. For example, are there standard attributes, formats that are applied to consumer account attributes.

+ * Approved sources for account creation. For example, onboarding custom policies, customer provisioning or migration tool.

+ * Alert strategy for accounts created outside of approved sources. Is there a controlled list of organizations your organization collaborates with?

+ * Strategy and alert parameters for accounts created, modified, or disabled by an account that isn't an approved consumer account administrator.

+ * Monitoring and alert strategy for consumer accounts missing standard attributes, such as customer number or not following organizational naming conventions.

+ * Strategy, principles, and process for account deletion and retention.

+## Where to look

+The log files you use for investigation and monitoring are:

+* [Azure AD Audit logs](../reports-monitoring/concept-audit-logs.md)

+* [Sign-in logs](../reports-monitoring/concept-all-sign-ins.md)

+* [Risky Users log](../identity-protection/howto-identity-protection-investigate-risk.md)

+* [UserRiskEvents log](../identity-protection/howto-identity-protection-investigate-risk.md)

+From the Azure portal, you can view the Azure AD Audit logs and download as comma separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Azure AD logs with other tools that allow for greater automation of monitoring and alerting:

+* **[Microsoft Sentinel](../../sentinel/overview.md)** ΓÇô enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.

+* **[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)** - Sigma is an evolving open standard for writing rules and templates that automated management tools can use to parse log files. Where Sigma templates exist for our recommended search criteria, we've added a link to the Sigma repo. The Sigma templates aren't written, tested, and managed by Microsoft. Rather, the repo and templates are created and collected by the worldwide IT security community.

+* **[Azure Monitor](../../azure-monitor/overview.md)** ΓÇô enables automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources.

+* **[Azure Event Hubs](../../event-hubs/event-hubs-about.md) integrated with a SIEM**- [Azure AD logs can be integrated to other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) such as Splunk, ArcSight, QRadar and Sumo Logic via the Azure Event Hubs integration.

+* **[Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security)** ΓÇô enables you to discover and manage apps, govern across apps and resources, and check your cloud apps' compliance.

+* **[Securing workload identities with Identity Protection Preview](..//identity-protection/concept-workload-identity-risk.md)** - Used to detect risk on workload identities across sign-in behavior and offline indicators of compromise.

+ The remainder of this article describes what we recommend you monitor and alert on, and is organized by the type of threat. Where there are specific pre-built solutions we link to them or provide samples following the table. Otherwise, you can build alerts using the preceding tools.

+## Consumer accounts

+| What to monitor | Risk Level | Where | Filter / subfilter | Notes |

+| - | - | - | - | - |

+| Large number of account creations or deletions | High | Azure AD Audit logs | Activity: Add user<br>Status = success<br>Initiated by (actor) = CPIM Service<br>-and-<br>Activity: Delete user<br>Status = success<br>Initiated by (actor) = CPIM Service | Define a baseline threshold, and then monitor and adjust to suite your organizational behaviors and limit false alerts from being generated. |

+| Accounts created and deleted by non-approved users or processes. | Medium | Azure AD Audit logs | Initiated by (actor) ΓÇô USER PRINCIPAL NAME<br>-and-<br>Activity: Add user<br>Status = success<br>Initiated by (actor) != CPIM Service<br>and-or<br>Activity: Delete user<br>Status = success<br>Initiated by (actor) != CPIM Service | If the actors are non-approved users, configure to send an alert. |

+| Accounts assigned to a privileged role. | High | Azure AD Audit logs | Activity: Add user<br>Status = success<br>Initiated by (actor) == CPIM Service<br>-and-<br>Activity: Add member to role<br>Status = success | If the account is assigned to an Azure AD role, Azure role, or privileged group membership, alert and prioritize the investigation. |

+| Failed sign-in attempts. | Medium - if Isolated incident<br>High - if many accounts are experiencing the same pattern | Azure AD Sign-ins log | Status = failed<br>-and-<br>Sign-in error code 50126 - Error validating credentials due to invalid username or password.<br>-and-<br>Application == "CPIM PowerShell Client"<br>-or-<br>Application == "ProxyIdentityExperienceFramework" | Define a baseline threshold, and then monitor and adjust to suite your organizational behaviors and limit false alerts from being generated. |

+| Smart lock-out events. | Medium - if Isolated incident<br>High - if many accounts are experiencing the same pattern or a VIP | Azure AD Sign-ins log | Status = failed<br>-and-<br>Sign-in error code = 50053 ΓÇô IdsLocked<br>-and-<br>Application == "CPIM PowerShell Client"<br>-or-<br>Application =="ProxyIdentityExperienceFramework" | Define a baseline threshold, and then monitor and adjust to suite your organizational behaviors and limit false alerts from being generated. |

+| Failed authentications from countries you don't operate out of. | Medium | Azure AD Sign-ins log | Status = failed<br>-and-<br>Location = \<unapproved location><br>-and-<br>Application == "CPIM PowerShell Client"<br>-or-<br>Application == "ProxyIdentityExperienceFramework" | Monitor entries not equal to the city names you provide. |

+| Increased failed authentications of any type. | Medium | Azure AD Sign-ins log | Status = failed<br>-and-<br>Application == "CPIM PowerShell Client"<br>-or-<br>Application == "ProxyIdentityExperienceFramework" | If you don't have a set threshold, monitor and alert if failures increase by 10% or greater. |

+| Account disabled/blocked for sign-ins | Low | Azure AD Sign-ins log | Status = Failure<br>-and-<br>error code = 50057, The user account is disabled. | This could indicate someone is trying to gain access to an account after they have left an organization. Although the account is blocked it's important to log and alert on this activity. |

+| Measurable increase of successful sign-ins. | Low | Azure AD Sign-ins log | Status = Success<br>-and-<br>Application == "CPIM PowerShell Client"<br>-or-<br>Application == "ProxyIdentityExperienceFramework" | If you don't have a set threshold, monitor and alert if successful authentications increase by 10% or greater. |

+## Privileged accounts

+| What to monitor | Risk Level | Where | Filter/sub-filter | Notes |

+| - | - | - | - | - |

+| Sign-in failure, bad password threshold | High | Azure AD Sign-ins log | Status = Failure<br>-and-<br>error code = 50126 | Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated. |

+| Failure because of Conditional Access requirement | High | Azure AD Sign-ins log | Status = Failure<br>-and-<br>error code = 53003<br>-and-<br>Failure reason = Blocked by Conditional Access | This event can be an indication an attacker is trying to get into the account. |

+| Interrupt | High, medium | Azure AD Sign-ins log | Status = Failure<br>-and-<br>error code = 53003<br>-and-<br>Failure reason = Blocked by Conditional Access | This event can be an indication an attacker has the password for the account but can't pass the MFA challenge. |

+| Account lockout | High | Azure AD Sign-ins log | Status = Failure<br>-and-<br>error code = 50053 | Define a baseline threshold, and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated. |

+| Account disabled or blocked for sign-ins | low | Azure AD Sign-ins log | Status = Failure<br>-and-<br>Target = User UPN<br>-and-<br>error code = 50057 | This event could indicate someone is trying to gain access to an account after they've left the organization. Although the account is blocked, it's still important to log and alert on this activity. |

+| MFA fraud alert or block | High | Azure AD Sign-ins log/Azure Log Analytics | Sign-ins>Authentication details<br> Result details = MFA denied, fraud code entered | Privileged user has indicated they haven't instigated the MFA prompt, which could indicate an attacker has the password for the account. |

+| MFA fraud alert or block | High | Azure AD Sign-ins log/Azure Log Analytics | Activity type = Fraud reported - User is blocked for MFA or fraud reported - No action taken (based on fraud report tenant-level settings) | Privileged user indicated no instigation of the MFA prompt. This can indicate an attacker has the account password. |

+| Privileged account sign-ins outside of expected controls | High | Azure AD Sign-ins log | Status = Failure<br>UserPricipalName = \<Admin account> <br> Location = \<unapproved location> <br> IP address = \<unapproved IP><br>Device info = \<unapproved Browser, Operating System> | Monitor and alert on any entries that you've defined as unapproved. |

+| Outside of normal sign-in times | High | Azure AD Sign-ins log | Status = Success<br>-and-<br>Location =<br>-and-<br>Time = Outside of working hours | Monitor and alert if sign-ins occur outside of expected times. It's important to find the normal working pattern for each privileged account and to alert if there are unplanned changes outside of normal working times. Sign-ins outside of normal working hours could indicate compromise or possible insider threats. |

+| Password change | High | Azure AD Audit logs | Activity actor = Admin/self-service<br>-and-<br>Target = User<br>-and-<br>Status = Success or failure | Alert on any admin account password changes, especially for global admins, user admins, subscription admins, and emergency access accounts. Write a query targeted at all privileged accounts. |

+| Changes to authentication methods | High | Azure AD Audit logs | Activity: Create identity provider<br>Category: ResourceManagement<br>Target: User Principal Name | This change could be an indication of an attacker adding an auth method to the account so they can have continued access. |

+| Identity Provider updated by non-approved actors | High | Azure AD Audit logs | Activity: Update identity provider<br>Category: ResourceManagement<br>Target: User Principal Name | This change could be an indication of an attacker adding an auth method to the account so they can have continued access. |

+Identity Provider deleted by non-approved actors | High | Azure AD Access Reviews | Activity: Delete identity provider<br>Category: ResourceManagement<br>Target: User Principal Name | This change could be an indication of an attacker adding an auth method to the account so they can have continued access. |

+## Applications

+| What to monitor | Risk Level | Where | Filter/sub-filter | Notes |

+| - | - | - | - | - |

+| Added credentials to existing applications | High | Azure AD Audit logs | Service-Core Directory, Category-ApplicationManagement<br>Activity: Update Application-Certificates and secrets management<br>-and-<br>Activity: Update Service principal/Update Application | Alert when credentials are: added outside of normal business hours or workflows, of types not used in your environment, or added to a non-SAML flow supporting service principal. |

+| App assigned to an Azure role-based access control (RBAC) role, or Azure AD Role | High to medium | Azure AD Audit logs | Type: service principal<br>Activity: ΓÇ£Add member to roleΓÇ¥<br>or<br>ΓÇ£Add eligible member to roleΓÇ¥<br>-or-<br>ΓÇ£Add scoped member to role.ΓÇ¥ |

+| App granted highly privileged permissions, such as permissions with ΓÇ£.AllΓÇ¥ (Directory.ReadWrite.All) or wide-ranging permissions (Mail.) | High | Azure AD Audit logs |N/A | Apps granted broad permissions such as ΓÇ£.AllΓÇ¥ (Directory.ReadWrite.All) or wide-ranging permissions (Mail.) |

+| Administrator granting either application permissions (app roles) or highly privileged delegated permissions | High | Microsoft 365 portal | ΓÇ£Add app role assignment to service principalΓÇ¥<br>-where-<br>Target(s) identifies an API with sensitive data (such as Microsoft Graph) ΓÇ£Add delegated permission grantΓÇ¥<br>-where-<br>Target(s) identifies an API with sensitive data (such as Microsoft Graph)<br>-and-<br>DelegatedPermissionGrant.Scope includes high-privilege permissions. | Alert when a global administrator, application administrator, or cloud application administrator consents to an application. Especially look for consent outside of normal activity and change procedures. |

+| Application is granted permissions for Microsoft Graph, Exchange, SharePoint, or Azure AD. | High | Azure AD Audit logs | ΓÇ£Add delegated permission grantΓÇ¥<br>-or-<br>ΓÇ£Add app role assignment to service principalΓÇ¥<br>-where-<br>Target(s) identifies an API with sensitive data (such as Microsoft Graph, Exchange Online, and so on) | Alert as in the preceding row. |

+| Highly privileged delegated permissions are granted on behalf of all users | High | Azure AD Audit logs | ΓÇ£Add delegated permission grantΓÇ¥<br>where<br>Target(s) identifies an API with sensitive data (such as Microsoft Graph)<br>DelegatedPermissionGrant.Scope includes high-privilege permissions<br>-and-<br>DelegatedPermissionGrant.ConsentType is ΓÇ£AllPrincipalsΓÇ¥. | Alert as in the preceding row. |

+| Applications that are using the ROPC authentication flow | Medium | Azure AD Sign-ins log | Status=Success<br>Authentication Protocol-ROPC | High level of trust is being placed in this application as the credentials can be cached or stored. Move if possible to a more secure authentication flow. This should only be used in automated testing of applications, if at all. For more information |

+| Dangling URI | High | Azure AD Logs and Application Registration | Service-Core Directory<br>Category-ApplicationManagement<br>Activity: Update Application<br>Success ΓÇô Property Name AppAddress | For example look for dangling URIs that point to a domain name that no longer exists or one you donΓÇÖt own. |

+| Redirect URI configuration changes | High | Azure AD logs | Service-Core Directory<br>Category-ApplicationManagement<br>Activity: Update Application<br>Success ΓÇô Property Name AppAddress | Look for URIs not using HTTPS*, URIs with wildcards at the end or the domain of the URL, URIs that are **not** unique to the application, URIs that point to a domain you don't control. |

+| Changes to AppID URI | High | Azure AD logs | Service-Core Directory<br>Category-ApplicationManagement<br>Activity: Update Application<br>Activity: Update Service principal | Look for any AppID URI modifications, such as adding, modifying, or removing the URI. |

+| Changes to application ownership | Medium | Azure AD logs | Service-Core Directory<br>Category-ApplicationManagement<br>Activity: Add owner to application | Look for any instance of a user being added as an application owner outside of normal change management activities. |

+| Changes to log-out URL | Low | Azure AD logs | Service-Core Directory<br>Category-ApplicationManagement<br>Activity: Update Application<br>-and-<br>Activity: Update service principle | Look for any modifications to a sign-out URL. Blank entries or entries to non-existent locations would stop a user from terminating a session.

+## Infrastructure

+| What to monitor | Risk Level | Where | Filter/sub-filter | Notes |

+| - | - | - | - | - |

+| New Conditional Access Policy created by non-approved actors | High | Azure AD Audit logs | Activity: Add conditional access policy<br>Category: Policy<br>Initiated by (actor): User Principal Name | Monitor and alert on Conditional Access changes. Is Initiated by (actor): approved to make changes to Conditional Access? |

+| Conditional Access Policy removed by non-approved actors | Medium | Azure AD Audit logs | Activity: Delete conditional access policy<br>Category: Policy<br>Initiated by (actor): User Principal Name | Monitor and alert on Conditional Access changes. Is Initiated by (actor): approved to make changes to Conditional Access? |

+| Conditional Access Policy updated by non-approved actors | High | Azure AD Audit logs | Activity: Update conditional access policy<br>Category: Policy<br>Initiated by (actor): User Principal Name | Monitor and alert on Conditional Access changes. Is Initiated by (actor): approved to make changes to Conditional Access?<br>Review Modified Properties and compare ΓÇ£oldΓÇ¥ vs ΓÇ£newΓÇ¥ value |

+| B2C Custom policy created by non-approved actors | High | Azure AD Audit logs| Activity: Create custom policy<br>Category: ResourceManagement<br>Target: User Principal Name | Monitor and alert on Custom Policies changes. Is Initiated by (actor): approved to make changes to Custom Policies? |

+| B2C Custom policy updated by non-approved actors | High | Azure AD Audit logs| Activity: Get custom policies<br>Category: ResourceManagement<br>Target: User Principal Name | Monitor and alert on Custom Policies changes. Is Initiated by (actor): approved to make changes to Custom Policies? |

+| B2C Custom policy deleted by non-approved actors | Medium |Azure AD Audit logs | Activity: Delete custom policy<br>Category: ResourceManagement<br>Target: User Principal Name | Monitor and alert on Custom Policies changes. Is Initiated by (actor): approved to make changes to Custom Policies? |

+| User Flow created by non-approved actors | High |Azure AD Audit logs | Activity: Create user flow<br>Category: ResourceManagement<br>Target: User Principal Name | Monitor and alert on User Flow changes. Is Initiated by (actor): approved to make changes to User Flows? |

+| User Flow updated by non-approved actors | High | Azure AD Audit logs| Activity: Update user flow<br>Category: ResourceManagement<br>Target: User Principal Name | Monitor and alert on User Flow changes. Is Initiated by (actor): approved to make changes to User Flows? |

+| User Flow deleted by non-approved actors | Medium | Azure AD Audit logs| Activity: Delete user flow<br>Category: ResourceManagement<br>Target: User Principal Name | Monitor and alert on User Flow changes. Is Initiated by (actor): approved to make changes to User Flows? |

+| API Connectors created by non-approved actors | Medium | Azure AD Audit log| Activity: Create API connector<br>Category: ResourceManagement<br>Target: User Principal Name | Monitor and alert on API Connector changes. Is Initiated by (actor): approved to make changes to API Connectors? |

+| API Connectors updated by non-approved actors | Medium | Azure AD Audit logs| Activity: Update API connector<br>Category: ResourceManagement<br>Target: User Principal Name: ResourceManagement | Monitor and alert on API Connector changes. Is Initiated by (actor): approved to make changes to API Connectors? |

+| API Connectors deleted by non-approved actors | Medium | Azure AD Audit log|Activity: Update API connector<br>Category: ResourceManagment<br>Target: User Principal Name: ResourceManagment | Monitor and alert on API Connector changes. Is Initiated by (actor): approved to make changes to API Connectors? |

+| Identity Provider created by non-approved actors | High |Azure AD Audit log | Activity: Create identity provider<br>Category: ResourceManagement<br>Target: User Principal Name | Monitor and alert on Identity Provider changes. Is Initiated by (actor): approved to make changes to Identity Provider configuration? |

+| Identity Provider updated by non-approved actors | High | Azure AD Audit log| Activity: Update identity provider<br>Category: ResourceManagement<br>Target: User Principal Name | Monitor and alert on Identity Provider changes. Is Initiated by (actor): approved to make changes to Identity Provider configuration? |

+Identity Provider deleted by non-approved actors | Medium | | Activity: Delete identity provider<br>Category: ResourceManagement<br>Target: User Principal Name | Monitor and alert on Identity Provider changes. Is Initiated by (actor): approved to make changes to Identity Provider configuration? |

+## Next steps

+See these security operations guide articles:

+[Azure AD security operations overview](security-operations-introduction.md)

+[Security operations for user accounts](security-operations-user-accounts.md)

+[Security operations for privileged accounts](security-operations-privileged-accounts.md)

+[Security operations for Privileged Identity Management](security-operations-privileged-identity-management.md)

+[Security operations for applications](security-operations-applications.md)

+[Security operations for devices](security-operations-devices.md)

+[Security operations for infrastructure](security-operations-infrastructure.md)

+Devices aren't commonly targeted in identity-based attacks, but *can* be used to satisfy and trick security controls, or to impersonate users. Devices can have one of four relationships with Azure AD:

+* [Hybrid Azure AD joined](../devices/concept-azure-ad-join-hybrid.md)

+The log files you use for investigation and monitoring are:

+* [Microsoft 365 Audit logs](/microsoft-365/compliance/auditing-solutions-overview)

+* **[Microsoft Sentinel](../../sentinel/overview.md)** ΓÇô enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.

+* **[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)** - Sigma is an evolving open standard for writing rules and templates that automated management tools can use to parse log files. Where Sigma templates exist for our recommended search criteria, we've added a link to the Sigma repo. The Sigma templates aren't written, tested, and managed by Microsoft. Rather, the repo and templates are created and collected by the worldwide IT security community.

+* **[Azure Event Hubs](../../event-hubs/event-hubs-about.md) -integrated with a SIEM**- [Azure AD logs can be integrated to other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) such as Splunk, ArcSight, QRadar, and Sumo Logic via the Azure Event Hubs integration.

+* **[Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security)** ΓÇô enables you to discover and manage apps, govern across apps and resources, and check your cloud appsΓÇÖ compliance.

+Much of what you'll monitor and alert on are the effects of your Conditional Access policies. You can use the [Conditional Access insights and reporting workbook](../conditional-access/howto-conditional-access-insights-reporting.md) to examine the effects of one or more Conditional Access policies on your sign-ins, and the results of policies including device state. This workbook enables you to view a summary, and identify the effects over a specific time period. You can also use the workbook to investigate the sign-ins of a specific user.

+ The rest of this article describes what we recommend you monitor and alert on, and is organized by the type of threat. Where there are specific pre-built solutions we link to them or provide samples following the table. Otherwise, you can build alerts using the preceding tools.

+## Device registrations and joins outside policy

+Azure AD registered and Azure AD joined devices possess primary refresh tokens (PRTs), which are the equivalent of a single authentication factor. These devices can at times contain strong authentication claims. For more information on when PRTs contain strong authentication claims, see [When does a PRT get an MFA claim](../devices/concept-primary-refresh-token.md)? To keep bad actors from registering or joining devices, require multi-factor authentication (MFA) to register or join devices. Then monitor for any devices registered or joined without MFA. YouΓÇÖll also need to watch for changes to MFA settings and policies, and device compliance policies.

+| Device registration or join completed without MFA| Medium| Sign-in logs| Activity: successful authentication to Device Registration Service. <br>And<br>No MFA required| Alert when: Any device registered or joined without MFA<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuspiciousSignintoPrivilegedAccount.yaml)<br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Changes to the Device Registration MFA toggle in Azure AD| High| Audit log| Activity: Set device registration policies| Look for: The toggle being set to off. There isn't audit log entry. Schedule periodic checks.<br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Changes to Conditional Access policies requiring domain joined or compliant device.| High| Audit log| Changes to CA policies<br>| Alert when: Change to any policy requiring domain joined or compliant, changes to trusted locations, or accounts or devices added to MFA policy exceptions. |

+~~~

+ where ResourceDisplayName == "Device Registration Service"

+ where conditionalAccessStatus == "success"

+ where AuthenticationRequirement <> "multiFactorAuthentication"

+~~~

+## Non-compliant device sign-in

+It might not be possible to block access to all cloud and software-as-a-service applications with Conditional Access policies requiring compliant devices.

+[Mobile device management](/windows/client-management/mdm/) (MDM) helps you keep Windows 10 devices compliant. With Windows version 1809, we released a [security baseline](/windows/client-management/mdm/) of policies. Azure Active Directory can [integrate with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm) to enforce device compliance with corporate policies, and can report a deviceΓÇÖs compliance status.

+| Sign-ins by non-compliant devices| High| Sign-in logs| DeviceDetail.isCompliant == false| If requiring sign-in from compliant devices, alert when: any sign in by non-compliant devices, or any access without MFA or a trusted location.<p>If working toward requiring devices, monitor for suspicious sign-ins.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuccessfulSigninFromNon-CompliantDevice.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Sign-ins by unknown devices| Low| Sign-in logs| DeviceDetail is empty, single factor authentication, or from a non-trusted location| Look for: any access from out of compliance devices, any access without MFA or trusted location<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AnomolousSingleFactorSignin.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+Stale devices include devices that haven't signed in for a specified time period. Devices can become stale when a user gets a new device or loses a device, or when an Azure AD joined device is wiped or reprovisioned. Devices might also remain registered or joined when the user is no longer associated with the tenant. Stale devices should be removed so the primary refresh tokens (PRTs) cannot be used.

+| Key retrieval| Medium| Audit logs| OperationName == "Read BitLocker key"| Look for: key retrieval, other anomalous behavior by users retrieving keys.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AuditLogs/BitLockerKeyRetrieval.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Users added to global or device admin roles| High| Audit logs| Activity type = Add member to role.| Look for: new users added to these Azure AD roles, subsequent anomalous behavior by machines or users.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/4ad195f4fe6fdbc66fb8469120381e8277ebed81/Detections/AuditLogs/UserAddedtoAdminRole.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Non-Azure AD account signing in, especially over SSH| High| Local authentication logs| Ubuntu: <br>monitor /var/log/auth.log for SSH use<br>RedHat: <br>monitor /var/log/sssd/ for SSH use| Look for: entries [where non-Azure AD accounts are successfully connecting to VMs](../devices/howto-vm-sign-in-azure-ad-linux.md). See following example. |

+You can set policy for LINUX VM sign-ins, and detect and flag Linux VMs that have non-approved local accounts added. To learn more, see using [Azure Policy to ensure standards and assess compliance](../devices/howto-vm-sign-in-azure-ad-linux.md).

+| Non-Azure AD account sign-in, especially over RDP| High| Windows Server event logs| Interactive Login to Windows VM| Event 528, log-on type 10 (RemoteInteractive).<br>Shows when a user signs in over Terminal Services or Remote Desktop. |

+## Next steps

+[Security operations for consumer accounts](security-operations-consumer-accounts.md)

+* Policies

+Monitoring and alerting the components of your authentication infrastructure is critical. Any compromise can lead to a full compromise of the whole environment. Many enterprises that use Azure AD operate in a hybrid authentication environment. Cloud and on-premises components should be included in your monitoring and alerting strategy. Having a hybrid authentication environment also introduces another attack vector to your environment.

+We recommend all the components be considered Control Plane / Tier 0 assets, and the accounts used to manage them. Refer to [Securing privileged assets](/security/compass/overview) (SPA) for guidance on designing and implementing your environment. This guidance includes recommendations for each of the hybrid authentication components that could potentially be used for an Azure AD tenant.

+The log files you use for investigation and monitoring are:

+* [Microsoft 365 Audit logs](/microsoft-365/compliance/auditing-solutions-overview)

+From the Azure portal, you can view the Azure AD Audit logs and download as comma separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Azure AD logs with other tools that allow for greater automation of monitoring and alerting:

+* **[Microsoft Sentinel](../../sentinel/overview.md)** ΓÇô Enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.

+* **[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)** - Sigma is an evolving open standard for writing rules and templates that automated management tools can use to parse log files. Where Sigma templates exist for our recommended search criteria, we've added a link to the Sigma repo. The Sigma templates aren't written, tested, and managed by Microsoft. Rather, the repo and templates are created and collected by the worldwide IT security community.

+* **[Azure Monitor](../../azure-monitor/overview.md)** ΓÇô Enables automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources.

+* **[Azure Event Hubs](../../event-hubs/event-hubs-about.md)** integrated with a SIEM - [Azure AD logs can be integrated to other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) such as Splunk, ArcSight, QRadar and Sumo Logic via the Azure Event Hubs integration.

+* **[Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security)** ΓÇô Enables you to discover and manage apps, govern across apps and resources, and check your cloud appsΓÇÖ compliance.

+The remainder of this article describes what to monitor and alert on. It is organized by the type of threat. Where there are pre-built solutions, you'll find links to them, after the table. Otherwise, you can build alerts using the preceding tools.

+* [Microsoft Defender for Identity monitored domain activities](/defender-for-identity/monitored-activities) - This article provides a comprehensive list of activities to monitor and set alerts for.

+* [Understand and use Lateral Movement Paths with Microsoft Defender for Identity](/defender-for-identity/use-case-lateral-movement-path) - Detection techniques to help identify when non-sensitive accounts are used to gain access to sensitive network accounts.

+* [Working with security alerts in Microsoft Defender for Identity](/defender-for-identity/working-with-suspicious-activities) - This article describes how to review and manage alerts after they're logged.

+| Extranet lockout trends| High| Azure AD Connect Health| See, [Monitor AD FS using Azure AD Connect Health](../hybrid/how-to-connect-health-adfs.md) for tools and techniques to help detect extranet lock-out trends. |

+| In privacy compliant| Low| Azure AD Connect Health| Configure Azure AD Connect Health to disable data collections and monitoring using the [User privacy and Azure AD Connect Health](../hybrid/reference-connect-health-user-privacy.md) article. |

+### Pass-through authentication monitoring

+Azure Active Directory (Azure AD) Pass-through Authentication signs users in by validating their passwords directly against on-premises Active Directory.

+| Azure AD pass-through authentication errors|Medium | Application and Service Logs\Microsoft\AzureAdConnect\AuthenticationAgent\Admin| AADSTS80001 ΓÇô Unable to connect to Active Directory| Ensure that agent servers are members of the same AD forest as the users whose passwords need to be validated and they can connect to Active Directory. |

+| Azure AD pass-through authentication errors| Medium| Application and Service Logs\Microsoft\AzureAdConnect\AuthenticationAgent\Admin| AADSTS8002 - A timeout occurred connecting to Active Directory| Check to ensure that Active Directory is available and is responding to requests from the agents. |

+| Azure AD pass-through authentication errors|Medium | Application and Service Logs\Microsoft\AzureAdConnect\AuthenticationAgent\Admin| AADSTS80004 - The username passed to the agent was not valid| Ensure the user is attempting to sign in with the right username. |

+| Azure AD pass-through authentication errors|Medium | Application and Service Logs\Microsoft\AzureAdConnect\AuthenticationAgent\Admin| AADSTS80005 - Validation encountered unpredictable WebException| A transient error. Retry the request. If it continues to fail, contact Microsoft support. |

+| Azure AD pass-through authentication errors| Medium| Application and Service Logs\Microsoft\AzureAdConnect\AuthenticationAgent\Admin| AADSTS80007 - An error occurred communicating with Active Directory| Check the agent logs for more information and verify that Active Directory is operating as expected. |

+| Azure AD pass-through authentication errors|High | Win32 LogonUserA function API| Log on events 4624(s): An account was successfully logged on<br>- correlate with ΓÇô<br>4625(F): An account failed to log on| Use with the suspected usernames on the domain controller that is authenticating requests. Guidance at [LogonUserA function (winbase.h)](/windows/win32/api/winbase/nf-winbase-logonusera) |

+| Azure AD pass-through authentication errors| Medium| PowerShell script of domain controller| See the query after the table. | Use the information at [Azure AD Connect: Troubleshoot Pass-through Authentication](../hybrid/tshoot-connect-pass-through-authentication.md)for guidance. |

+## Monitoring for creation of new Azure AD tenants

+Organizations might need to monitor for and alert on the creation of new Azure AD tenants when the action is initiated by identities from their organizational tenant. Monitoring for this scenario provides visibility on how many tenants are being created and could be accessed by end users.

+| What to monitor| Risk level| Where| Filter/sub-filter| Notes |

+| - | - | - | - | - |

+| Creation of a new Azure AD tenant, using an identity from your tenant. | Medium | Azure AD Audit logs | Category: Directory Management<br><br>Activity: Create Company | Target(s) shows the created TenantID |

+Azure AD and Azure AD Application Proxy give remote users a single sign-on (SSO) experience. Users securely connect to on-premises apps without a virtual private network (VPN) or dual-homed servers and firewall rules. If your Azure AD Application Proxy connector server is compromised, attackers could alter the SSO experience or change access to published applications.

+To configure monitoring for Application Proxy, see [Troubleshoot Application Proxy problems and error messages](../app-proxy/application-proxy-troubleshoot.md). The data file that logs information can be found in Applications and Services Logs\Microsoft\AadApplicationProxy\Connector\Admin. For a complete reference guide to audit activity, see [Azure AD audit activity reference](../reports-monitoring/reference-audit-activities.md). Specific things to monitor:

+| Pass-the-ticket like attacks| High| | | Follow guidance in:<br>[Security principal reconnaissance (LDAP) (external ID 2038)](/defender-for-identity/reconnaissance-alerts)<br>[Tutorial: Compromised credential alerts](/defender-for-identity/compromised-credentials-alerts)<br>[Understand and use Lateral Movement Paths with Microsoft Defender for Identity](/defender-for-identity/use-case-lateral-movement-path)<br>[Understanding entity profiles](/defender-for-identity/entity-profiles) |

+For multifactor authentication (MFA) to be effective, you also need to block legacy authentication. You then need to monitor your environment and alert on any use of legacy authentication. Legacy authentication protocols like POP, SMTP, IMAP, and MAPI canΓÇÖt enforce MFA. This makes these protocols the preferred entry points for attackers. For more information on tools that you can use to block legacy authentication, see [New tools to block legacy authentication in your organization](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302).

+| Legacy authentications|High | Azure AD Sign-ins log| ClientApp : POP<br>ClientApp : IMAP<br>ClientApp : MAPI<br>ClientApp: SMTP<br>ClientApp : ActiveSync go to EXO<br>Other Clients = SharePoint and EWS| In federated domain environments, failed authentications aren't recorded and don't appear in the log. |

+* [Synchronization](../hybrid/how-to-connect-sync-whatis.md) - Responsible for creating users, groups, and other objects. And, making sure identity information for your on-premises users and groups matches the cloud. This synchronization also includes password hashes.

+Synchronizing identity between your on-premises environment and your cloud environment introduces a new attack surface for your on-premises and cloud-based environment. We recommend:

+* You treat your Azure AD Connect primary and staging servers as Tier 0 Systems in your control plane.

+* You install Azure AD Connect and Connect Health. These primarily provide operational data for the environment.

+* For Microsoft Sentinel, see [Connect to Windows servers to collect security events](/sql/relational-databases/security/auditing/sql-server-audit-records).

+ One function of Azure AD Connect is to synchronize hash synchronization between a userΓÇÖs on-premises password and Azure AD. If passwords aren't synchronizing as expected, the synchronization might affect a subset of users or all users. Use the following to help verify proper operation or troubleshoot issues:

+* Information for checking and troubleshooting hash synchronization, see [Troubleshoot password hash synchronization with Azure AD Connect sync](../hybrid/tshoot-connect-password-hash-synchronization.md).

+* Modifications to the connector spaces, see [Troubleshoot Azure AD Connect objects and attributes](/troubleshoot/azure/active-directory/troubleshoot-aad-connect-objects-attributes).

+| Modifications to rules you configured| Monitor changes to: filtering, domain and OU, attribute, and group-based changes |

+**Monitor the following**:

+* For more information on logging PowerShell script operations, see [Enabling Script Block Logging](/powershell/module/microsoft.powershell.core/about/about_logging_windows), which is part of the PowerShell reference documentation.

+Azure Active Directory (Azure AD) Seamless Single Sign-On (Seamless SSO) automatically signs in users when they are on their corporate desktops that are connected to your corporate network. Seamless SSO provides your users with easy access to your cloud-based applications without other on-premises components. SSO uses the pass-through authentication and password hash synchronization capabilities provided by Azure AD Connect.

+If you deploy Azure AD Password Protection, monitoring and reporting are essential tasks. The following links provide details to help you understand various monitoring techniques, including where each service logs information and how to report on the use of Azure AD Password Protection.

+The domain controller (DC) agent and proxy services both log event log messages. All PowerShell cmdlets described below are only available on the proxy server (see the AzureADPasswordProtection PowerShell module). The DC agent software doesn't install a PowerShell module.

+Complete reference for Azure AD audit activities is available at [Azure Active Directory (Azure AD) audit activity reference](../reports-monitoring/reference-audit-activities.md).

+In Azure AD, you can protect access to your resources by configuring Conditional Access policies. As an IT administrator, you want to ensure your Conditional Access policies work as expected to ensure that your resources are protected. Monitoring and alerting on changes to the Conditional Access service ensures policies defined by your organization for access to data are enforced. Azure AD logs when changes are made to Conditional Access and also provides workbooks to ensure your policies are providing the expected coverage.

+| New Conditional Access Policy created by non-approved actors|Medium | Azure AD Audit logs|Activity: Add conditional access policy<br><br>Category: Policy<br><br>Initiated by (actor): User Principal Name | Monitor and alert on Conditional Access changes. Is Initiated by (actor): approved to make changes to Conditional Access?<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ConditionalAccessPolicyModifiedbyNewUser.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|

+|Conditional Access Policy removed by non-approved actors|Medium|Azure AD Audit logs|Activity: Delete conditional access policy<br><br>Category: Policy<br><br>Initiated by (actor): User Principal Name|Monitor and alert on Conditional Access changes. Is Initiated by (actor): approved to make changes to Conditional Access?<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ConditionalAccessPolicyModifiedbyNewUser.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+|Conditional Access Policy updated by non-approved actors|Medium|Azure AD Audit logs|Activity: Update conditional access policy<br><br>Category: Policy<br><br>Initiated by (actor): User Principal Name|Monitor and alert on Conditional Access changes. Is Initiated by (actor): approved to make changes to Conditional Access?<br><br>Review Modified Properties and compare ΓÇ£oldΓÇ¥ vs ΓÇ£newΓÇ¥ value<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ConditionalAccessPolicyModifiedbyNewUser.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+|Removal of a user from a group used to scope critical Conditional Access policies|Medium|Azure AD Audit logs|Activity: Remove member from group<br><br>Category: GroupManagement<br><br>Target: User Principal Name|Montior and Alert for groups used to scope critical Conditional Access Policies.<br><br>"Target" is the user that has been removed.<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|

+|Addition of a user to a group used to scope critical Conditional Access policies|Low|Azure AD Audit logs|Activity: Add member to group<br><br>Category: GroupManagement<br><br>Target: User Principal Name|Montior and Alert for groups used to scope critical Conditional Access Policies.<br><br>"Target" is the user that has been added.<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|

+[Security operations for consumer accounts](security-operations-consumer-accounts.md)

+The Azure AD SecOps Guide is intended for enterprise IT identity and security operations teams and managed service providers that need to counter threats through better identity security configuration and monitoring profiles. This guide is especially relevant for IT administrators and identity architects advising Security Operations Center (SOC) defensive and penetration testing teams to improve and maintain their identity security posture.

+* **[Microsoft Sentinel](../../sentinel/overview.md)** - Enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.

+* **[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)** - Sigma is an evolving open standard for writing rules and templates that automated management tools can use to parse log files. Where Sigma templates exist for our recommended search criteria, we have added a link to the Sigma repo. The Sigma templates are not written, tested, and managed by Microsoft. Rather, the repo and templates are created and collected by the worldwide IT security community.

+* **[Azure Monitor](../../azure-monitor/overview.md)** - Enables automated monitoring and alerting of various conditions. Can create or use workbooks to combine data from different sources.

+* **[Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security)** - Enables you to discover and manage apps, govern across apps and resources, and check the compliance of your cloud apps.

+* **[Securing workload identities with Identity Protection Preview](../identity-protection/concept-workload-identity-risk.md)** - Used to detect risk on workload identities across sign-in behavior and offline indicators of compromise.

+* **PTA Agent** - The pass-through authentication agent is used to enable pass-through authentication and is installed on-premises. See [Azure AD Pass-through Authentication agent: Version release history](../hybrid/reference-connect-pta-version-history.md) for information on verifying your agent version and next steps.

+* **AD FS/WAP** - Azure Active Directory Federation Services (Azure AD FS) and Web Application Proxy (WAP) enable secure sharing of digital identity and entitlement rights across your security and enterprise boundaries. For information on security best practices, see [Best practices for securing Active Directory Federation Services](/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs).

+* **Azure AD Connect Health Agent** - The agent used to provide a communications link for Azure AD Connect Health. For information on installing the agent, see [Azure AD Connect Health agent installation](../hybrid/how-to-connect-health-agent-install.md).

+* **Azure AD Connect Sync Engine** - The on-premises component, also called the sync engine. For information on the feature, see [Azure AD Connect sync service features](../hybrid/how-to-connect-syncservice-features.md).

+* **Password Protection DC agent** - Azure password protection DC agent is used to help with monitoring and reporting event log messages. For information, see [Enforce on-premises Azure AD Password Protection for Active Directory Domain Services](../authentication/concept-password-ban-bad-on-premises.md).

+* **Password Filter DLL** - The password filter DLL of the DC Agent receives user password-validation requests from the operating system. The filter forwards them to the DC Agent service that's running locally on the DC. For information on using the DLL, see [Enforce on-premises Azure AD Password Protection for Active Directory Domain Services](../authentication/concept-password-ban-bad-on-premises.md).

+* **Password writeback Agent** - Password writeback is a feature enabled with [Azure AD Connect](../hybrid/whatis-hybrid-identity.md) that allows password changes in the cloud to be written back to an existing on-premises directory in real time. For more information on this feature, see [How does self-service password reset writeback work in Azure Active Directory](../authentication/concept-sspr-writeback.md).

+* **Azure AD Application Proxy Connector** - Lightweight agents that sit on-premises and facilitate the outbound connection to the Application Proxy service. For more information, see [Understand Azure ADF Application Proxy connectors](../app-proxy/application-proxy-connectors.md).

+* **Azure AD Application Proxy** - This cloud service provides secure remote access to on-premises web applications. For more information, see [Remote access to on-premises applications through Azure AD Application Proxy](../app-proxy/application-proxy-connectors.md).

+* **Azure AD Connect** - Services used for an Azure AD Connect solution. For more information, see [What is Azure AD Connect](../hybrid/whatis-azure-ad-connect.md).

+* **Azure AD Connect Health** - Service Health provides you with a customizable dashboard that tracks the health of your Azure services in the regions where you use them. For more information, see [Azure AD Connect Health](../hybrid/whatis-azure-ad-connect.md).

+* **Azure AD multifactor authentication** - Multifactor authentication requires a user to provide more than one form of proof for authentication. This approach can provide a proactive first step to securing your environment. For more information, see [Azure AD multi-factor authentication](../authentication/concept-mfa-howitworks.md).

+* **Dynamic groups** - Dynamic configuration of security group membership for Azure AD Administrators can set rules to populate groups that are created in Azure AD based on user attributes. For more information, see [Dynamic groups and Azure Active Directory B2B collaboration](../external-identities/use-dynamic-groups.md).

+* **Conditional Access** - Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity driven control plane. For more information, see [What is Conditional Access](../conditional-access/overview.md).

+* **Identity Protection** - A tool that enables organizations to automate the detection and remediation of identity-based risks, investigate risks using data in the portal, and export risk detection data to your SIEM. For more information, see [What is Identity Protection](../identity-protection/overview-identity-protection.md).

+* **Group-based licensing** - Licenses can be assigned to groups rather than directly to users. Azure AD stores information about license assignment states for users.

+* **Provisioning Service** - Provisioning refers to creating user identities and roles in the cloud applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. For more information, see [How Application Provisioning works in Azure Active Directory](../app-provisioning/how-provisioning-works.md).

+* **Graph API** - The Microsoft Graph API is a RESTful web API that enables you to access Microsoft Cloud service resources. After you register your app and get authentication tokens for a user or service, you can make requests to the Microsoft Graph API. For more information, see [Overview of Microsoft Graph](/graph/overview).

+* **Domain Service** - Azure Active Directory Domain Services (AD DS) provides managed domain services such as domain join, group policy. For more information, see [What is Azure Active Directory Domain Services](../../active-directory-domain-services/overview.md).

+* **Azure Resource Manager** - Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account. For more information, see [What is Azure Resource Manager](../../azure-resource-manager/management/overview.md).

+* **Managed identity** - Managed identities eliminate the need for developers to manage credentials. Managed identities provide an identity for applications to use when connecting to resources that support Azure AD authentication. For more information, see [What are managed identities for Azure resources](../managed-identities-azure-resources/overview.md).

+* **Privileged Identity Management** - PIM is a service in Azure AD that enables you to manage, control, and monitor access to important resources in your organization. For more information, see [What is Azure AD Privileged Identity Management](../privileged-identity-management/pim-configure.md).

+* **Access reviews** - Azure AD access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. User's access can be reviewed regularly to make sure only the right people have continued access. For more information, see [What are Azure AD access reviews](../governance/access-reviews-overview.md).

+* **Entitlement management** - Azure AD entitlement management is an [identity governance](../governance/identity-governance-overview.md) feature. Organizations can manage identity and access lifecycle at scale, by automating access request workflows, access assignments, reviews, and expiration. For more information, see [What is Azure AD entitlement management](../governance/entitlement-management-overview.md).

+* **Activity logs** - The Activity log is an Azure [platform log](../../azure-monitor/essentials/platform-logs-overview.md) that provides insight into subscription-level events. This log includes such information as when a resource is modified or when a virtual machine is started. For more information, see [Azure Activity log](../../azure-monitor/essentials/activity-log.md).

+* **Self-service password reset service** - Azure AD self-service password reset (SSPR) gives users the ability to change or reset their password. The administrator or help desk isn't required. For more information, see [How it works: Azure AD self-service password reset](../authentication/concept-sspr-howitworks.md).

+* **Device services** - Device identity management is the foundation for [device-based Conditional Access](../conditional-access/require-managed-devices.md). With device-based Conditional Access policies, you can ensure that access to resources in your environment is only possible with managed devices. For more information, see [What is a device identity](../devices/overview.md).

+* **Self-service group management** - You can enable users to create and manage their own security groups or Microsoft 365 groups in Azure AD. The owner of the group can approve or deny membership requests and can delegate control of group membership. Self-service group management features aren't available for mail-enabled security groups or distribution lists. For more information, see [Set up self-service group management in Azure Active Directory](../enterprise-users/groups-self-service-management.md).

+* **Risk detections** - Contains information about other risks triggered when a risk is detected and other pertinent information such as sign-in location and any details from Microsoft Defender for Cloud Apps.

+[Security operations for user accounts](security-operations-user-accounts.md)

+[Security operations for consumer accounts](security-operations-consumer-accounts.md)

+[Security operations for privileged accounts](security-operations-privileged-accounts.md)

+[Security operations for Privileged Identity Management](security-operations-privileged-identity-management.md)

+[Security operations for applications](security-operations-applications.md)

+[Security operations for devices](security-operations-devices.md)

+[Security operations for infrastructure](security-operations-infrastructure.md)

+* **[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)** - Sigma is an evolving open standard for writing rules and templates that automated management tools can use to parse log files. Where Sigma templates exist for our recommended search criteria, we have added a link to the Sigma repo. The Sigma templates are not written, tested, and managed by Microsoft. Rather, the repo and templates are created and collected by the worldwide IT security community.

+

+

+| Sign-in failure, bad password threshold | High | Azure AD Sign-ins log | Status = Failure<br>-and-<br>error code = 50126 | Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/PrivilegedAccountsSigninFailureSpikes.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Failure because of Conditional Access requirement |High | Azure AD Sign-ins log | Status = Failure<br>-and-<br>error code = 53003<br>-and-<br>Failure reason = Blocked by Conditional Access | This event can be an indication an attacker is trying to get into the account.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/UserAccounts-CABlockedSigninSpikes.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Interrupt | High, medium | Azure AD Sign-ins | Status = Interrupted<br>-and-<br>error code = 50074<br>-and-<br>Failure reason = Strong auth required<br>Status = Interrupted<br>-and-<br>Error code = 500121<br>Failure reason = Authentication failed during strong authentication request | This event can be an indication an attacker has the password for the account but can't pass the multi-factor authentication challenge.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AADPrivilegedAccountsFailedMFA.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Discover privileged accounts not registered for multi-factor authentication | High | Microsoft Graph API| Query for IsMFARegistered eq false for admin accounts. [List credentialUserRegistrationDetails - Microsoft Graph beta](/graph/api/reportroot-list-credentialuserregistrationdetails?view=graph-rest-beta&preserve-view=true&tabs=http) | Audit and investigate to determine if the event is intentional or an oversight. |

+| Account lockout | High | Azure AD Sign-ins log | Status = Failure<br>-and-<br>error code = 50053 | Define a baseline threshold, and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PrivilegedAccountsLockedOut.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Account disabled or blocked for sign-ins | Low | Azure AD Sign-ins log | Status = Failure<br>-and-<br>Target = User UPN<br>-and-<br>error code = 50057 | This event could indicate someone is trying to gain access to an account after they've left the organization. Although the account is blocked, it's still important to log and alert on this activity.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-BlockedAccounts.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| MFA fraud alert or block | High | Azure AD Sign-ins log/Azure Log Analytics | Sign-ins>Authentication details Result details = MFA denied, fraud code entered | Privileged user has indicated they haven't instigated the multi-factor authentication prompt, which could indicate an attacker has the password for the account.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/MFARejectedbyUser.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| MFA fraud alert or block | High | Azure AD Audit log log/Azure Log Analytics | Activity type = Fraud reported - User is blocked for MFA or fraud reported - No action taken (based on tenant-level settings for fraud report) | Privileged user has indicated they haven't instigated the multi-factor authentication prompt, which could indicate an attacker has the password for the account.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/MFARejectedbyUser.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Privileged account sign-ins outside of expected controls | | Azure AD Sign-ins log | Status = Failure<br>UserPricipalName = \<Admin account\><br>Location = \<unapproved location\><br>IP address = \<unapproved IP\><br>Device info = \<unapproved Browser, Operating System\> | Monitor and alert on any entries that you've defined as unapproved.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuspiciousSignintoPrivilegedAccount.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Outside of normal sign-in times | High | Azure AD Sign-ins log | Status = Success<br>-and-<br>Location =<br>-and-<br>Time = Outside of working hours | Monitor and alert if sign-ins occur outside of expected times. It's important to find the normal working pattern for each privileged account and to alert if there are unplanned changes outside of normal working times. Sign-ins outside of normal working hours could indicate compromise or possible insider threats.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AnomolousSignInsBasedonTime.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Password change | High | Azure AD Audit logs | Activity actor = Admin/self-service<br>-and-<br>Target = User<br>-and-<br>Status = Success or failure | Alert on any admin account password changes, especially for global admins, user admins, subscription admins, and emergency access accounts. Write a query targeted at all privileged accounts.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/PrivilegedAccountPasswordChanges.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Change in legacy authentication protocol | High | Azure AD Sign-ins log | Client App = Other client, IMAP, POP3, MAPI, SMTP, and so on<br>-and-<br>Username = UPN<br>-and-<br>Application = Exchange (example) | Many attacks use legacy authentication, so if there's a change in auth protocol for the user, it could be an indication of an attack.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/17ead56ae30b1a8e46bb0f95a458bdeb2d30ba9b/Hunting%20Queries/SigninLogs/LegacyAuthAttempt.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| New device or location | High | Azure AD Sign-ins log | Device info = Device ID<br>-and-<br>Browser<br>-and-<br>OS<br>-and-<br>Compliant/Managed<br>-and-<br>Target = User<br>-and-<br>Location | Most admin activity should be from [privileged access devices](/security/compass/privileged-access-devices), from a limited number of locations. For this reason, alert on new devices or locations.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SuspiciousSignintoPrivilegedAccount.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Audit alert setting is changed | High | Azure AD Audit logs | Service = PIM<br>-and-<br>Category = Role management<br>-and-<br>Activity = Disable PIM alert<br>-and-<br>Status = Success | Changes to a core alert should be alerted if unexpected.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/DetectPIMAlertDisablingActivity.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Administrators authenticating to other Azure AD tenants| Medium| Azure AD Sign-ins log| Status = success<br><br>Resource tenantID != Home Tenant ID| When scoped to Privileged Users, this monitor detects when an administrator has successfully authenticated to another Azure AD tenant with an identity in your organization's tenant. <br><br>Alert if Resource TenantID isn't equal to Home Tenant ID<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/AdministratorsAuthenticatingtoAnotherAzureADTenant.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+|Admin User state changed from Guest to Member|Medium|Azure AD Audit logs|Activity: Update user<br><br>Category: UserManagement<br><br>UserType changed from Guest to Member|Monitor and alert on change of user type from Guest to Member.<br><br> Was this change expected?<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserStatechangedfromGuesttoMember.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+|Guest users invited to tenant by non-approved inviters|Medium|Azure AD Audit logs|Activity: Invite external user<br><br>Category: UserManagement<br><br>Initiated by (actor): User Principal Name|Monitor and alert on non-approved actors inviting external users.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| What to monitor | Risk level | Where | Filter/subfilter | Notes |

+| - | - | - | - | - |

+| Attempted and completed changes | High | Azure AD Audit logs | Date and time<br>-and-<br>Service<br>-and-<br>Category and name of the activity (what)<br>-and-<br>Status = Success or failure<br>-and-<br>Target<br>-and-<br>Initiator or actor (who) | Any unplanned changes should be alerted on immediately. These logs should be retained to help with any investigation. Any tenant-level changes should be investigated immediately (link out to Infra doc) that would lower the security posture of your tenant. An example is excluding accounts from multifactor authentication or Conditional Access. Alert on any additions or changes to applications. See [Azure Active Directory security operations guide for Applications](security-operations-applications.md). |

+| **Example**<br>Attempted or completed change to high-value apps or services | High | Audit log | Service<br>-and-<br>Category and name of the activity | Date and time, Service, Category and name of the activity, Status = Success or failure, Target, Initiator or actor (who) |

+| Privileged changes in Azure AD Domain Services | High | Azure AD Domain Services | Look for event [4673](/windows/security/threat-protection/auditing/event-4673) | [Enable security audits for Azure Active Directory Domain Services](../../active-directory-domain-services/security-audit-events.md)<br>For a list of all privileged events, see [Audit Sensitive Privilege use](/windows/security/threat-protection/auditing/audit-sensitive-privilege-use). |

+| Privileged account creation| Medium| Azure AD Audit logs| Service = Core Directory<br>-and-<br>Category = User management<br>-and-<br>Activity type = Add user<br>-correlate with-<br>Category type = Role management<br>-and-<br>Activity type = Add member to role<br>-and-<br>Modified properties = Role.DisplayName| Monitor creation of any privileged accounts. Look for correlation that's of a short time span between creation and deletion of accounts.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserAssignedPrivilegedRole.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Changes to authentication methods| High| Azure AD Audit logs| Service = Authentication Method<br>-and-<br>Activity type = User registered security information<br>-and-<br>Category = User management| This change could be an indication of an attacker adding an auth method to the account so they can have continued access.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AuthenticationMethodsChangedforPrivilegedAccount.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Alert on changes to privileged account permissions| High| Azure AD Audit logs| Category = Role management<br>-and-<br>Activity type = Add eligible member (permanent)<br>-or-<br>Activity type = Add eligible member (eligible)<br>-and-<br>Status = Success or failure<br>-and-<br>Modified properties = Role.DisplayName| This alert is especially for accounts being assigned roles that aren't known or are outside of their normal responsibilities.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/PrivilegedAccountPermissionsChanged.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Unused privileged accounts| Medium| Azure AD Access Reviews| | Perform a monthly review for inactive privileged user accounts.<br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Addition of a Temporary Access Pass to a privileged account| High| Azure AD Audit logs| Activity: Admin registered security info<br><br>Status Reason: Admin registered temporary access pass method for user<br><br>Category: UserManagement<br><br>Initiated by (actor): User Principal Name<br><br>Target: User Principal Name|Monitor and alert on a Temporary Access Pass being created for a privileged user.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/tree/master/Detections/AuditLogs/AdditionofaTemporaryAccessPasstoaPrivilegedAccount.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Added to eligible privileged role| High| Azure AD Audit Logs| Service = PIM<br>-and-<br>Category = Role managementΓÇï<br>-and-<br>Activity type = Add member to role completed (eligible)<br>-and-<br>Status = Success or failureΓÇï<br>-and-<br>Modified properties = Role.DisplayName| Any account eligible for a role is now being given privileged access. If the assignment is unexpected or into a role that isn't the responsibility of the account holder, investigate.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserAssignedPrivilegedRole.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Roles assigned out of PIM| High| Azure AD Audit Logs| Service = PIM<br>-and-<br>Category = Role managementΓÇï<br>-and-<br>Activity type = Add member to role (permanent)<br>-and-<br>Status = Success or failure<br>-and-<br>Modified properties = Role.DisplayName| These roles should be closely monitored and alerted. Users shouldn't be assigned roles outside of PIM where possible.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/PrivlegedRoleAssignedOutsidePIM.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Elevations| Medium| Azure AD Audit Logs| Service = PIM<br>-and-<br>Category = Role management<br>-and-<br>Activity type = Add member to role completed (PIM activation)<br>-and-<br>Status = Success or failure <br>-and-<br>Modified properties = Role.DisplayName| After a privileged account is elevated, it can now make changes that could affect the security of your tenant. All elevations should be logged and, if happening outside of the standard pattern for that user, should be alerted and investigated if not planned.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/tree/master/Detections/AuditLogs/AccountElevatedtoNewRole.yaml) |

+| Approvals and deny elevation| Low| Azure AD Audit Logs| Service = Access Review<br>-and-<br>Category = UserManagement<br>-and-<br>Activity type = Request approved or denied<br>-and-<br>Initiated actor = UPN| Monitor all elevations because it could give a clear indication of the timeline for an attack.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/PIMElevationRequestRejected.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Changes to PIM settings| High| Azure AD Audit Logs| Service = PIM<br>-and-<br>Category = Role management<br>-and-<br>Activity type = Update role setting in PIM<br>-and-<br>Status reason = MFA on activation disabled (example)| One of these actions could reduce the security of the PIM elevation and make it easier for attackers to acquire a privileged account.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/4ad195f4fe6fdbc66fb8469120381e8277ebed81/Detections/AuditLogs/ChangestoPIMSettings.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Elevation not occurring on SAW/PAW| High| Azure AD Sign In logs| Device ID <br>-and-<br>Browser<br>-and-<br>OS<br>-and-<br>Compliant/Managed<br>Correlate with:<br>Service = PIM<br>-and-<br>Category = Role management<br>-and-<br>Activity type = Add member to role completed (PIM activation)<br>-and-<br>Status = Success or failure<br>-and-<br>Modified properties = Role.DisplayName| If this change is configured, any attempt to elevate on a non-PAW/SAW device should be investigated immediately because it could indicate an attacker is trying to use the account.<br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+[Azure AD security operations overview](security-operations-introduction.md)

+[Security operations for user accounts](security-operations-user-accounts.md)

+[Security operations for consumer accounts](security-operations-consumer-accounts.md)

+[Security operations for Privileged Identity Management](security-operations-privileged-identity-management.md)

+[Security operations for applications](security-operations-applications.md)

+[Security operations for devices](security-operations-devices.md)

+[Security operations for infrastructure](security-operations-infrastructure.md)

+description: Establish baselines and use Azure AD Privileged Identity Management (PIM) to monitor and alert on issues with accounts governed by PIM.

+# Azure Active Directory security operations for Privileged Identity Management

+The security of business assets depends on the integrity of the privileged accounts that administer your IT systems. Cyber-attackers use credential theft attacks to target admin accounts and other privileged access accounts to try gaining access to sensitive data.

+For cloud services, prevention and response are the joint responsibilities of the cloud service provider and the customer.

+You're entirely responsible for all layers of security for your on-premises IT environment. When you use Azure cloud services, prevention and response are joint responsibilities of Microsoft as the cloud service provider and you as the customer.

+* For a wide range of videos, how-to guides, and content of key concepts for privileged identity, visit [Privileged Identity Management documentation](../privileged-identity-management/index.yml).

+Use this article provides guidance to set baselines, audit sign-ins, and usage of privileged accounts. Use the source audit log source to help maintain privileged account integrity.

+The log files you use for investigation and monitoring are:

+* [Microsoft 365 Audit logs](/microsoft-365/compliance/auditing-solutions-overview)

+In the Azure portal, view the Azure AD Audit logs and download them as comma-separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Azure AD logs with other tools to automate monitoring and alerting:

+* [**Microsoft Sentinel**](../../sentinel/overview.md) ΓÇô enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.

+* **[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)** - Sigma is an evolving open standard for writing rules and templates that automated management tools can use to parse log files. Where Sigma templates exist for our recommended search criteria, we've added a link to the Sigma repo. The Sigma templates aren't written, tested, and managed by Microsoft. Rather, the repo and templates are created and collected by the worldwide IT security community.

+* [**Azure Event Hubs**](../../event-hubs/event-hubs-about.md) **integrated with a SIEM**- [Azure AD logs can be integrated to other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) such as Splunk, ArcSight, QRadar, and Sumo Logic via the Azure Event Hubs integration.

+* [**Microsoft Defender for Cloud Apps**](/cloud-app-security/what-is-cloud-app-security) ΓÇô enables you to discover and manage apps, govern across apps and resources, and check your cloud appsΓÇÖ compliance.

+The rest of this article has recommendations to set a baseline to monitor and alert on, with a tier model. Links to pre-built solutions appear after the table. You can build alerts using the preceding tools. The content is organized into the following areas:

+* Azure AD role assignment

+| Azure AD roles assignment| High| Require justification for activation.Require approval to activate. Set two-level approver process. On activation, require Azure AD Multi-Factor Authentication (MFA). Set maximum elevation duration to 8 hrs.| Privileged Role Administration, Global Administrator| A privileged role administrator can customize PIM in their Azure AD organization, including changing the experience for users activating an eligible role assignment. |

+| Azure Resource Role Configuration| High| Require justification for activation. Require approval to activate. Set two-level approver process. On activation, require Azure AD Multi-Factor Authentication. Set maximum elevation duration to 8 hrs.| Owner, Resource Administrator, User Access, Administrator, Global Administrator, Security Administrator| Investigate immediately if not a planned change. This setting might enable attacker access to Azure subscriptions in your environment. |

+A privileged role administrator can customize PIM in their Azure AD organization, which includes changing the user experience of activating an eligible role assignment:

+* Prevent bad actor to remove Azure AD Multi-Factor Authentication requirements to activate privileged access.

+| Alert on Add changes to privileged account permissions| High| Azure AD Audit logs| Category = Role Management<br>-and-<br>Activity Type ΓÇô Add eligible member (permanent) <br>-and-<br>Activity Type ΓÇô Add eligible member (eligible) <br>-and-<br>Status = Success/failure<br>-and-<br>Modified properties = Role.DisplayName| Monitor and always alert for any changes to privileged role administrator and global administrator. This can be an indication an attacker is trying to gain privilege to modify role assignment settings. If you donΓÇÖt have a defined threshold, alert on 4 in 60 minutes for users and 2 in 60 minutes for privileged accounts.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserAddedtoAdminRole.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Alert on bulk deletion changes to privileged account permissions| High| Azure AD Audit logs| Category = Role Management<br>-and-<br>Activity Type ΓÇô Remove eligible member (permanent) <br>-and-<br>Activity Type ΓÇô Remove eligible member (eligible) <br>-and-<br>Status = Success/failure<br>-and-<br>Modified properties = Role.DisplayName| Investigate immediately if not a planned change. This setting could enable an attacker access to Azure subscriptions in your environment.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/BulkChangestoPrivilegedAccountPermissions.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Changes to PIM settings| High| Azure AD Audit Log| Service = PIM<br>-and-<br>Category = Role Management<br>-and-<br>Activity Type = Update role setting in PIM<br>-and-<br>Status Reason = MFA on activation disabled (example)| Monitor and always alert for any changes to Privileged Role Administrator and Global Administrator. This can be an indication an attacker has access to modify role assignment settings. One of these actions could reduce the security of the PIM elevation and make it easier for attackers to acquire a privileged account.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ChangestoPIMSettings.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Approvals and deny elevation| High| Azure AD Audit Log| Service = Access Review<br>-and-<br>Category = UserManagement<br>-and-<br>Activity Type = Request Approved/Denied<br>-and-<br>Initiated actor = UPN| All elevations should be monitored. Log all elevations to give a clear indication of timeline for an attack.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/PIMElevationRequestRejected.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Alert setting changes to disabled.| High| Azure AD Audit logs| Service =PIM<br>-and-<br>Category = Role Management<br>-and-<br>Activity Type = Disable PIM Alert<br>-and-<br>Status = Success /Failure| Always alert. Helps detect bad actor removing alerts associated with Azure AD Multi-Factor Authentication requirements to activate privileged access. Helps detect suspicious or unsafe activity.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/DetectPIMAlertDisablingActivity.yaml)<br><br>[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+For more information on identifying role setting changes in the Azure AD Audit log, see [View audit history for Azure AD roles in Privileged Identity Management](../privileged-identity-management/pim-how-to-use-audit-log.md).

+Monitoring Azure resource role assignments allows visibility into activity and activations for resources roles. These assignments might be misused to create an attack surface to a resource. As you monitor for this type of activity, you're trying to detect:

+| Audit Alert Resource Audit log for Privileged account activities| High| In PIM, under Azure Resources, Resource Audit| Action: Add eligible member to role in PIM completed (time bound) <br>-and-<br>Primary Target <br>-and-<br>Type User<br>-and-<br>Status = Succeeded<br>| Always alert. Helps detect bad actor adding eligible roles to manage all resources in Azure. |

+| Audit Alert Resource Audit for Disable Alert| Medium| In PIM, under Azure Resources, Resource Audit| Action: Disable Alert<br>-and-<br>Primary Target: Too many owners assigned to a resource<br>-and-<br>Status = Succeeded| Helps detect bad actor disabling alerts, in the Alerts pane, which can bypass malicious activity being investigated |

+| Audit Alert Resource Audit for Disable Alert| Medium| In PIM, under Azure Resources, Resource Audit| Action: Disable Alert<br>-and-<br>Primary Target: Too many permanent owners assigned to a resource<br>-and-<br>Status = Succeeded| Prevent bad actor from disable alerts, in the Alerts pane, which can bypass malicious activity being investigated |

+| Audit Alert Resource Audit for Disable Alert| Medium| In PIM, under Azure Resources, Resource Audit| Action: Disable Alert<br>-and-<br>Primary Target Duplicate role created<br>-and-<br>Status = Succeeded| Prevent bad actor from disable alerts, from the Alerts pane, which can bypass malicious activity being investigated |

+Users or group members assigned the Owner or User Access Administrator subscriptions roles, and Azure AD Global Administrators who enabled subscription management in Azure AD, have Resource Administrator permissions by default. The administrators assign roles, configure role settings, and review access using Privileged Identity Management (PIM) for Azure resources.

+A user who has Resource administrator permissions can manage PIM for Resources. Monitor for and mitigate this introduced risk: the capability can be used to allow bad actors privileged access to Azure subscription resources, such as virtual machines (VMs) or storage accounts.

+| Elevations| High| Azure AD, under Manage, Properties| Periodically review setting.<br>Access management for Azure resources| Global administrators can elevate by enabling Access management for Azure resources.<br>Verify bad actors haven't gained permissions to assign roles in all Azure subscriptions and management groups associated with Active Directory. |

+For more information, see [Assign Azure resource roles in Privileged Identity Management](../privileged-identity-management/pim-resource-roles-assign-roles.md)

+[Security operations for consumer accounts](security-operations-consumer-accounts.md)

+[Security operations for privileged accounts](security-operations-privileged-accounts.md)

+# Azure Active Directory security operations for user accounts

+User identity is one of the most important aspects of protecting your organization and data. This article provides guidance for monitoring account creation, deletion, and account usage. The first portion covers how to monitor for unusual account creation and deletion. The second portion covers how to monitor for unusual account usage.

+To discover anomalous behavior, you first must define what normal and expected behavior is. Defining what expected behavior for your organization is, helps you determine when unexpected behavior occurs. The definition also helps to reduce the noise level of false positives when monitoring and alerting.

+Once you define what you expect, you perform baseline monitoring to validate your expectations. With that information, you can monitor the logs for anything that falls outside of tolerances you define.

+ * Strategy and principles for tools and processes used for creating and managing user accounts. For example, are there standard attributes, formats that are applied to user account attributes.

+ * Strategy and alert parameters for accounts created, modified, or disabled by an account that isn't an approved user administrator.

+ * The types of accounts that are synchronized. For example, user accounts and or service accounts.

+ * The process to create and maintained an alert strategy for non-approved cloud-based accounts.

+The log files you use for investigation and monitoring are:

+* [Microsoft 365 Audit logs](/microsoft-365/compliance/auditing-solutions-overview)

+From the Azure portal, you can view the Azure AD Audit logs and download as comma separated value (CSV) or JavaScript Object Notation (JSON) files. The Azure portal has several ways to integrate Azure AD logs with other tools that allow for greater automation of monitoring and alerting:

+* **[Microsoft Sentinel](../../sentinel/overview.md)** ΓÇô enables intelligent security analytics at the enterprise level by providing security information and event management (SIEM) capabilities.

+* **[Sigma rule templates](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)** - Sigma is an evolving open standard for writing rules and templates that automated management tools can use to parse log files. Where Sigma templates exist for our recommended search criteria, we've added a link to the Sigma repo. The Sigma templates aren't written, tested, and managed by Microsoft. Rather, the repo and templates are created and collected by the worldwide IT security community.

+* **[Azure Event Hubs](../../event-hubs/event-hubs-about.md)** integrated with a SIEM - [Azure AD logs can be integrated to other SIEMs](../reports-monitoring/tutorial-azure-monitor-stream-logs-to-event-hub.md) such as Splunk, ArcSight, QRadar and Sumo Logic via the Azure Event Hubs integration.

+* **[Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security)** ΓÇô enables you to discover and manage apps, govern across apps and resources, and check your cloud apps' compliance.

+Much of what you will monitor and alert on are the effects of your Conditional Access policies. You can use the [Conditional Access insights and reporting workbook](../conditional-access/howto-conditional-access-insights-reporting.md) to examine the effects of one or more Conditional Access policies on your sign-ins, and the results of policies, including device state. This workbook enables you to view a summary, and identify the effects over a specific time period. You can also use the workbook to investigate the sign-ins of a specific user.

+ The remainder of this article describes what we recommend you monitor and alert on, and is organized by the type of threat. Where there are specific pre-built solutions we link to them or provide samples following the table. Otherwise, you can build alerts using the preceding tools.

+Short-lived account patterns might indicate non-approved people or processes might have the right to create and delete accounts that fall outside of established processes and policies. This type of behavior removes visible markers from the directory.

+If the data trail for account creation and deletion is not discovered quickly, the information required to investigate an incident may no longer exist. For example, accounts might be deleted and then purged from the recycle bin. Audit logs are retained for 30 days. However, you can export your logs to Azure Monitor or a security information and event management (SIEM) solution for longer term retention.

+|What to monitor|Risk Level|Where|Filter/sub-filter|Notes|

+||||||

+| Account creation and deletion events within a close time frame. | High | Azure AD Audit logs | Activity: Add user<br>Status = success<br>-and-<br>Activity: Delete user<br>Status = success<br> | Search for user principal name (UPN) events. Look for accounts created and then deleted in under 24 hours.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AccountCreatedandDeletedinShortTimeframe.yaml) |

+| Accounts created and deleted by non-approved users or processes. | Medium| Azure AD Audit logs | Initiated by (actor) ΓÇô USER PRINCIPAL NAME<br>-and-<br>Activity: Add user<br>Status = success<br>and-or<br>Activity: Delete user<br>Status = success | If the actors are non-approved users, configure to send an alert. <br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AccountCreatedDeletedByNonApprovedUser.yaml) |

+| Accounts from non-approved sources. | Medium | Azure AD Audit logs | Activity: Add user<br>Status = success<br>Target(s) = USER PRINCIPAL NAME | If the entry isn't from an approved domain or is a known blocked domain, configure to send an alert.<br> [Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Accountcreatedfromnon-approvedsources.yaml) |

+| Accounts assigned to a privileged role.| High | Azure AD Audit logs | Activity: Add user<br>Status = success<br>-and-<br>Activity: Delete user<br>Status = success<br>-and-<br>Activity: Add member to role<br>Status = success | If the account is assigned to an Azure AD role, Azure role, or privileged group membership, alert and prioritize the investigation.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserAssignedPrivilegedRole.yaml) |

+Both privileged and non-privileged accounts should be monitored and alerted. However, since privileged accounts have administrative permissions, they should have higher priority in your monitor, alert, and respond processes.

+User accounts not following naming policies might have been created outside of organizational policies.

+Frequently, user accounts have an attribute that identifies a real user. For example, EMPID = XXXNNN. Use the following suggestions to help define normal for your organization, and when defining a baseline for log entries when accounts don't follow your naming convention:

+* Accounts that don't follow the naming convention. For example, `nnnnnnn@contoso.com` versus `firstname.lastname@contoso.com`.

+* Accounts that don't have the standard attributes populated or aren't in the correct format. For example, not having a valid employee ID.

+| User accounts that don't have expected attributes defined.| Low| Azure AD Audit logs| Activity: Add user<br>Status = success| Look for accounts with your standard attributes either null or in the wrong format. For example, EmployeeID <br> [Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/Useraccountcreatedwithoutexpectedattributesdefined.yaml) |

+| User accounts created using incorrect naming format.| Low| Azure AD Audit logs| Activity: Add user<br>Status = success| Look for accounts with a UPN that does not follow your naming policy. <br> [Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserAccountCreatedUsingIncorrectNamingFormat.yaml) |

+| Privileged accounts that don't follow naming policy.| High| Azure Subscription| [List Azure role assignments using the Azure portal - Azure RBAC](../../role-based-access-control/role-assignments-list-portal.md)| List role assignments for subscriptions and alert where sign-in name does not match your organizations format. For example, ADM_ as a prefix. |

+| Privileged accounts that don't follow naming policy.| High| Azure AD directory| [List Azure AD role assignments](../roles/view-assignments.md)| List roles assignments for Azure AD roles alert where UPN doesn't match your organizations format. For example, ADM_ as a prefix. |

+* Azure AD Audit logs - [Parse text data in Azure Monitor Logs](../../azure-monitor/logs/parse-text.md)

+* Azure Subscriptions - [List Azure role assignments using Azure PowerShell](../../role-based-access-control/role-assignments-list-powershell.md)

+* Azure Active Directory - [List Azure AD role assignments](../roles/view-assignments.md)

+* User and privileged accounts might not be governed to adhere to organizational policies. This can lead to a wider attack surface on accounts that aren't managed correctly.

+* It becomes harder to detect when bad actors create accounts for malicious purposes. By having valid accounts created outside of established procedures, it becomes harder to detect when accounts are created, or permissions modified for malicious purposes.

+| User accounts created or deleted by non-approved users or processes.| Medium| Azure AD Audit logs| Activity: Add user<br>Status = success<br>and-or-<br>Activity: Delete user<br>Status = success<br>-and-<br>Initiated by (actor) = USER PRINCIPAL NAME| Alert on accounts created by non-approved users or processes. Prioritize accounts created with heightened privileges.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AccountCreatedDeletedByNonApprovedUser.yaml) |

+## Unusual sign-ins

+Seeing failures for user authentication is normal. But seeing patterns or blocks of failures can be an indicator that something is happening with a user's Identity. For example, during Password spray or Brute Force attacks, or when a user account is compromised. It's critical that you monitor and alert when patterns emerge. This helps ensure you can protect the user and your organization's data.

+Success appears to say all is well. But it can mean that a bad actor has successfully accessed a service. Monitoring successful logins helps you detect user accounts that are gaining access but aren't user accounts that should have access. User authentication successes are normal entries in Azure AD Sign-Ins logs. We recommend you monitor and alert to detect when patterns emerge. This helps ensure you can protect user accounts and your organization's data.

+As you design and operationalize a log monitoring and alerting strategy, consider the tools available to you through the Azure portal. Identity Protection enables you to automate the detection, protection, and remediation of identity-based risks. Identity protection uses intelligence-fed machine learning and heuristic systems to detect risk and assign a risk score for users and sign-ins. Customers can configure policies based on a risk level for when to allow or deny access or allow the user to securely self-remediate from a risk. The following Identity Protection risk detections inform risk levels today:

+For more information, visit [What is Identity Protection](../identity-protection/overview-identity-protection.md).

+* **Failed Authentications**: As humans we all get our passwords wrong from time to time. However, many failed authentications can indicate that a bad actor is trying to obtain access. Attacks differ in ferocity but can range from a few attempts per hour to a much higher rate. For example, Password Spray normally preys on easier passwords against many accounts, while Brute Force attempts many passwords against targeted accounts.

+* **Interrupted Authentications**: An Interrupt in Azure AD represents an injection of a process to satisfy authentication, such as when enforcing a control in a CA policy. This is a normal event and can happen when applications aren't configured correctly. But when you see many interrupts for a user account it could indicate something is happening with that account.

+ * For example, if you filtered on a user in Sign-in logs and see a large volume of sign in status = Interrupted and Conditional Access = Failure. Digging deeper it may show in authentication details that the password is correct, but that strong authentication is required. This could mean the user isn't completing multi-factor authentication (MFA) which could indicate the user's password is compromised and the bad actor is unable to fulfill MFA.

+* **Smart lock-out**: Azure AD provides a smart lock-out service which introduces the concept of familiar and non-familiar locations to the authentication process. A user account visiting a familiar location might authenticate successfully while a bad actor unfamiliar with the same location is blocked after several attempts. Look for accounts that have been locked out and investigate further.

+* **IP changes**: It is normal to see users originating from different IP addresses. However, Zero Trust states never trust and always verify. Seeing a large volume of IP addresses and failed sign-ins can be an indicator of intrusion. Look for a pattern of many failed authentications taking place from multiple IP addresses. Note, virtual private network (VPN) connections can cause false positives. Regardless of the challenges, we recommend you monitor for IP address changes and if possible, use Azure AD Identity Protection to automatically detect and mitigate these risks.

+* **Locations**: Generally, you expect a user account to be in the same geographical location. You also expect sign-ins from locations where you have employees or business relations. When the user account comes from a different international location in less time than it would take to travel there, it can indicate the user account is being abused. Note, VPNs can cause false positives, we recommend you monitor for user accounts signing in from geographically distant locations and if possible, use Azure AD Identity Protection to automatically detect and mitigate these risks.

+For this risk area, we recommend you monitor standard user accounts and privileged accounts but prioritize investigations of privileged accounts. Privileged accounts are the most important accounts in any Azure AD tenant. For specific guidance for privileged accounts, see Security operations ΓÇô privileged accounts.

+You use Azure Identity Protection and the Azure AD sign-in logs to help discover threats indicated by unusual sign-in characteristics. Information about Identity Protection is available at [What is Identity Protection](../identity-protection/overview-identity-protection.md). You can also replicate the data to Azure Monitor or a SIEM for monitoring and alerting purposes. To define normal for your environment and to set a baseline, determine:

+* the parameters you consider normal for your user base.

+* if legacy authentication is enabled and your roadmap for discontinuing usage.

+* Identify any other indicators for unusual sign-ins that are specific to your organization. For example days or times of the week or year that your organization doesn't operate.

+After you scope what normal is for the accounts in your environment, consider the following list to help determine scenarios you want to monitor and alert on, and to fine-tune your alerting.

+The following are listed in order of importance based on the effect and severity of the entries.

+| Users authenticating to other Azure AD tenants.| Low| Azure AD Sign-ins log| Status = success<br>Resource tenantID != Home Tenant ID| Detects when a user has successfully authenticated to another Azure AD tenant with an identity in your organization's tenant.<br>Alert if Resource TenantID isn't equal to Home Tenant ID <br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AuditLogs/UsersAuthenticatingtoOtherAzureADTenants.yaml) |

+|User state changed from Guest to Member|Medium|Azure AD Audit logs|Activity: Update user<br>Category: UserManagement<br>UserType changed from Guest to Member|Monitor and alert on change of user type from Guest to Member. Was this expected?<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserStatechangedfromGuesttoMember.yaml)

+|Guest users invited to tenant by non-approved inviters|Medium|Azure AD Audit logs|Activity: Invite external user<br>Category: UserManagement<br>Initiated by (actor): User Principal Name|Monitor and alert on non-approved actors inviting external users.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml)

+| Failed sign-in attempts.| Medium - if Isolated Incident<br>High - if many accounts are experiencing the same pattern or a VIP.| Azure AD Sign-ins log| Status = failed<br>-and-<br>Sign-in error code 50126 - <br>Error validating credentials due to invalid username or password.| Define a baseline threshold, and then monitor and adjust to suite your organizational behaviors and limit false alerts from being generated.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SpikeInFailedSignInAttempts.yaml) |

+| Smart lock-out events.| Medium - if Isolated Incident<br>High - if many accounts are experiencing the same pattern or a VIP.| Azure AD Sign-ins log| Status = failed<br>-and-<br>Sign-in error code = 50053 ΓÇô IdsLocked| Define a baseline threshold, and then monitor and adjust to suite your organizational behaviors and limit false alerts from being generated.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SmartLockouts.yaml) |

+| Interrupts| Medium - if Isolated Incident<br>High - if many accounts are experiencing the same pattern or a VIP.| Azure AD Sign-ins log| 500121, Authentication failed during strong authentication request. <br>-or-<br>50097, Device authentication is required or 50074, Strong Authentication is required. <br>-or-<br>50155, DeviceAuthenticationFailed<br>-or-<br>50158, ExternalSecurityChallenge - External security challenge wasn't satisfied<br>-or-<br>53003 and Failure reason = blocked by CA| Monitor and alert on interrupts.<br>Define a baseline threshold, and then monitor and adjust to suite your organizational behaviors and limit false alerts from being generated.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AADPrivilegedAccountsFailedMFA.yaml) |

+The following are listed in order of importance based on the effect and severity of the entries.

+| Multi-factor authentication (MFA) fraud alerts.| High| Azure AD Sign-ins log| Status = failed<br>-and-<br>Details = MFA Denied<br>| Monitor and alert on any entry.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/MFARejectedbyUser.yaml) |

+| Failed authentications from countries you don't operate out of.| Medium| Azure AD Sign-ins log| Location = \<unapproved location\>| Monitor and alert on any entries. <br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AuthenticationAttemptfromNewCountry.yaml) |

+| Failed authentications for legacy protocols or protocols that aren't used.| Medium| Azure AD Sign-ins log| Status = failure<br>-and-<br>Client app = Other Clients, POP, IMAP, MAPI, SMTP, ActiveSync| Monitor and alert on any entries.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/9bd30c2d4f6a2de17956cd11536a83adcbfc1757/Hunting%20Queries/SigninLogs/LegacyAuthAttempt.yaml) |

+| Failures blocked by CA.| Medium| Azure AD Sign-ins log| Error code = 53003 <br>-and-<br>Failure reason = blocked by CA| Monitor and alert on any entries.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/UserAccounts-CABlockedSigninSpikes.yaml) |

+| Increased failed authentications of any type.| Medium| Azure AD Sign-ins log| Capture increases in failures across the board. That is, the failure total for today is >10% on the same day, the previous week.| If you don't have a set threshold, monitor and alert if failures increase by 10% or greater.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/SpikeInFailedSignInAttempts.yaml) |

+| Authentication occurring at times and days of the week when countries don't conduct normal business operations.| Low| Azure AD Sign-ins log| Capture interactive authentication occurring outside of normal operating days\time. <br>Status = success<br>-and-<br>Location = \<location\><br>-and-<br>Day\Time = \<not normal working hours\>| Monitor and alert on any entries.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/AnomolousSignInsBasedonTime.yaml) |

+| Account disabled/blocked for sign-ins| Low| Azure AD Sign-ins log| Status = Failure<br>-and-<br>error code = 50057, The user account is disabled.| This could indicate someone is trying to gain access to an account once they have left an organization. Although the account is blocked, it is important to log and alert on this activity.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-BlockedAccounts.yaml) |

+| What to monitor| Risk Level| Where| Filter/sub-filter| Notes |

+| Authentications of privileged accounts outside of expected controls.| High| Azure AD Sign-ins log| Status = success<br>-and-<br>UserPricipalName = \<Admin account\><br>-and-<br>Location = \<unapproved location\><br>-and-<br>IP Address = \<unapproved IP\><br>Device Info= \<unapproved Browser, Operating System\><br>| Monitor and alert on successful authentication for privileged accounts outside of expected controls. Three common controls are listed. <br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AuthenticationsofPrivilegedAccountsOutsideofExpectedControls.yaml)<br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| When only single-factor authentication is required.| Low| Azure AD Sign-ins log| Status = success<br>Authentication requirement = Single-factor authentication| Monitor periodically and ensure expected behavior.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-NewSingleFactorAuth.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Successful authentications from countries your organization doesn't operate out of.| Medium| Azure AD Sign-ins log| Status = success<br>Location = \<unapproved country\>| Monitor and alert on any entries not equal to the city names you provide.<br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Successful authentication, session blocked by CA.| Medium| Azure AD Sign-ins log| Status = success<br>-and-<br>error code = 53003 ΓÇô Failure reason, blocked by CA| Monitor and investigate when authentication is successful, but session is blocked by CA.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/UserAccounts-CABlockedSigninSpikes.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Successful authentication after you have disabled legacy authentication.| Medium| Azure AD Sign-ins log| status = success <br>-and-<br>Client app = Other Clients, POP, IMAP, MAPI, SMTP, ActiveSync| If your organization has disabled legacy authentication, monitor and alert when successful legacy authentication has taken place.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/9bd30c2d4f6a2de17956cd11536a83adcbfc1757/Hunting%20Queries/SigninLogs/LegacyAuthAttempt.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+We recommend you periodically review authentications to medium business impact (MBI) and high business impact (HBI) applications where only single-factor authentication is required. For each, you want to determine if single-factor authentication was expected or not. In addition, review for successful authentication increases or at unexpected times, based on the location.

+| Authentications to MBI and HBI application using single-factor authentication.| Low| Azure AD Sign-ins log| status = success<br>-and-<br>Application ID = \<HBI app\> <br>-and-<br>Authentication requirement = single-factor authentication.| Review and validate this configuration is intentional.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-NewSingleFactorAuth.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Authentications at days and times of the week or year that countries do not conduct normal business operations.| Low| Azure AD Sign-ins log| Capture interactive authentication occurring outside of normal operating days\time. <br>Status = success<br>Location = \<location\><br>Date\Time = \<not normal working hours\>| Monitor and alert on authentications days and times of the week or year that countries do not conduct normal business operations.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccounts-UnusualLogonTimes.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+| Measurable increase of successful sign ins.| Low| Azure AD Sign-ins log| Capture increases in successful authentication across the board. That is, success totals for today are >10% on the same day, the previous week.| If you don't have a set threshold, monitor and alert if successful authentications increase by 10% or greater.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/UserAccountsMeasurableincreaseofsuccessfulsignins.yaml)<br><br>[Sigma rules template](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

+[Security operations for consumer accounts](security-operations-consumer-accounts.md)

+To view a list of user processing results using API via Microsoft Graph, see: [List userProcessingResults](/graph/api/identitygovernance-workflow-list-userprocessingresults)

+To view a summary of user processing results via API using Microsoft Graph, see: [userProcessingResult: summary](/graph/api/identitygovernance-userprocessingresult-summary)

+To view runs of a workflow via API using Microsoft Graph, see: [runs](/graph/api/resources/identitygovernance-run)

+To view run summary via API using Microsoft Graph, see: [run summary of a lifecycle workflow](/graph/api/identitygovernance-run-summary)

+To get user processing result for a run of a lifecycle workflow via API using Microsoft Graph, see: [Get userProcessingResult (for a run of a lifecycle workflow)](/graph/api/identitygovernance-userprocessingresult-get)

+To list task processing results for a user processing result via API using Microsoft Graph, see: [List taskProcessingResults (for a userProcessingResult)](/graph/api/identitygovernance-userprocessingresult-list-taskprocessingresults)

+To create a workflow using Microsoft Graph API, see [Create workflow (lifecycle workflow)](/graph/api/identitygovernance-lifecycleworkflowscontainer-post-workflows)

+To delete a workflow using API via Microsoft Graph, see: [Delete workflow (lifecycle workflow)](/graph/api/identitygovernance-workflow-delete?view=graph-rest-beta).

+To view

+To View a list of deleted workflows using API via Microsoft Graph, see: [List deleted workflows](/graph/api/identitygovernance-lifecycleworkflowscontainer-list-deleteditems).

+To permanently delete a workflow using API via Microsoft Graph, see: [Permanently delete a deleted workflow](/graph/api/identitygovernance-deleteditemcontainer-delete)

+To restore a deleted workflow using API via Microsoft Graph, see: [Restore a deleted workflow](/graph/api/identitygovernance-workflow-restore)

+* You can view the last 30 days of sign ins to an application in the [sign ins report](../reports-monitoring/howto-find-activity-reports.md#sign-ins-report) in the Azure portal, or via [Graph](/graph/api/signin-list?view=graph-rest-1.0&tabs=http&preserve-view=true).

+To update a workflow via API using Microsoft Graph, see: [Update workflow](/graph/api/identitygovernance-workflow-update)

+To create a new version of a workflow via API using Microsoft Graph, see: [workflow: createNewVersion](/graph/api/identitygovernance-workflow-createnewversion)

+To list workflow versions via API using Microsoft Graph, see: [List versions (of a lifecycle workflow)](/graph/api/identitygovernance-workflow-list-versions)

+To run a workflow on-demand using API via Microsoft Graph, see: [workflow: activate (run a workflow on-demand)](/graph/api/identitygovernance-workflow-activate).

+For more information about updating manager information for a user in Graph API, see [assign manager](/graph/api/user-post-manager?view=graph-rest-1.0&tabs=http&preserve-view=true) documentation. You can also set this attribute in the Azure Admin center. For more information, see [add or change profile information](/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal?context=azure/active-directory/users-groups-roles/context/ugr-context).

+- Disable Soft Matching on your tenant. Soft Matching is a great feature to help transfering source of autority for existing cloud only objects to Azure AD Connect, but it comes with certain security risks. If you do not require Soft Matching, you should disable it: [https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-syncservice-features#blocksoftmatch](how-to-connect-syncservice-features.md#blocksoftmatch)

+| Suspicious application | Offline | This detection indicates that Microsoft has identified an application that may be violating our terms of service, but has not disabled it. We recommend [conducting an investigation](https://go.microsoft.com/fwlink/?linkid=2208429) of the application.|

+| $filter | ```type eq 'microsoft.cognitiveservices/account' and contains(name, 'test')``` | An OData expression that allows you to filter any of the available fields: name, type, resourceGroup, subscriptionId, subscriptionDisplayName<br/><br/>The following operations are supported: ```and```, ```or```, ```eq``` and ```contains``` |

+- Confluence: 7.0.1 to 7.19.0

+1. The Name ID attribute in Azure AD can be mapped to any desired user attribute by editing the Attributes & Claims section.

+ > [!div class="mx-imgBorder"]

+ > 

+

+ a. After clicking on Edit, any desired user attribute can be mapped by clicking on Unique User Identifier (Name ID).

+

+ > [!div class="mx-imgBorder"]

+ > 

+

+ b. On the next screen, the desired attribute name like user.userprincipalname can be selected as an option from the Source Attribute dropdown menu.

+

+ > [!div class="mx-imgBorder"]

+ > 

+

+ c. The selection can then be saved by clicking on the Save button at the top.

+

+ > [!div class="mx-imgBorder"]

+ > 

+

+ d. Now, the user.userprincipalname attribute source in Azure AD is mapped to the Name ID attribute name in Azure AD which will be compared with the username attribute in Atlassian by the SSO plugin.

+

+ > [!div class="mx-imgBorder"]

+ > 

+

+ > [!NOTE]

+ > The SSO service provided by Microsoft Azure supports SAML authentication which is able to perform user identification using different attributes such as givenname (first name), surname (last name), email (email address), and user principal name (username). We recommend not to use email as an authentication attribute as email addresses are not always verified by Azure AD. The plugin compares the values of Atlassian username attribute with the NameID attribute in Azure AD in order to determine the valid user authentication.

+This tutorial describes the steps you need to perform in both Lucid (All Products) and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Lucid (All Products)](https://lucid.co/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).

+* Confluence: 7.0.1 to 7.19.0

+* Confluence: 7.0.1 to 7.19.0

+ "verifiableCredentialServicePrincipalId": "90e10a26-94cd-49d6-8cd7-cacb10f00686",

+ "verifiableCredentialRequestServicePrincipalId": "870e10a26-94cd-49d6-8cd7-cacb10f00fe",

+ "verifiableCredentialAdminServicePrincipalId": "760e10a26-94cd-49d6-8cd7-cacb10f00ab",

+- Ensure that you have the [global administrator](../../active-directory/roles/permissions-reference.md#global-administrator) or the [authentication policy administrator](../../active-directory/roles/permissions-reference.md#authentication-policy-administrator) permission for the directory you want to configure. If you're not the global administrator, you will need permission [application administrator](../../active-directory/roles/permissions-reference.md#application-administrator) to complete the app registration including granting admin consent.

+- Ensure that you have the [contributor](../../role-based-access-control/built-in-roles.md#contributor) role for the Azure subscription or the resource group that you will deploy Azure Key Vault in.

+1. Search for the **Verifiable Credentials Service Request** and **Verifiable Credentials Service** service principals, and select them.

+## Optimize virtual machine (VM) or virtual machine scale set (VMSS) spend by resizing or shutting down underutilized instances

+Although certain application scenarios can result in low utilization by design, you can often save money by managing the size and number of your virtual machines or virtual machine scale sets.

+Advisor uses machine-learning algorithms to identify low utilization and to identify the ideal recommendation to ensure optimal usage of virtual machines and virtual machine scale sets. The recommended actions are shut down or resize, specific to the resource being evaluated.

+Advisor identifies resources that haven't been used at all over the last 7 days and makes a recommendation to shut them down.

+- Recommendation criteria include **CPU** and **Outbound Network utilization** metrics. **Memory** isn't considered since we've found that **CPU** and **Outbound Network utilization** are sufficient.

+- Metrics are sampled every 30 seconds, aggregated to 1 min and then further aggregated to 30 mins (we take the max of average values while aggregating to 30 mins). On virtual machine scale sets, the metrics from individual virtual machines are aggregated using the average of the metrics across instances.

+Advisor recommends resizing virtual machines when it's possible to fit the current load on a more appropriate SKU, which is less expensive (based on retail rates). On virtual machine scale sets, Advisor recommends resizing when it's possible to fit the current load on a more appropriate cheaper SKU, or a lower number of instances of the same SKU.

+- Metrics are sampled every 30 seconds, aggregated to 1 minute and then further aggregated to 30 minutes (taking the max of average values while aggregating to 30 minutes). On virtual machine scale sets, the metrics from individual virtual machines are aggregated using the average of the metrics for instance count recommendations, and aggregated using the max of the metrics for SKU change recommendations.

+- An appropriate SKU (for virtual machines) or instance count (for virtual machine scale set resources) is determined based on the following criteria:

+ - Performance of the workloads on the new SKU shouldn't be impacted.

+ - The new SKU, if applicable, has the same Accelerated Networking and Premium Storage capabilities

+ - The new SKU, if applicable, is supported in the current region of the Virtual Machine with the recommendation

+ - The new SKU, if applicable, is less expensive

+ - Instance count recommendations also take into account if the virtual machine scale set is being managed by Service Fabric or AKS. For service fabric managed resources, recommendations take into account reliability and durability tiers.

+- Based on the best fit and the cheapest costs with no performance impacts, Advisor not only recommends smaller SKUs in the same family (for example D3v2 to D2v2), but also SKUs in a newer version (for example D3v2 to D2v3), or a different family (for example D3v2 to E3v2).

+- For virtual machine scale set resources, Advisor prioritizes instance count recommendations over SKU change recommendations because instance count changes are easily actionable, resulting in faster savings.

+A burstable SKU recommendation is made if:

+ - If the current SKU doesn't have accelerated networking enabled, since burstable SKUs don't support accelerated networking yet

+The resulting recommendation suggests that a user should resize their current virtual machine or virtual machine scale set to a burstable SKU with the same number of cores. This suggestion is made so a user can take advantage of lower cost and also the fact that the workload has low average utilization but high spikes in cases, which can be best served by the B-series SKU.

+Advisor shows the estimated cost savings for either recommended action: resize or shut down. For resize, Advisor provides current and target SKU/instance count information.

+To be more selective about the actioning on underutilized virtual machines or virtual machine scale sets, you can adjust the CPU utilization rule on a per-subscription basis.

+In some cases recommendations can't be adopted or might not be applicable, such as some of these common scenarios (there may be other cases):

+- Virtual machine or virtual machine scale set has been provisioned to accommodate upcoming traffic

+- Virtual machine or virtual machine scale set uses other resources not considered by the resize algo, such as metrics other than CPU, Memory and Network

+- Need to keep virtual machine or virtual machine scale set SKUs homogeneous

+- Virtual machine or virtual machine scale set being utilized for disaster recovery purposes

+In such cases, simply use the Dismiss/Postpone options associated with the recommendation.

+We're constantly working on improving these recommendations. Feel free to share feedback on [Advisor Forum](https://aka.ms/advisorfeedback).

+[**Shutdown/Resize your virtual machines**](advisor-cost-recommendations.md#optimize-virtual-machine-vm-or-virtual-machine-scale-set-vmss-spend-by-resizing-or-shutting-down-underutilized-instances) recommendation was enhanced to increase the quality, robustness, and applicability.

+Read the [How-to guide](advisor-cost-recommendations.md#optimize-virtual-machine-vm-or-virtual-machine-scale-set-vmss-spend-by-resizing-or-shutting-down-underutilized-instances) to learn more.

+SP_SECRET=$(az ad sp credential reset --id "$SP_ID" --query password -o tsv)

+[node-surge-upgrade]: upgrade-cluster.md#customize-node-surge-upgrade

+You need the Azure CLI version 2.0.61 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

+Azure NPM for Linux uses Linux *IPTables* and Azure NPM for Windows uses *Host Network Service (HNS) ACLPolicies* to enforce the specified policies. Policies are translated into sets of allowed and disallowed IP pairs. These pairs are then programmed as IPTable/HNS ACLPolicy filter rules.

+| Supported platforms | Linux, Windows Server 2022 | Linux, Windows Server 2019 and 2022 |

+## Limitations:

+Azure Network Policy Manager(NPM) doesn't support IPv6. Otherwise, Azure NPM fully supports the network policy spec in Linux.

+* In Windows, Azure NPM doesn't support the following:

+ * named ports

+ * SCTP protocol

+ * negative match label or namespace selectors (e.g. all labels except "debug=true")

+ * "except" CIDR blocks (a CIDR with exceptions)

+>[!NOTE]

+> * Azure NPM pod logs will record an error if an unsupported policy is created.

+### Create an AKS cluster with Azure NPM enabled - Linux only

+In this section, we'll work on creating a cluster with Linux node pools and Azure NPM enabled.

+### Create an AKS cluster with Azure NPM enabled - Windows Server 2022 (Preview)

+In this section, we'll work on creating a cluster with Windows node pools and Azure NPM enabled.

+Please execute the following commands prior to creating a cluster:

+```azurecli

+ az extension add --name aks-preview

+ az extension update --name aks-preview

+ az feature register --namespace Microsoft.ContainerService --name AKSWindows2022Preview

+ az feature register --namespace Microsoft.ContainerService --name WindowsNetworkPolicyPreview

+ az provider register -n Microsoft.ContainerService

+```

+> [!NOTE]

+> At this time, Azure NPM with Windows nodes is available on Windows Server 2022 only

+>

+Now, you should replace the values for *$RESOURCE_GROUP_NAME*, *$CLUSTER_NAME* and *$WINDOWS_USERNAME* variables.

+```azurecli-interactive

+$RESOURCE_GROUP_NAME=myResourceGroup-NP

+$CLUSTER_NAME=myAKSCluster

+$WINDOWS_USERNAME=myWindowsUserName

+$LOCATION=canadaeast

+```

+Create a username to use as administrator credentials for your Windows Server containers on your cluster. The following command prompts you for a username. Set it to `$WINDOWS_USERNAME`(remember that the commands in this article are entered into a BASH shell).

+```azurecli-interactive

+echo "Please enter the username to use as administrator credentials for Windows Server containers on your cluster: " && read WINDOWS_USERNAME

+```

+Use the following command to create a cluster:

+```azurecli

+az aks create \

+ --resource-group $RESOURCE_GROUP_NAME \

+ --name $CLUSTER_NAME \

+ --node-count 1 \

+ --windows-admin-username $WINDOWS_USERNAME \

+ --network-plugin azure \

+ --network-policy azure

+```

+It takes a few minutes to create the cluster. By default, your cluster is created with only a Linux node pool. If you would like to use Windows node pools, you can add one. For example:

+```azurecli

+az aks nodepool add \

+ --resource-group $RESOURCE_GROUP_NAME \

+ --cluster-name $CLUSTER_NAME \

+ --os-type Windows \

+ --name npwin \

+ --node-count 1

+```

+To begin verification of Network Policy, we'll create a sample application and set traffic rules.

+We'll now create two pods in the cluster named *client* and *server*.

+Connectivity with traffic will be blocked since the server is labeled with app=server, but the client isn't labeled. The connect command above will yield this output:

+[dsr]: ../load-balancer/load-balancer-multivip-overview.md#rule-type-2-backend-port-reuse-by-using-floating-ip

+For an overview of options to secure the developer portal, see [Authentication and authorization in API Management](authentication-authorization-overview.md#developer-portal-user-plane).

+For an overview of options to secure the developer portal, see [Authentication and authorization in API Management](authentication-authorization-overview.md#developer-portal-user-plane).

+

+For information about securing access to the back-end service of an API using client certificates (i.e., API Management to backend), see [How to secure back-end services using client certificate authentication](./api-management-howto-mutual-certificates.md).

+For a conceptual overview of API authorization, see [Authentication and authorization in API Management](authentication-authorization-overview.md#gateway-data-plane).

+In this article, you'll learn high level steps to configure your [Azure API Management](api-management-key-concepts.md) instance to protect an API, by using the [OAuth 2.0 protocol with Azure Active Directory (Azure AD)](../active-directory/develop/active-directory-v2-protocols.md).

+For a conceptual overview of API authorization, see [Authentication and authorization in API Management](authentication-authorization-overview.md#gateway-data-plane).

+### Assessing impact with Azure Advisor

+In order to make the migration easier, we have introduced new Azure Advisor recommendations:

+- **Use self-hosted gateway v2** recommendation - Identifies Azure API Management instances where the usage of self-hosted gateway v0.x or v1.x was identified.

+- **Use Configuration API v2 for self-hosted gateways** recommendation - Identifies Azure API Management instances where the usage of Configuration API v1 for self-hosted gateway was identified.

+We highly recommend customers to use ["All Recommendations" overview in Azure Advisor](https://portal.azure.com/#view/Microsoft_Azure_Expert/AdvisorMenuBlade/~/All) to determine if a migration is required. Use the filtering options to see if one of the above recommendations is present.

+See all [upcoming breaking changes and feature retirements](overview.md).

+For an overview of options to secure the developer portal, see [Authentication and authorization in API Management](authentication-authorization-overview.md#developer-portal-user-plane).

+For a conceptual overview of API authorization, see [Authentication and authorization in API Management](authentication-authorization-overview.md#gateway-data-plane).

+* [Authentication and authorization in API Management](authentication-authorization-overview.md)

+Each API Management instance is allocated a number of SNAT ports, based on APIM units. You can allocate additional SNAT ports by scaling your API Management instance with additional units. For more info, see [Scale your API Management service](upgrade-and-scale.md#scale-your-api-management-instance).

+* [Azure App Service: Troubleshooting intermittent outbound connection errors](../app-service/troubleshoot-intermittent-outbound-connection-errors.md)

+description: This article describes how to upgrade and scale an Azure API Management instance.

+Customers can scale an Azure API Management instance in a dedicated service tier by adding and removing units. A **unit** is composed of dedicated Azure resources and has a certain load-bearing capacity expressed as a number of API calls per second. This number doesn't represent a call limit, but rather an estimated maximum throughput value to allow for rough capacity planning. Actual throughput and latency vary broadly depending on factors such as number and rate of concurrent connections, the kind and number of configured policies, request and response sizes, and backend latency.

+> [!NOTE]

+> API Management instances in the **Consumption** tier scale automatically based on the traffic. Currently, you cannot upgrade from or downgrade to the Consumption tier.

+The throughput and price of each unit depend on the [service tier](api-management-features.md) in which the unit exists. If you need to increase capacity for a service within a tier, you should add a unit. If the tier that is currently selected in your API Management instance doesn't allow adding more units, you need to upgrade to a higher-level tier.

+>See [API Management pricing](https://azure.microsoft.com/pricing/details/api-management/?ref=microsoft.com&utm_source=microsoft.com&utm_medium=docs&utm_campaign=visualstudio) for features, scale limits, and estimated throughput in each tier. To get more accurate throughput numbers, you need to look at a realistic scenario for your APIs. See [Capacity of an Azure API Management instance](api-management-capacity.md).

+You can choose between four dedicated tiers: **Developer**, **Basic**, **Standard**, and **Premium**.

+* The **Developer** tier should be used to evaluate the service; it shouldn't be used for production. The **Developer** tier doesn't have SLA and you can't scale this tier (add/remove units).

+* **Basic**, **Standard**, and **Premium** are production tiers that have SLA and can be scaled. For pricing details and scale limits, see [API Management pricing](https://azure.microsoft.com/pricing/details/api-management/#pricing).

+* The **Premium** tier enables you to distribute a single Azure API Management instance across any number of desired Azure regions. When you initially create an Azure API Management service, the instance contains only one unit and resides in a single Azure region (the **primary** region).

+ Additional regions can be easily added. When adding a region, you specify the number of units you want to allocate. For example, you can have one unit in the primary region and five units in some other region. You can tailor the number of units to the traffic you have in each region. For more information, see [How to deploy an Azure API Management service instance to multiple Azure regions](api-management-howto-deploy-multi-region.md).

+* You can upgrade and downgrade to and from any dedicated service tier. Downgrading can remove some features. For example, downgrading to Standard or Basic from the Premium tier can remove virtual networks or multi-region deployment.

+> The upgrade or scale process can take from 15 to 45 minutes to apply. You get notified when it is done.

+## Scale your API Management instance

+1. Navigate to your API Management instance in the [Azure portal](https://portal.azure.com/).

+1. Select **Locations** from the menu.

+1. Select the row with the location you want to scale.

+1. Specify the new number of **Units** - use the slider if available, or type the number.

+1. Select **Apply**.

+> [!NOTE]

+> In the Premium service tier, you can optionally configure availability zones and a virtual network in a selected location. For more information, see [Deploy API Management service to an additional location](api-management-howto-deploy-multi-region.md#-deploy-api-management-service-to-an-additional-location).

+1. Navigate to your API Management instance in the [Azure portal](https://portal.azure.com/).

+1. Select **Pricing tier** in the menu.

+1. Select the desired service tier from the dropdown. Use the slider to specify the number of units for your API Management service after the change.

+1. Select **Save**.

+If you're scaling from or to the Developer tier, there will be downtime. Otherwise, there is no downtime.

+If your security requirements include [compute isolation](../azure-government/azure-secure-isolation-guidance.md#compute-isolation), you can use the **Isolated** pricing tier. This tier ensures the compute resources of an API Management service instance consume the entire physical host and provide the necessary level of isolation required to support, for example, US Department of Defense Impact Level 5 (IL5) workloads. To get access to the Isolated tier, [create a support request](../azure-portal/supportability/how-to-create-azure-support-request.md).

+# [YAML](#tab/yaml/)

+ Title: Use the migration feature to migrate your App Service Environment to App Service Environment v3

+description: Learn how to migrate your App Service Environment to App Service Environment v3 using the migration feature

+# Use the migration feature to migrate App Service Environment v1 and v2 to App Service Environment v3

+An App Service Environment v1 and v2 can be automatically migrated to an [App Service Environment v3](overview.md) using the migration feature. To learn more about the migration process and to see if your App Service Environment supports migration at this time, see the [Migration to App Service Environment v3 Overview](migrate.md).

+Run these commands to get your App Service Environment ID and store it as an environment variable. Replace the placeholders for name and resource groups with your values for the App Service Environment you want to migrate. "ASE_RG" and "VNET_RG" will be the same if your virtual network and App Service Environment are in the same resource group.

+ASE_RG=<Your-ASE-Resource-Group>

+VNET_RG=<Your-VNet-Resource-Group>

+If there are no errors, your migration is supported, and you can continue to the next step.

+If it's in progress, you'll get a status of "Migrating". Once you get a status of "Ready", run the following command to view your new IPs. If you don't see the new IPs immediately, wait a few minutes and try again.

+Using the new IPs, update any of your resources or networking components to ensure your new environment functions as intended once migration is complete. It's your responsibility to make any necessary updates. Don't migrate until you've completed this step.

+az network vnet subnet update --resource-group $VNET_RG -name <subnet-name> --vnet-name <vnet-name> --delegations Microsoft.Web/hostingEnvironments

+## 6. Prepare your configurations

+You can make your new App Service Environment v3 zone redundant if your existing environment is in a [region that supports zone redundancy](./overview.md#regions). This can be done by setting the `zoneRedundant` property to "true". Zone redundancy is an optional configuration. This configuration can only be set during the creation of your new App Service Environment v3 and can't be removed at a later time. For more information, see [Choose your App Service Environment v3 configurations](./migrate.md#choose-your-app-service-environment-v3-configurations). If you don't want to configure zone redundancy, don't include the `zoneRedundant` parameter.

+If your existing App Service Environment uses a custom domain suffix, you'll need to [configure one for your new App Service Environment v3 during the migration process](./migrate.md#choose-your-app-service-environment-v3-configurations). Migration will fail if you don't configure a custom domain suffix and are using one currently. Migration will also fail if you attempt to add a custom domain suffix during migration to an environment that doesn't have one configured currently. For more information on App Service Environment v3 custom domain suffix including requirements, step-by-step instructions, and best practices, see [Configure custom domain suffix for App Service Environment](./how-to-custom-domain-suffix.md).

+If your migration doesn't include a custom domain suffix and you aren't enabling zone redundancy, you can move on to migration.

+In order to set these configurations, create a file called "parameters.json" with the following details based on your scenario. Don't include the custom domain suffix properties if this feature doesn't apply to your migration. Be sure to pay attention to the value of the `zoneRedundant` property as this configuration is irreversible after migration. Ensure the value of the `kind` property is set based on your existing App Service Environment version. Accepted values for the `kind` property are "ASEV1" and "ASEV2".

+If you're migrating without a custom domain suffix and are enabling zone redundancy:

+```json

+{

+ "type": "Microsoft.Web/hostingEnvironments",

+ "name": "sample-ase-migration",

+ "kind": "ASEV2",

+ "location": "westcentralus",

+ "properties": {

+ "zoneRedundant": true

+ }

+}

+```

+If you're using a user assigned managed identity for your custom domain suffix configuration and **are enabling zone redundancy**:

+```json

+{

+ "type": "Microsoft.Web/hostingEnvironments",

+ "name": "sample-ase-migration",

+ "kind": "ASEV2",

+ "location": "westcentralus",

+ "properties": {

+ "zoneRedundant": true,

+ "customDnsSuffixConfiguration": {

+ "dnsSuffix": "internal-contoso.com",

+ "certificateUrl": "https://contoso.vault.azure.net/secrets/myCertificate",

+ "keyVaultReferenceIdentity": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/asev3-migration/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ase-managed-identity"

+ }

+ }

+}

+```

+If you're using a system assigned managed identity for your custom domain suffix configuration and **aren't enabling zone redundancy**:

+```json

+{

+ "type": "Microsoft.Web/hostingEnvironments",

+ "name": "sample-ase-migration",

+ "kind": "ASEV2",

+ "location": "westcentralus",

+ "properties": {

+ "customDnsSuffixConfiguration": {

+ "dnsSuffix": "internal-contoso.com",

+ "certificateUrl": "https://contoso.vault.azure.net/secrets/myCertificate",

+ "keyVaultReferenceIdentity": "SystemAssigned"

+ }

+ }

+}

+```

+## 7. Migrate to App Service Environment v3

+Only start this step once you've completed all pre-migration actions listed previously and understand the [implications of migration](migrate.md#migrate-to-app-service-environment-v3) including what will happen during this time. This step takes up to three hours for v2 to v3 migrations and up to six hours for v1 to v3 migrations depending on environment size. During that time, there will be about one hour of application downtime. Scaling, deployments, and modifications to your existing App Service Environment will be blocked during this step.

+Only include the "body" parameter in the command if you're enabling zone redundancy and/or are configuring a custom domain suffix. If neither of those configurations apply to your migration, you can remove the parameter from the command.

+az rest --method post --uri "${ASE_ID}/migrate?api-version=2021-02-01&phase=fullmigration" --body @parameters.json

+Once you get a status of "Ready", migration is done, and you have an App Service Environment v3. Your apps will now be running in your new environment.

+Under **Get new IP addresses**, confirm you understand the implications and start the process. This step will take about 15 minutes to complete. You won't be able to scale or make changes to your existing App Service Environment during this time.

+## 5. Choose your configurations

+You can make your new App Service Environment v3 zone redundant if your existing environment is in a [region that supports zone redundancy](./overview.md#regions). Zone redundancy is an optional configuration. This configuration can only be set during the creation of your new App Service Environment v3 and can't be removed at a later time. For more information, see [Choose your App Service Environment v3 configurations](./migrate.md#choose-your-app-service-environment-v3-configurations). Select **Enabled** if you'd like to configure zone redundancy.

+If your environment is in a region that doesn't support zone redundancy, the checkbox will be disabled. If you need a zone redundant App Service Environment v3, use one of the manual migration options and create your new App Service Environment v3 in one of the regions that supports zone redundancy.

+If your existing App Service Environment uses a [custom domain suffix](./migrate.md#choose-your-app-service-environment-v3-configurations), you'll be required to configure one for your new App Service Environment v3. You'll be shown the custom domain suffix configuration options if this situation applies to you. You won't be able to migrate until you provide the required information. If you'd like to use a custom domain suffix but don't currently have one configured, you can configure one once migration is complete. For more information on App Service Environment v3 custom domain suffix including requirements, step-by-step instructions, and best practices, see [Configure custom domain suffix for App Service Environment](./how-to-custom-domain-suffix.md).

+After you add your custom domain suffix details, the "Migrate" button will be enabled.

+## 6. Migrate to App Service Environment v3

+Once you've completed all of the above steps, you can start migration. Make sure you understand the [implications of migration](migrate.md#migrate-to-app-service-environment-v3) including what will happen during this time. This step takes up to three hours for v2 to v3 migrations and up to six hours for v1 to v3 migrations depending on environment size. Scaling and modifications to your existing App Service Environment will be blocked during this step.

+When migration is complete, you'll have an App Service Environment v3, and all of your apps will be running in your new environment. You can confirm the environment's version by checking the **Configuration** page for your App Service Environment.

+If your migration included a custom domain suffix, for App Service Environment v3, the custom domain will no longer be shown in the **Essentials** section of the **Overview** page of the portal as it is for App Service Environment v1/v2. Instead, for App Service Environment v3, go to the **Custom domain suffix** page where you can confirm your custom domain suffix is configured correctly. You can also remove the configuration if you no longer need it or configure one if you didn't have one previously.

+> [!div class="nextstepaction"]

+> [Custom domain suffix](./how-to-custom-domain-suffix.md)

+App Service can now automate migration of your App Service Environment v1 and v2 to an [App Service Environment v3](overview.md). App Service Environment v3 provides [advantages and feature differences](overview.md#feature-differences) over earlier versions. Make sure to review the [supported features](overview.md#feature-differences) of App Service Environment v3 before migrating to reduce the risk of an unexpected application issue.

+At this time, App Service Environment migrations to v3 using the migration feature are supported in the following regions:

+The following App Service Environment configurations can be migrated using the migration feature. The table gives the App Service Environment v3 configuration you'll end up with when using the migration feature based on your existing App Service Environment. All supported App Service Environments can be migrated to a [zone redundant App Service Environment v3](../../availability-zones/migrate-app-service-environment.md) using the migration feature as long as the environment is [in a region that supports zone redundancy](./overview.md#regions). You can [configure zone redundancy](#choose-your-app-service-environment-v3-configurations) during the migration process.

+|Configuration |App Service Environment v3 Configuration |

+||--|

+|[Internal Load Balancer (ILB)](create-ilb-ase.md) App Service Environment v2 |ILB App Service Environment v3 |

+|[External (ELB/internet facing with public IP)](create-external-ase.md) App Service Environment v2 |ELB App Service Environment v3 |

+|ILB App Service Environment v2 with a custom domain suffix |ILB App Service Environment v3 with a custom domain suffix |

+|ILB App Service Environment v1 |ILB App Service Environment v3 |

+|ELB App Service Environment v1 |ELB App Service Environment v3 |

+|ILB App Service Environment v1 with a custom domain suffix |ILB App Service Environment v3 with a custom domain suffix |

+If you want your new App Service Environment v3 to use a custom domain suffix and you aren't using one currently, custom domain suffix can be configured at any time once migration is complete. For more information, see [Configure custom domain suffix for App Service Environment](./how-to-custom-domain-suffix.md).

+The following are limitations when using the migration feature:

+- Your new App Service Environment v3 will be placed in the existing subnet that was used for your old environment.

+- You can't change the region your App Service Environment is located in.

+- ELB App Service Environment canΓÇÖt be migrated to ILB App Service Environment v3 and vice versa.

+- If your existing App Service Environment uses a custom domain suffix, you'll have to configure custom domain suffix for your App Service Environment v3 during the migration process.

+ - If you no longer want to use a custom domain suffix, you can remove it once the migration is complete.

+App Service Environment v3 doesn't currently support the following features that you may be using with your current App Service Environment. If you require any of these features, don't migrate until they're supported.

+The following scenarios aren't supported by the migration feature. See the [manual migration options](migration-alternatives.md) if your App Service Environment falls into one of these categories.

+- App Service Environment v1 in a [Classic VNet](/previous-versions/azure/virtual-network/create-virtual-network-classic)

+- ELB App Service Environment v2 with IP SSL addresses

+- ELB App Service Environment v1 with IP SSL addresses

+|Migrate cannot be called on Zone Pinned ASEs. |App Service Environment v2 that is zone pinned can't be migrated using the migration feature at this time. |Migrate using one of the [manual migration options](migration-alternatives.md) if you want to migrate immediately. |

+|Migrate cannot be called if IP SSL is enabled on any of the sites.|App Service Environments that have sites with IP SSL enabled can't be migrated using the migration feature at this time. |Migrate using one of the [manual migration options](migration-alternatives.md) if you want to migrate immediately. |

+|Full migration cannot be called before IP addresses are generated. |You'll see this error if you attempt to migrate before finishing the pre-migration steps. |Ensure you've completed all pre-migration steps before you attempt to migrate. See the [step-by-step guide for migrating](how-to-migrate.md). |

+|Migration to ASEv3 is not allowed for this ASE. |You won't be able to migrate using the migration feature. |Migrate using one of the [manual migration options](migration-alternatives.md). |

+|`<ZoneRedundant><DedicatedHosts><ASEv3/ASE>` is not available in this location. |You'll see this error if you're trying to migrate an App Service Environment in a region that doesn't support one of your requested features. |Migrate using one of the [manual migration options](migration-alternatives.md) if you want to migrate immediately. Otherwise, wait for the migration feature to support this App Service Environment configuration. |

+|App Service Environment management operation in progress. |Your App Service Environment is undergoing a management operation. These operations can include activities such as deployments or upgrades. Migration is blocked until these operations are complete. |You'll be able to migrate once these operations are complete. |

+The platform will create the [new inbound IP (if you're migrating an ELB App Service Environment) and the new outbound IP](networking.md#addresses) addresses. While these IPs are getting created, activity with your existing App Service Environment won't be interrupted, however, you won't be able to scale or make changes to your existing environment. This process will take about 15 minutes to complete.

+Once the new IPs are created, you'll have the new default outbound to the internet public addresses so you can adjust any external firewalls, DNS routing, network security groups, and any other resources that rely on these IPs, in preparation for the migration. For ELB App Service Environment, you'll also have the new inbound IP address that you can use to set up new endpoints with services like [Traffic Manager](../../traffic-manager/traffic-manager-overview.md) or [Azure Front Door](../../frontdoor/front-door-overview.md). **It's your responsibility to update any and all resources that will be impacted by the IP address change associated with the new App Service Environment v3. Don't move on to the next step until you've made all required updates.**

+### Choose your App Service Environment v3 configurations

+Your App Service Environment v3 can be deployed across availability zones in the regions that support it. This architecture is known as [zone redundancy](../../availability-zones/migrate-app-service-environment.md). Zone redundancy can only be configured during App Service Environment creation. If you want your new App Service Environment v3 to be zone redundant, enable the configuration during the migration process. Any App Service Environment that is using the migration feature to migrate can be configured as zone redundant as long as you're using a [region that supports zone redundancy for App Service Environment v3](./overview.md#regions). If you're existing environment is using a region that doesn't support zone redundancy, the configuration option will be disabled and you won't be able to configure it. The migration feature doesn't support changing regions. If you'd like to use a different region, use one of the [manual migration options](migration-alternatives.md).

+> [!NOTE]

+> Enabling zone redundancy can lead to additional charges. Review the [zone redundancy pricing model](../../availability-zones/migrate-app-service-environment.md#pricing) for more information.

+>

+If your existing App Service Environment uses a custom domain suffix, you'll be prompted to configure a custom domain suffix for your new App Service Environment v3. You'll need to provide the custom domain name, managed identity, and certificate. For more information on App Service Environment v3 custom domain suffix including requirements, step-by-step instructions, and best practices, see [Configure custom domain suffix for App Service Environment](./how-to-custom-domain-suffix.md). You must configure a custom domain suffix for your new environment even if you no longer want to use it. Once migration is complete, you can remove the custom domain suffix configuration if needed.

+If your migration includes a custom domain suffix, for App Service Environment v3, the custom domain will no longer be shown in the **Essentials** section of the **Overview** page of the portal as it is for App Service Environment v1/v2. Instead, for App Service Environment v3, go to the **Custom domain suffix** page where you can confirm your custom domain suffix is configured correctly.

+After completing the previous steps, you should continue with migration as soon as possible.

+During migration, which requires up to a three hour service window for App Service Environment v2 to v3 migrations and up to a six hour service window depending on environment size for v1 to v3 migrations, scaling and environment configurations are blocked and the following events will occur:

+- All App Service plans in the App Service Environment are converted from the Isolated to Isolated v2 SKU.

+- All of the apps that are on your App Service Environment are temporarily down. **You should expect about one hour of downtime during this period**.

+- The public addresses that are used by the App Service Environment will change to the IPs generated during the IP generation step.

+As in the IP generation step, you won't be able to scale, modify your App Service Environment, or deploy apps to it during this process. When migration is complete, the apps that were on the old App Service Environment will be running on the new App Service Environment v3.

+ Yes, you should expect about one hour of downtime during the three to six hour service window during the migration step, so plan accordingly. If downtime isn't an option for you, see the [manual migration options](migration-alternatives.md).

+ The migration feature supports this [migration scenario](#supported-scenarios). You can migrate using a manual method if you don't want to use the migration feature. You can configure your [custom domain suffix](./how-to-custom-domain-suffix.md) when creating your App Service Environment v3 or any time after.

+ Zone pinned App Service Environment is currently not a supported scenario for migration using the migration feature. App Service Environment v3 doesn't support zone pinning. To migrate to App Service Environment v3, see the [manual migration options](migration-alternatives.md).

+ You'll now be on App Service Environment v3 so be sure to review the [features and feature differences](overview.md#feature-differences) compared to previous versions. For ILB App Service Environment, you'll keep the same ILB IP address. For internet facing App Service Environment, the public IP address and the outbound IP address will change. Note for ELB App Service Environment, previously there was a single IP for both inbound and outbound. For App Service Environment v3, they're separate. For more information, see [App Service Environment v3 networking](networking.md#addresses).

+ If you decide to migrate an App Service Environment using the migration feature, the old environment gets shut down, deleted, and all of your apps are migrated to a new environment. Your old environment will no longer be accessible. A rollback to the old environment won't be possible.

+> [Migrate your App Service Environment to App Service Environment v3](how-to-migrate.md)

+> [!div class="nextstepaction"]

+> [Custom domain suffix](./how-to-custom-domain-suffix.md)

+The step-by-step instructions in the current documentation for [backup and restore](../manage-backup.md) should be sufficient to allow you to use this feature. You can select a backup and use that to restore the app to an App Service in your App Service Environment v3.

+If the above features don't support your apps or you're looking to take a more manual route, you have the option of deploying your apps following the same process you used for your existing App Service Environment. You don't need to make updates when you deploy your apps to your new environment.

+You can export [Azure Resource Manager (ARM) templates](../../azure-resource-manager/templates/overview.md) of your existing apps, App Service plans, and any other supported resources and deploy them in or with your new environment. To export a template for just your app, navigate to your App Service and go to **Export template** under **Automation**.

+- Update SKU parameters for App Service plan to an Isolated v2 plan:

+ The migration feature supports this [migration scenario](./migrate.md#supported-scenarios). You can migrate using a manual method if you don't want to use the migration feature. You can configure your [custom domain suffix](./how-to-custom-domain-suffix.md) when creating your App Service Environment v3 or any time after that.

+ Zone pinning isn't a supported feature on App Service Environment v3.

+> [Migrate to App Service Environment v3 using the migration feature](migrate.md)

+> [!div class="nextstepaction"]

+> [Custom domain suffix](./how-to-custom-domain-suffix.md)

+Backup and restore are supported in **Basic**, **Standard**, **Premium**, and **Isolated** tiers. For **Basic** tier, only the production slot can be backed up and restored. For more information about scaling your App Service plan to use a higher tier, see [Scale up an app in Azure](manage-scale-up.md).

+> Support in App Service environments (ASE) V2 and V3 is in preview. For App Service environments:

+| Retention | 30 days, not configurable. <br>- Days 1-3: hourly backups retained.<br>- Days 4-14: every 3 hourly backup retained.<br>- Days 15-30: every 6 hourly backup retained. | 0-30 days or indefinite. |

+The App Service domain you bought is valid for one year from the time of purchase. You can configure to renew your domain automatically which will charge your payment method when your domain renews the following year. You can also manually renew your domain name.

+If you want to configure automatic renewal, or if you want to manually renew your domain, follow the steps here.

+1. From the left navigation of the domain, select **Domain renewal**. To start renewing your domain automatically, select **On**, otherwise select **Off**. The setting takes effect immediately. If automatic renewal is enabled, on the day after your domain expiration date, Azure attempts to bill you for the domain name renewal.

+To manually renew your domain, select **Renew domain**. However, this button is not active until 90 days before the domain's expiration date.

+If your domain renewal is successful, you receive an email notification within 24 hours.

+ Title: Migrate Azure Kubernetes Service and MySQL Flexible Server workloads to availability zone support

+description: Learn how to migrate Azure Kubernetes Service and MySQL Flexible Server workloads to availability zone support.

+

+# Migrate Azure Kubernetes Service (AKS) and MySQL Flexible Server workloads to availability zone support

+This guide describes how to migrate an Azure Kubernetes Service and MySQL Flexible Server workload to complete availability zone support across all dependent services. For complete list of all workload dependencies, see [Workload service dependencies](#workload-service-dependencies).

+Availability zone support for this workload must be enabled during the creation of your AKS cluster or MySQL Flexible Server. If you want availability zone support for an existing AKS cluster and MySQL Flexible Server, you'll need to redeploy those resources.

+This migration guidance focuses mainly on the infrastructure and availability considerations of running the following architecture on Azure:

+## Workload service dependencies

+To provide full workload support for availability zones, each service dependency in the workload must support availability zones.

+There are two approaches types of availability zone supported

+The AKS and MySQL workload architecture consists of the following component dependencies:

+### Azure Kubernetes Service (AKS)

+- *Zonal* : The system node pool and user node pools are zonal when you pre-select the zones in which the node pools are deployed during creation time. We recommend that you pre-select all three zones for better resiliency. More user node pools that support availability zones can be added to an existing AKS cluster and by supplying a value for the `zones` parameter.

+- *Zone-redundant*: Kubernetes control plane components such as *etcd*, *API server*, *Scheduler*, and *Controller Manager* are automatically replicated or distributed across zones.

+ >[!NOTE]

+ >To enable zone-redundancy of the AKS cluster control plane components, you must define your default system node pool with zones when you create an AKS cluster. Adding more zonal node pools to an existing non-zonal AKS cluster won't make the AKS cluster zone-redundant, because that action doesn't distribute the control plane components across zones after-the-fact.

+### Azure Database for MySQL Flexible Server

+- *Zonal*: The zonal availability mode means that a standby server is always available within the same zone as the primary server. While this option reduces failover time and network latency, it's less resilient due to a single zone outage impacting both the primary and standby servers.

+

+- *Zone-redundant*: The zone-redundant availability mode means that a standby server is always available within another zone in the same region as the primary server. Two zones will be enabled for zone redundancy for the primary and standby servers. We recommend this configuration for better resiliency.

+### Azure Standard Load Balancer or Azure Application Gateway

+#### Standard Load Balancer

+To understand considerations related to Standard Load Balancer resources, see [Load Balancer and Availability Zones](../load-balancer/load-balancer-standard-availability-zones.md).

+- *Zone-redundant*: Choosing zone-redundancy is the recommended way to configure your Frontend IP with your existing Load Balancer. The zone-redundant front-end corresponds with the AKS cluster back-end pool, which is distributed across multiple zones.

+- *Zonal*: If you're pinning your node pools to specific zones such as zone 1 and 2, you can pre-select zone 1 and 2 for your Frontend IP in the existing Load Balancer. The reason why you may want to pin your node pools to specific zones could be due to the availability of specialized VM SKU series such as M-series.

+#### Azure Application Gateway

+Using the Application Gateway Ingress Controller add-on with your AKS cluster is supported only on Application Gateway v2 SKUs (Standard and WAF). To understand further considerations related to Azure Application Gateway, see [Scaling Application Gateway v2 and WAF v2](../application-gateway/application-gateway-autoscaling-zone-redundant.md).

+*Zonal*: To use the benefits of availability zones, we recommend that the Application Gateway resource be created in multiple zones, such as zone 1, 2, and 3. Select all three zones for best intra-region resiliency strategy. However, to correspond to your backend node pools, you may pin your node pools to specific zones by pre-selecting zone 1 and 2 during the creation of your App Gateway resource. The reason why you may want to pin your node pools to specific zones could be due to the availability of specialized VM SKU series such as `M-series`.

+#### Zone Redundant Storage (ZRS)

+- We recommend that your AKS cluster is configured with managed ZRS disks because they're zone-redundant resources. Volumes can be scheduled on all zones.

+- Kubernetes is aware of Azure availability zones since version 1.12. You can deploy a `PersistentVolumeClaim` object referencing an Azure Managed Disk in a multi-zone AKS cluster. Kubernetes will take care of scheduling any pod that claims this PVC in the correct availability zone.

+- For Azure Database for SQL, we recommend that the data and log files are hosted in zone-redundant storage (ZRS). These files are replicated to the standby server via the storage-level replication available with ZRS.

+#### Azure Firewall

+*Zonal*: To use the benefits of availability zones, we recommend that the Application Gateway resource be created in multiple zones, such as zone 1, 2, and 3. We recommend that you select all three zones for best intra-region resiliency strategy.

+#### Azure Bastion

+*Regional*: Azure Bastion is deployed within VNets or peered VNets and is associated to an Azure region. For more information, se [Bastion FAQ](../bastion/bastion-faq.md#dr).

+#### Azure Container Registry (ACR)

+*Zone-redundant*: We recommend that you create a zone-redundant registry in the Premium service tier. You can also create a zone-redundant registry replica by setting the `zoneRedundancy` property for the replica. To learn how to enable zone redundancy for your ACR, see [Enable zone redundancy in Azure Container Registry for resiliency and high availability](../container-registry/zone-redundancy.md).

+#### Azure Cache for Redis

+*Zone-redundant*: Azure Cache for Redis supports zone-redundant configurations in the Premium and Enterprise tiers. A zone-redundant cache places its nodes across different availability zones in the same region.

+#### Azure Active Directory (AD)

+*Global*: Azure AD is a global service with multiple levels of internal redundancy and automatic recoverability. Azure AD is deployed in over 30 datacenters around the world that provide availability zones where present. This number is growing rapidly as more regions are deployed.

+#### Azure Key Vault

+*Regional*: Azure Key Vault is deployed in a region. To maintain high durability of your keys and secrets, the contents of your key vault are replicated within the region and to a secondary region within the same geography.

+*Zone-redundant*: For Azure regions with availability zones and no region pair, Key Vault uses zone-redundant storage (ZRS) to replicate the contents of your key vault three times within the single location/region.

+## Workload considerations

+### Azure Kubernetes Service (AKS)

+- Pods can communicate with other pods, regardless of which node or the availability zone in which the pod lands on the node. Your application may experience higher response time if the pods are located in different availability zones. While the extra round-trip latencies between pods are expected to fall within an acceptable range for most applications, there are application scenarios which require low latency, especially for a chatty communication pattern between pods.

+- We recommend that you test your application to ensure it performs well across availability zones.

+- For performance reasons such low latency, pods can be co-located in the same data center within the same availability zone. To co-locate pods in the same data center within the same availability zone, you can create user node pools with a unique zone and proximity placement group. You can add a proximity placement group (PPG) to an existing AKS cluster by creating a new agent node pool and specifying the PPG. Use Pod Topology Spread Constraints to control how pods are spread in your AKS cluster across availability zones, nodes and regions.

+- After pods that require low latency communication are co-located in the same availability zone, communications between the pods aren't direct. Instead, pod communications are channeled through a service that defines a logical set of pods in your AKS cluster. Pods can be configured to talk to AKS and the communication to the service will be automatically load-balanced to all the pods that are members of the service.

+- To take advantage of availability zones, node pools contain underlying VMs that are zonal resources. To support applications that have different compute or storage demands, you can create user node pools with specific VM sizes when you create the user node pool.

+ For example, you may decide to use the `Standard_M32ms` under the `M-series` for your user nodes because the microservices in your application require high throughput, low latency, and memory optimized VM sizes that provide high vCPU counts and large amounts of memory. Depending on the deployment region, when you select the VM size in the Azure portal, you may see that this VM size is supported only in zone 1 and 2. You can accept this resiliency configuration as a trade-off for high performance.

+- You can't change the VM size of a node pool after you create it. For more information on node pool limitations, see [Limitations](../aks/use-multiple-node-pools.md#limitations).

+### Azure Database for MySQL Flexible Server

+The implication of deploying your node pools in specific zones, such as zone 1 and 2, is that all service dependencies of your AKS cluster must also support zone 1 and 2. In this workload architecture, your AKS cluster has a service dependency on Azure Database for MySQL Flexible Servers with zone resiliency. You would select zone 1 for your primary server and zone 2 for your standby server to be co-located with your AKS user node pools.

+### Azure Cache for Redis

+- Azure Cache for Redis distributes nodes in a zone-redundant cache in a round-robin manner over the availability zones that you've selected.

+- You can't update an existing Premium cache to use zone redundancy. To use zone redundancy, you must recreate the Azure Cache for Redis.

+- To achieve optimal resiliency, we recommend that you create your Azure Cache for Redis with three, or more replicas so that you can distribute the replicas across three availability zones.

+## Disaster recovery considerations

+*Availability zones* are used for better resiliency to achieve high availability of your workload within the primary region of your deployment.

+*Disaster Recovery* consists of recovery operations and practices defined in your business continuity plan. Your business continuity plan addresses both how your workload recovers during a disruptive event and how it fully recovers after the event. Consider extending your deployment to an alternative region.

+For your application tier, please review the business continuity and disaster recovery considerations for AKS in this article.

+- Consider running multiple AKS clusters in alternative regions. The alternative region can use a secondary paired region. Or, where there's no region pairing for your primary region, you can select an alternative region based on your consideration for available services, capacity, geographical proximity, and data sovereignty. Please review the [Azure regions decision guide](/azure/cloud-adoption-framework/migrate/azure-best-practices/multiple-regions). Also review the [deployment stamp pattern](/azure/architecture/patterns/deployment-stamp).

+- You have the option of configuring active-active, active-standby, active-passive for your AKS clusters.

+- For your database tier, disaster recovery features include geo-redundant backups with the ability to initiate geo-restore and deploying read replicas in a different region.

+- During an outage, you'll need to decide whether to initiate a recovery. You'll need to initiate recovery operations only when the outage is likely to last longer than your workloadΓÇÖs recovery time objective (RTO). Otherwise, you'll wait for service recovery by checking the service status on the Azure Service Health Dashboard. On the Service Health blade of the Azure portal, you can view any notifications associated with your subscription.

+- When you do initiate recovery with the geo-restore feature in Azure Database for MySQL, a new database server is created using backup data that is replicated from another region.

+## Next Steps

+Learn more about:

+> [!div class="nextstepaction"]

+> [Regions and Availability Zones in Azure](az-overview.md)

+> [!div class="nextstepaction"]

+> [Azure Services that support Availability Zones](az-region.md)

+Azure includes built-in resiliency services that you can use and manage based on your business needs. Whether itΓÇÖs a single hardware node failure, a rack level failure, a datacenter outage, or a large-scale regional outage, Azure provides solutions that improve resiliency. For example, availability sets ensure that the virtual machines deployed on Azure are distributed across multiple isolated hardware nodes in a cluster. Availability zones protect customersΓÇÖ applications and data from datacenter failures across multiple physical locations within a region. **Regions** and **availability zones** are central to your application design and resiliency strategy and are discussed in greater detail later in this article.

+Building resilient systems on Azure is a **shared responsibility**. Microsoft is responsible for the reliability of the cloud platform, including its global network and data centers. Azure customers and partners are responsible for the resilience of their cloud applications, using architectural best practices based on the requirements of each workload. While Azure continually strives for highest possible resiliency in SLA for the cloud platform, you must define your own target SLAs for each workload in your solution. An SLA makes it possible to evaluate whether the architecture meets the business requirements. As you strive for higher percentages of SLA guaranteed uptime, the cost and complexity to achieve that level of availability grows. An uptime of 99.99 percent translates to about five minutes of total downtime per month. Is it worth the more complexity and cost to reach that percentage? The answer depends on the individual business requirements. While deciding final SLA commitments, understand MicrosoftΓÇÖs supported SLAs. Each Azure service has its own SLA.

+You should define your applicationΓÇÖs availability requirements at the beginning of planning. If you know which applications don't need 100% high availability during certain periods of time, you can optimize costs during those non-critical periods. Identify the type of failures an application can experience, and the potential effect of each failure. A recovery plan should cover all critical services by finalizing recovery strategy at the individual component and the overall application level. Design your recovery strategy to protect against zonal, regional, and application-level failure. And perform testing of the end-to-end application environment to measure application resiliency and recovery against unexpected failure.

+Regions and Availability Zones are a big part of the resiliency equation. Regions feature multiple, physically separate availability zones. These availability zones are connected by a high-performance network featuring less than 2ms latency between physical zones. Low latency helps your data stay synchronized and accessible when things go wrong. You can use this infrastructure strategically as you architect applications and data infrastructure that automatically replicate and deliver uninterrupted services between zones and across regions. Choose the best region for your needs based on technical and regulatory considerationsΓÇöservice capabilities, data residency, compliance requirements, latencyΓÇöand begin advancing your resiliency strategy.

+Microsoft Azure services support availability zones and are enabled to drive your cloud operations at optimum high availability while supporting your disaster recovery and business continuity strategy needs. Choose the best region for your needs based on technical and regulatory considerationsΓÇöservice capabilities, data residency, compliance requirements, latencyΓÇöand begin advancing your resiliency strategy. For more information, see [Azure regions and availability zones](az-overview.md).

+Building resilient systems on Azure is a shared responsibility. Microsoft is responsible for the reliability of the cloud platform, which includes its global network and datacenters. Azure customers and partners are responsible for the resilience of their cloud applications, using architectural best practices based on the requirements of each workload. For more information, see [Business continuity management program in Azure](business-continuity-management-program.md).

+ > You may also do the following to minimize the risk of inconsistencies:

+1. Register the Microsoft.AzureArcData provider for the subscription where the Azure Arc-enabled data services will be deployed, as follows:

+ ```console

+ az provider register --namespace Microsoft.AzureArcData

+ ```

+- The Microsoft.AzureArcData provider is registered for the subscription where the Azure Arc-enabled data services will be deployed.

+To update the credentials of the account for Arc resource bridge, run the following Azure CLI commands . Run the commands from a workstation that can access cluster configuration IP address of the Arc resource bridge locally:

+az account set -s <subscription id>

+az arcappliance get-credentials -n <name of the appliance> -g <resource group name>

+az arcappliance update-infracredentials vmware --kubeconfig kubeconfig

+For more details on the commands see [`az arcappliance get-credentials`](/cli/azure/arcappliance/get-credentials#az-arcappliance-get-credentials) and [`az arcappliance update-infracredentials vmware`](/cli/azure/arcappliance/update-infracredentials#az-arcappliance-update-infracredentials-vmware).

+To save the logs to a destination folder, run the following commands. These commands need connectivity to cluster configuration IP address.

+az account set -s <subscription id>

+az arcappliance get-credentials -n <name of the appliance> -g <resource group name>

+az arcappliance logs vmware --kubeconfig kubeconfig --out-dir <path to specified output directory>

+If the Kubernetes cluster on the resource bridge isn't in functional state, you can use the following commands. These commands require connectivity to IP address of the Azure Arc resource bridge VM via SSH

+az account set -s <subscription id>

+az arcappliance get-credentials -n <name of the appliance> -g <resource group name>

+az arcappliance logs vmware --out-dir <path to specified output directory> --ip XXX.XXX.XXX.XXX

+> Azure Arc-enabled VMware vSphere (preview) supports vCenters with a maximum of 9500 VMs. If your vCenter has more than 9500 VMs, it is not recommended to use Arc-enabled VMware vSphere with it at this point.

+- Australia East

+- Canada Central

+> Azure Arc-enabled VMware vSphere (preview) supports vCenter Server instances with a maximum of 9,500 virtual machines (VMs). If your vCenter Server instance has more than 9,500 VMs, we don't recommend that you use Azure Arc-enabled VMware vSphere with it at this point.

+ > [!NOTE]

+ > On Windows workstations, the script must be run in PowerShell window and not in PowerShell Integrated Script Editor (ISE) as PowerShell ISE doesn't display the input prompts from Azure CLI commands. If the script is run on PowerShell ISE, it could appear as though the script is stuck while it is waiting for input.

+In this article, you learn how Azure Functions allows you to build highly scalable APIs. Azure Functions comes with a collection of built-in HTTP triggers and bindings, which make it easy to author an endpoint in various languages, including Node.js, C#, and more. In this article, you'll customize an HTTP trigger to handle specific actions in your API design. You'll also prepare for growing your API by integrating it with Azure Functions Proxies and setting up mock APIs. These tasks are accomplished on top of the Functions serverless compute environment, so you don't have to worry about scaling resources - you can just focus on your API logic.

+Repeat the steps to [Create a function app](./functions-get-started.md) to create a new function app in which you'll create your proxy. This new app's URL serves as the frontend for our API, and the function app you were previously editing serves as a backend.

+Select `proxies.json` in the left navigation. This file stores the configuration for all of your proxies. If you use one of the [Functions deployment methods](./functions-continuous-deployment.md), you maintain this file in source control. To learn more about this file, see [Proxies advanced configuration](./legacy-proxies.md#advanced-configuration).

+This code adds a new proxy, `GetUserByName`, without the `backendUri` property. Instead of calling another resource, it modifies the default response from Proxies using a response override. Request and response overrides can also be used with a backend URL. This technique is useful when proxying to a legacy system, where you might need to modify headers, query parameters, and so on. To learn more about request and response overrides, see [Modifying requests and responses in Proxies](./legacy-proxies.md).

+[Working with Azure Functions Proxies]: ./legacy-proxies.md

+ Title: Create serverless APIs using Azure Functions

+description: Describes how to use Azure Functions as the basis of a cohesive set of serverless APIs.

+# Serverless REST APIs using Azure Functions

+Azure Functions is an essential compute service that you use to build serverless REST-based APIs. HTTP triggers expose REST endpoints that can be called by your clients, like browsers, mobile apps, and other backend services. With [native support for routes](functions-bindings-http-webhook-trigger.md#customize-the-http-endpoint), a single HTTP triggered function can expose a highly functional REST API. Functions also provides its own basic key-based authorization scheme to help limit access only to specific clients. For more information, see [Azure Functions HTTP trigger](functions-bindings-http-webhook-trigger.md)

+In some scenarios, you may need your API to support a more complex set of REST behaviors. For example, you may need to combine multiple HTTP function endpoints into a single API. You might also want to pass requests through to one or more backend REST-based services. Finally, your APIs might require a higher-degree of security that lets you monetize its use.

+Today, the recommended approach to build more complex and robust APIs based on your functions is to use the comprehensive API services provided by [Azure API Management](../api-management/api-management-key-concepts.md).

+API Management uses a policy-based model to let you control routing, security, and OpenAPI integration. It also supports advanced policies like rate limiting monetization. Previous versions of the Functions runtime used the legacy Functions Proxies feature.

+## <a name="migration"></a>Moving from Functions Proxies to API Management

+When moving from Functions Proxies to using API Management, you must integrate your function app with an API Management instance, and then configure the API Management instance to behave like the previous proxy. The following section provides links to the relevant articles that help you succeed in using API Management with Azure Functions.

+If you have challenges moving from Proxies or if Azure API Management doesn't address your specific scenarios, create an issue in the [Azure Functions repository](https://github.com/Azure/Azure-Functions). Make sure to tag the issue with the label `proxy-deprecation`.

+## API Management integration

+API Management lets you import an existing function app. After import, each HTTP triggered function endpoint becomes an API that you can modify and manage. After import, you can also use API Management to generate an OpenAPI definition file for your APIs. During import, any endpoints with an `admin` [authorization level](functions-bindings-http-webhook-trigger.md#http-auth) are ignored. For more information about using API Management with Functions, see the following articles:

+| Article | Description |

+| | |

+| [Expose serverless APIs from HTTP endpoints using Azure API Management](functions-openapi-definition.md) | Shows how to create a new API Management instance from an existing function app in the Azure portal. Supports all languages. |

+| [Create serverless APIs in Visual Studio using Azure Functions and API Management integration](openapi-apim-integrate-visual-studio.md) | Shows how to use Visual Studio to create a C# project that uses the [OpenAPI extension](https://github.com/Azure/azure-functions-openapi-extension). The OpenAPI extension lets you define your .NET APIs by applying attributes directly to your C# code. |

+| [Quickstart: Create a new Azure API Management service instance by using the Azure portal](../api-management/get-started-create-service-instance.md) | Create a new API Management instance in the portal. After you create an API Management instance, you can connect it to your function app. Other non-portal creation methods are supported. |

+| [Import an Azure function app as an API in Azure API Management](../api-management/import-function-app-as-api.md) | Shows how to import an existing function app to expose existing HTTP trigger endpoints as a managed API. This article supports both creating a new API and adding the endpoints to an existing managed API. |

+After you have your function app endpoints exposed by using API Management, the following articles provide general information about how to manage your Functions-based APIs in the API Management instance.

+| Article | Description |

+| | |

+| [Edit an API](../api-management/edit-api.md) | Shows you how to work with an existing API hosted in API Management. |

+| [Policies in Azure API Management](../api-management/api-management-howto-policies.md) | In API Management, publishers can change API behavior through configuration using policies. Policies are a collection of statements that are run sequentially on the request or response of an API. |

+| [API Management policy reference](../api-management/api-management-policies.md) | Reference that details all supported API Management policies. |

+| [API Management policy samples](/azure/api-management/policies/) | Helpful collection of samples using API Management policies in key scenarios. |

+## Legacy Functions Proxies

+The legacy [Functions Proxies feature](legacy-proxies.md) also provides a set of basic API functionality for version 3.x and older version of the Functions runtime.

+Some basic hints for how to perform equivalent tasks using API Management have been added to the [Functions Proxies article](legacy-proxies.md). We don't currently have documentation or tools to help you migrate an existing Functions Proxies implementation to API Management.

+## Next steps

+> [!div class="nextstepaction"]

+> [Expose serverless APIs from HTTP endpoints using Azure API Management](functions-openapi-definition.md)

+ Title: Work with legacy Azure Functions Proxies

+description: Overview of how to use the legacy Proxies feature in Azure Functions

+# Work with legacy proxies

+> To help make it easier to migrate from existing proxy implemetations, this article links to equivalent API Management content, when available.

+This article explains how to configure and work with Azure Functions Proxies. With this feature, you can specify endpoints on your function app that are implemented by another resource. You can use these proxies to break a large API into multiple function apps (as in a microservice architecture), while still presenting a single API surface for clients.

+Standard Functions billing applies to proxy executions. For more information, see [Azure Functions pricing](https://azure.microsoft.com/pricing/details/functions/).

+## <a name="create"></a>Create a proxy

+> [!IMPORTANT]

+> For equivalent content using API Management, see [Expose serverless APIs from HTTP endpoints using Azure API Management](functions-openapi-definition.md).

+Proxies are defined in the _proxies.json_ file in the root of your function app. The steps in this section show you how to use the Azure portal to create this file in your function app. Not all languages and operating system combinations support in-portal editing. If you can't modify your function app files in the portal, you can instead create and deploy the equivalent `proxies.json` file from the root of your local project folder. To learn more about portal editing support, see [Language support details](functions-create-function-app-portal.md#language-support-details).

+1. Open the [Azure portal], and then go to your function app.

+1. In the left pane, select **Proxies** and then select **+Add**.

+1. Provide a name for your proxy.

+1. Configure the endpoint that's exposed on this function app by specifying the **route template** and **HTTP methods**. These parameters behave according to the rules for [HTTP triggers].

+1. Set the **backend URL** to another endpoint. This endpoint could be a function in another function app, or it could be any other API. The value doesn't need to be static, and it can reference [application settings] and [parameters from the original client request].

+1. Select **Create**.

+Your proxy now exists as a new endpoint on your function app. From a client perspective, it's the same as an HttpTrigger in Functions. You can try out your new proxy by copying the **Proxy URL** and testing it with your favorite HTTP client.

+## <a name="modify-requests-responses"></a>Modify requests and responses

+> [!IMPORTANT]

+> API Management lets you can change API behavior through configuration using policies. Policies are a collection of statements that are run sequentially on the request or response of an API. For more information about API Management policies, see [Policies in Azure API Management](../api-management/api-management-howto-policies.md).

+With proxies, you can modify requests to and responses from the back-end. These transformations can use variables as defined in [Use variables].

+### <a name="modify-backend-request"></a>Modify the back-end request

+By default, the back-end request is initialized as a copy of the original request. In addition to setting the back-end URL, you can make changes to the HTTP method, headers, and query string parameters. The modified values can reference [application settings] and [parameters from the original client request].

+Back-end requests can be modified in the portal by expanding the *request override* section of the proxy detail page.

+### <a name="modify-response"></a>Modify the response

+By default, the client response is initialized as a copy of the back-end response. You can make changes to the response's status code, reason phrase, headers, and body. The modified values can reference [application settings], [parameters from the original client request], and [parameters from the back-end response].

+Back-end responses can be modified in the portal by expanding the *response override* section of the proxy detail page.

+## <a name="using-variables"></a>Use variables

+The configuration for a proxy doesn't need to be static. You can condition it to use variables from the original client request, the back-end response, or application settings.

+### <a name="reference-localhost"></a>Reference local functions

+You can use `localhost` to reference a function inside the same function app directly, without a roundtrip proxy request.

+`"backendUri": "https://localhost/api/httptriggerC#1"` will reference a local HTTP triggered function at the route `/api/httptriggerC#1`

+>[!Note]

+>If your function uses *function, admin or sys* authorization levels, you will need to provide the code and clientId, as per the original function URL. In this case the reference would look like: `"backendUri": "https://localhost/api/httptriggerC#1?code=<keyvalue>&clientId=<keyname>"` We recommend storing these keys in [application settings] and referencing those in your proxies. This avoids storing secrets in your source code.

+### <a name="request-parameters"></a>Reference request parameters

+You can use request parameters as inputs to the back-end URL property or as part of modifying requests and responses. Some parameters can be bound from the route template that's specified in the base proxy configuration, and others can come from properties of the incoming request.

+#### Route template parameters

+Parameters that are used in the route template are available to be referenced by name. The parameter names are enclosed in braces ({}).

+For example, if a proxy has a route template, such as `/pets/{petId}`, the back-end URL can include the value of `{petId}`, as in `https://<AnotherApp>.azurewebsites.net/api/pets/{petId}`. If the route template terminates in a wildcard, such as `/api/{*restOfPath}`, the value `{restOfPath}` is a string representation of the remaining path segments from the incoming request.

+#### Additional request parameters

+In addition to the route template parameters, the following values can be used in config values:

+* **{request.method}**: The HTTP method that's used on the original request.

+* **{request.headers.\<HeaderName\>}**: A header that can be read from the original request. Replace *\<HeaderName\>* with the name of the header that you want to read. If the header isn't included on the request, the value will be the empty string.

+* **{request.querystring.\<ParameterName\>}**: A query string parameter that can be read from the original request. Replace *\<ParameterName\>* with the name of the parameter that you want to read. If the parameter isn't included on the request, the value will be the empty string.

+### <a name="response-parameters"></a>Reference back-end response parameters

+Response parameters can be used as part of modifying the response to the client. The following values can be used in config values:

+* **{backend.response.statusCode}**: The HTTP status code that's returned on the back-end response.

+* **{backend.response.statusReason}**: The HTTP reason phrase that's returned on the back-end response.

+* **{backend.response.headers.\<HeaderName\>}**: A header that can be read from the back-end response. Replace *\<HeaderName\>* with the name of the header you want to read. If the header isn't included on the response, the value will be the empty string.

+### <a name="use-appsettings"></a>Reference application settings

+You can also reference [application settings defined for the function app](./functions-how-to-use-azure-function-app-settings.md) by surrounding the setting name with percent signs (%).

+For example, a back-end URL of *https://%ORDER_PROCESSING_HOST%/api/orders* would have "%ORDER_PROCESSING_HOST%" replaced with the value of the ORDER_PROCESSING_HOST setting.

+> [!TIP]

+> Use application settings for back-end hosts when you have multiple deployments or test environments. That way, you can make sure that you are always talking to the right back-end for that environment.

+## <a name="debugProxies"></a>Troubleshoot Proxies

+By adding the flag `"debug":true` to any proxy in your `proxies.json`, you'll enable debug logging. Logs are stored in `D:\home\LogFiles\Application\Proxies\DetailedTrace` and accessible through the advanced tools (kudu). Any HTTP responses will also contain a `Proxy-Trace-Location` header with a URL to access the log file.

+You can debug a proxy from the client side by adding a `Proxy-Trace-Enabled` header set to `true`. This will also log a trace to the file system, and return the trace URL as a header in the response.

+### Block proxy traces

+For security reasons you may not want to allow anyone calling your service to generate a trace. They won't be able to access the trace contents without your sign-in credentials, but generating the trace consumes resources and exposes that you're using Function Proxies.

+Disable traces altogether by adding `"debug":false` to any particular proxy in your `proxies.json`.

+## Advanced configuration

+The proxies that you configure are stored in a *proxies.json* file, which is located in the root of a function app directory. You can manually edit this file and deploy it as part of your app when you use any of the [deployment methods](./functions-continuous-deployment.md) that Functions supports.

+> [!TIP]

+> If you have not set up one of the deployment methods, you can also work with the *proxies.json* file in the portal. Go to your function app, select **Platform features**, and then select **App Service Editor**. By doing so, you can view the entire file structure of your function app and then make changes.

+*Proxies.json* is defined by a proxies object, which is composed of named proxies and their definitions. Optionally, if your editor supports it, you can reference a [JSON schema](http://json.schemastore.org/proxies) for code completion. An example file might look like the following:

+```json

+{

+ "$schema": "http://json.schemastore.org/proxies",

+ "proxies": {

+ "proxy1": {

+ "matchCondition": {

+ "methods": [ "GET" ],

+ "route": "/api/{test}"

+ },

+ "backendUri": "https://<AnotherApp>.azurewebsites.net/api/<FunctionName>"

+ }

+ }

+}

+```

+Each proxy has a friendly name, such as *proxy1* in the preceding example. The corresponding proxy definition object is defined by the following properties:

+* **matchCondition**: Required--an object defining the requests that trigger the execution of this proxy. It contains two properties that are shared with [HTTP triggers]:

+ * _methods_: An array of the HTTP methods that the proxy responds to. If it isn't specified, the proxy responds to all HTTP methods on the route.

+ * _route_: Required--defines the route template, controlling which request URLs your proxy responds to. Unlike in HTTP triggers, there's no default value.

+* **backendUri**: The URL of the back-end resource to which the request should be proxied. This value can reference application settings and parameters from the original client request. If this property isn't included, Azure Functions responds with an HTTP 200 OK.

+* **requestOverrides**: An object that defines transformations to the back-end request. See [Define a requestOverrides object].

+* **responseOverrides**: An object that defines transformations to the client response. See [Define a responseOverrides object].

+> [!NOTE]

+> The *route* property in Azure Functions Proxies does not honor the *routePrefix* property of the Function App host configuration. If you want to include a prefix such as `/api`, it must be included in the *route* property.

+### <a name="disableProxies"></a> Disable individual proxies

+You can disable individual proxies by adding `"disabled": true` to the proxy in the `proxies.json` file. This will cause any requests meeting the matchCondition to return 404.

+```json

+{

+ "$schema": "http://json.schemastore.org/proxies",

+ "proxies": {

+ "Root": {

+ "disabled":true,

+ "matchCondition": {

+ "route": "/example"

+ },

+ "backendUri": "https://<AnotherApp>.azurewebsites.net/api/<FunctionName>"

+ }

+ }

+}

+```

+### <a name="applicationSettings"></a> Application Settings

+The proxy behavior can be controlled by several app settings. They're all outlined in the [Functions App Settings reference](./functions-app-settings.md)

+* [AZURE_FUNCTION_PROXY_DISABLE_LOCAL_CALL](./functions-app-settings.md#azure_function_proxy_disable_local_call)

+* [AZURE_FUNCTION_PROXY_BACKEND_URL_DECODE_SLASHES](./functions-app-settings.md#azure_function_proxy_backend_url_decode_slashes)

+### <a name="reservedChars"></a> Reserved Characters (string formatting)

+Proxies read all strings out of a JSON file, using \ as an escape symbol. Proxies also interpret curly braces. See a full set of examples below.

+|Character|Escaped Character|Example|

+|-|-|-|

+|{ or }|{{ or }}|`{{ example }}` --> `{ example }`

+| \ | \\\\ | `example.com\\text.html` --> `example.com\text.html`

+|"|\\\"| `\"example\"` --> `"example"`

+### <a name="requestOverrides"></a>Define a requestOverrides object

+The requestOverrides object defines changes made to the request when the back-end resource is called. The object is defined by the following properties:

+* **backend.request.method**: The HTTP method that's used to call the back-end.

+* **backend.request.querystring.\<ParameterName\>**: A query string parameter that can be set for the call to the back-end. Replace *\<ParameterName\>* with the name of the parameter that you want to set. If an empty string is provided, the parameter is still included on the back-end request.

+* **backend.request.headers.\<HeaderName\>**: A header that can be set for the call to the back-end. Replace *\<HeaderName\>* with the name of the header that you want to set. If an empty string is provided, the parameter is still included on the back-end request.

+Values can reference application settings and parameters from the original client request.

+An example configuration might look like the following:

+```json

+{

+ "$schema": "http://json.schemastore.org/proxies",

+ "proxies": {

+ "proxy1": {

+ "matchCondition": {

+ "methods": [ "GET" ],

+ "route": "/api/{test}"

+ },

+ "backendUri": "https://<AnotherApp>.azurewebsites.net/api/<FunctionName>",

+ "requestOverrides": {

+ "backend.request.headers.Accept": "application/xml",

+ "backend.request.headers.x-functions-key": "%ANOTHERAPP_API_KEY%"

+ }

+ }

+ }

+}

+```

+### <a name="responseOverrides"></a>Define a responseOverrides object

+The requestOverrides object defines changes that are made to the response that's passed back to the client. The object is defined by the following properties:

+* **response.statusCode**: The HTTP status code to be returned to the client.

+* **response.statusReason**: The HTTP reason phrase to be returned to the client.

+* **response.body**: The string representation of the body to be returned to the client.

+* **response.headers.\<HeaderName\>**: A header that can be set for the response to the client. Replace *\<HeaderName\>* with the name of the header that you want to set. If you provide the empty string, the header isn't included on the response.

+Values can reference application settings, parameters from the original client request, and parameters from the back-end response.

+An example configuration might look like the following:

+```json

+{

+ "$schema": "http://json.schemastore.org/proxies",

+ "proxies": {

+ "proxy1": {

+ "matchCondition": {

+ "methods": [ "GET" ],

+ "route": "/api/{test}"

+ },

+ "responseOverrides": {

+ "response.body": "Hello, {test}",

+ "response.headers.Content-Type": "text/plain"

+ }

+ }

+ }

+}

+```

+> [!NOTE]

+> In this example, the response body is set directly, so no `backendUri` property is needed. The example shows how you might use Azure Functions Proxies for mocking APIs.

+[Azure portal]: https://portal.azure.com

+[HTTP triggers]: ./functions-bindings-http-webhook.md

+[Modify the back-end request]: #modify-backend-request

+[Modify the response]: #modify-response

+[Define a requestOverrides object]: #requestOverrides

+[Define a responseOverrides object]: #responseOverrides

+[application settings]: #use-appsettings

+[Use variables]: #using-variables

+[parameters from the original client request]: #request-parameters

+[parameters from the back-end response]: #response-parameters

+| [Azure App Service](../../app-service/index.yml) | &#x2705; | &#x2705; |

+| [Azure App Service](../../app-service/index.yml) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |

+| [Azure Monitor](../../azure-monitor/index.yml) (incl. [Application Insights](../../azure-monitor/app/app-insights-overview.md), [Log Analytics](../../azure-monitor/logs/data-platform-logs.md)) | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |

+# Customer intent: As an IT manager, I want to understand how I should move from using legacy agents to Azure Monitor Agent.

+[Azure Monitor Agent (AMA)](./agents-overview.md) replaces the Log Analytics agent (also known as MMA and OMS) for both Windows and Linux machines, in Azure and on premises. It introduces a simplified, flexible method of configuring collection configuration called [Data Collection Rules (DCRs)](../essentials/data-collection-rule-overview.md). This article outlines the benefits of migrating to Azure Monitor Agent (AMA) and provides guidance on how to implement a successful migration.

+- **Current and new feature requirements:** Review [Azure Monitor Agent's supported services and features](agents-overview.md#supported-services-and-features) to ensure that Azure Monitor Agent has the features you require. If you currently use unsupported features you can temporarily do without, consider migrating to the new agent to benefit from added security and reduced cost immediately. Use the [AMA Migration Helper](./azure-monitor-agent-migration-tools.md#using-ama-migration-helper-preview) to **discover what solutions and features you're using today that depend on the legacy agent**.

+- **Installing Azure Monitor Agent alongside a legacy agent:** If you're setting up a **new environment** with resources, such as deployment scripts and onboarding templates, and you still need a legacy agent, assess the effort of migrating to Azure Monitor Agent later. If the setup will take a significant amount of rework, install Azure Monitor Agent together with a legacy agent in your new environment to decrease the migration effort.

+ Azure Monitor Agent can run alongside the legacy Log Analytics agents on the same machine so that you can continue to use existing functionality during evaluation or migration. While this allows you to begin the transition, ensure you understand the limitations:

+## Prerequisites

+Review the [prerequisites](./azure-monitor-agent-manage.md#prerequisites) for use Azure Monitor Agent. For on-premises servers or other cloud managed servers, [installing the Azure Arc agent](/azure/azure-arc/servers/agent-overview) is an important prerequisite that then helps to install the agent extension and other required extensions. Using Arc for this purpose comes at no added cost, and it's not mandatory to use Arc for server management overall (i.e. you can continue using your existing on premises management solutions). Once Arc agent is installed, you can follow the same guidance below across Azure and on-premise for migration.

+See [create new data collection rules](./data-collection-rule-azure-monitor-agent.md#create-data-collection-rule-and-association) to start collecting some of the existing data types. Alternatively you can use the [DCR Config Generator](./azure-monitor-agent-migration-tools.md#installing-and-using-dcr-config-generator-preview) to convert existing legacy agent configuration into data collection rules.

+After you **validate** that data is flowing as expected with Azure Monitor Agent, check the `Category` column in the [Heartbeat](/azure/azure-monitor/reference/tables/heartbeat) table for the value *Azure Monitor Agent* for AMA collected data. Ensure it matches data flowing through the existing Log Analytics agent.

+>You can migrate your Application Insight resources to alerts-based smart detection (preview). The migration creates alert rules for the different smart detection modules. Once created, you can manage and configure these rules just like any other Azure Monitor alert rules. You can also configure action groups for these rules, thus enabling multiple methods of taking actions or triggering notification on new detections.

+> It is *highly recommended* to use the newer [Microsoft.ApplicationInsights.WorkerService](https://www.nuget.org/packages/Microsoft.ApplicationInsights.WorkerService) package and associated instructions from [here](./worker-service.md) for any Console Applications. This package is compatible with [Long Term Support (LTS) versions](https://dotnet.microsoft.com/platform/support/policy/dotnet-core) of .NET Core and .NET Framework or higher.

+### Using config file

+For .NET Framework based application, by default, Application Insights SDK looks for `ApplicationInsights.config` file in the working directory when `TelemetryConfiguration` is being created. Reading config file is not supported on .NET Core.

+> Reading config file is not supported on .NET Core.

+description: Autoscale patterns in Azure for Web Apps, virtual machine scale sets, and Cloud Services

+- [Autoscale flapping](/azure/azure-monitor/autoscale/autoscale-flapping)

+ Title: Autoscale flapping

+description: "Flapping in Autoscale"

+#Customer intent: As a cloud administrator, I want understand flapping so that I can configure autoscale correctly.

+# Flapping in Autoscale

+This article describes flapping in autoscale and how to avoid it.

+Flapping refers to a loop condition that causes a series of opposing scale events. Flapping happens when a scale event triggers the opposite scale event.

+Autoscale evaluates a pending scale-in action to see if it would cause flapping. In cases where flapping could occur, autoscale may skip the scale action and reevaluate at the next run, or autoscale may scale by less than the specified number of resource instances. The autoscale evaluation process occurs each time the autoscale engine runs, which is every 30 to 60 seconds, depending on the resource type.

+To ensure adequate resources, checking for potential flapping doesn't occur for scale-out events. Autoscale will only defer a scale-in event to avoid flapping.

+For example, let's assume the following rules:

+* Scale out increasing by 1 instance when average CPU usage is above 50%.

+* Scale in decreasing the instance count by 1 instance when average CPU usage is lower than 30%.

+ In the table below at T0, when usage is at 56%, a scale-out action is triggered and results in 56% CPU usage across 2 instances. That gives an average of 28% for the scale set. As 28% is less than the scale-in threshold, autoscale should scale back in. Scaling in would return the scale set to 56% CPU usage, which triggers a scale-out action.

+|Time| Instance count| CPU% |CPU% per instance| Scale event| Resulting instance count

+|||||||

+T0|1|56%|56%|Scale out|2|

+T1|2|56%|28%|Scale in|1|

+T2|1|56%|56%|Scale out|2|

+T3|2|56%|28%|Scale in|1|

+If left uncontrolled, there would be an ongoing series of scale events. However, in this situation, the autoscale engine will defer the scale-in event at *T1* and reevaluate during the next autoscale run. The scale-in will only happen once the average CPU usage is below 30%.

+Flapping is often caused by:

+* Small or no margins between thresholds

+* Scaling by more than one instance

+* Scaling in and out using different metrics

+## Small or no margins between thresholds

+To avoid flapping, keep adequate margins between scaling thresholds.

+For example, the following rules where there's no margin between thresholds, cause flapping.

+* Scale out when thread count >=600

+* Scale in when thread count < 600

+The table below shows a potential outcome of these autoscale rules:

+|Time| Instance count| Thread count|Thread count per instance| Scale event| Resulting instance count

+|||||||

+T0|2|1250|625|Scale out|3|

+T1|3|1250|417|Scale in|2|

+* At time T0, there are two instances handling 1250 threads, or 625 treads per instance. Autoscale scales out to three instances.

+* Following the scale-out, at T1, we have the same 1250 threads, but with three instances, only 417 threads per instance. A scale-in event is triggered.

+* Before scaling-in, autoscale evaluates what would happen if the scale-in event occurs. In this example, 1250 / 2 = 625, that is, 625 threads per instance. Autoscale would have to immediately scale out again after it scaled in. If it scaled out again, the process would repeat, leading to flapping loop.

+* To avoid this situation, autoscale doesn't scale in. Autoscale skips the current scale event and reevaluates the rule in the next execution cycle.

+In this case, it looks like autoscale isn't working since no scale event takes place. Check the *Run history* tab on the autoscale setting page to see if there's any flapping.

+Setting an adequate margin between thresholds avoids the above scenario. For example,

+* Scale out when thread count >=600

+* Scale in when thread count < 400

+If the scale-in thread count is 400, the total thread count would have to drop to below 1200 before a scale event would take place. See the table below.

+|Time| Instance count| Thread count|Thread count per instance| Scale event| Resulting instance count

+|||||||

+T0|2|1250|625|Scale out|3|

+T1|3|1250|417|no scale event|3|

+T2|3|1180|394|scale in|2|

+T3|3|1180|590|no scale event|2|

+## Scaling by more than one instance

+To avoid flapping when scaling in or out by more than one instance, autoscale may scale by less than the number of instances specified in the rule.

+For example, the following rules can cause flapping:

+* Scale out by 20 when the request count >=200 per instance.

+* OR when CPU > 70% per instance.

+* Scale in by 10 when the request count <=50 per instance.

+The table below shows a potential outcome of these autoscale rules:

+|Time|Number of instances|CPU |Request count| Scale event| Resulting instances|Comments|

+||||||||

+|T0|30|65%|3000, or 100 per instance.|No scale event|30|

+|T1|30|65|1500| Scale in by 3 instances |27|Scaling-in by 10 would cause an estimated CPU rise above 70%, leading to a scale-out event.

+At time T0, the app is running with 30 instances, a total request count of 3000, and a CPU usage of 65% per instance.

+At T1, when the request count drops to 1500 requests, or 50 requests per instance, autoscale will try to scale in by 10 instances to 20. However, autoscale estimates that the CPU load for 20 instances will be above 70%, causing a scale-out event.

+To avoid flapping, the autoscale engine estimates the CPU usage for instance counts above 20 until it finds an instance count where all metrics are with in the defined thresholds:

+* Keep the CPU below 70%.

+* Keep the number of requests per instance is above 50.

+* Reduce the number of instances below 30.

+In this situation, autoscale may scale in by 3, from 30 to 27 instances in order to satisfy the rules, even though the rule specifies a decrease of 10. A log message is written to the activity log with a description that includes *Scale down will occur with updated instance count to avoid flapping*

+If autoscale can't find a suitable number of instances, it will skip the scale in event and reevaluate during the next cycle.

+> [!NOTE]

+> If the autoscale engine detects that flapping could occur as a result of scaling to the target number of instances, it will also try to scale to a lower number of instances between the current count and the target count. If flapping does not occur within this range, autoscale will continue the scale operation with the new target.

+## Log files

+Find flapping in the activity log with the following query:

+````KQL

+// Activity log, CategoryValue: Autoscale

+// Lists latest Autoscale operations from the activity log, with OperationNameValue =="Microsoft.Insights/AutoscaleSettings/Flapping/Action

+AzureActivity

+|where CategoryValue =="Autoscale" and OperationNameValue =="Microsoft.Insights/AutoscaleSettings/Flapping/Action"

+|sort by TimeGenerated desc

+````

+Below is an example of an activity log record for flapping:

+````JSON

+{

+"eventCategory": "Autoscale",

+"eventName": "FlappingOccurred",

+"operationId": "ffd31c67-1438-47a5-bee4-1e3a102cf1c2",

+"eventProperties":

+ "{"Description":"Scale down will occur with updated instance count to avoid flapping.

+ Resource: '/subscriptions/d1234567-9876-a1b2-a2b1-123a567b9f8767/ resourcegroups/ed-rg-001/providers/Microsoft.Web/serverFarms/ ScaleableAppServicePlan'.

+ Current instance count: '6',

+ Intended new instance count: '1'.

+ Actual new instance count: '4'",

+ "ResourceName":"/subscriptions/d1234567-9876-a1b2-a2b1-123a567b9f8767/resourcegroups/ed-rg-001/providers/Microsoft.Web/serverFarms/ScaleableAppServicePlan",

+ "OldInstancesCount":6,

+ "NewInstancesCount":4,

+ "ActiveAutoscaleProfile":{"Name":"Auto created scale condition",

+ "Capacity":{"Minimum":"1","Maximum":"30","Default":"1"},

+ "Rules":[{"MetricTrigger":{"Name":"Requests","Namespace":"microsoft.web/sites","Resource":"/subscriptions/d1234567-9876-a1b2-a2b1-123a567b9f8767/resourceGroups/ed-rg-001/providers/Microsoft.Web/sites/ScaleableWebApp1","ResourceLocation":"West Central US","TimeGrain":"PT1M","Statistic":"Average","TimeWindow":"PT1M","TimeAggregation":"Maximum","Operator":"GreaterThanOrEqual","Threshold":3.0,"Source":"/subscriptions/d1234567-9876-a1b2-a2b1-123a567b9f8767/resourceGroups/ed-rg-001/providers/Microsoft.Web/sites/ScaleableWebApp1","MetricType":"MDM","Dimensions":[],"DividePerInstance":true},"ScaleAction":{"Direction":"Increase","Type":"ChangeCount","Value":"10","Cooldown":"PT1M"}},{"MetricTrigger":{"Name":"Requests","Namespace":"microsoft.web/sites","Resource":"/subscriptions/d1234567-9876-a1b2-a2b1-123a567b9f8767/resourceGroups/ed-rg-001/providers/Microsoft.Web/sites/ScaleableWebApp1","ResourceLocation":"West Central US","TimeGrain":"PT1M","Statistic":"Max","TimeWindow":"PT1M","TimeAggregation":"Maximum","Operator":"LessThan","Threshold":3.0,"Source":"/subscriptions/d1234567-9876-a1b2-a2b1-123a567b9f8767/resourceGroups/ed-rg-001/providers/Microsoft.Web/sites/ScaleableWebApp1","MetricType":"MDM","Dimensions":[],"DividePerInstance":true},"ScaleAction":{"Direction":"Decrease","Type":"ChangeCount","Value":"5","Cooldown":"PT1M"}}]}}",

+"eventDataId": "b23ae911-55d0-4881-8684-fc74227b2ddb",

+"eventSubmissionTimestamp": "2022-09-13T07:20:41.1589076Z",

+"resource": "scaleableappserviceplan",

+"resourceGroup": "ED-RG-001",

+"resourceProviderValue": "MICROSOFT.WEB",

+"subscriptionId": "D1234567-9876-A1B2-A2B1-123A567B9F876",

+"activityStatusValue": "Succeeded"

+}

+````

+## Next steps

+To learn more about autoscale, see the following resources:

+* [Overview of common autoscale patterns](/azure/azure-monitor/autoscale/autoscale-common-scale-patterns)

+* [Automatically scale a virtual machine scale](/azure/virtual-machine-scale-sets/tutorial-autoscale-powershell)

+* [Use autoscale actions to send email and webhook alert notifications](/azure/azure-monitor/autoscale/autoscale-webhook-email)

+Autoscale uses a cool-down period to prevent "flapping," which is the rapid, repetitive up-and-down scaling of instances. For more information, see [Autoscale evaluation steps](autoscale-understanding-settings.md#autoscale-evaluation). For other valuable information on flapping and understanding how to monitor the autoscale engine, see [Flapping in Autoscale](autoscale-flapping.md) and [Troubleshooting autoscale](autoscale-troubleshoot.md), respectively.

+If you want to stop monitoring your VMs for a while or remove VM insights entirely, see [Disable monitoring of your VMs in VM insights](../vm/vminsights-optout.md).

+> Service Map will be retired on 30 September 2025. Be sure to migrate to VM insights before this date to continue monitoring processes and dependencies for your virtual machines.

+* Japan West

+ "value": "[reference(resourceId(parameters('storageResourceGroup'), 'Microsoft.Storage/storageAccounts', parameters('storageName')), '2022-05-01')]",

+resource stg 'Microsoft.Storage/storageAccounts@2022-05-01' existing = {

+You can't enable debug logging with Azure CLI but you can get the debug log's data using the `request` and `response` properties.

+- **Validation errors** occur before a deployment begins and are caused by syntax errors in your file. A code editor like Visual Studio Code can identify these errors.

+- **Deployment errors** occur during the deployment process and can only be found by assessing the deployment's progress in your Azure environment.

+Templates are validated during the deployment process and error codes are displayed. Before you run a deployment, you can identify validation and preflight errors by running validation tests with Azure PowerShell or Azure CLI.

+### Other scopes

+There are Azure PowerShell cmdlets to validate deployment templates for the subscription, management group, and tenant scopes.

+| Scope | Cmdlets |

+| - | - |

+| Subscription | [Test-AzDeployment](/powershell/module/az.resources/test-azdeployment) |

+| Management group | [Test-AzManagementGroupDeployment](/powershell/module/az.resources/test-azmanagementgroupdeployment) |

+| Tenant | [Test-AzTenantDeployment](/powershell/module/az.resources/test-aztenantdeployment) |

+### Other scopes

+There are Azure CLI commands to validate deployment templates for the subscription, management group, and tenant scopes.

+| Scope | Commands |

+| - | - |

+| Subscription | [az deployment sub validate](/cli/azure/deployment/sub#az-deployment-sub-validate) |

+| Management group | [az deployment mg validate](/cli/azure/deployment/mg#az-deployment-mg-validate) |

+| Tenant | [az deployment tenant validate](/cli/azure/deployment/tenant#az-deployment-tenant-validate) |

+### Other scopes

+There are Azure PowerShell cmdlets to get deployment information for the subscription, management group, and tenant scopes.

+| Scope | Cmdlets |

+| - | - |

+| Subscription | [Get-AzDeploymentOperation](/powershell/module/az.resources/get-azdeploymentoperation) <br> [Get-AzDeployment](/powershell/module/az.resources/get-azdeployment) |

+| Management group | [Get-AzManagementGroupDeploymentOperation](/powershell/module/az.resources/get-azmanagementgroupdeploymentoperation) <br> [Get-AzManagementGroupDeployment](/powershell/module/az.resources/get-azmanagementgroupdeployment) |

+| Tenant | [Get-AzTenantDeploymentOperation](/powershell/module/az.resources/get-aztenantdeploymentoperation) <br> [Get-AzTenantDeployment](/powershell/module/az.resources/get-aztenantdeployment) |

+### Other scopes

+There are Azure CLI commands to get deployment information for the subscription, management group, and tenant scopes.

+| Scope | Commands |

+| - | - |

+| Subscription | [az deployment operation sub list](/cli/azure/deployment/operation/sub#az-deployment-operation-sub-list) <br> [az deployment sub show](/cli/azure/deployment/sub#az-deployment-sub-show) |

+| Management group | [az deployment operation mg list](/cli/azure/deployment/operation/mg#az-deployment-operation-mg-list) <br> [az deployment mg show](/cli/azure/deployment/mg#az-deployment-mg-show) |

+| Tenant | [az deployment operation tenant list](/cli/azure/deployment/operation/tenant#az-deployment-operation-tenant-list) <br> [az deployment tenant show](/cli/azure/deployment/tenant#az-deployment-tenant-show) |

+ Title: Overview of deployment troubleshooting for Bicep files and ARM templates

+description: Describes deployment troubleshooting when you use Bicep files or Azure Resource Manager templates (ARM templates) to deploy Azure resources.

+When you deploy Azure resources with Bicep files or Azure Resource Manager templates (ARM templates), you may get an error. There are troubleshooting tools available to help you resolve syntax errors before deployment. You can get more information about error codes and deployment errors from the Azure portal, Azure PowerShell, and Azure CLI. This documentation helps you find solutions to troubleshoot errors.

+Validation errors occur before a deployment begins and are caused by incorrect syntax that can be identified by a code editor like Visual Studio Code. For example, a misspelled property name or a function that's missing an argument.

+Preflight validation errors occur when a deployment command is run but resources aren't deployed in Azure. For example, if an incorrect parameter value is used, the deployment command returns an error message.

+There are several troubleshooting tools available to resolve errors.

+### Syntax errors

+To help identify syntax errors before a deployment, use the latest version of [Visual Studio Code](https://code.visualstudio.com). Install the latest version of the extension for Bicep or ARM templates.

+- [Bicep](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-bicep)

+- [Azure Resource Manager Tools](https://marketplace.visualstudio.com/items?itemName=msazurermtools.azurerm-vscode-tools)

+To follow best practices for developing your deployment templates, use the following tools:

+- [Bicep linter](../bicep/linter.md)

+- [ARM template test toolkit](../templates/test-toolkit.md)

+### Resource provider and API version

+To troubleshoot deployments, it's helpful to learn about a resource provider's properties or API versions. For more information, see [Define resources with Bicep and ARM templates](/azure/templates).

+### Error details

+- To learn more about how to find deployment error codes and troubleshoot deployment problems, see [Find error codes](find-error-code.md).

+- For an introduction to finding the error code, see [Quickstart: Troubleshoot ARM template JSON deployments](quickstart-troubleshoot-arm-deployment.md) or [Quickstart: Troubleshoot Bicep file deployments](quickstart-troubleshoot-bicep-deployment.md).

+- **Validation errors** occur before a deployment begins and are caused by syntax errors in your file. A code editor like Visual Studio Code can identify these errors.

+- **Deployment errors** occur during the deployment process and can only be found by assessing the deployment's progress in your Azure environment.

+Because the deployment didn't run, there's no deployment history.

+To fix the deployment error, change the reference function to use a valid resource. For more information, see [Resolve resource not found errors](error-not-found.md). For this quickstart, delete the comma that precedes `vnetResult` and all of `vnetResult`. Save the file and rerun the deployment.

+- **Validation errors** occur before a deployment begins and are caused by syntax errors in your file. A code editor like Visual Studio Code can identify these errors.

+- **Deployment errors** occur during the deployment process and can only be found by assessing the deployment's progress in your Azure environment.

+The message states: _This declaration type is not recognized. Specify a parameter, variable, resource, or output declaration._ If you attempt to deploy this file, you'll get the same error message from the deployment command.

+description: An overview of service modes in Azure SignalR Service.

+Service mode is an important concept in Azure SignalR Service. SignalR Service currently supports three service modes: *Default*, *Serverless*, and *Classic*. Your SignalR Service resource will behave differently in each mode. In this article, you'll learn how to choose the right service mode based on your scenario.

+## Setting the service mode

+You'll be asked to specify a service mode when you create a new SignalR resource in the Azure portal.

+You can also change the service mode later in the settings menu.

+Use `az signalr create` and `az signalr update` to set or change the service mode by using the [Azure SignalR CLI](/cli/azure/service-page/azure%20signalr).

+As the name implies, *Default* mode is the default service mode for SignalR Service. In Default mode, your application works as a typical [ASP.NET Core SignalR](/aspnet/core/signalr/introduction) or ASP.NET SignalR (deprecated) application. You have a web server application that hosts a hub, called a *hub server*, and clients have full duplex communication with the hub server. The difference between ASP.NET Core SignalR and Azure SignalR Service is instead of connecting client and hub server directly, client and server both connect to SignalR Service and use the service as a proxy. The following diagram shows the typical application structure in Default mode.

+Default mode is usually the right choice when you have a SignalR application that you want to use with SignalR Service.

+### Connection routing in Default mode

+In Default mode, there are WebSocket connections between hub server and SignalR Service called *server connections*. These connections are used to transfer messages between a server and client. When a new client is connected, SignalR Service will route the client to one hub server (assume you've more than one server) through existing server connections. The client connection will stick to the same hub server during its lifetime. This property is referred to as *connection stickiness*. When the client sends messages, they always go to the same hub server. With stickiness behavior, you can safely maintain some states for individual connections on your hub server. For example, if you want to stream something between server and client, you don't need to consider the case where data packets go to different servers.

+> In Default mode a client cannot connect without a hub server being connected to the service first. If all your hub servers are disconnected due to network interruption or server reboot, your client connections will get an error telling you no server is connected. It's your responsibility to make sure there is always at least one hub server connected to SignalR service. For example, you can design your application with multiple hub servers, and then make sure they won't all go offline at the same time.

+The default routing model also means when a hub server goes offline, the connections routed to that server will be dropped. You should expect connections to drop when your hub server is offline for maintenance, and handle reconnection to minimize the effects on your application.

+> [!NOTE]

+> In Default mode you can also use REST API, management SDK, and function binding to directly send messages to a client if you don't want to go through a hub server. In Default mode client connections are still handled by hub servers and upstream endpoints won't work in that mode.

+Unlike Default mode, Serverless mode doesn't require a hub server to be running, which is why this mode is named "serverless." SignalR Service is responsible for maintaining client connections. There's no guarantee of connection stickiness and HTTP requests may be less efficient than WebSockets connections.

+Serverless mode works with Azure Functions to provide real time messaging capability. Clients work with [SignalR Service bindings for Azure Functions](../azure-functions/functions-bindings-signalr-service.md), called *function binding*, to send messages as an output binding.

+Because there's no server connection, if you try to use a server SDK to establish a server connection you'll get an error. SignalR Service will reject server connection attempts in Serverless mode.

+Serverless mode doesn't have connection stickiness, but you can still have a server-side application push messages to clients. There are two ways to push messages to clients in Serverless mode:

+- Use [REST APIs](https://github.com/Azure/azure-signalr/blob/dev/docs/rest-api.md) for a one-time send event, or

+- Use a WebSocket connection so that you can send multiple messages more efficiently. This WebSocket connection is different than a server connection.

+> Both REST API and WebSockets are supported in SignalR service [management SDK](https://github.com/Azure/azure-signalr/blob/dev/docs/management-sdk-guide.md). If you're using a language other than .NET, you can also manually invoke the REST APIs following this [specification](https://github.com/Azure/azure-signalr/blob/dev/docs/rest-api.md).

+It's also possible for your server application to receive messages and connection events from clients. SignalR Service will deliver messages and connection events to pre-configured endpoints (called *upstream endpoints*) using web hooks. Upstream endpoints can only be configured in Serverless mode. For more information, see [Upstream settings](concept-upstream.md).

+The following diagram shows how Serverless mode works.

+> Classic mode is mainly for backward compatibility for applications created before the Default and Serverless modes were introduced. Don't use Classic mode except as a last resort. Use Default or Serverless for new applications, based on your scenario. You should consider redesigning existing applications to eliminate the need for Classic mode.

+Classic is a mixed mode of Default and Serverless modes. In Classic mode, connection type is decided by whether there's a hub server connected when the client connection is established. If there's a hub server, the client connection will be routed to a hub server. If a hub server isn't available, the client connection will be made in a limited serverless mode where client-to-server messages can't be delivered to a hub server. Classic mode serverless connections don't support some features such as upstream endpoints.

+If all your hub servers are offline for any reason, connections will be made in Serverless mode. It's your responsibility to ensure that at least one hub server is always available.

+Now you should understand the differences between service modes and know how to choose between them. As previously discussed, Classic mode isn't recommended for new or existing applications. Here are some more tips that can help you make the right choice for service mode and help you retire Classic mode for existing applications.

+- Choose Default mode if you're already familiar with how SignalR library works and want to move from a self-hosted SignalR to use Azure SignalR Service. Default mode works exactly the same way as self-hosted SignalR, and you can use the same programming model in SignalR library. SignalR Service acts as a proxy between clients and hub servers.

+- Choose Serverless mode if you're creating a new application and don't want to maintain hub server and server connections. Serverless mode works together with Azure Functions so that you don't need to maintain any server at all. You can still have full duplex communications with REST API, management SDK, or function binding + upstream endpoint, but the programming model will be different than SignalR library.

+- Choose Default mode if you have *both* hub servers to serve client connections and a backend application to directly push messages to clients. The key difference between Default and Serverless mode is whether you have hub servers and how client connections are routed. REST API/management SDK/function binding can be used in both modes.

+- If you really have a mixed scenario, you should consider separating use cases into multiple SignalR Service instances with service mode set according to use. An example of a mixed scenario that requires Classic mode is where you have two different hubs on the same SignalR resource. One hub is used as a traditional SignalR hub and the other hub is used with Azure Functions. This example should be split into two resources, with one instance in Default mode and one in Serverless mode.

+See the following articles to learn more about how to use Default and Serverless modes.

+- [Azure SignalR Service internals](signalr-concept-internals.md)

+- [Azure Functions development and configuration with Azure SignalR Service](signalr-concept-serverless-development-config.md)

+Once complete, newer versions of VMware components appear. If you notice any issues or have any questions, contact our support team by opening a support ticket.

+**Cross Subscription Restore** | Allows you to restore Azure Virtual Machines or disks to any subscription (as per the Azure RBAC capabilities) from restore points. <br><br> You can trigger Cross Subscription Restore for managed virtual machines only. <br><br> Cross Subscription Restore is supported for [Restore with Managed System Identities (MSI)](backup-azure-arm-restore-vms.md#restore-vms-with-managed-identities). <br><br> It's unsupported from [snapshots](backup-azure-vms-introduction.md#snapshot-creation) and [secondary region](backup-azure-arm-restore-vms.md#restore-in-secondary-region) restores. <br><br> It's unsupported for [Encrypted Azure VMs](backup-azure-vms-introduction.md#encryption-of-azure-vm-backups) and [Trusted Launch VMs](backup-support-matrix-iaas.md#tvm-backup).

+ Title: Batch Certificate Migration Guide

+description: Describes the migration steps for the batch certificates and the end of support details.

+# Batch Certificate Migration Guide

+Securing the application and critical information has become essential in today's needs. With growing customers and increasing demand for security, managing key information plays a significant role in securing data. Many customers need to store secure data in the application, and it needs to be managed to avoid any leakage. In addition, only legitimate administrators or authorized users should access it. Azure Batch offers Certificates created and managed by the Batch service. Azure Batch also provides a Key Vault option, and it's considered an azure-standard method for delivering more controlled secure access management.

+Azure Batch provides certificates feature at the account level. Customers must generate the Certificate and upload it manually to the Azure Batch via the portal. To access the Certificate, it must be associated and installed for the 'Current User.' The Certificate is usually valid for one year and must follow a similar procedure every year.

+For Azure Batch customers, a secure way of access should be provided in a more standardized way, reducing any manual interruption and reducing the readability of key generated. Therefore, we'll retire the certificate feature on **29 February 2024** to reduce the maintenance effort and better guide customers to use Azure Key Vault as a standard and more modern method with advanced security. After it's retired, the Certificate functionality may cease working properly. Additionally, pool creation with certificates will be rejected and possibly resize up.

+## Retirement alternatives

+Azure Key Vault is the service provided by Microsoft Azure to store and manage secrets, certificates, tokens, keys, and other configuration values that authenticated users access the applications and services. The original idea was to remove the hard-coded storing of these secrets and keys in the application code.

+Azure Key Vault provides security at the transport layer by ensuring any data flow from the key vault to the client application is encrypted. Azure key vault stores the secrets and keys with such strong encryption that even Microsoft itself won't see the keys or secrets in any way.

+Azure Key Vault provides a secure way to store the information and define the fine-grained access control. All the secrets can be managed from one dashboard. Azure Key Vault can store the key in the software-protected or hardware protected by hardware security module (HSMs) mechanism. In addition, it has a mechanism to auto-renew the Key Vault certificates.

+## Migration steps

+Azure Key Vault can be created in three ways:

+1. Using Azure portal

+2. Using PowerShell

+3. Using CLI

+**Create Azure Key Vault step by step procedure using Azure portal:**

+__Prerequisite__: Valid Azure subscription and owner/contributor access on Key Vault service.

+ 1. Log in to the Azure portal.

+ 2. In the top-level search box, look for **Key Vaults**.

+ 3. In the Key Vault dashboard, click on create and provide all the details like subscription, resource group, Key Vault name, select the pricing tier (standard/premium), and select region. Once all these details are provided, click on review, and create. This will create the Key Vault account.

+ 4. Key Vault names need to be unique across the globe. Once any user has taken a name, it wonΓÇÖt be available for other users.

+ 5. Now go to the newly created Azure Key Vault. There you can see the vault name and the vault URI used to access the vault.

+**Create Azure Key Vault step by step using the Azure PowerShell:**

+ 1. Log in to the user PowerShell using the following command - Login-AzAccount

+ 2. Create an 'azure secure' resource group in the 'eastus' location. You can change the name and location as per your need.

+```

+ New-AzResourceGroup -Name "azuresecure" -Location "EastUS"

+```

+ 3. Create the Azure Key Vault using the cmdlet. You need to provide the key vault name, resource group, and location.

+```

+ New-AzKeyVault -Name "azuresecureKeyVault" -ResourceGroupName "azuresecure" -Location "East US"

+```

+ 4. Created the Azure Key Vault successfully using the PowerShell cmdlet.

+**Create Azure Key Vault step by step using the Azure CLI bash:**

+ 1. Create an 'azure secure' resource in the 'eastus' location. You can change the name and location as per your need. Use the following bash command.

+```

+ az group create ΓÇôname "azuresecure" -l "EastUS."

+```

+ 2. Create the Azure Key Vault using the bash command. You need to provide the key vault name, resource group, and location.

+```

+ az keyvault create ΓÇôname ΓÇ£azuresecureKeyVaultΓÇ¥ ΓÇôresource-group ΓÇ£azureΓÇ¥ ΓÇôlocation ΓÇ£EastUSΓÇ¥

+```

+ 3. Successfully created the Azure Key Vault using the Azure CLI bash command.

+## FAQ

+ 1. Is Certificates or Azure Key Vault recommended?

+ Azure Key Vault is recommended and essential to protect the data in the cloud.

+ 2. Does user subscription mode support Azure Key Vault?

+ Yes, it's mandatory to create Key Vault while creating the Batch account in user subscription mode.

+ 3. Are there best practices to use Azure Key Vault?

+ Best practices are covered [here](../key-vault/general/best-practices.md).

+## Next steps

+For more information, see [Certificate Access Control](../key-vault/certificates/certificate-access-control.md).

+ Title: Batch Pools without Public IP Addresses Classic Retirement Migration Guide

+description: Describes the migration steps for the batch pool without public ip addresses and the end of support details.

+# Batch Pools without Public IP Addresses Classic Retirement Migration Guide

+By default, all the compute nodes in an Azure Batch virtual machine (VM) configuration pool are assigned a public IP address. This address is used by the Batch service to schedule tasks and for communication with compute nodes, including outbound access to the internet. To restrict access to these nodes and reduce the discoverability of these nodes from the internet, we released [Batch pools without public IP addresses (classic)](./batch-pool-no-public-ip-address.md).

+In late 2021, we launched a simplified compute node communication model for Azure Batch. The new communication model improves security and simplifies the user experience. Batch pools no longer require inbound Internet access and outbound access to Azure Storage, only outbound access to the Batch service. As a result, Batch pools without public IP addresses (classic) which is currently in public preview will be retired on **31 March 2023**, and will be replaced with simplified compute node communication pools without public IPs.

+## Retirement alternatives

+[Simplified Compute Node Communication Pools without Public IPs](./simplified-node-communication-pool-no-public-ip.md) requires using simplified compute node communication. It provides customers with enhanced security for their workload environments on network isolation and data exfiltration to Azure Batch accounts. Its key benefits include:

+* Allow creating simplified node communication pool without public IP addresses.

+* Support Batch private pool using a new private endpoint (sub-resource nodeManagement) for Azure Batch account.

+* Simplified private link DNS zone for Batch account private endpoints: changed from **privatelink.\<region>.batch.azure.com** to **privatelink.batch.azure.com**.

+* Mutable public network access for Batch accounts.

+* Firewall support for Batch account public endpoints: configure IP address network rules to restrict public network access with Batch accounts.

+## Migration steps

+Batch pool without public IP addresses (classic) will retire on **31/2023 and will be updated to simplified compute node communication pools without public IPs. For existing pools that use the previous preview version of Batch pool without public IP addresses (classic), it's only possible to migrate pools created in a virtual network. To migrate the pool, follow the opt-in process for simplified compute node communication:

+1. Opt in to [use simplified compute node communication](./simplified-compute-node-communication.md#opt-your-batch-account-in-or-out-of-simplified-compute-node-communication).

+ 

+2. Create a private endpoint for Batch node management in the virtual network.

+ 

+3. Scale down the pool to zero nodes.

+ 

+4. Scale out the pool again. The pool is then automatically migrated to the new version of the preview.

+ 

+## FAQ

+* How can I migrate my Batch pool without public IP addresses (classic) to simplified compute node communication pools without public IPs?

+ You can only migrate your pool to simplified compute node communication pools if it was created in a virtual network. Otherwise, youΓÇÖd need to create a new simplified compute node communication pool without public IPs.

+* What differences will I see in billing?

+ Compared with Batch pools without public IP addresses (classic), the simplified compute node communication pools without public IPs support will reduce costs because it wonΓÇÖt need to create network resources the following: load balancer, network security groups, and private link service with the Batch pool deployments. However, there will be a [cost associated with private link](https://azure.microsoft.com/pricing/details/private-link/) or other outbound network connectivity used by pools, as controlled by the user, to allow communication with the Batch service without public IP addresses.

+* Will there be any performance changes?

+ No known performance differences compared to Batch pools without public IP addresses (classic).

+* How can I connect to my pool nodes for troubleshooting?

+ Similar to Batch pools without public IP addresses (classic). As there is no public IP address for the Batch pool, users will need to connect their pool nodes from within the virtual network. You can create a jump box VM in the virtual network or use other remote connectivity solutions like [Azure Bastion](../bastion/bastion-overview.md).

+* Will there be any change to how my workloads are downloaded from Azure Storage?

+ Similar to Batch pools without public IP addresses (classic), users will need to provide their own internet outbound connectivity if their workloads need access to other resources like Azure Storage.

+* What if I donΓÇÖt migrate to simplified compute node communication pools without public IPs?

+ After **31 March 2023**, we will stop supporting Batch pool without public IP addresses. The functionality of the existing pool in that configuration may break, such as scale out operations, or may be actively scaled down to zero at any point in time after that date.

+## Next steps

+For more information, refer to [Simplified compute node communication](./simplified-compute-node-communication.md).

+ Title: Batch Tls 1.0 Migration Guide

+description: Describes the migration steps for the batch TLS 1.0 and the end of support details.

+# Batch TLS 1.0 Migration Guide

+Transport Layer Security (TLS) versions 1.0 and 1.1 are known to be susceptible to attacks such as BEAST and POODLE, and to have other Common Vulnerabilities and Exposures (CVE) weaknesses. They also don't support the modern encryption methods and cipher suites recommended by Payment Card Industry (PCI) compliance standards. There's an industry-wide push toward the exclusive use of TLS version 1.2 or later.

+To follow security best practices and remain in compliance with industry standards, Azure Batch will retire Batch TLS 1.0/1.1 on **31 March 2023**. Most customers have already migrated to TLS 1.2. Customers who continue to use TLS 1.0/1.1 can be identified via existing BatchOperation telemetry. Customers will need to adjust their existing workflows to ensure that they're using TLS 1.2. Failure to migrate to TLS 1.2 will break existing Batch workflows.

+## Migration strategy

+Customers must update client code before the TLS 1.0/1.1 retirement.

+- Customers using native WinHTTP for client code can follow this [guide](https://support.microsoft.com/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392).

+- Customers using .NET framework for their client code should upgrade to .NET > 4.7, that which enforces TLS 1.2 by default.

+- For customers on .NET framework who are unable to upgrade to > 4.7, please follow this [guide](https://docs.microsoft.com/dotnet/framework/network-programming/tls) to enforce TLS 1.2.

+For TLS best practices, refer to [TLS best practices for .NET framework](https://docs.microsoft.com/dotnet/framework/network-programming/tls).

+## FAQ

+* Why must we upgrade to TLS 1.2?<br>

+ TLS 1.0/1.1 has security issues that are fixed in TLS 1.2. TLS 1.2 has been available since 2008 and is the current default version in most frameworks.

+* What happens if I donΓÇÖt upgrade?<br>

+ After the feature retirement, our client application won't work until you upgrade.<br>

+* Will Upgrading to TLS 1.2 affect the performance?<br>

+ Upgrading to TLS 1.2 won't affect performance.<br>

+* How do I know if IΓÇÖm using TLS 1.0/1.1?<br>

+ You can check the Audit Log to determine the TLS version you're using.

+## Next steps

+For more information, see [How to enable TLS 1.2 on clients](https://docs.microsoft.com/mem/configmgr/core/plan-design/security/enable-tls-1-2-client).

+ Title: Batch job pool lifetime statistics migration guide

+description: Describes the migration steps for the batch job pool lifetime statistics and the end of support details.

+# Batch Job Pool Lifetime Statistics Migration Guide

+The Azure Batch service currently supports API for Job/Pool to retrieve lifetime statistics. The API is used to get lifetime statistics for all the Pools/Jobs in the specified batch account or for a specified Pool/Job. The API collects the statistical data from when the Batch account was created until the last time updated or entire lifetime of the specified Job/Pool. Job/Pool lifetime statistics API is helpful for customers to analyze and evaluate their usage.

+To make the statistical data available for customers, the Batch service allocates batch pools and schedule jobs with an in-house MapReduce implementation to perform background periodic roll-up of statistics. The aggregation is performed for all accounts/pools/jobs in each region, no matter if customer needs or queries the stats for their account/pool/job. The operating cost includes eleven VMs allocated in each region to execute MapReduce aggregation jobs. For busy regions, we had to increase the pool size further to accommodate the extra aggregation load.

+The MapReduce aggregation logic was implemented with legacy code, and no new features are being added or improvised due to technical challenges with legacy code. Still, the legacy code and its hosting repo need to be updated frequently to accommodate ever growing load in production and to meet security/compliance requirements. In addition, since the API is featured to provide lifetime statistics, the data is growing and demands more storage and performance issues, even though most customers aren't using the API. Batch service currently eats up all the compute and storage usage charges associated with MapReduce pools and jobs.

+The purpose of the API is designed and maintained to serve the customer in troubleshooting. However, not many customers use it in real life, and the customers are interested in extracting the details for not more than a month. Now more advanced ways of log/job/pool data can be collected and used on a need basis using Azure portal logs, Alerts, Log export, and other methods. Therefore, we are retire Job/Pool Lifetime.

+Job/Pool Lifetime Statistics API will be retired on **30 April 2023**. Once complete, the API will no longer work and will return an appropriate HTTP response error code back to the client.

+## FAQ

+* Is there an alternate way to view logs of Pool/Jobs?

+ Azure portal has various options to enable the logs, namely system logs, diagnostic logs. Refer [Monitor Batch Solutions](./monitoring-overview.md) for more information.

+* Can customers extract logs to their system if the API doesn't exist?

+ Azure portal log feature allows every customer to extract the output and error logs to their workspace. Refer [Monitor with Application Insights](./monitor-application-insights.md) for more information.

+## Next steps

+For more information, refer to [Azure Monitor Logs](../azure-monitor/logs/data-platform-logs.md).

+ Title: Low priority vms retirement migration guide

+description: Describes the migration steps for the low priority vms retirement and the end of support details.

+# Low Priority VMs Retirement Migration Guide

+Azure Batch offers Low priority and Spot virtual machines (VMs). The virtual machines are computing instances allocated from spare capacity, offered at a highly discounted rate compared to "on-demand" VMs.

+Low priority VMs enable the customer to take advantage of unutilized capacity. The amount of available unutilized capacity can vary based on size, region, time of day, and more. At any point in time when Azure needs the capacity back, we'll evict low-priority VMs. Therefore, the low-priority offering is excellent for flexible workloads, like large processing jobs, dev/test environments, demos, and proofs of concept. In addition, low-priority VMs can easily be deployed through our virtual machine scale set offering.

+Low priority VMs are a deprecated feature, and it will never become Generally Available (GA). Spot VMs are the official preemptible offering from the Compute platform, and is generally available. Therefore, we'll retire Low Priority VMs on **30 September 2025**. After that, we'll stop supporting Low priority VMs. The existing Low priority pools may no longer work or be provisioned.

+## Retirement alternative

+As of May 2020, Azure offers Spot VMs in addition to Low Priority VMs. Like Low Priority, the Spot option allows the customer to purchase spare capacity at a deeply discounted price in exchange for the possibility that the VM may be evicted. Unlike Low Priority, you can use the Azure Spot option for single VMs and scale sets. Virtual machine scale sets scale up to meet demand, and when used with Spot VMs, will only allocate when capacity is available. 

+The Spot VMs can be evicted when Azure needs the capacity or when the price goes above your maximum price. In addition, the customer can choose to get a 30-second eviction notice and attempt to redeploy. 

+The other key difference is that Azure Spot pricing is variable and based on the capacity for size or SKU in an Azure region. Prices change slowly to provide stabilization. The price will never go above pay-as-you-go rates.

+When it comes to eviction, you have two policy options to choose between:

+* Stop/Deallocate (default) ΓÇô when evicted, the VM is deallocated, but you keep (and pay for) underlying disks. This is ideal for cases where the state is stored on disks.

+* Delete ΓÇô when evicted, the VM and underlying disks are deleted.

+While similar in idea, there are a few key differences between these two purchasing options:

+| | **Low Priority VMs** | **Spot VMs** |

+||||

+| **Availability** | **Azure Batch** | **Single VMs, Virtual machine scale sets** |

+| **Pricing** | **Fixed pricing** | **Variable pricing with ability to set maximum price** |

+| **Eviction/Preemption** | **Preempted when Azure needs the capacity. Tasks on preempted node VMs are re-queued and run again.** | **Evicted when Azure needs the capacity or if the price exceeds your maximum. If evicted for price and afterward the price goes below your maximum, the VM will not be automatically restarted.** |

+## Migration steps

+Customers in User Subscription mode have the option to include Spot VMs using the following the steps below:

+1. In the Azure portal, select the Batch account and view the existing pool or create a new pool.

+2. Under **Scale**, users can choose 'Target dedicated nodes' or 'Target Spot/low-priority nodes.'

+ 

+3. Navigate to the existing Pool and select 'Scale' to update the number of Spot nodes required based on the job scheduled.

+4. Click **Save**.

+Customers in Batch Managed mode must recreate the Batch account, pool, and jobs under User Subscription mode to take advantage of spot VMs.

+## FAQ

+* How to create a new Batch account /job/pool?

+ Refer to the quick start [link](./batch-account-create-portal.md) on creating a new Batch account/pool/task.

+* Are Spot VMs available in Batch Managed mode?

+ No, Spot VMs are available in User Subscription mode - Batch accounts only.

+* What is the pricing and eviction policy of Spot VMs? Can I view pricing history and eviction rates?

+ Refer to [Spot VMs](../virtual-machines/spot-vms.md) for more information on using Spot VMs. Yes, you can see historical pricing and eviction rates per size in a region in the portal.

+## Next steps

+Use the [CLI](../virtual-machines/linux/spot-cli.md), [portal](../virtual-machines/spot-portal.md), [ARM template](../virtual-machines/linux/spot-template.md), or [PowerShell](../virtual-machines/windows/spot-powershell.md) to deploy Azure Spot Virtual Machines.

+You can also deploy a [scale set with Azure Spot Virtual Machine instances](../virtual-machine-scale-sets/use-spot.md).

+- If you're installing a Highly Available (HA) SAP system, get the Service Principal identifier (SPN ID) and password to authorize the Azure fence agent (fencing device) against Azure resources. For more information, see [Use Azure CLI to create an Azure AD app and configure it to access Media Services API](/azure/media-services/previous/media-services-cli-create-and-configure-aad-app). For an example, see the Red Hat documentation for [Creating an Azure Active Directory Application](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/deploying_red_hat_enterprise_linux_7_on_public_cloud_platforms/configuring-rhel-high-availability-on-azure_cloud-content#azure-create-an-azure-directory-application-in-ha_configuring-rhel-high-availability-on-azure).

+ 1. For High Availability (HA) systems only, enter the client identifier for the Fencing Agent service principal for **Fencing client ID**.

+ 1. For High Availability (HA) systems only, enter the password for the Fencing Agent service principal for **Fencing client password**.

+* [Form Recognizer](../applied-ai-services/form-recognizer/overview.md?tabs=v3-0)

+- Take the [Cost Management](/learn/paths/control-spending-manage-bills?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) guided learning course.

+|[AudioCodes](https://www.audiocodes.com/media/lbjfezwn/mediant-sbc-with-microsoft-azure-communication-services.pdf)|Mediant SBC VE|7.40A

+|[TE-SYSTEMS](https://community.te-systems.de/community-download/files?fileId=9624)|anynode|4.6|

+| | Redirect (forward) a call to one or more endpoints | ✔️ | ✔️ |

+| | Blind Transfer* a call to another endpoint | ✔️ | ✔️ |

+*Transfer of VoIP call to a phone number is currently not supported.

+The downloadable [GitHub sample](https://github.com/Azure-Samples/communication-services-javascript-quickstarts/tree/main/ui-library-filesharing-chat-composite) showcases the use of SAS for creating SAS URLs to Azure Storage contents. Additionally, you can [read more about SAS](../../storage/common/storage-sas-overview.md).

+- [Learn about authentication](../concepts/authentication.md)

+ Title: Enable soft delete policy

+description: Learn how to enable a soft delete policy in your Azure Container Registry for recovering accidentally deleted artifacts for a set retention period.

+# Enable soft delete policy in Azure Container Registry (Preview)

+Azure Container Registry (ACR) allows you to enable the *soft delete policy* to recover any accidentally deleted artifacts for a set retention period.

+This feature is available in all the service tiers (also known as SKUs). For information about registry service tiers, see [Azure Container Registry service tiers](container-registry-skus.md).

+> [!NOTE]

+>The soft deleted artifacts are billed as per active sku pricing for storage.

+The article gives you an overview of the soft delete policy and walks you through the step by step process to enable the soft delete policy using Azure CLI and Azure portal.

+You can use the Azure Cloud Shell or a local installation of the Azure CLI to run the command examples in this article. If you'd like to use it locally, version 2.0.74 or later is required. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli](/cli/azure/install-azure-cli).

+## Prerequisites

+* The user will require following permissions (at registry level) to perform soft delete operations:

+ | Permission | Description |

+ |||

+ | Microsoft.ContainerRegistry/registries/deleted/read | List soft-deleted artifacts |

+ | Microsoft.ContainerRegistry/registries/deleted/restore/action | Restore soft-deleted artifact |

+## About soft delete policy

+The soft delete policy can be enabled/disabled at your convenience.

+Once you enable the soft delete policy, ACR manages the deleted artifacts as the soft deleted artifacts with a set retention period. Thereby you have ability to list, filter, and restore the soft deleted artifacts. Once the retention period is complete, all the soft deleted artifacts are auto-purged.

+## Retention period

+The default retention period is seven days. It's possible to set the retention period value between one to 90 days. The user can set, update and change the retention policy value. The soft deleted artifacts will expire once the retention period is complete.

+## Auto-purge

+The auto-purge runs every 24 hours. The auto-purge always considers the current value of `retention days` before permanently deleting the soft deleted artifacts.

+For example, after five days of soft deleting the artifact, if the user changes the value of retention days from seven to 14 days, the artifact will only expire after 14 days from the initial soft delete.

+## Preview limitations

+* ACR currently doesn't support manually purging soft deleted artifacts.

+* The soft delete policy doesn't support a geo-replicated registry.

+* ACR doesn't allow enabling both the retention policy and the soft delete policy. See [retention policy for untagged manifests.](container-registry-retention-policy.md)

+## Enable soft delete policy for registry - CLI

+1. Update soft delete policy for a given `MyRegistry` ACR with a retention period set between 1 to 90 days.

+ ```azurecli-interactive

+ az acr config soft-delete update -r MyRegistry --days 7 --status <enabled/disabled>

+ ```

+2. Show configured soft delete policy for a given `MyRegistry` ACR.

+ ```azurecli-interactive

+ az acr config soft-delete show -r MyRegistry

+ ```

+### List the soft-delete artifacts- CLI

+The `az acr repository list-deleted` commands enable fetching and listing of the soft deleted repositories. For more information use `--help`.

+1. List the soft deleted repositories in a given `MyRegistry` ACR.

+ ```azurecli-interactive

+ az acr repository list-deleted -n MyRegistry

+ ```

+The `az acr manifest list-deleted` commands enable fetching and listing of the soft delete manifests.

+2. List the soft deleted manifests of a `hello-world` repository in a given `MyRegistry` ACR.

+ ```azurecli-interactive

+ az acr manifest list-deleted -r MyRegistry -n hello-world

+ ```

+The `az acr manifest list-deleted-tags` commands enable fetching and listing of the soft delete tags.

+3. List the soft delete tags of a `hello-world` repository in a given `MyRegistry` ACR.

+ ```azurecli-interactive

+ az acr manifest list-deleted-tags -r MyRegistry -n hello-world

+ ```

+4. Filter the soft delete tags of a `hello-world` repository to match tag `latest` in a given `MyRegistry` ACR.

+ ```azurecli-interactive

+ az acr manifest list-deleted-tags -r MyRegistry -n hello-world:latest

+ ```

+### Restore the soft delete artifacts - CLI

+The `az acr manifest restore` commands restore a single image by tag and digest.

+1. Restore the image of a `hello-world` repository by tag `latest`and digest `sha256:abc123` in a given `MyRegistry` ACR.

+ ```azurecli-interactive

+ az acr manifest restore -r MyRegistry -n hello-world:latest -d sha256:abc123

+ ```

+2. Restore the most recently deleted manifest of a `hello-world` repository by tag `latest` in a given `MyRegistry` ACR.

+ ```azurecli-interactive

+ az acr manifest restore -r MyRegistry -n hello-world:latest

+ ```

+Force restore will overwrite the existing tag with the same name in the repository. If the soft delete policy is enabled during force restore. The overwritten tag will be soft deleted. You can force restore with specific arguments `--force, -f`.

+3. Force restore the image of a `hello-world` repository by tag `latest`and digest `sha256:abc123` in a given `MyRegistry` ACR.

+ ```azurecli-interactive

+ az acr manifest restore -r MyRegistry -n hello-world:latest -d sha256:abc123 -f

+ ```

+> [!IMPORTANT]

+>* Restoring a [manifest list](push-multi-architecture-images.md#manifest-list) won't recursively restore any underlying soft deleted manifests.

+>* If you're restoring soft deleted [ORAS artifacts](container-registry-oras-artifacts.md), then restoring a subject doesn't recursively restore the referrer chain. Also, the subject has to be restored first, only then a referrer manifest is allowed to restore. Otherwise it throws an error.

+## Enable soft delete policy for registry - Portal

+You can also enable a registry's soft delete policy in the [Azure portal](https://portal.azure.com).

+1. Navigate to your Azure Container Registry.

+2. In the **Overview tab**, verify the status of the **Soft Delete** (Preview).

+3. If the **Status** is **Disabled**, Select **Update**.

+4. Select the checkbox to **Enable Soft Delete**.

+5. Select the number of days between `0` and `90` days to retain the soft deleted artifacts.

+6. Select **Save** to save your changes.

+### Restore the soft deleted artifacts - Portal

+1. Navigate to your Azure Container Registry.

+2. In the **Menu** section, Select **Services**, and Select **Repositories**.

+3. In the **Repositories**, Select your preferred **Repository**.

+4. Click on the **Manage deleted artifacts** to see all the soft deleted artifacts.

+> [!NOTE]

+> Once you enable the soft delete policy and perform actions such as untag a manifest or delete an artifact, You will be able to find these tags and artifacts in the Managed delete artifacts before the number of retention days expire.

+5. Filter the deleted artifact you have to restore

+6. Select the artifact, and Click on the **Restore** in the right column.

+7. A **Restore Artifact** window pops up.

+8. Select the tag to restore, here you have an option to choose, and recover any additional tags.

+9. Click on **Restore**.

+### Restore from soft deleted repositories - Portal

+1. Navigate to your Azure Container Registry.

+2. In the **Menu** section, Select **Services**,

+3. In the **Services** tab, Select **Repositories**.

+4. In the **Repositories** tab, Click on **Manage Deleted Repositories**.

+5. Filter the deleted repository in the **Soft Deleted Repositories**(Preview).

+6. Select the deleted repository, filter the deleted artifact from on the **Manage deleted artifacts**.

+7. Select the artifact, and Click on the **Restore** in the right column.

+8. A **Restore Artifact** window pops up.

+9. Select the tag to restore, here you have an option to choose, and recover any additional tags.

+10. Click on **Restore**.

+> [!IMPORTANT]

+>* Importing a soft deleted image at both source and target resources is blocked.

+>* Pushing an image to the soft deleted repository will restore the soft deleted repository.

+>* Pushing an image that shares a same manifest digest with the soft deleted image is not allowed. Instead restore the soft deleted image.

+## Next steps

+* Learn more about options to [delete images and repositories](container-registry-delete.md) in Azure Container Registry.

+- [Optimize virtual machine spend by resizing or shutting down underutilized instances](../../advisor/advisor-cost-recommendations.md#optimize-virtual-machine-vm-or-virtual-machine-scale-set-vmss-spend-by-resizing-or-shutting-down-underutilized-instances)

+ Title: Transform data in Google Sheets (Preview)

+description: Learn how to transform data in Google Sheets (Preview) by using Data Factory or Azure Synapse Analytics.

+# Transform data in Google Sheets (Preview) using Azure Data Factory or Synapse Analytics

+This article outlines how to use Data Flow to transform data in Google Sheets (Preview). To learn more, read the introductory article for [Azure Data Factory](introduction.md) or [Azure Synapse Analytics](../synapse-analytics/overview-what-is.md).

+> [!IMPORTANT]

+> This connector is currently in preview. You can try it out and give us feedback. If you want to take a dependency on preview connectors in your solution, please contact [Azure support](https://azure.microsoft.com/support/).

+## Supported capabilities

+This Google Sheets connector is supported for the following capabilities:

+| Supported capabilities|IR |

+|| --|

+|[Mapping data flow](concepts-data-flow-overview.md) (source/-)|&#9312; |

+<small>*&#9312; Azure integration runtime &#9313; Self-hosted integration runtime*</small>

+For a list of data stores that are supported as sources/sinks, see the [Supported data stores](connector-overview.md#supported-data-stores) table.

+## Create a Google Sheets linked service using UI

+Use the following steps to create a Google Sheets linked service in the Azure portal UI.

+1. Browse to the Manage tab in your Azure Data Factory or Synapse workspace and select Linked Services, then select New:

+ # [Azure Data Factory](#tab/data-factory)

+ :::image type="content" source="media/doc-common-process/new-linked-service.png" alt-text="Screenshot of creating a new linked service with Azure Data Factory U I.":::

+ # [Azure Synapse](#tab/synapse-analytics)

+ :::image type="content" source="media/doc-common-process/new-linked-service-synapse.png" alt-text="Screenshot of creating a new linked service with Azure Synapse U I.":::

+2. Search for Google Sheets (Preview) and select the Google Sheets (Preview) connector.

+ :::image type="content" source="media/connector-google-sheets/google-sheets-connector.png" alt-text="Screenshot showing selecting Google Sheets connector.":::

+3. Configure the service details, test the connection, and create the new linked service.

+ :::image type="content" source="media/connector-google-sheets/configure-google-sheets-linked-service.png" alt-text="Screenshot of configuration for Google Sheets linked service.":::

+## Connector configuration details

+The following sections provide information about properties that are used to define Data Factory and Synapse pipeline entities specific to Google Sheets.

+## Linked service properties

+The following properties are supported for the Google Sheets linked service:

+| Property | Description | Required |

+|: |: |: |

+| type | The type property must be set to **GoogleSheets**. | Yes |

+| apiToken | Specify an API token for the Google Sheets. Mark this field as **SecureString** to store it securely. Or, you can [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). |Yes |

+**Example:**

+```json

+{

+ "name": "GoogleSheetsLinkedService",

+ "properties": {

+ "type": "GoogleSheets",

+ "typeProperties": {

+ "apiToken": {

+ "type": "SecureString",

+ "value": "<API token>"

+ }

+ }

+ }

+}

+```

+## Mapping data flow properties

+When transforming data in mapping data flow, you can read resources from Google Sheets. For more information, see the [source transformation](data-flow-source.md) in mapping data flows. You can only use an [inline dataset](data-flow-source.md#inline-datasets) as source type.

+### Source transformation

+The below table lists the properties supported by Google Sheets source. You can edit these properties in the **Source options** tab.

+| Name | Description | Required | Allowed values | Data flow script property |

+| - | -- | -- | -- | - |

+| SpreadSheet ID | The spreadsheet ID in your Google Sheets. Make sure the general access of the spreadsheet is set as **Anyone with the link**. | Yes | String | spreadSheetId |

+| Sheet name | The name of the sheet in the spreadsheet. | Yes | String | sheetName |

+| Start cell | The start cell of the sheet from where the data is required, for example A2, B4. | Yes | String | startCell |

+| End cell | The end cell of the sheet till where the data is required, for example F10, S600. | Yes | String | endCell |

+#### Google Sheets source script example

+When you use Google Sheets as source type, the associated data flow script is:

+```

+source(allowSchemaDrift: true,

+ validateSchema: false,

+ store: 'googlesheets',

+ format: 'rest',

+ spreadSheetId: $spreadSheetId,

+ startCell: 'A2',

+ endCell: 'F10',

+ sheetName: 'Sheet1') ~> GoogleSheetsSource

+```

+## Next steps

+For a list of data stores supported as sources and sinks by the copy activity, see [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats).

+- Copying data by using one of the following authentications: **Anonymous**, **Basic**, **Service Principal**, **OAuth2 Client Credential**, **System Assigned Managed Identity** and **User Assigned Managed Identity**.

+- [System-assigned managed identity authentication](#managed-identity)

+### <a name="managed-identity"></a> Use system-assigned managed identity authentication

+Set the **authenticationType** property to **ManagedServiceIdentity**. In addition to the generic properties that are described in the preceding section, specify the following properties:

+| Property | Description | Required |

+|: |: |: |

+| aadResourceId | Specify the AAD resource you are requesting for authorization, for example, `https://management.core.windows.net`.| Yes |

+**Example**

+```json

+{

+ "name": "RESTLinkedService",

+ "properties": {

+ "type": "RestService",

+ "typeProperties": {

+ "url": "<REST endpoint e.g. https://www.example.com/>",

+ "authenticationType": "ManagedServiceIdentity",

+ "aadResourceId": "<AAD resource URL e.g. https://management.core.windows.net>"

+ },

+ "connectVia": {

+ "referenceName": "<name of Integration Runtime>",

+ "type": "IntegrationRuntimeReference"

+ }

+ }

+}

+```

+>[!TIP]

+>After configuring additional columns remember to map them to you destination sink, in the Mapping tab.

+**Q: What can I do to re-create the same virtual network in a different region?**

+- Learn how to [create a DDoS protection plan](manage-ddos-protection.md).

+> DDoS Protection Standard protects the Public IPs of Azure resource. DDoS infrastructure protection, which requires no configuration and is enabled by default, only protects the Azure underlying platform infrastructure (e.g. Azure DNS). For more information, see [Azure DDoS Protection Standard overview](ddos-protection-overview.md).

+### Metrics

+The metric names present different packet types, and bytes vs. packets, with a basic construct of tag names on each metric as follows:

+- **Dropped tag name** (for example, **Inbound Packets Dropped DDoS**): The number of packets dropped/scrubbed by the DDoS protection system.

+- **Forwarded tag name** (for example **Inbound Packets Forwarded DDoS**): The number of packets forwarded by the DDoS system to the destination VIP ΓÇô traffic that was not filtered.

+- **No tag name** (for example **Inbound Packets DDoS**): The total number of packets that came into the scrubbing system ΓÇô representing the sum of the packets dropped and forwarded.

+The following [metrics](../azure-monitor/essentials/metrics-supported.md#microsoftnetworkpublicipaddresses) are available for Azure DDoS Protection Standard. These metrics are also exportable via diagnostic settings (see [View and configure DDoS diagnostic logging](diagnostic-logging.md)).

+| Metric | Metric Display Name | Unit | Aggregation Type | Description |

+| | | | | |

+| BytesDroppedDDoSΓÇï | Inbound bytes dropped DDoSΓÇï | BytesPerSecondΓÇï | MaximumΓÇï | Inbound bytes dropped DDoSΓÇï|

+| BytesForwardedDDoSΓÇï | Inbound bytes forwarded DDoSΓÇï | BytesPerSecondΓÇï | MaximumΓÇï | Inbound bytes forwarded DDoSΓÇï |

+| BytesInDDoSΓÇï | Inbound bytes DDoSΓÇï | BytesPerSecondΓÇï | MaximumΓÇï | Inbound bytes DDoSΓÇï |

+| DDoSTriggerSYNPacketsΓÇï | Inbound SYN packets to trigger DDoS mitigationΓÇï | CountPerSecondΓÇï | MaximumΓÇï | Inbound SYN packets to trigger DDoS mitigationΓÇï |

+| DDoSTriggerTCPPacketsΓÇï | Inbound TCP packets to trigger DDoS mitigationΓÇï | CountPerSecondΓÇï | MaximumΓÇï | Inbound TCP packets to trigger DDoS mitigationΓÇï |

+| DDoSTriggerUDPPacketsΓÇï | Inbound UDP packets to trigger DDoS mitigationΓÇï | CountPerSecondΓÇï | MaximumΓÇï | Inbound UDP packets to trigger DDoS mitigationΓÇï |

+| IfUnderDDoSAttackΓÇï | Under DDoS attack or notΓÇï | CountΓÇï | MaximumΓÇï | Under DDoS attack or notΓÇï |

+| PacketsDroppedDDoSΓÇï | Inbound packets dropped DDoSΓÇï | CountPerSecondΓÇï | MaximumΓÇï | Inbound packets dropped DDoSΓÇï |

+| PacketsForwardedDDoSΓÇï | Inbound packets forwarded DDoSΓÇï | CountPerSecondΓÇï | MaximumΓÇï | Inbound packets forwarded DDoSΓÇï |

+| PacketsInDDoSΓÇï | Inbound packets DDoSΓÇï | CountPerSecondΓÇï | MaximumΓÇï | Inbound packets DDoSΓÇï |

+| TCPBytesDroppedDDoSΓÇï | Inbound TCP bytes dropped DDoSΓÇï | BytesPerSecondΓÇï | MaximumΓÇï | Inbound TCP bytes dropped DDoSΓÇï |

+| TCPBytesForwardedDDoSΓÇï | Inbound TCP bytes forwarded DDoSΓÇï | BytesPerSecondΓÇï | MaximumΓÇï | Inbound TCP bytes forwarded DDoSΓÇï |

+| TCPBytesInDDoSΓÇï | Inbound TCP bytes DDoSΓÇï | BytesPerSecondΓÇï | MaximumΓÇï | Inbound TCP bytes DDoSΓÇï |

+| TCPPacketsDroppedDDoSΓÇï | Inbound TCP packets dropped DDoSΓÇï | CountPerSecondΓÇï | MaximumΓÇï | Inbound TCP packets dropped DDoSΓÇï |

+| TCPPacketsForwardedDDoSΓÇï | Inbound TCP packets forwarded DDoSΓÇï | CountPerSecondΓÇï | MaximumΓÇï | Inbound TCP packets forwarded DDoSΓÇï |

+| TCPPacketsInDDoSΓÇï | Inbound TCP packets DDoSΓÇï | CountPerSecondΓÇï | MaximumΓÇï | Inbound TCP packets DDoSΓÇï |

+| UDPBytesDroppedDDoSΓÇï | Inbound UDP bytes dropped DDoSΓÇï | BytesPerSecondΓÇï | MaximumΓÇï | Inbound UDP bytes dropped DDoSΓÇï |

+| UDPBytesForwardedDDoSΓÇï | Inbound UDP bytes forwarded DDoSΓÇï | BytesPerSecondΓÇï | MaximumΓÇï | Inbound UDP bytes forwarded DDoSΓÇï |

+| UDPBytesInDDoSΓÇï | Inbound UDP bytes DDoSΓÇï | BytesPerSecondΓÇï | MaximumΓÇï | Inbound UDP bytes DDoSΓÇï |

+| UDPPacketsDroppedDDoSΓÇï | Inbound UDP packets dropped DDoSΓÇï | CountPerSecondΓÇï | MaximumΓÇï | Inbound UDP packets dropped DDoSΓÇï |

+| UDPPacketsForwardedDDoSΓÇï | Inbound UDP packets forwarded DDoSΓÇï | CountPerSecondΓÇï | MaximumΓÇï | Inbound UDP packets forwarded DDoSΓÇï |

+| UDPPacketsInDDoSΓÇï | Inbound UDP packets DDoSΓÇï | CountPerSecondΓÇï | MaximumΓÇï | Inbound UDP packets DDoSΓÇï |

+You may be charged for storing data in Log Analytics. For more information, see the [pricing page](https://azure.microsoft.com/pricing/details/defender-for-cloud/).

+FIM is now available in a new version based on Azure Monitor Agent (AMA), which you can [deploy through Defender for Cloud](auto-deploy-azure-monitoring-agent.md).

+|Service area |Updates |

+|||

+|**OT networks** |**Sensor software version 22.2.5**: Minor version with stability improvements<br><br>**Sensor software version 22.2.4**: [New alert columns with timestamp data](#new-alert-columns-with-timestamp-data)<br><br>**Sensor software version 22.1.3**: [Sensor health from the Azure portal (Public preview)](#sensor-health-from-the-azure-portal-public-preview) |

+You may find more information availability zone resiliency and disaster recovery in Azure Event Grid in our [FAQ](./event-grid-faq.yml).

+- If you want to implement your own disaster recovery plan for Azure Event Grid topics and domains, see [Build your own disaster recovery for custom topics in Event Grid](custom-disaster-recovery.md).

+ The **Cross-Geo** option allows Microsoft-initiated failover to the paired region in case of a region failure. For more information, see [Server-side geo disaster recovery in Azure Event Grid](geo-disaster-recovery.md). Microsoft-initiated failover is exercised by Microsoft in rare situations to fail over Event Grid resources from an affected region to the corresponding geo-paired region. This process doesn't require an intervention from user. Microsoft reserves right to make a determination of when this path will be taken. The mechanism doesn't involve a user consent before the user's topic or domain is failed over. For more information, see [How do I recover from a failover?](./event-grid-faq.yml).

+- [Azure Event Grid samples for TypeScript](/samples/azure/azure-sdk-for-js/eventgrid-typescript/)

+If you're new to Azure Event Grid, read through [Event Grid overview](overview.md) before starting this tutorial.

+ The **Cross-Geo** option allows Microsoft-initiated failover to the paired region in case of a region failure. For more information, see [Server-side geo disaster recovery in Azure Event Grid](geo-disaster-recovery.md). Microsoft-initiated failover is exercised by Microsoft in rare situations to fail over Event Grid resources from an affected region to the corresponding geo-paired region. This process doesn't require an intervention from user. Microsoft reserves right to make a determination of when this path will be taken. The mechanism doesn't involve a user consent before the user's topic or domain is failed over. For more information, see [How do I recover from a failover?](./event-grid-faq.yml).

+> For a greater security stance, specify the minimum expiration time that offers the partner enough time to configure your events to flow to Event Grid and to provision your partner topic. Your partner won't be able to create resources (partner topics) in your Azure subscription after the authorization expiration time.

+ :::image type="content" source="./media/subscribe-to-partner-events/add-non-verified-partner.png" alt-text="Screenshot for granting a non-verified partner the authorization to create resources in your resource group.":::

+ > [!IMPORTANT]

+ > Your partner won't be able to create resources (partner topics) in your Azure subscription after the authorization expiration time.

+`retries` | 2 | | Default is 2147483647.

+>[!NOTE]

+> This offering provides limited features compared to the [Check Point NVA integration with Virtual WAN](../virtual-wan/about-nva-hub.md#partners). We strongly recommend using this NVA integration to secure your network traffic.

+- [Deploy a security partner provider](deploy-trusted-security-partner.md)

+For most solutions, you should use *either* Front Door *or* [Azure Traffic Manager](../traffic-manager/traffic-manager-overview.md).

+Front Door can rewrite the `Host` header of incoming requests. This feature can be helpful when you manage a set of customer-facing custom domain names that route to a single origin. The feature can also help when you want to avoid configuring custom domain names in Front Door and at your origin. However, when you rewrite the `Host` header, request cookies and URL redirections might break. In particular, when you use platforms like Azure App Service, features like [session affinity](../app-service/configure-common.md#configure-general-settings) and [authentication and authorization](../app-service/overview-authentication-authorization.md) might not work correctly.

+Learn how to [create an Front Door profile](create-front-door-portal.md).

+* [Upload Data to HDInsight](./../hdinsight-upload-data.md).

+| **.NET** | [NuGet](https://www.nuget.org/packages/Microsoft.Azure.Devices.Client) | [GitHub](https://github.com/Azure/azure-iot-sdk-csharp) | [IoT Hub](quickstart-send-telemetry-iot-hub.md?pivots=programming-language-csharp) / [IoT Central](quickstart-send-telemetry-central.md?pivots=programming-language-csharp) | [Samples](https://github.com/Azure/azure-iot-sdk-csharp/tree/main/iothub/device/samples) | [Reference](/dotnet/api/microsoft.azure.devices.client) |

+| .NET - Device | [NuGet 1.41.2](https://www.nuget.org/packages/Microsoft.Azure.Devices.Client) | [GitHub](https://github.com/Azure/azure-iot-sdk-csharp/tree/main/) | [Samples](https://github.com/Azure/azure-iot-sdk-csharp/tree/main/iothub/device/samples/solutions/PnpDeviceSamples) | [Connect to IoT Hub](tutorial-connect-device.md) | [Reference](/dotnet/api/microsoft.azure.devices.client) |

+| .NET - IoT Hub service | [NuGet 1.38.1](https://www.nuget.org/packages/Microsoft.Azure.Devices ) | [GitHub](https://github.com/Azure/azure-iot-sdk-csharp) | [Samples](https://github.com/Azure/azure-iot-sdk-csharp/tree/main/iothub/service/samples/solutions/PnpServiceSamples) | N/A | [Reference](/dotnet/api/microsoft.azure.devices) |

+Open a command prompt in a folder of your choice. Use the following command to clone the [Azure IoT C# SDK](https://github.com/Azure/azure-iot-sdk-csharp) GitHub repository into this location:

+git clone https://github.com/Azure/azure-iot-sdk-csharp.git

+1. Open the *azure-iot-sdk-csharp\iothub\device\samples\solutions\PnpDeviceSamples\Thermostat\Thermostat.csproj* project file in Visual Studio 2019.

+ To learn more about the sample configuration, see the [sample readme](https://github.com/Azure/azure-iot-sdk-csharp/tree/main/iothub/device/samples/solutions/PnpDeviceSamples#readme).

+> The sample used in this tutorial is written in C. There is also a [C# device provisioning symmetric key sample](https://github.com/Azure/azure-iot-sdk-csharp/tree/main/provisioning/device/samples/How%20To/SymmetricKeySample) available. To use this sample, download or clone the [azure-iot-sdk-csharp](https://github.com/Azure/azure-iot-sdk-csharp) repository and follow the in-line instructions in the sample code. You can follow the instructions in this tutorial to create a symmetric key enrollment group using the portal and to find the ID Scope and enrollment group primary and secondary keys needed to run the sample. You can also create individual enrollments using the sample.

+[IoT Plug and Play (PnP)](../iot-develop/overview-iot-plug-and-play.md) devices use the payload to send their model ID when they register with DPS. You can find examples of this usage in the PnP samples in the SDK or sample repositories. For example, [C# PnP thermostat](https://github.com/Azure/azure-iot-sdk-csharp/blob/main/iothub/device/samples/solutions/PnpDeviceSamples/Thermostat/Program.cs) or [Node.js PnP temperature controller](https://github.com/Azure/azure-iot-sdk-node/blob/main/device/samples/javascript/pnp_temperature_controller.js).

+- The **Azure IoT Hub C# SDK** contains the [Group Certificate Verification Sample](https://github.com/Azure/azure-iot-sdk-csharp/tree/main/provisioning/service/samples/How%20To/GroupCertificateVerificationSample), which you can use to do proof-of-possession.

+| .NET|[NuGet](https://www.nuget.org/packages/Microsoft.Azure.Devices.Provisioning.Client/) |[GitHub](https://github.com/Azure/azure-iot-sdk-csharp/)|[Samples](https://github.com/Azure/azure-iot-sdk-csharp/tree/main/provisioning/device/samples)|[Quickstart](./quick-create-simulated-device-x509.md?pivots=programming-language-csharp&tabs=windows)| [Reference](/dotnet/api/microsoft.azure.devices.provisioning.client) |

+| .NET|[NuGet](https://www.nuget.org/packages/Microsoft.Azure.Devices.Provisioning.Service/) |[GitHub](https://github.com/Azure/azure-iot-sdk-csharp/)|[Samples](https://github.com/Azure/azure-iot-sdk-csharp/tree/main/provisioning/service/samples)|[Quickstart](./quick-enroll-device-tpm.md?pivots=programming-language-csharp&tabs=symmetrickey)|[Reference](/dotnet/api/microsoft.azure.devices.provisioning.service) |

+2. Clone the [Azure IoT SDK for C#](https://github.com/Azure/azure-iot-sdk-csharp) GitHub repository using the following command:

+ git clone https://github.com/Azure/azure-iot-sdk-csharp.git

+3. Open a command prompt and go to the *SymmetricKeySample* in the cloned sdk repository:

+ cd '.\azure-iot-sdk-csharp\provisioning\device\samples\How To\SymmetricKeySample\'

+ D:\azure-iot-sdk-csharp\provisioning\device\samples\How To\SymmetricKeySample>dotnet run --s 0ne00000A0A --i symm-key-csharp-device-01 --p sbDDeEzRuEuGKag+kQKV+T1QGakRtHpsERLP0yPjwR93TrpEgEh/Y07CXstfha6dhIPWvdD1nRxK5T0KGKA+nQ==

+2. Clone the [Azure IoT SDK for C#](https://github.com/Azure/azure-iot-sdk-csharp) GitHub repository using the following command:

+ git clone https://github.com/Azure/azure-iot-sdk-csharp.git

+ cd '.\azure-iot-sdk-csharp\provisioning\device\samples\How To\TpmSample\'

+ cd '.\azure-iot-sdk-csharp\provisioning\device\samples\How To\TpmSample\'

+1. In your Windows command prompt, clone the [Azure IoT SDK for C#](https://github.com/Azure/azure-iot-sdk-csharp) GitHub repository using the following command:

+ git clone https://github.com/Azure/azure-iot-sdk-csharp.git

+ cp certificate.pfx ./azure-iot-sdk-csharp/provisioning/device/samples/Getting Started/X509Sample

+The [Group certificate verification sample](https://github.com/Azure/azure-iot-sdk-csharp/tree/main/provisioning/service/samples/How%20To/GroupCertificateVerificationSample) in the [Azure IoT SDK for C# (.NET)](https://github.com/Azure/azure-iot-sdk-csharp) shows how to do proof-of-possession in C# with an existing X.509 intermediate or root CA certificate.

+You can enable dedicated data endpoints in your Azure Container registry to avoid wildcard allowlisting of the *\*.blob.core.windows.net* FQDN. For more information, see [Enable dedicated data endpoints](../container-registry/container-registry-firewall-access-rules.md#enable-dedicated-data-endpoints).

+* See how IoT Edge supports [Continuous integration and continuous deployment](how-to-continuous-integration-continuous-deployment.md).

+CLI example not available, please use Python SDK.

+### Test the deployment

+Please check this [Test the deployment](./tutorial-auto-train-image-models.md#test-the-deployment) section to test the deployment and visualize the detections from the model.

+# [Python](#tab/python)

+Import modules:

+```python

+from azure.ai.ml import MLClient

+from azure.identity import DefaultAzureCredential

+from azure.mgmt.monitor import MonitorManagementClient

+from azure.mgmt.monitor.models import AutoscaleProfile, ScaleRule, MetricTrigger, ScaleAction, Recurrence, RecurrentSchedule

+import random

+import datetime

+```

+Define variables for the workspace, endpoint, and deployment:

+```python

+subscription_id = "<YOUR-SUBSCRIPTION-ID>"

+resource_group = "<YOUR-RESOURCE-GROUP>"

+workspace = "<YOUR-WORKSPACE>"

+endpoint_name = "<YOUR-ENDPOINT-NAME>"

+deployment_name = "blue"

+```

+Get Azure ML and Azure Monitor clients:

+```python

+credential = DefaultAzureCredential()

+ml_client = MLClient(

+ credential, subscription_id, resource_group, workspace

+)

+mon_client = MonitorManagementClient(

+ credential, subscription_id

+)

+```

+Get the endpoint and deployment objects:

+```python

+deployment = ml_client.online_deployments.get(

+ deployment_name, endpoint_name

+)

+endpoint = ml_client.online_endpoints.get(

+ endpoint_name

+)

+```

+Create an autoscale profile:

+```python

+# Set a unique name for autoscale settings for this deployment. The below will append a random number to make the name unique.

+autoscale_settings_name = f"autoscale-{endpoint_name}-{deployment_name}-{random.randint(0,1000)}"

+mon_client.autoscale_settings.create_or_update(

+ resource_group,

+ autoscale_settings_name,

+ parameters = {

+ "location" : endpoint.location,

+ "target_resource_uri" : deployment.id,

+ "profiles" : [

+ AutoscaleProfile(

+ name="my-scale-settings",

+ capacity={

+ "minimum" : 2,

+ "maximum" : 5,

+ "default" : 2

+ },

+ rules = []

+ )

+ ]

+ }

+)

+```

+# [Python](#tab/python)

+Create the rule definition:

+```python

+rule_scale_out = ScaleRule(

+ metric_trigger = MetricTrigger(

+ metric_name="CpuUtilizationPercentage",

+ metric_resource_uri = deployment.id,

+ time_grain = datetime.timedelta(minutes = 1),

+ statistic = "Average",

+ operator = "GreaterThan",

+ time_aggregation = "Last",

+ time_window = datetime.timedelta(minutes = 5),

+ threshold = 70

+ ),

+ scale_action = ScaleAction(

+ direction = "Increase",

+ type = "ChangeCount",

+ value = 2,

+ cooldown = datetime.timedelta(hours = 1)

+ )

+)

+```

+This rule is refers to the last 5 minute average of `CPUUtilizationpercentage` from the arguments `metric_name`, `time_window` and `time_aggregation`. When value of the metric is greater than the `threshold` of 70, two more VM instances are allocated.

+Update the `my-scale-settings` profile to include this rule:

+```python

+mon_client.autoscale_settings.create_or_update(

+ resource_group,

+ autoscale_settings_name,

+ parameters = {

+ "location" : endpoint.location,

+ "target_resource_uri" : deployment.id,

+ "profiles" : [

+ AutoscaleProfile(

+ name="my-scale-settings",

+ capacity={

+ "minimum" : 2,

+ "maximum" : 5,

+ "default" : 2

+ },

+ rules = [

+ rule_scale_out

+ ]

+ )

+ ]

+ }

+)

+```

+# [Python](#tab/python)

+Create the rule definition:

+```python

+rule_scale_in = ScaleRule(

+ metric_trigger = MetricTrigger(

+ metric_name="CpuUtilizationPercentage",

+ metric_resource_uri = deployment.id,

+ time_grain = datetime.timedelta(minutes = 1),

+ statistic = "Average",

+ operator = "GreaterThan",

+ time_aggregation = "Last",

+ time_window = datetime.timedelta(minutes = 5),

+ threshold = 70

+ ),

+ scale_action = ScaleAction(

+ direction = "Increase",

+ type = "ChangeCount",

+ value = 2,

+ cooldown = datetime.timedelta(hours = 1)

+ )

+)

+```

+Update the `my-scale-settings` profile to include this rule:

+```python

+mon_client.autoscale_settings.create_or_update(

+ resource_group,

+ autoscale_settings_name,

+ parameters = {

+ "location" : endpoint.location,

+ "target_resource_uri" : deployment.id,

+ "profiles" : [

+ AutoscaleProfile(

+ name="my-scale-settings",

+ capacity={

+ "minimum" : 2,

+ "maximum" : 5,

+ "default" : 2

+ },

+ rules = [

+ rule_scale_out,

+ rule_scale_in

+ ]

+ )

+ ]

+ }

+)

+```

+

+# [Python](#tab/python)

+Create the rule definition:

+```python

+rule_scale_out_endpoint = ScaleRule(

+ metric_trigger = MetricTrigger(

+ metric_name="RequestLatency",

+ metric_resource_uri = endpoint.id,

+ time_grain = datetime.timedelta(minutes = 1),

+ statistic = "Average",

+ operator = "GreaterThan",

+ time_aggregation = "Last",

+ time_window = datetime.timedelta(minutes = 5),

+ threshold = 70

+ ),

+ scale_action = ScaleAction(

+ direction = "Increase",

+ type = "ChangeCount",

+ value = 1,

+ cooldown = datetime.timedelta(hours = 1)

+ )

+)

+```

+This rule's `metric_resource_uri` field now refers to the endpoint rather than the deployment.

+Update the `my-scale-settings` profile to include this rule:

+```python

+mon_client.autoscale_settings.create_or_update(

+ resource_group,

+ autoscale_settings_name,

+ parameters = {

+ "location" : endpoint.location,

+ "target_resource_uri" : deployment.id,

+ "profiles" : [

+ AutoscaleProfile(

+ name="my-scale-settings",

+ capacity={

+ "minimum" : 2,

+ "maximum" : 5,

+ "default" : 2

+ },

+ rules = [

+ rule_scale_out,

+ rule_scale_in,

+ rule_scale_out_endpoint

+ ]

+ )

+ ]

+ }

+)

+```

+# [Python](#tab/python)

+```python

+mon_client.autoscale_settings.create_or_update(

+ resource_group,

+ autoscale_settings_name,

+ parameters = {

+ "location" : endpoint.location,

+ "target_resource_uri" : deployment.id,

+ "profiles" : [

+ AutoscaleProfile(

+ name="Default",

+ capacity={

+ "minimum" : 2,

+ "maximum" : 2,

+ "default" : 2

+ },

+ recurrence = Recurrence(

+ frequency = "Week",

+ schedule = RecurrentSchedule(

+ time_zone = "Pacific Standard Time",

+ days = ["Saturday", "Sunday"],

+ hours = [],

+ minutes = []

+ )

+ )

+ )

+ ]

+ }

+)

+```

+# [Azure CLI](#tab/azure-cli)

+# [Python](#tab/python)

+```python

+mon_client.autoscale_settings.delete(

+ resource_group,

+ autoscale_settings_name

+)

+ml_client.online_endpoints.begin_delete(endpoint_name)

+```

+# [Studio](#tab/azure-studio)

+1. Go to the [Azure Machine Learning studio](https://ml.azure.com).

+1. In the left navigation bar, select the **Endpoints** page.

+1. Select an endpoint by checking the circle next to the model name.

+1. Select **Delete**.

+Alternatively, you can delete a managed online endpoint directly in the [endpoint details page](how-to-use-managed-online-endpoint-studio.md#view-managed-online-endpoints).

+

+> [!IMPORTANT]

+> SDK v2 is currently in public preview.

+> The preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+# [Azure CLI](#tab/cli)

+# [Python](#tab/python)

+This guide assumes you have the following items installed locally on your PC.

+- [Docker](https://docs.docker.com/engine/install/)

+- [VS Code](https://code.visualstudio.com/#alt-downloads)

+- [Azure CLI](/cli/azure/install-azure-cli)

+- [Azure CLI `ml` extension (v2)](how-to-configure-cli.md)

+- [Azure ML Python SDK (v2)](https://aka.ms/sdk-v2-install)

+For more information, see the guide on [how to prepare your system to deploy managed online endpoints](how-to-deploy-managed-online-endpoints.md#prepare-your-system).

+The examples in this article can be found in the [Debug online endpoints locally in Visual Studio Code](https://github.com/Azure/azureml-examples/blob/main/sdk/endpoints/online/managed/debug-online-endpoints-locally-in-visual-studio-code.ipynb) notebook within the[azureml-examples](https://github.com/azure/azureml-examples) repository. To run the code locally, clone the repo and then change directories to the notebook's parent directory `sdk/endpoints/online/managed`.

+```azurecli

+git clone https://github.com/Azure/azureml-examples --depth 1

+cd azureml-examples

+cd sdk/endpoints/online/managed

+```

+Import the required modules:

+```python

+from azure.ai.ml import MLClient

+from azure.ai.ml.entities import (

+ ManagedOnlineEndpoint,

+ ManagedOnlineDeployment,

+ Model,

+ CodeConfiguration,

+ Environment,

+)

+from azure.identity import DefaultAzureCredential, AzureCliCredential

+```

+Set up variables for the workspace and endpoint:

+```python

+subscription_id = "<SUBSCRIPTION_ID>"

+resource_group = "<RESOURCE_GROUP>"

+workspace_name = "<AML_WORKSPACE_NAME>"

+endpoint_name = "<ENDPOINT_NAME>"

+```

+

+# [Azure CLI](#tab/cli)

+# [Python](#tab/python)

+Azure Machine Learning local endpoints use Docker and VS Code development containers (dev container) to build and configure a local debugging environment. With dev containers, you can take advantage of VS Code features from inside a Docker container. For more information on dev containers, see [Create a development container](https://code.visualstudio.com/docs/remote/create-dev-container).

+Get a handle to the workspace:

+```python

+credential = AzureCliCredential()

+ml_client = MLClient(

+ credential,

+ subscription_id=subscription_id,

+ resource_group_name=resource_group,

+ workspace_name=workspace_name,

+)

+```

+To debug online endpoints locally in VS Code, set the `vscode-debug` and `local` flags when creating or updating an Azure Machine Learning online deployment. The following code mirrors a deployment example from the examples repo:

+```python

+deployment = ManagedOnlineDeployment(

+ name="blue",

+ endpoint_name=endpoint_name,

+ model=Model(path="../model-1/model"),

+ code_configuration=CodeConfiguration(

+ code="../model-1/onlinescoring", scoring_script="score.py"

+ ),

+ environment=Environment(

+ conda_file="../model-1/environment/conda.yml",

+ image="mcr.microsoft.com/azureml/openmpi3.1.2-ubuntu18.04:20210727.v1",

+ ),

+ instance_type="Standard_DS2_v2",

+ instance_count=1,

+)

+deployment = ml_client.online_deployments.begin_create_or_update(

+ deployment,

+ local=True,

+ vscode_debug=True,

+)

+```

+> [!IMPORTANT]

+> On Windows Subsystem for Linux (WSL), you'll need to update your PATH environment variable to include the path to the VS Code executable or use WSL interop. For more information, see [Windows interoperability with Linux](/windows/wsl/interop).

+A Docker image is built locally. Any environment configuration or model file errors are surfaced at this stage of the process.

+> [!NOTE]

+> The first time you launch a new or updated dev container it can take several minutes.

+Once the image successfully builds, your dev container opens in a VS Code window.

+You'll use a few VS Code extensions to debug your deployments in the dev container. Azure Machine Learning automatically installs these extensions in your dev container.

+- Inference Debug

+- [Pylance](https://marketplace.visualstudio.com/items?itemName=ms-python.vscode-pylance)

+- [Jupyter](https://marketplace.visualstudio.com/items?itemName=ms-toolsai.jupyter)

+- [Python](https://marketplace.visualstudio.com/items?itemName=ms-python.python)

+> [!IMPORTANT]

+> Before starting your debug session, make sure that the VS Code extensions have finished installing in your dev container.

+# [Azure CLI](#tab/cli)

+# [Python](#tab/python)

+Now that your application is running in the debugger, try making a prediction to debug your scoring script.

+Use the `invoke` method on your `MLClient` object to make a request to your local endpoint.

+```python

+endpoint = ml_client.online_endpoints.get(name=endpoint_name, local=True)

+request_file_path = "../model-1/sample-request.json"

+endpoint.invoke(endpoint_name, request_file_path, local=True)

+```

+In this case, `<REQUEST-FILE>` is a JSON file that contains input data samples for the model to make predictions on similar to the following JSON:

+```json

+{"data": [

+ [1,2,3,4,5,6,7,8,9,10],

+ [10,9,8,7,6,5,4,3,2,1]

+]}

+```

+> [!TIP]

+> The scoring URI is the address where your endpoint listens for requests. The `as_dict` method of endpoint objects returns information similar to `show` in the Azure CLI. The endpoint object can be obtained through `.get`.

+>

+> ```python

+> endpoint = ml_client.online_endpoints.get(endpoint_name, local=True)

+> endpoint.as_dict()

+> ```

+>

+> The output should look similar to the following:

+>

+> ```json

+> {

+> "auth_mode": "aml_token",

+> "location": "local",

+> "name": "my-new-endpoint",

+> "properties": {},

+> "provisioning_state": "Succeeded",

+> "scoring_uri": "http://localhost:5001/score",

+> "tags": {},

+> "traffic": {},

+> "type": "online"

+>}

+>```

+>

+>The scoring URI can be found in the `scoring_uri` key.

+At this point, any breakpoints in your `run` function are caught. Use the debug actions to step through your code. For more information on debug actions, see the [debug actions guide](https://code.visualstudio.com/Docs/editor/debugging#_debug-actions).

+

+# [Azure CLI](#tab/cli)

+# [Python](#tab/python)

+As you debug and troubleshoot your application, there are scenarios where you need to update your scoring script and configurations.

+To apply changes to your code:

+1. Update your code

+1. Restart your debug session using the `Developer: Reload Window` command in the command palette. For more information, see the [command palette documentation](https://code.visualstudio.com/docs/getstarted/userinterface#_command-palette).

+> [!NOTE]

+> Since the directory containing your code and endpoint assets is mounted onto the dev container, any changes you make in the dev container are synced with your local file system.

+For more extensive changes involving updates to your environment and endpoint configuration, use your `MLClient`'s `online_deployments.update` module/method. Doing so will trigger a full image rebuild with your changes.

+```python

+new_deployment = ManagedOnlineDeployment(

+ name="green",

+ endpoint_name=endpoint_name,

+ model=Model(path="../model-2/model"),

+ code_configuration=CodeConfiguration(

+ code="../model-2/onlinescoring", scoring_script="score.py"

+ ),

+ environment=Environment(

+ conda_file="../model-2/environment/conda.yml",

+ image="mcr.microsoft.com/azureml/openmpi3.1.2-ubuntu18.04:20210727.v1",

+ ),

+ instance_type="Standard_DS2_v2",

+ instance_count=2,

+)

+ml_client.online_deployments.update(new_deployment, local=True, vscode_debug=True)

+```

+Once the updated image is built and your development container launches, use the VS Code debugger to test and troubleshoot your updated endpoint.

+

+This article will teach you how to create a GitHub Actions workflow that builds and deploys a machine learning model to [Azure Machine Learning](/azure/machine-learning/overview-what-is-azure-machine-learning). You'll train a [scikit-learn](https://scikit-learn.org/) linear regression model on the NYC Taxi dataset.

+GitHub Actions uses a workflow YAML (.yml) file in the `/.github/workflows/` path in your repository. This definition contains the various steps and parameters that make up the workflow.

+## Prerequisites

+* A GitHub account. If you don't have one, sign up for [free](https://github.com/join).

+## Step 1. Get the code

+Fork the following repo at GitHub:

+```

+https://github.com/azure/azureml-examples

+```

+## Step 2. Authenticate with Azure

+You'll need to first define how to authenticate with Azure. You can use a [service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) or [OpenID Connect](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect).

+### Generate deployment credentials

+# [Service principal](#tab/userlevel)

+Create a [service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) with the [az ad sp create-for-rbac](/cli/azure/ad/sp#az-ad-sp-create-for-rbac) command in the [Azure CLI](/cli/azure/). Run this command with [Azure Cloud Shell](https://shell.azure.com/) in the Azure portal or by selecting the **Try it** button.

+# [OpenID Connect](#tab/openid)

+OpenID Connect is an authentication method that uses short-lived tokens. Setting up [OpenID Connect with GitHub Actions](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) is more complex process that offers hardened security.

+1. If you don't have an existing application, register a [new Active Directory application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md). Create the Active Directory application.

+ ```azurecli-interactive

+ az ad app create --display-name myApp

+ ```

+ This command will output JSON with an `appId` that is your `client-id`. Save the value to use as the `AZURE_CLIENT_ID` GitHub secret later.

+ You'll use the `objectId` value when creating federated credentials with Graph API and reference it as the `APPLICATION-OBJECT-ID`.

+1. Create a service principal. Replace the `$appID` with the appId from your JSON output.

+ This command generates JSON output with a different `objectId` and will be used in the next step. The new `objectId` is the `assignee-object-id`.

+

+ Copy the `appOwnerTenantId` to use as a GitHub secret for `AZURE_TENANT_ID` later.

+ ```azurecli-interactive

+ az ad sp create --id $appId

+ ```

+1. Create a new role assignment by subscription and object. By default, the role assignment will be tied to your default subscription. Replace `$subscriptionId` with your subscription ID, `$resourceGroupName` with your resource group name, and `$assigneeObjectId` with the generated `assignee-object-id`. Learn [how to manage Azure subscriptions with the Azure CLI](/cli/azure/manage-azure-subscriptions-azure-cli).

+ ```azurecli-interactive

+ az role assignment create --role contributor --scope /subscriptions/$subscriptionId/resourceGroups/$resourceGroupName --subscription $subscriptionId --assignee-object-id $assigneeObjectId --assignee-principal-type ServicePrincipal

+ ```

+1. Run the following command to [create a new federated identity credential](/graph/api/application-post-federatedidentitycredentials?view=graph-rest-beta&preserve-view=true) for your active directory application.

+ * Replace `APPLICATION-OBJECT-ID` with the **objectId (generated while creating app)** for your Active Directory application.

+ * Set a value for `CREDENTIAL-NAME` to reference later.

+ * Set the `subject`. The value of this is defined by GitHub depending on your workflow:

+ * Jobs in your GitHub Actions environment: `repo:< Organization/Repository >:environment:< Name >`

+ * For Jobs not tied to an environment, include the ref path for branch/tag based on the ref path used for triggering the workflow: `repo:< Organization/Repository >:ref:< ref path>`. For example, `repo:n-username/ node_express:ref:refs/heads/my-branch` or `repo:n-username/ node_express:ref:refs/tags/my-tag`.

+ * For workflows triggered by a pull request event: `repo:< Organization/Repository >:pull_request`.

+

+ ```azurecli

+ az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com","subject":"repo:organization/repository:ref:refs/heads/main","description":"Testing","audiences":["api://AzureADTokenExchange"]}'

+ ```

+

+To learn how to create a Create an active directory application, service principal, and federated credentials in Azure portal, see [Connect GitHub and Azure](/azure/developer/github/connect-from-azure#use-the-azure-login-action-with-openid-connect).

+### Create secrets

+# [Service principal](#tab/userlevel)

+1. In [GitHub](https://github.com/), browse your repository, select **Settings > Secrets > Actions**. Select **New repository secret**.

+2. Paste the entire JSON output from the Azure CLI command into the secret's value field. Give the secret the name `AZ_CREDS`.

+ # [OpenID Connect](#tab/openid)

+You need to provide your application's **Client ID**, **Tenant ID**, and **Subscription ID** to the login action. These values can either be provided directly in the workflow or can be stored in GitHub secrets and referenced in your workflow. Saving the values as GitHub secrets is the more secure option.

+1. In [GitHub](https://github.com/), browse your repository, select **Settings > Secrets > Actions**. Select **New repository secret**.

+1. Create secrets for `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, and `AZURE_SUBSCRIPTION_ID`. Use these values from your Active Directory application for your GitHub secrets:

+ |GitHub Secret | Active Directory Application |

+ |||

+ |AZURE_CLIENT_ID | Application (client) ID |

+ |AZURE_TENANT_ID | Directory (tenant) ID |

+ |AZURE_SUBSCRIPTION_ID | Subscription ID |

+1. Save each secret by selecting **Add secret**.

+## Step 3. Update `setup.sh` to connect to your Azure Machine Learning workspace

+You'll need to update the CLI setup file variables to match your workspace.

+1. In your cloned repository, go to `azureml-examples/cli/`.

+1. Edit `setup.sh` and update these variables in the file.

+

+ |Variable | Description |

+ |||

+ |GROUP | Name of resource group |

+ |LOCATION | Location of your workspace (example: `eastus2`) |

+ |WORKSPACE | Name of Azure ML workspace |

+## Step 4. Update `pipeline.yml` with your compute cluster name

+You'll use a `pipeline.yml` file to deploy your Azure ML pipeline. This is a machine learning pipeline and not a DevOps pipeline. You only need to make this update if you're using a name other than `cpu-cluster` for your computer cluster name.

+1. In your cloned repository, go to `azureml-examples/cli/jobs/pipelines/nyc-taxi/pipeline.yml`.

+1. Each time you see `compute: azureml:cpu-cluster`, update the value of `cpu-cluster` with your compute cluster name. For example, if your cluster is named `my-cluster`, your new value would be `azureml:my-cluster`. There are five updates.

+## Step 5: Run your GitHub Actions workflow

+Your workflow authenticates with Azure, sets up the Azure Machine Learning CLI, and uses the CLI to train a model in Azure Machine Learning.

+# [Service principal](#tab/userlevel)

+Your workflow file is made up of a trigger section and jobs:

+- A trigger starts the workflow in the `on` section. The workflow runs by default on a cron schedule and when a pull request is made from matching branches and paths. Learn more about [events that trigger workflows](https://docs.github.com/actions/using-workflows/events-that-trigger-workflows).

+- In the jobs section of the workflow, you checkout code and log into Azure with your service principal secret.

+- The jobs section also includes a setup action that installs and sets up the [Machine Learning CLI (v2)](how-to-configure-cli.md). Once the CLI is installed, the run job action runs your Azure Machine Learning `pipeline.yml` file to train a model with NYC taxi data.

+### Enable your workflow

+1. In your cloned repository, open `.github/workflows/cli-jobs-pipelines-nyc-taxi-pipeline.yml` and verify that your workflow looks like this.

+ ```yaml

+ name: cli-jobs-pipelines-nyc-taxi-pipeline

+ on:

+ workflow_dispatch:

+ schedule:

+ - cron: "0 0/4 * * *"

+ pull_request:

+ branches:

+ - main

+ - sdk-preview

+ paths:

+ - cli/jobs/pipelines/nyc-taxi/**

+ - .github/workflows/cli-jobs-pipelines-nyc-taxi-pipeline.yml

+ - cli/run-pipeline-jobs.sh

+ - cli/setup.sh

+ jobs:

+ build:

+ runs-on: ubuntu-latest

+ steps:

+ - name: check out repo

+ uses: actions/checkout@v2

+ - name: azure login

+ uses: azure/login@v1

+ with:

+ creds: ${{secrets.AZ_CREDS}}

+ - name: setup

+ run: bash setup.sh

+ working-directory: cli

+ continue-on-error: true

+ - name: run job

+ run: bash -x ../../../run-job.sh pipeline.yml

+ working-directory: cli/jobs/pipelines/nyc-taxi

+ ```

+1. Select **View runs**.

+1. Enable workflows by selecting **I understand my workflows, go ahead and enable them**.

+1. Select the **cli-jobs-pipelines-nyc-taxi-pipeline workflow** and choose to **Enable workflow**.

+ :::image type="content" source="media/how-to-github-actions-machine-learning/enable-github-actions-ml-workflow.png" alt-text="Screenshot of enable GitHub Actions workflow.":::

+1. Select **Run workflow** and choose the option to **Run workflow** now.

+ :::image type="content" source="media/how-to-github-actions-machine-learning/github-actions-run-workflow.png" alt-text="Screenshot of run GitHub Actions workflow.":::

+ # [OpenID Connect](#tab/openid)

+Your workflow file is made up of a trigger section and jobs:

+- A trigger starts the workflow in the `on` section. The workflow runs by default on a cron schedule and when a pull request is made from matching branches and paths. Learn more about [events that trigger workflows](https://docs.github.com/actions/using-workflows/events-that-trigger-workflows).

+- In the jobs section of the workflow, you checkout code and log into Azure with the Azure login action using OpenID Connect.

+- The jobs section also includes a setup action that installs and sets up the [Machine Learning CLI (v2)](how-to-configure-cli.md). Once the CLI is installed, the run job action runs your Azure Machine Learning `pipeline.yml` file to train a model with NYC taxi data.

+### Enable your workflow

+1. In your cloned repository, open `.github/workflows/cli-jobs-pipelines-nyc-taxi-pipeline.yml` and verify that your workflow looks like this.

+ ```yaml

+ name: cli-jobs-pipelines-nyc-taxi-pipeline

+ on:

+ workflow_dispatch:

+ schedule:

+ - cron: "0 0/4 * * *"

+ pull_request:

+ branches:

+ - main

+ - sdk-preview

+ paths:

+ - cli/jobs/pipelines/nyc-taxi/**

+ - .github/workflows/cli-jobs-pipelines-nyc-taxi-pipeline.yml

+ - cli/run-pipeline-jobs.sh

+ - cli/setup.sh

+ jobs:

+ build:

+ runs-on: ubuntu-latest

+ steps:

+ - name: check out repo

+ uses: actions/checkout@v2

+ - name: azure login

+ uses: azure/login@v1

+ with:

+ client-id: ${{ secrets.AZURE_CLIENT_ID }}

+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}

+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

+ - name: setup

+ run: bash setup.sh

+ working-directory: cli

+ continue-on-error: true

+ - name: run job

+ run: bash -x ../../../run-job.sh pipeline.yml

+ working-directory: cli/jobs/pipelines/nyc-taxi

+ ```

+1. Select **View runs**.

+1. Enable workflows by selecting **I understand my workflows, go ahead and enable them**.

+1. Select the **cli-jobs-pipelines-nyc-taxi-pipeline workflow** and choose to **Enable workflow**.

+ :::image type="content" source="media/how-to-github-actions-machine-learning/enable-github-actions-ml-workflow.png" alt-text="Screenshot of enable GitHub Actions workflow.":::

+1. Select **Run workflow** and choose the option to **Run workflow** now.

+ :::image type="content" source="media/how-to-github-actions-machine-learning/github-actions-run-workflow.png" alt-text="Screenshot of run GitHub Actions workflow.":::

+## Step 6: Verify your workflow run

+1. Open your completed workflow run and verify that the build job ran successfully. You'll see a green checkmark next to the job.

+1. Open Azure Machine Learning studio and navigate to the **nyc-taxi-pipeline-example**. Verify that each part of your job (prep, transform, train, predict, score) completed and that you see a green checkmark.

+ :::image type="content" source="media/how-to-github-actions-machine-learning/github-actions-machine-learning-nyc-taxi-complete.png" alt-text="Screenshot of successful Machine Learning Studio run.":::

+> [Create production ML pipelines with Python SDK](tutorial-pipeline-python-sdk.md)

+# Troubleshooting environment image builds using troubleshooting log error messages

+In this article, learn how to troubleshoot common problems you may encounter with environment image builds.

+## Azure Machine Learning environments

+Azure Machine Learning environments are an encapsulation of the environment where your machine learning training happens.

+They specify the base docker image, Python packages, and software settings around your training and scoring scripts.

+Environments are managed and versioned assets within your Machine Learning workspace that enable reproducible, auditable, and portable machine learning workflows across various compute targets.

+## Types of environments

+Environments can broadly be divided into three categories: curated, user-managed, and system-managed.

+Curated environments are pre-created environments that are managed by Azure Machine Learning (AzureML) and are available by default in every workspace provisioned. ```

+Intended to be used as is, they contain collections of Python packages and settings to help you get started with various machine learning frameworks.

+These pre-created environments also allow for faster deployment time.

+In user-managed environments, you're responsible for setting up your environment and installing every package that your training script needs on the compute target.

+Also be sure to include any dependencies needed for model deployment.

+These types of environments are represented by two subtypes, BYOC (bring your own container) ΓÇô a Docker image user brings to AzureML and Docker build context based environment where AzureML materializes the image from the user provided content.

+You use system-managed environments when you want conda to manage the Python environment for you.

+A new isolated conda environment is materialized from your conda specification on top of a base Docker image. By default, common properties are added to the derived image.

+Note that environment isolation implies that Python dependencies installed in the base image won't be available in the derived image.

+## Create and manage environments

+You can create and manage environments from clients like AzureML Python SDK, AzureML CLI, AzureML Studio UI, VS code extension.

+"Anonymous" environments are automatically registered in your workspace when you submit an experiment without registering or referencing an already existing environment.

+They won't be listed but may be retrieved by version or label.

+AzureML builds environment definitions into Docker images.

+It also caches the environments in Azure Container Registry associated with your AzureML Workspace so they can be reused in subsequent training jobs and service endpoint deployments.

+Multiple environments with the same definition may result the same image, so the cached image will be reused.

+Running a training script remotely requires the creation of a Docker image.

+## Reproducibility and vulnerabilities

+Over time vulnerabilities are discovered and Docker images that correspond to AzureML environments may be flagged by the scanning tools.

+Updates for AzureML based images are released regularly, with a commitment of no unpatched vulnerabilities older than 30 days in the latest version of the image.

+It's your responsibility to evaluate the threat and address vulnerabilities in environments.

+Not all the vulnerabilities are exploitable, so you need to use your judgment when choosing between reproducibility and resolving vulnerabilities.

+> [!IMPORTANT]

+> There's no guarantee that the same set of python dependencies will be materialized with an image rebuild or for a new environment with the same set of Python dependencies.

+## *Environment definition problems*

+### Environment name issues

+#### **"Curated prefix not allowed"**

+Terminology:

+"Curated": environments Microsoft creates and maintains.

+"Custom": environments you create and maintain.

+- The name of your custom environment uses terms reserved only for curated environments

+- Don't start your environment name with *Microsoft* or *AzureML*--these prefixes are reserved for curated environments

+- To customize a curated environment, you must clone and rename the environment

+- For more information about proper curated environment usage, see [create and manage reusable environments](https://aka.ms/azureml/environment/create-and-manage-reusable-environments)

+#### **"Environment name is too long"**

+- Environment names can be up to 255 characters in length

+- Consider renaming and shortening your environment name

+### Docker issues

+To create a new environment, you must use one of the following approaches:

+1. Base image

+ - Provide base image name, repository from which to pull it, credentials if needed

+ - Provide a conda specification

+2. Base Dockerfile (V1 only, Deprecated)

+ - Provide a Dockerfile

+ - Provide a conda specification

+3. Docker build context

+ - Provide the location of the build context (URL)

+ - The build context must contain at least a Dockerfile, but may contain other files as well

+#### **"Missing Docker definition"**

+- An environment has a `DockerSection` that must be populated with either a base image, base Dockerfile, or build context

+- This section configures settings related to the final Docker image built to the specifications of the environment and whether to use Docker containers to build the environment

+- See [DockerSection](https://aka.ms/azureml/environment/environment-docker-section)

+#### **"Missing Docker build context location"**

+- If you're specifying a Docker build context as part of your environment build, you must provide the path of the build context directory

+- See [BuildContext](https://aka.ms/azureml/environment/build-context-class)

+#### **"Too many Docker options"**

+Only one of the following options can be specified:

+*V1*

+- `base_image`

+- `base_dockerfile`

+- `build_context`

+- See [DockerSection](https://aka.ms/azureml/environment/docker-section-class)

+*V2*

+- `image`

+- `build`

+- See [azure.ai.ml.entities.Environment](https://aka.ms/azureml/environment/environment-class-v2)

+#### **"Missing Docker option"**

+*V1*

+- You must specify one of: base image, base Dockerfile, or build context

+*V2:*

+- You must specify one of: image or build context

+#### **"Container registry credentials missing either username or password"**

+- To access the base image in the container registry specified, you must provide both a username and password. One is missing.

+- Note that providing credentials in this way is deprecated. For the current method of providing credentials, see the *secrets in base image registry* section.

+#### **"Multiple credentials for base image registry"**

+- When specifying credentials for a base image registry, you must specify only one set of credentials.

+- The following authentication types are currently supported:

+ - Basic (username/password)

+ - Registry identity (clientId/resourceId)

+- If you're using workspace connections to specify credentials, [delete one of the connections](https://aka.ms/azureml/environment/delete-connection-v1)

+- If you've specified credentials directly in your environment definition, choose either username/password or registry identity

+to use, and set the other credentials you won't use to `null`

+ - Specifying credentials in this way is deprecated. It's recommended that you use workspace connections. See

+ *secrets in base image registry* below

+#### **"Secrets in base image registry"**

+- If you specify a base image in your `DockerSection`, you must specify the registry address from which the image will be pulled,

+and credentials to authenticate to the registry, if needed.

+- Historically, credentials have been specified in the environment definition. However, this isn't secure and should be

+avoided.

+- Users should set credentials using workspace connections. For instructions on how to

+do this, see [set_connection](https://aka.ms/azureml/environment/set-connection-v1)

+#### **"Deprecated Docker attribute"**

+- The following `DockerSection` attributes are deprecated:

+ - `enabled`

+ - `arguments`

+ - `shared_volumes`

+ - `gpu_support`

+ - Azure Machine Learning now automatically detects and uses NVIDIA Docker extension when available.

+ - `smh_size`

+- Use [DockerConfiguration](https://aka.ms/azureml/environment/docker-configuration-class) instead

+- See [DockerSection deprecated variables](https://aka.ms/azureml/environment/docker-section-class)

+#### **"Dockerfile length over limit"**

+- The specified Dockerfile can't exceed the maximum Dockerfile size of 100KB

+- Consider shortening your Dockerfile to get it under this limit

+### Docker build context issues

+#### **"Missing Dockerfile path"**

+- In the Docker build context, a Dockerfile path must be specified

+- This is the path to the Dockerfile relative to the root of Docker build context directory

+- See [Build Context class](https://aka.ms/azureml/environment/build-context-class)

+#### **"Not allowed to specify attribute with Docker build context"**

+- If a Docker build context is specified, then the following items can't also be specified in the

+environment definition:

+ - Environment variables

+ - Conda dependencies

+ - R

+ - Spark

+#### **"Location type not supported/Unknown location type"**

+- The following are accepted location types:

+ - Git

+ - Git URLs can be provided to AzureML, but images can't yet be built using them. Use a storage

+ account until builds have Git support

+ - [How to use git repository as build context](https://aka.ms/azureml/environment/git-repo-as-build-context)

+ - Storage account

+#### **"Invalid location"**

+- The specified location of the Docker build context is invalid

+- If the build context is stored in a git repository, the path of the build context must be specified as a git URL

+- If the build context is stored in a storage account, the path of the build context must be specified as

+ - `https://storage-account.blob.core.windows.net/container/path/`

+### Base image issues

+#### **"Base image is deprecated"**

+- The following base images are deprecated:

+ - `azureml/base`

+ - `azureml/base-gpu`

+ - `azureml/base-lite`

+ - `azureml/intelmpi2018.3-cuda10.0-cudnn7-ubuntu16.04`

+ - `azureml/intelmpi2018.3-cuda9.0-cudnn7-ubuntu16.04`

+ - `azureml/intelmpi2018.3-ubuntu16.04`

+ - `azureml/o16n-base/python-slim`

+ - `azureml/openmpi3.1.2-cuda10.0-cudnn7-ubuntu16.04`

+ - `azureml/openmpi3.1.2-ubuntu16.04`

+ - `azureml/openmpi3.1.2-cuda10.0-cudnn7-ubuntu18.04`

+ - `azureml/openmpi3.1.2-cuda10.1-cudnn7-ubuntu18.04`

+ - `azureml/openmpi3.1.2-cuda10.2-cudnn7-ubuntu18.04`

+ - `azureml/openmpi3.1.2-cuda10.2-cudnn8-ubuntu18.04`

+- AzureML can't provide troubleshooting support for failed builds with deprecated images.

+- Deprecated images are also at risk for vulnerabilities since they're no longer updated or maintained.

+It's best to use newer, non-deprecated versions.

+#### **"No tag or digest"**

+- For the environment to be reproducible, one of the following must be included on a provided base image:

+ - Version tag

+ - Digest

+- See [image with immutable identifier](https://aka.ms/azureml/environment/pull-image-by-digest)

+### Environment variable issues

+#### **"Misplaced runtime variables"**

+- An environment definition shouldn't contain runtime variables

+- Use the `environment_variables` attribute on the [RunConfiguration object](https://aka.ms/azureml/environment/environment-variables-on-run-config) instead

+### Python issues

+#### **"Python section missing"**

+*V1*

+- An environment definition must have a Python section

+- Conda dependencies are specified in this section, and Python (along with its version) should be one of them

+```json

+"python": {

+ "baseCondaEnvironment": null,

+ "condaDependencies": {

+ "channels": [

+ "anaconda",

+ "conda-forge"

+ ],

+ "dependencies": [

+ "python=3.6.2"

+ ],

+ },

+ "condaDependenciesFile": null,

+ "interpreterPath": "python",

+ "userManagedDependencies": false

+}

+- See [PythonSection class](https://aka.ms/azureml/environment/environment-python-section)

+#### **"Python version missing"**

+- A Python version must be specified in the environment definition

+- A Python version can be added by adding Python as a conda package, specifying the version:

+from azureml.core.environment import CondaDependencies

+myenv = Environment(name="myenv")

+conda_dep = CondaDependencies()

+conda_dep.add_conda_package("python==3.8")

+```

+- See [Add conda package](https://aka.ms/azureml/environment/add-conda-package-v1)

+#### **"Multiple Python versions"**

+- Only one Python version can be specified in the environment definition

+#### **"Python version not supported"**

+- The Python version provided in the environment definition isn't supported

+- Consider using a newer version of Python

+- See [Python versions](https://aka.ms/azureml/environment/python-versions) and [Python end-of-life dates](https://aka.ms/azureml/environment/python-end-of-life)

+#### **"Python version not recommended"**

+- The Python version used in the environment definition is deprecated, and its use should be avoided

+- Consider using a newer version of Python as the specified version will eventually unsupported

+- See [Python versions](https://aka.ms/azureml/environment/python-versions) and [Python end-of-life dates](https://aka.ms/azureml/environment/python-end-of-life)

+#### **"Failed to validate Python version"**

+- The provided Python version may have been formatted improperly or specified with incorrect syntax

+- See [conda package pinning](https://aka.ms/azureml/environment/how-to-pin-conda-packages)

+### Conda issues

+#### **"Missing conda dependencies"**

+- The [environment definition](https://aka.ms/azureml/environment/environment-class-v1)

+has a [PythonSection](https://aka.ms/azureml/environment/environment-python-section)

+that contains a `user_managed_dependencies` bool and a `conda_dependencies` object

+- If `user_managed_dependencies` is set to `True`, you're responsible for ensuring that all the necessary packages are available in the

+Python environment in which you choose to run the script

+- If `user_managed_dependencies` is set to `False` (the default), Azure ML will create a Python environment for you based on `conda_dependencies`.

+The environment is built once and is reused as long as the conda dependencies remain unchanged

+- You'll receive a *"missing conda dependencies"* error when `user_managed_dependencies` is set to `False` and you haven't provided a conda specification.

+- See [how to create a conda file manually](https://aka.ms/azureml/environment/how-to-create-conda-file)

+- See [CondaDependencies class](https://aka.ms/azureml/environment/conda-dependencies-class)

+- See [how to set a conda specification on the environment definition](https://aka.ms/azureml/environment/set-conda-spec-on-environment-definition)

+#### **"Invalid conda dependencies"**

+- Make sure the conda dependencies specified in your conda specification are formatted correctly

+- See [how to create a conda file manually](https://aka.ms/azureml/environment/how-to-create-conda-file)

+#### **"Missing conda channels"**

+- If no conda channels are specified, conda will use defaults that might change

+- For reproducibility of your environment, specify channels from which to pull dependencies

+- See [how to manage conda channels](https://aka.ms/azureml/environment/managing-conda-channels)

+for more information

+#### **"Base conda environment not recommended"**

+- Partial environment updates can lead to dependency conflicts and/or unexpected runtime errors,

+so the use of base conda environments isn't recommended

+- Instead, specify all packages needed for your environment in the `conda_dependencies` section of your

+environment definition

+ - See [from_conda_specification](https://aka.ms/azureml/environment/set-conda-spec-on-environment-definition)

+ - See [CondaDependencies class](https://aka.ms/azureml/environment/conda-dependencies-class)

+- If you're using V2, add a conda specification to your [build context](https://aka.ms/azureml/environment/environment-build-context)

+#### **"Unpinned dependencies"**

+- For reproducibility, specify dependency versions for the packages in your conda specification

+- If versions aren't specified, there's a chance that the conda or pip package resolver will choose a different

+version of a package on subsequent builds of an environment. This can lead to unexpected errors and incorrect behavior

+- See [conda package pinning](https://aka.ms/azureml/environment/how-to-pin-conda-packages)

+### Pip issues

+#### **"Pip not specified"**

+- For reproducibility, pip should be specified as a dependency in your conda specification, and it should be pinned

+- See [how to set a conda dependency](https://aka.ms/azureml/environment/add-conda-package-v1)

+#### **"Pip not pinned"**

+- For reproducibility, specify the pip resolver version in your conda dependencies

+- If the pip version isn't specified, there's a chance different versions of pip will be used on subsequent

+image builds on the environment

+ - This could cause the build to fail if the different pip versions resolve your packages differently

+ - To avoid this and to achieve reproducibility of your environment, specify the pip version

+- See [conda package pinning](https://aka.ms/azureml/environment/how-to-pin-conda-packages)

+- See [how to set pip as a dependency](https://aka.ms/azureml/environment/add-conda-package-v1)

+### Deprecated environment property issues

+#### **"R section is deprecated"**

+- The Azure Machine Learning SDK for R will be deprecated by the end of 2021 to make way for an improved R training and deployment

+experience using Azure Machine Learning CLI 2.0

+- See the [samples repository](https://aka.ms/azureml/environment/train-r-models-cli-v2) to get started with the Public Preview edition of the 2.0 CLI

+## *Image build problems*

+### Miscellaneous issues

+#### **"Build log unavailable"**

+- Build logs are optional and not available for all environments since the image might already exist

+#### **"ACR unreachable"**

+- There was a failure communicating with the workspace's container registry

+- If your scenario involves a VNet, you may need to build images using a compute cluster

+- See [secure a workspace using virtual networks](https://aka.ms/azureml/environment/acr-private-endpoint)

+### Docker pull issues

+#### **"Failed to pull Docker image"**

+- Possible issues:

+ - The path name to the container registry might not be resolving correctly

+ - For a registry `my-registry.io` and image `test/image` with tag `3.2`, a valid image path would be `my-registry.io/test/image:3.2`

+ - See [registry path documentation](https://aka.ms/azureml/environment/docker-registries)

+ - If a container registry behind a virtual network is using a private endpoint in an [unsupported region](https://aka.ms/azureml/environment/private-link-availability),

+ configure the container registry by using the service endpoint (public access) from the portal and retry

+ - After you put the container registry behind a virtual network, run the [Azure Resource Manager template](https://aka.ms/azureml/environment/secure-resources-using-vnet)

+ so the workspace can communicate with the container registry instance

+ - The image you're trying to reference doesn't exist in the container registry you specified

+ - Check that the correct tag is used and that `user_managed_dependencies` is set to `True`.

+ Setting [user_managed_dependencies](https://aka.ms/azureml/environment/environment-python-section)

+ to `True` disables conda and uses the user's installed packages.

+ - You haven't provided credentials for a private registry you're trying to pull the image from, or the provided credentials are incorrect

+ - Set [workspace connections](https://aka.ms/azureml/environment/set-connection-v1) for the container registry if needed

+### Conda issues during build

+#### **"Bad spec"**

+- Failed to create or update the conda environment due to an invalid package specification

+ - See [package match specifications](https://aka.ms/azureml/environment/conda-package-match-specifications)

+ - See [how to create a conda file manually](https://aka.ms/azureml/environment/how-to-create-conda-file)

+#### **"Communications error"**

+- Failed to communicate with a conda channel or package repository

+- Retrying the image build may work if the issue is transient

+#### **"Compile error"**

+- Failed to build a package required for the conda environment

+- Another version of the failing package may work. If it doesn't, review the image build log, hunt for a solution, and update the environment definition.

+#### **"Missing command"**

+- Failed to build a package required for the conda environment due to a missing command

+- Identify the missing command from the image build log, determine how to add it to your image, and then update the environment definition.

+#### **"Conda timeout"**

+- Failed to create or update the conda environment because it took too long

+- Consider removing unnecessary packages and pinning specific versions

+- See [understanding and improving conda's performance](https://aka.ms/azureml/environment/improve-conda-performance)

+#### **"Out of memory"**

+- Failed to create or update the conda environment due to insufficient memory

+- Consider removing unnecessary packages and pinning specific versions

+- See [understanding and improving conda's performance](https://aka.ms/azureml/environment/improve-conda-performance)

+#### **"Package not found"**

+- One or more packages specified in your conda specification couldn't be found

+- Ensure that all packages you've specified exist, and can be found using the channels you've specified in your conda specification

+- If you don't specify conda channels, conda will use defaults that are subject to change

+ - For reproducibility, specify channels from which to pull dependencies

+- See [managing channels](https://aka.ms/azureml/environment/managing-conda-channels)

+#### **"Missing Python module"**

+- Check the Python modules specified in your environment definition and correct any misspellings or incorrect pinned versions.

+#### **"No matching distribution"**

+- Failed to find Python package matching a specified distribution

+- Search for the distribution you're looking for and ensure it exists: [pypi](https://aka.ms/azureml/environment/pypi)

+#### **"Cannot build mpi4py"**

+- Failed to build wheel for mpi4py

+- Review and update your build environment or use a different installation method

+- See [mpi4py installation](https://aka.ms/azureml/environment/install-mpi4py)

+#### **"Interactive auth was attempted"**

+- Failed to create or update the conda environment because pip attempted interactive authentication

+- Instead, provide authentication via [workspace connection](https://aka.ms/azureml/environment/set-connection-v1)

+#### **"Forbidden blob"**

+- Failed to create or update the conda environment because a blob contained in the associated storage account was inaccessible

+- Either open up permissions on the blob or add/replace the SAS token in the URL

+#### **"Horovod build"**

+- Failed to create or update the conda environment because horovod failed to build

+- See [horovod installation](https://aka.ms/azureml/environment/install-horovod)

+#### **"Conda command not found"**

+- Failed to create or update the conda environment because the conda command is missing

+- For system-managed environments, conda should be in the path in order to create the user's environment

+from the provided conda specification

+#### **"Incompatible Python version"**

+- Failed to create or update the conda environment because a package specified in the conda environment isn't compatible with the specified python version

+- Update the Python version or use a different version of the package

+#### **"Conda bare redirection"**

+- Failed to create or update the conda environment because a package was specified on the command line using ">" or "<"

+without using quotes. Consider adding quotes around the package specification

+### Pip issues during build

+#### **"Failed to install packages"**

+- Failed to install Python packages

+- Review the image build log for more information on this error

+#### **"Cannot uninstall package"**

+- Pip failed to uninstall a Python package that was installed via the OS's package manager

+- Consider creating a separate environment using conda instead

+> [!div class="op_single_selector" title1="Select the version of Azure Machine Learning you are using:"]

+> * [v1](v1/reference-automl-images-hyperparameters-v1.md)

+> * [v2 (current version)](reference-automl-images-hyperparameters.md)

+| `image_size` | Image size for train and validation. <br> Must be a positive integer. <br> <br> *Note: training run may get into CUDA OOM if the size is too big*. | 640 |

+| `model_size` | Model size. <br> Must be `small`, `medium`, `large`, or `extra_large`. <br><br> *Note: training run may get into CUDA OOM if the model size is too big*. | `medium` |

+| `box_score_threshold` | During inference, only return proposals with a score greater than `box_score_threshold`. The score is the multiplication of the objectness score and classification probability. <br> Must be a float in the range [0, 1]. | 0.1 |

+| `nms_iou_threshold` | IOU threshold used during inference in non-maximum suppression post processing. <br> Must be a float in the range [0, 1]. | 0.5 |

+| `gradient_accumulation_step` | Gradient accumulation means running a configured number of `gradient_accumulation_step` without updating the model weights while accumulating the gradients of those steps, and then using the accumulated gradients to compute the weight updates. <br> Must be a positive integer. | 1 |

+| `learning_rate_scheduler` | Type of learning rate scheduler. <br> Must be `warmup_cosine` or `step`. | `warmup_cosine` |

+|`ams_gradient` | Enable `ams_gradient` when optimizer is `adam` or `adamw`.<br> Must be 0 or 1. | 0 |

+|`checkpoint_run_id`| The run ID of the experiment that has a pretrained checkpoint for incremental training.| no default |

+| `weighted_loss` | <li> 0 for no weighted loss. <li> 1 for weighted loss with sqrt.(class_weights) <li> 2 for weighted loss with class_weights. <li> Must be 0 or 1 or 2. | 0 |

+| `validation_resize_size` | <li> Image size to which to resize before cropping for validation dataset. <li> Must be a positive integer. <br> <br> *Notes: <li> `seresnext` doesn't take an arbitrary size. <li> Training run may get into CUDA OOM if the size is too big*. | 256  |

+| `validation_crop_size` | <li> Image crop size that's input to your neural network for validation dataset. <li> Must be a positive integer. <br> <br> *Notes: <li> `seresnext` doesn't take an arbitrary size. <li> *ViT-variants* should have the same `validation_crop_size` and `training_crop_size`. <li> Training run may get into CUDA OOM if the size is too big*. | 224 |

+| `training_crop_size` | <li> Image crop size that's input to your neural network for train dataset. <li> Must be a positive integer. <br> <br> *Notes: <li> `seresnext` doesn't take an arbitrary size. <li> *ViT-variants* should have the same `validation_crop_size` and `training_crop_size`. <li> Training run may get into CUDA OOM if the size is too big*. | 224 |

+> These parameters are not supported with the `yolov5` algorithm. See the [model specific hyperparameters](#model-specific-hyperparameters) section for `yolov5` supported hyperparmeters.

+| `box_score_threshold` | During inference, only return proposals with a classification score greater than `box_score_threshold`. <br> Must be a float in the range [0, 1].| 0.3 |

+| `nms_iou_threshold` | IOU (intersection over union) threshold used in non-maximum suppression (NMS) for the prediction head. Used during inference. <br>Must be a float in the range [0, 1]. | 0.5 |

+| `box_detections_per_image` | Maximum number of detections per image, for all classes. <br> Must be a positive integer.| 100 |

+| `tile_predictions_nms_threshold` | The IOU threshold to use to perform NMS while merging predictions from tiles and image. Used in validation/ inference. <br> Must be float in the range of [0, 1] | 0.25 |

+# [Azure CLI](#tab/cli)

+```yaml

+CLI example not available, please use Python SDK.

+```

+# [Python SDK](#tab/python)

+CLI example not available, please use Python SDK.

+CLI example not available, please use Python SDK.

+CLI example not available, please use Python SDK.

+ Title: Hyperparameter for AutoML computer vision tasks (v1)

+description: Learn which hyperparameters are available for computer vision tasks with automated ML (v1).

+# Hyperparameters for computer vision tasks in automated machine learning (v1)

+> [!div class="op_single_selector" title1="Select the version of Azure Machine Learning you are using:"]

+> * [v1](reference-automl-images-hyperparameters-v1.md)

+> * [v2 (current version)](../reference-automl-images-hyperparameters.md)

+Learn which hyperparameters are available specifically for computer vision tasks in automated ML experiments.

+With support for computer vision tasks, you can control the model algorithm and sweep hyperparameters. These model algorithms and hyperparameters are passed in as the parameter space for the sweep. While many of the hyperparameters exposed are model-agnostic, there are instances where hyperparameters are model-specific or task-specific.

+## Model-specific hyperparameters

+This table summarizes hyperparameters specific to the `yolov5` algorithm.

+| Parameter name | Description | Default |

+| - |-|-|

+| `validation_metric_type` | Metric computation method to use for validation metrics. <br> Must be `none`, `coco`, `voc`, or `coco_voc`. | `voc` |

+| `validation_iou_threshold` | IOU threshold for box matching when computing validation metrics. <br>Must be a float in the range [0.1, 1]. | 0.5 |

+| `img_size` | Image size for train and validation. <br> Must be a positive integer. <br> <br> *Note: training run may get into CUDA OOM if the size is too big*. | 640 |

+| `model_size` | Model size. <br> Must be `small`, `medium`, `large`, or `xlarge`. <br><br> *Note: training run may get into CUDA OOM if the model size is too big*. | `medium` |

+| `multi_scale` | Enable multi-scale image by varying image size by +/- 50% <br> Must be 0 or 1. <br> <br> *Note: training run may get into CUDA OOM if no sufficient GPU memory*. | 0 |

+| `box_score_thresh` | During inference, only return proposals with a score greater than `box_score_thresh`. The score is the multiplication of the objectness score and classification probability. <br> Must be a float in the range [0, 1]. | 0.1 |

+| `nms_iou_thresh` | IOU threshold used during inference in non-maximum suppression post processing. <br> Must be a float in the range [0, 1]. | 0.5 |

+This table summarizes hyperparameters specific to the `maskrcnn_*` for instance segmentation during inference.

+| Parameter name | Description | Default |

+| - |-|-|

+| `mask_pixel_score_threshold` | Score cutoff for considering a pixel as part of the mask of an object. | 0.5 |

+| `max_number_of_polygon_points` | Maximum number of (x, y) coordinate pairs in polygon after converting from a mask. | 100 |

+| `export_as_image` | Export masks as images. | False |

+| `image_type` | Type of image to export mask as (options are jpg, png, bmp). | JPG |

+## Model agnostic hyperparameters

+The following table describes the hyperparameters that are model agnostic.

+| Parameter name | Description | Default|

+| | - | |

+| `number_of_epochs` | Number of training epochs. <br>Must be a positive integer. | 15 <br> (except `yolov5`: 30) |

+| `training_batch_size` | Training batch size.<br> Must be a positive integer. | Multi-class/multi-label: 78 <br>(except *vit-variants*: <br> `vits16r224`: 128 <br>`vitb16r224`: 48 <br>`vitl16r224`:10)<br><br>Object detection: 2 <br>(except `yolov5`: 16) <br><br> Instance segmentation: 2 <br> <br> *Note: The defaults are largest batch size that can be used on 12 GiB GPU memory*.|

+| `validation_batch_size` | Validation batch size.<br> Must be a positive integer. | Multi-class/multi-label: 78 <br>(except *vit-variants*: <br> `vits16r224`: 128 <br>`vitb16r224`: 48 <br>`vitl16r224`:10)<br><br>Object detection: 1 <br>(except `yolov5`: 16) <br><br> Instance segmentation: 1 <br> <br> *Note: The defaults are largest batch size that can be used on 12 GiB GPU memory*.|

+| `grad_accumulation_step` | Gradient accumulation means running a configured number of `grad_accumulation_step` without updating the model weights while accumulating the gradients of those steps, and then using the accumulated gradients to compute the weight updates. <br> Must be a positive integer. | 1 |

+| `early_stopping` | Enable early stopping logic during training. <br> Must be 0 or 1.| 1 |

+| `early_stopping_patience` | Minimum number of epochs or validation evaluations with<br>no primary metric improvement before the run is stopped.<br> Must be a positive integer. | 5 |

+| `early_stopping_delay` | Minimum number of epochs or validation evaluations to wait<br>before primary metric improvement is tracked for early stopping.<br> Must be a positive integer. | 5 |

+| `learning_rate` | Initial learning rate. <br>Must be a float in the range [0, 1]. | Multi-class: 0.01 <br>(except *vit-variants*: <br> `vits16r224`: 0.0125<br>`vitb16r224`: 0.0125<br>`vitl16r224`: 0.001) <br><br> Multi-label: 0.035 <br>(except *vit-variants*:<br>`vits16r224`: 0.025<br>`vitb16r224`: 0.025 <br>`vitl16r224`: 0.002) <br><br> Object detection: 0.005 <br>(except `yolov5`: 0.01) <br><br> Instance segmentation: 0.005 |

+| `lr_scheduler` | Type of learning rate scheduler. <br> Must be `warmup_cosine` or `step`. | `warmup_cosine` |

+| `step_lr_gamma` | Value of gamma when learning rate scheduler is `step`.<br> Must be a float in the range [0, 1]. | 0.5 |

+| `step_lr_step_size` | Value of step size when learning rate scheduler is `step`.<br> Must be a positive integer. | 5 |

+| `warmup_cosine_lr_cycles` | Value of cosine cycle when learning rate scheduler is `warmup_cosine`. <br> Must be a float in the range [0, 1]. | 0.45 |

+| `warmup_cosine_lr_warmup_epochs` | Value of warmup epochs when learning rate scheduler is `warmup_cosine`. <br> Must be a positive integer. | 2 |

+| `optimizer` | Type of optimizer. <br> Must be either `sgd`, `adam`, `adamw`. | `sgd` |

+| `momentum` | Value of momentum when optimizer is `sgd`. <br> Must be a float in the range [0, 1]. | 0.9 |

+| `weight_decay` | Value of weight decay when optimizer is `sgd`, `adam`, or `adamw`. <br> Must be a float in the range [0, 1]. | 1e-4 |

+|`nesterov`| Enable `nesterov` when optimizer is `sgd`. <br> Must be 0 or 1.| 1 |

+|`beta1` | Value of `beta1` when optimizer is `adam` or `adamw`. <br> Must be a float in the range [0, 1]. | 0.9 |

+|`beta2` | Value of `beta2` when optimizer is `adam` or `adamw`.<br> Must be a float in the range [0, 1]. | 0.999 |

+|`amsgrad` | Enable `amsgrad` when optimizer is `adam` or `adamw`.<br> Must be 0 or 1. | 0 |

+|`evaluation_frequency`| Frequency to evaluate validation dataset to get metric scores. <br> Must be a positive integer. | 1 |

+|`checkpoint_frequency`| Frequency to store model checkpoints. <br> Must be a positive integer. | Checkpoint at epoch with best primary metric on validation.|

+|`checkpoint_run_id`| The run ID of the experiment that has a pretrained checkpoint for incremental training.| no default |

+|`checkpoint_dataset_id`| FileDataset ID containing pretrained checkpoint(s) for incremental training. Make sure to pass `checkpoint_filename` along with `checkpoint_dataset_id`.| no default |

+|`checkpoint_filename`| The pretrained checkpoint filename in FileDataset for incremental training. Make sure to pass `checkpoint_dataset_id` along with `checkpoint_filename`.| no default |

+|`layers_to_freeze`| How many layers to freeze for your model. For instance, passing 2 as value for `seresnext` means freezing layer0 and layer1 referring to the below supported model layer info. <br> Must be a positive integer. <br><br>`'resnet': [('conv1.', 'bn1.'), 'layer1.', 'layer2.', 'layer3.', 'layer4.'],`<br>`'mobilenetv2': ['features.0.', 'features.1.', 'features.2.', 'features.3.', 'features.4.', 'features.5.', 'features.6.', 'features.7.', 'features.8.', 'features.9.', 'features.10.', 'features.11.', 'features.12.', 'features.13.', 'features.14.', 'features.15.', 'features.16.', 'features.17.', 'features.18.'],`<br>`'seresnext': ['layer0.', 'layer1.', 'layer2.', 'layer3.', 'layer4.'],`<br>`'vit': ['patch_embed', 'blocks.0.', 'blocks.1.', 'blocks.2.', 'blocks.3.', 'blocks.4.', 'blocks.5.', 'blocks.6.','blocks.7.', 'blocks.8.', 'blocks.9.', 'blocks.10.', 'blocks.11.'],`<br>`'yolov5_backbone': ['model.0.', 'model.1.', 'model.2.', 'model.3.', 'model.4.','model.5.', 'model.6.', 'model.7.', 'model.8.', 'model.9.'],`<br>`'resnet_backbone': ['backbone.body.conv1.', 'backbone.body.layer1.', 'backbone.body.layer2.','backbone.body.layer3.', 'backbone.body.layer4.']` | no default |

+## Image classification (multi-class and multi-label) specific hyperparameters

+The following table summarizes hyperparmeters for image classification (multi-class and multi-label) tasks.

+

+| Parameter name | Description | Default |

+| - |-|--|

+| `weighted_loss` | 0 for no weighted loss.<br>1 for weighted loss with sqrt.(class_weights) <br> 2 for weighted loss with class_weights. <br> Must be 0 or 1 or 2. | 0 |

+| `valid_resize_size` | <li> Image size to which to resize before cropping for validation dataset. <li> Must be a positive integer. <br> <br> *Notes: <li> `seresnext` doesn't take an arbitrary size. <li> Training run may get into CUDA OOM if the size is too big*. | 256  |

+| `valid_crop_size` | <li> Image crop size that's input to your neural network for validation dataset. <li> Must be a positive integer. <br> <br> *Notes: <li> `seresnext` doesn't take an arbitrary size. <li> *ViT-variants* should have the same `valid_crop_size` and `train_crop_size`. <li> Training run may get into CUDA OOM if the size is too big*. | 224 |

+| `train_crop_size` | <li> Image crop size that's input to your neural network for train dataset. <li> Must be a positive integer. <br> <br> *Notes: <li> `seresnext` doesn't take an arbitrary size. <li> *ViT-variants* should have the same `valid_crop_size` and `train_crop_size`. <li> Training run may get into CUDA OOM if the size is too big*. | 224 |

+## Object detection and instance segmentation task specific hyperparameters

+The following hyperparameters are for object detection and instance segmentation tasks.

+> [!WARNING]

+> These parameters are not supported with the `yolov5` algorithm. See the [model specific hyperparameters](#model-specific-hyperparameters) section for `yolov5` supported hyperparmeters.

+| Parameter name | Description | Default |

+| - |-|--|

+| `validation_metric_type` | Metric computation method to use for validation metrics. <br> Must be `none`, `coco`, `voc`, or `coco_voc`. | `voc` |

+| `validation_iou_threshold` | IOU threshold for box matching when computing validation metrics. <br>Must be a float in the range [0.1, 1]. | 0.5 |

+| `min_size` | Minimum size of the image to be rescaled before feeding it to the backbone. <br> Must be a positive integer. <br> <br> *Note: training run may get into CUDA OOM if the size is too big*.| 600 |

+| `max_size` | Maximum size of the image to be rescaled before feeding it to the backbone. <br> Must be a positive integer.<br> <br> *Note: training run may get into CUDA OOM if the size is too big*. | 1333 |

+| `box_score_thresh` | During inference, only return proposals with a classification score greater than `box_score_thresh`. <br> Must be a float in the range [0, 1].| 0.3 |

+| `nms_iou_thresh` | IOU (intersection over union) threshold used in non-maximum suppression (NMS) for the prediction head. Used during inference. <br>Must be a float in the range [0, 1]. | 0.5 |

+| `box_detections_per_img` | Maximum number of detections per image, for all classes. <br> Must be a positive integer.| 100 |

+| `tile_grid_size` | The grid size to use for tiling each image. <br>*Note: tile_grid_size must not be None to enable [small object detection](../how-to-use-automl-small-object-detect.md) logic*<br> A tuple of two integers passed as a string. Example: --tile_grid_size "(3, 2)" | No Default |

+| `tile_overlap_ratio` | Overlap ratio between adjacent tiles in each dimension. <br> Must be float in the range of [0, 1) | 0.25 |

+| `tile_predictions_nms_thresh` | The IOU threshold to use to perform NMS while merging predictions from tiles and image. Used in validation/ inference. <br> Must be float in the range of [0, 1] | 0.25 |

+## Next steps

+* Learn how to [Set up AutoML to train computer vision models with Python (preview)](how-to-auto-train-image-models-v1.md).

+* [Tutorial: Train an object detection model (preview) with AutoML and Python](tutorial-auto-train-image-models-v1.md).

+ Title: Data encryption with customer managed keys ΓÇô Azure Database for MySQL ΓÇô Flexible Server Preview

+description: Learn how data encryption with customer-managed keys for Azure Database for MySQL flexible server enables you to bring your own key (BYOK) for data protection at rest

+# Customer managed keys data encryption ΓÇô Azure Database for MySQL ΓÇô Flexible Server Preview

+With data encryption with customer-managed keys for Azure Database for MySQL - Flexible Server Preview, you can bring your own key (BYOK) for data protection at rest and implement separation of duties for managing keys and data. With customer managed keys (CMKs), the customer is responsible for and in a full control of key lifecycle management (key creation, upload, rotation, deletion), key usage permissions, and auditing operations on keys.

+Data encryption with CMKs is set at the server level. For a given server, a CMK, called the key encryption key (KEK), is used to encrypt the data encryption key (DEK) used by the service. The KEK is an asymmetric key stored in a customer-owned and customer-managed [Azure Key Vault instance](../../key-vault/general/security-features.md). Key Vault is highly available and scalable secure storage for RSA cryptographic keys, optionally backed by FIPS 140-2 Level 2 validated hardware security modules (HSMs). Key Vault doesn't allow direct access to a stored key, but instead provides encryption/decryption services using the key to the authorized entities. The key can be generated by the key vault, imported, or [transferred to the key vault from an on-premises HSM device](../../key-vault/keys/hsm-protected-keys.md).

+> [!Note]

+> In the Public Preview, we can't enable geo redundancy on a flexible server that has CMK enabled, nor can we enable geo redundancy on a flexible server that has CMK enabled.

+## Terminology and description

+**Data encryption key (DEK)**: A symmetric AES256 key used to encrypt a partition or block of data. Encrypting each block of data with a different key makes crypto analysis attacks more difficult. Access to DEKs is needed by the resource provider or application instance that is encrypting and decrypting a specific block. When you replace a DEK with a new key, only the data in its associated block must be re-encrypted with the new key.

+**Key encryption key (KEK)**: An encryption key used to encrypt the DEKs. A KEK that never leaves Key Vault allows the DEKs themselves to be encrypted and controlled. The entity that has access to the KEK might be different than the entity that requires the DEK. Since the KEK is required to decrypt the DEKs, the KEK is effectively a single point by which DEKs can be effectively deleted by deletion of the KEK. The DEKs, encrypted with the KEKs, are stored separately. Only an entity with access to the KEK can decrypt these DEKs. For more information, see [Security in encryption rest](../../security/fundamentals/encryption-atrest.md).

+## Benefits

+Data encryption with customer-managed keys for Azure Database for MySQL Flexible server provides the following benefits:

+- Data-access is fully controlled by you by the ability to remove the key and making the database inaccessible

+- Full control over the key-lifecycle, including rotation of the key to align with corporate policies

+- Central management and organization of keys in Azure Key Vault

+- Ability to implement separation of duties between security officers, and DBA and system administrators

+## How does data encryption with a customer-managed key work?

+Managed identities in Azure Active Directory (Azure AD) provide Azure services an alternative to storing credentials in the code by provisioning an automatically assigned identity that can be used to authenticate to any service supporting Azure AD authentication, such as Azure Key Vault (AKV). Azure Database for MySQL Flexible server currently supports only User-assigned Managed Identity (UMI). For more information, see [Managed identity types](../../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) in Azure.

+To configure the CMK for an Azure Database for MySQL flexible server, you need to link the UMI to the server and specify the Azure Key vault, and key to use.

+The UMI must have the following access to the key vault:

+- **Get**: For retrieving the public part and properties of the key in the key vault.

+- **List**: List the versions of the key stored in a Key Vault.

+- **Wrap Key**: To be able to encrypt the DEK. The encrypted DEK is stored in the Azure Database for MySQL Flexible server.

+- **Unwrap Key**: To be able to decrypt the DEK. Azure Database for MySQL Flexible server needs the decrypted DEK to encrypt/decrypt the data

+When you configure a flexible server to use a CMK stored in the key vault, the server sends the DEK to the key vault for encryptions. Key Vault returns the encrypted DEK, which is stored in the user database. Similarly, when needed, the flexible server will send the protected DEK to the key vault for decryption.

+After logging is enabled, auditors can use Azure Monitor to review Key Vault audit event logs. To enable logging of [Key Vault auditing events](../../key-vault/key-vault-insights-overview.md), see Monitoring your key vault service with Key Vault insights.

+> [!Note]

+> Permission changes can take up to 10 minutes to impact the key vault. This includes revoking access permissions to the TDE protector in AKV, and users within this time frame may still have access permissions.

+**Requirements for configuring data encryption for Azure Database for MySQL Flexible server**

+Before you attempt to configure Key Vault, be sure to address the following requirements.

+- The Key Vault and Azure Database for MySQL flexible server must belong to the same Azure Active Directory (Azure AD) tenant. Cross-tenant Key Vault and flexible server interactions aren't supported. If you move Key Vault resources after performing the configuration, youΓÇÖll need to reconfigure data encryption.

+- The Key Vault and Azure Database for MySQL flexible server must reside in the same region.

+- Enable the [soft-delete](../../key-vault/general/soft-delete-overview.md) feature on the key vault with retention period set to 90 days to protect from data loss should an accidental key (or Key Vault) deletion occur. The recover and purge actions have their own permissions associated in a Key Vault access policy. The soft-delete feature is off by default, but you can enable it through the Azure portal or by using PowerShell or the Azure CLI.

+- Enable the [Purge Protection](/azure/key-vault/general/soft-delete-overview#purge-protection.md) feature on the key vault and set the retention period to 90 days. When purge protection is on, a vault or an object in the deleted state can't be purged until the retention period has passed. You can enable this feature by using PowerShell or the Azure CLI, and only after you've enabled soft-delete.

+Before you attempt to configure the CMK, be sure to address the following requirements.

+

+- The customer-managed key to be used for encrypting the DEK can be only asymmetric, RSA 2048.

+- The key activation date (if set) must be a date and time in the past. The expiration date not set.

+- The key must be in the **Enabled** state.

+- The key must have [soft delete](../../key-vault/general/soft-delete-overview.md) with retention period set to 90 days. This implicitly sets the required key attribute recoveryLevel: ΓÇ£RecoverableΓÇ¥.

+- The key must have [purge protection enabled](../../key-vault/general/soft-delete-overview.md#purge-protection).

+- If you're [importing an existing key](/rest/api/keyvault/keys/import-key/import-key?tabs=HTTP) into the key vault, make sure to provide it in the supported file formats (.pfx, .byok, .backup).

+> [!Note]

+> For detailed, step-by-step instructions about how to configure date encryption for an Azure Database for MySQL flexible server via the Azure portal, see [Configure data encryption for MySQL Flexible server](how-to-data-encryption-portal.md).

+## Recommendations for configuring data encryption

+As you configure Key Vault to use data encryption by using a customer-managed key, keep in mind the following recommendations.

+- Set a resource lock on Key Vault to control who can delete this critical resource and prevent accidental or unauthorized deletion.

+- Enable auditing and reporting on all encryption keys. Key Vault provides logs that are easy to inject into other security information and event management tools. Azure Monitor Log Analytics is one example of a service that's already integrated.

+- Keep a copy of the customer-managed key in a secure place or escrow it to the escrow service.

+- If Key Vault generates the key, create a key backup before using the key for the first time. You can only restore the backup to Key Vault. For more information about the backup command, see [Backup-AzKeyVaultKey](/powershell/module/az.keyVault/backup-azkeyVaultkey?view=azps-8.3.0).

+## Inaccessible customer-managed key condition

+When you configure data encryption with a CMK in Key Vault, continuous access to this key is required for the server to stay online. If the flexible server loses access to the customer-managed key in Key Vault, the server begins denying all connections within 10 minutes. The flexible server issues a corresponding error message and changes the server state to Inaccessible. The server can reach this state for various reasons.

+- If you delete the KeyVault, the Azure Database for MySQL Flexible server will be unable to access the key, and will move to _Inaccessible_ state. Recover the [Key Vault](../../key-vault/general/key-vault-recovery.md) and revalidate the data encryption to make the Flexible server _Available_.

+- If we delete the key from the KeyVault, the Azure Database for MySQL Flexible server will be unable to access the key, and will move to _Inaccessible_ state. Recover the [Key](../../key-vault/general/key-vault-recovery.md) and revalidate the data encryption to make the Flexible server _Available_.

+- If the key stored in the Azure KeyVault expires, the key will become invalid, and the Azure Database for MySQL Flexible server will transition into _Inaccessible_ state. Extend the key expiry date using [CLI](/cli/azure/keyvault/key?view=azure-cli-latest#az-keyvault-key-set-attributes) and then revalidate the data encryption to make the Flexible server _Available_.

+## Accidental key access revocation from Key Vault

+It might happen that someone with sufficient access rights to Key Vault accidentally disables flexible server access to the key by:

+- Revoking the key vault's _get, list, wrap key_ and _unwrap key_ permissions from the server

+- Deleting the key

+- Deleting the key vault

+- Changing the key vault's firewall rules

+- Deleting the user managed identity used for encryption on the flexible server with a customer managed key in Azure AD

+## Monitor the customer-managed key in Key Vault

+To monitor the database state, and to enable alerting for the loss of transparent data encryption protector access, configure the following Azure features:

+- [Activity log](../../service-health/alerts-activity-log-service-notifications-portal.md): When access to the Customer Key in the customer-managed Key Vault fails, entries are added to the activity log. You can reinstate access as soon as possible if you create alerts for these events.

+- [Action groups](../../azure-monitor/alerts/action-groups.md): Define these groups to send you notifications and alerts based on your preferences.

+## Replica with a customer managed key in Key Vault

+Once Azure Database for MySQL flexible server is encrypted with a customer's managed key stored in Key Vault, any newly created copy of the server is also encrypted. When trying to encrypt Azure Database for MySQL flexible server with a customer managed key that already has a replica(s), we recommend configuring the replica(s) as well by adding the managed identity and key.

+## Restore with a customer managed key in Key Vault

+When attempting to restore an Azure Database for MySQL flexible server, you're given the option to select the User managed identity, and Key to encrypt the restore server.

+To avoid issues while setting up customer-managed data encryption during restore or read replica creation, it's important to follow these steps on the source and restored/replica servers:

+- Initiate the restore or read replica creation process from the source Azure Database for MySQL Flexible server.

+- On the restored/replica server, revalidate the customer-managed key in the data encryption settings to ensure that the User managed identity is given _Get, List, Wrap key_ and _Unwrap key_ permissions to the key stored in Key Vault.

+## Next steps

+- [Data encryption with Azure CLI (Preview)](how-to-data-encryption-cli.md)

+- [Data encryption with Azure portal (Preview)](how-to-data-encryption-portal.md)

+- [Azure Key Vault instance](../../key-vault/general/security-features.md)

+- [Security in encryption rest](../../security/fundamentals/encryption-atrest.md)

+ Title: Set data encryption for Azure Database for MySQL flexible server by using the Azure CLI Preview

+description: Learn how to set up and manage data encryption for your Azure Database for MySQL flexible server using Azure CLI.

+# Data encryption for Azure Database for MySQL - Flexible Server with Azure CLI Preview

+This tutorial shows you how to set up and manage data encryption for your Azure Database for MySQL - Flexible Server using Azure CLI preview.

+In this tutorial you'll learn how to:

+- Create a MySQL flexible server with data encryption

+- Update an existing MySQL flexible server with data encryption

+- Using an Azure Resource Manager template to enable data encryption

+## Prerequisites

+- An Azure account with an active subscription.

+- If you don't have an Azure subscription, create an [Azure free account](https://azure.microsoft.com/free) before you begin.

+

+ > [!Note]

+ > With an Azure free account, you can now try Azure Database for MySQL - Flexible Server for free for 12 months. For more information, see [Try Flexible Server for free](how-to-deploy-on-azure-free-account.md).

+- Install or upgrade Azure CLI to the latest version. See [Install Azure CLI](/cli/azure/install-azure-cli).

+- Log in to Azure account using [az login](/cli/azure/reference-index#az-login) command. Note the ID property, which refers to Subscription ID for your Azure account:

+```azurecli-interactive

+az login

+```

+- If you have multiple subscriptions, choose the appropriate subscription in which you want to create the server using the az account set command:

+```azurecli-interactive

+az account set --subscription \<subscription id\>

+```

+- In Azure Key Vault, create a key vault and a key. The key vault must have the following properties to use as a customer-managed key:

+[Soft delete](../../key-vault/general/soft-delete-overview.md):

+```azurecli-interactive

+az resource update --id $(az keyvault show --name \ \<key\_vault\_name\> -o tsv | awk '{print $1}') --set \ properties.enableSoftDelete=true

+```

+[Purge protected](../../key-vault/general/soft-delete-overview.md#purge-protection):

+```azurecli-interactive

+az keyvault update --name \<key\_vault\_name\> --resource-group \<resource\_group\_name\> --enable-purge-protection true

+```

+Retention days set to 90 days:

+```azurecli-interactive

+az keyvault update --name \<key\_vault\_name\> --resource-group \<resource\_group\_name\> --retention-days 90

+```

+The key must have the following attributes to use as a customer-managed key:

+ - No expiration dates

+ - Not disabled

+ - Perform **List** , **Get** , **Wrap** , **Unwrap** operations

+ - **recoverylevel** attribute set to Recoverable (this requires soft-delete enabled with retention period set to 90 days)

+ - **Purge protection** enabled

+You can verify the above attributes of the key by using the following command:

+```azurecli-interactive

+az keyvault key show --vault-name \<key\_vault\_name\> -n \<key\_name\>

+```

+> [!Note]

+> In the Public Preview, we can't enable geo redundancy on a flexible server that has CMK enabled, nor can we enable geo redundancy on a flexible server that has CMK enabled.

+## Update an existing MySQL flexible server with data encryption

+Set or change key and identity for data encryption:

+```azurecli-interactive

+az mysql flexible-server update --resource-group testGroup --name testserver \\ --key \<key identifier of newKey\> --identity newIdentity

+```

+Set or change key, identity, backup key and backup identity for data encryption with geo redundant backup:

+```azurecli-interactive

+az mysql flexible-server update --resource-group testGroup --name testserver \\ --key \<key identifier of newKey\> --identity newIdentity \\ --backup-key \<key identifier of newBackupKey\> --backup-identity newBackupIdentity

+```

+Disable data encryption for flexible server:

+```azurecli-interactive

+az mysql flexible-server update --resource-group testGroup --name testserver --disable-data-encryption

+```

+## Use an Azure Resource Manager template to enable data encryption

+The params **identityUri** and **primaryKeyUri** are the resource ID of the user managed identity and the user managed key, respectively.

+```json

+ "$schema": "http://schema.management.azure.com/schemas/2014-04-01-preview/deploymentTemplate.json#",

+ "contentVersion": "1.0.0.0",

+ "parameters": {

+ "administratorLogin": {

+ "type": "string"

+ },

+ "administratorLoginPassword": {

+ "type": "securestring"

+ },

+ "location": {

+ "type": "string"

+ },

+ "serverName": {

+ "type": "string"

+ },

+ "serverEdition": {

+ "type": "string"

+ },

+ "vCores": {

+ "type": "int",

+ "defaultValue": 4

+ },

+ "storageSizeGB": {

+ "type": "int"

+ },

+ "haEnabled": {

+ "type": "string",

+ "defaultValue": "Disabled"

+ },

+ "availabilityZone": {

+ "type": "string"

+ },

+ "standbyAvailabilityZone": {

+ "type": "string"

+ },

+ "version": {

+ "type": "string"

+ },

+ "tags": {

+ "type": "object",

+ "defaultValue": {}

+ },

+ "backupRetentionDays": {

+ "type": "int"

+ },

+ "geoRedundantBackup": {

+ "type": "string"

+ },

+ "vmName": {

+ "type": "string",

+ "defaultValue": "Standard_B1ms"

+ },

+ "storageIops": {

+ "type": "int"

+ },

+ "storageAutogrow": {

+ "type": "string",

+ "defaultValue": "Enabled"

+ },

+ "autoIoScaling": {

+ "type": "string",

+ "defaultValue": "Disabled"

+ },

+ "vnetData": {

+ "type": "object",

+ "metadata": {

+ "description": "Vnet data is an object which contains all parameters pertaining to vnet and subnet"

+ },

+ "defaultValue": {

+ "virtualNetworkName": "testVnet",

+ "subnetName": "testSubnet",

+ "virtualNetworkAddressPrefix": "10.0.0.0/16",

+ "virtualNetworkResourceGroupName": "[resourceGroup().name]",

+ "location": "eastus2",

+ "subscriptionId": "[subscription().subscriptionId]",

+ "subnetProperties": {},

+ "isNewVnet": false,

+ "subnetNeedsUpdate": false,

+ "Network": {}

+ }

+ },

+ "identityUri": {

+ "type": "string",

+ "metadata": {

+ "description": "The resource ID of the identity used for data encryption"

+ }

+ },

+ "primaryKeyUri": {

+ "type": "string",

+ "metadata": {

+ "description": "The resource ID of the key used for data encryption"

+ }

+ }

+ },

+ "variables": {

+ "api": "2021-05-01",

+ "identityData": "[if(empty(parameters('identityUri')), json('null'), createObject('type', 'UserAssigned', 'UserAssignedIdentities', createObject(parameters('identityUri'), createObject())))]",

+ "dataEncryptionData": "[if(or(empty(parameters('identityUri')), empty(parameters('primaryKeyUri'))), json('null'), createObject('type', 'AzureKeyVault', 'primaryUserAssignedIdentityId', parameters('identityUri'), 'primaryKeyUri', parameters('primaryKeyUri')))]"

+ },

+ "resources": [

+ {

+ "apiVersion": "[variables('api')]",

+ "location": "[parameters('location')]",

+ "name": "[parameters('serverName')]",

+ "identity": "[variables('identityData')]",

+ "properties": {

+ "version": "[parameters('version')]",

+ "administratorLogin": "[parameters('administratorLogin')]",

+ "administratorLoginPassword": "[parameters('administratorLoginPassword')]",

+ "Network": "[if(empty(parameters('vnetData').Network), json('null'), parameters('vnetData').Network)]",

+ "Storage": {

+ "StorageSizeGB": "[parameters('storageSizeGB')]",

+ "Iops": "[parameters('storageIops')]",

+ "Autogrow": "[parameters('storageAutogrow')]",

+ "AutoIoScaling": "[parameters('autoIoScaling')]"

+ },

+ "Backup": {

+ "backupRetentionDays": "[parameters('backupRetentionDays')]",

+ "geoRedundantBackup": "[parameters('geoRedundantBackup')]"

+ },

+ "availabilityZone": "[parameters('availabilityZone')]",

+ "highAvailability": {

+ "mode": "[parameters('haEnabled')]",

+ "standbyAvailabilityZone": "[parameters('standbyAvailabilityZone')]"

+ },

+ "dataEncryption": "[variables('dataEncryptionData')]"

+ },

+ "sku": {

+ "name": "[parameters('vmName')]",

+ "tier": "[parameters('serverEdition')]",

+ "capacity": "[parameters('vCores')]"

+ },

+ "tags": "[parameters('tags')]",

+ "type": "Microsoft.DBforMySQL/flexibleServers"

+ }

+ ]

+}

+```

+## Next steps

+- [Customer managed keys data encryption (Preview)](concepts-customer-managed-key.md)

+- [Data encryption with Azure portal (Preview)](how-to-data-encryption-portal.md)

+ Title: Set data encryption for Azure Database for MySQL flexible server by using the Azure portal Preview

+description: Learn how to set up and manage data encryption for your Azure Database for MySQL - Flexible Server using Azure portal.

+# Data encryption for Azure Database for MySQL - Flexible Server by using the Azure portal Preview

+This tutorial shows you how to set up and manage data encryption for your Azure Database for MySQL flexible server.

+In this tutorial, you learn how to:

+- Set data encryption for Azure Database for MySQL flexible server.

+- Configure data encryption for restore.

+- Configure data encryption for replica servers.

+## Prerequisites

+- An Azure account with an active subscription.

+- If you don't have an Azure subscription, create an [Azure free account](https://azure.microsoft.com/free) before you begin.

+

+ > [!Note]

+ > With an Azure free account, you can now try Azure Database for MySQL - Flexible Server for free for 12 months. For more information, see [Try Flexible Server for free](how-to-deploy-on-azure-free-account.md).

+## Set the right permissions for key operations

+1. In Key Vault, select **Access policies**, and then select **Create**.

+ :::image type="content" source="media/how-to-data-encryption-portal/1-mysql-key-vault-access-policy.jpeg" alt-text="Screenshot of Key Vault Access Policy in the Azure portal.":::

+2. On the **Permissions** tab, select the following **Key permissions - Get** , **List** , **Wrap Key** , **Unwrap Key**.

+3. On the **Principal** tab, select the User-assigned Managed Identity.

+

+ :::image type="content" source="media/how-to-data-encryption-portal/2-mysql-principal-tab.jpeg" alt-text="Screenshot of the principal tab in the Azure portal.":::

+4. Select **Create**.

+> [!Note]

+> In the Public Preview, we can't enable geo redundancy on a flexible server that has CMK enabled, nor can we enable geo redundancy on a flexible server that has CMK enabled.

+## Configure customer managed key

+To set up the customer managed key, perform the following steps.

+1. In the portal, navigate to your Azure Database for MySQL flexible server, and then, under **Security** , select **Data encryption**.

+ :::image type="content" source="media/how-to-data-encryption-portal/3-mysql-data-encryption.jpeg" alt-text="Screenshot of the data encryption page.":::

+2. On the **Data encryption** page, under **No identity assigned** , select **Change identity** ,

+3. In the **Select user assigned**** managed identity **dialog box, select the** demo-umi **identity, and then select** Add**.

+ :::image type="content" source="media/how-to-data-encryption-portal/4-mysql-assigned-managed-identity-demo-uni.jpeg" alt-text="Screenshot of selecting the demo-umi from the assigned managed identity page.":::

+4. To the right of **Key selection method** , either **Select a key** and specify a key vault and key pair, or select **Enter a key identifier**.

+ :::image type="content" source="media/how-to-data-encryption-portal/5-mysql-select-key.jpeg" alt-text="Screenshot of the Select Key page in the Azure portal.":::

+5. Select **Save**.

+## Using Data encryption for restore

+To use data encryption as part of a restore operation, perform the following steps.

+1. In the Azure portal, on the navigate Overview page for your server, select **Restore**.

+ 1. On the **Security** tab, you specify the identity and the key.

+ :::image type="content" source="media/how-to-data-encryption-portal/6-mysql-navigate-overview-page.jpeg" alt-text="Screenshot of overview page.":::

+2. Select **Change identity** and select the **User assigned managed identity** and select on **Add**

+**To select the Key** , you can either select a **key vault** and **key pair** or enter a **key identifier**

+ :::image type="content" source="media/how-to-data-encryption-portal/7-mysql-change-identity.jpeg" alt-text="SCreenshot of the change identity page.":::

+## Using Data encryption for replica servers

+After your Azure Database for MySQL flexible server is encrypted with a customer's managed key stored in Key Vault, any newly created copy of the server will also be encrypted.

+1. To configuration replication, under **Settings** , select **Replication** , and then select **Add replica**.

+ :::image type="content" source="media/how-to-data-encryption-portal/8-mysql-replication.jpeg" alt-text="Screenshot of the Replication page.":::

+2. In the Add Replica server to Azure Database for MySQL dialog box, select the appropriate **Compute + storage** option, and then select **OK**.

+ :::image type="content" source="media/how-to-data-encryption-portal/9-mysql-compute-storage.jpeg" alt-text="Screenshot of the Compute + Storage page.":::

+ > [!Important]

+ > When trying to encrypt Azure Database for MySQL flexible server with a customer managed key that already has a replica(s), we recommend configuring the replica(s) as well by adding the managed identity and key.

+## Next steps

+- [Customer managed keys data encryption (Preview)](concepts-customer-managed-key.md)

+- [Data encryption with Azure CLI (Preview)](how-to-data-encryption-cli.md)

+## September 2022

+- **Customer managed keys data encryption ΓÇô Azure Database for MySQL ΓÇô Flexible Server (Preview)**

+ With data encryption with customer-managed keys (CMKs) for Azure Database for MySQL - Flexible Server Preview, you can bring your own key (BYOK) for data protection at rest and implement separation of duties for managing keys and data. Data encryption with CMKs is set at the server level. For a given server, a CMK, called the key encryption key (KEK), is used to encrypt the data encryption key (DEK) used by the service. With customer managed keys (CMKs), the customer is responsible for and in a full control of key lifecycle management (key creation, upload, rotation, deletion), key usage permissions, and auditing operations on keys. [Learn More](concepts-customer-managed-key.md)

+- **Server parameters that are now configurable**

+ - When you try to connect to the server, you receive error "ERROR 9107 (HY000): Only Azure Active Directory accounts are allowed to connect to server".

+ Server parameter aad_auth_only was exposed in this month's deployment. Enabling server parameter aad_auth_only will block all non Azure Active Directory MySQL connections to your Azure Database for MySQL Flexible server. We're currently working on additional configurations required for Azure Active Directory authentication to be fully functional, and the feature will be available in the upcoming deployments. Don't enable the aad_auth_only parameter until then.

+ Azure Database for MySQL - Flexible Server now provides the added flexibility to migrate to geo-redundant backup storage from locally redundant backup storage post server-create to provide higher data resiliency. Enabling geo-redundancy via the server's Compute + Storage page empowers customers to recover their existing flexible servers from a geographic disaster or regional failure when they canΓÇÖt access the server in the primary region. With this feature enabled for their existing servers, customers can perform geo-restore and deploy a new server to the geo-paired Azure region using the original serverΓÇÖs latest available geo-redundant backup. [Learn more](concepts-backup-restore.md)

+ - When you're viewing automated backups for a HA enabled server on the Backup and Restore page, if at some point in time a forced or automatic failover is performed, you may lose viewing rights to the server's backups on the Backup and Restore page. Despite the invisibility of information regarding backups on the portal, the flexible server is successfully taking daily automated backups for the server in the backend. The server can be restored to any point within the retention period.

+ A dedicated Backup and Restore option is now available in the Azure portal. This page lists the backups available within the serverΓÇÖs retention period, effectively providing you with single pane view for managing a serverΓÇÖs backups and consequent restores. You can use this option to:

+- **FAQ in the Azure portal**

+ The Backup and Restore page includes section dedicated to listing your most frequently asked questions, together with answers. This should provide you with answers to most questions about backup directly within the Azure portal. In addition, selecting the question mark icon for FAQs on the top menu provides access to even more related detail.

+ Flexible Server now supports enabling validate_password and caching_sha2_password plugins in preview. Email us at AskAzureDBforMySQL@service.microsoft.com

+ - In a rare scenario and after HA failover, the primary server is in read_only mode. Resolve the issue by updating ΓÇ£read_onlyΓÇ¥ value from the server parameters page to OFF.

+ - After successfully scaling Compute on the Compute + Storage page, IOPS are reset to the SKU default. Customers can work around the issue by rescaling IOPs on the Compute + Storage page to desired value (previously set) post the compute deployment and consequent IOPS reset.

+ Title: Map enrichments in indexers

+# Map enriched output to fields in a search index in Azure Cognitive Search

+This article explains how to set up *output field mappings* that determine a data path between in-memory data structures created during skill processing, and target fields in a search index. An output field mapping is defined in an [indexer](search-indexer-overview.md) and has the following elements:

+```json

+"outputFieldMappings": [

+ {

+ "sourceFieldName": "document/path-to-a-node-in-an-enriched-document",

+ "targetFieldName": "some-search-field-in-an-index",

+ "mappingFunction": null

+ }

+],

+```

+In contrast with a [`fieldMappings`](search-indexer-field-mappings.md) definition that maps a path between two physical data structures, an `outputFieldMappings` definition maps in-memory data to fields in a search index.

+Output field mappings are required if your indexer has an attached [skillset](cognitive-search-working-with-skillsets.md) that creates new information, such as text translation or key phrase extraction. During indexer execution, AI-generated information exists in memory only. To persist this information in a search index, you'll need to tell the indexer where to send the data.

+Output field mappings can also be used to retrieve specific nodes in a source document's complex type. For example, you might want just "FullName/LastName" in a multi-part "FullName" property. When you don't need the full complex structure, you can [flatten individual nodes in a nested data structures](#flattening-information-from-complex-types), and then use an output field mapping to send the output to a string collection in your search index.

+Output field mappings apply to:

+Output field mappings are applied after [skillset execution](cognitive-search-working-with-skillsets.md) or after document cracking if there's no associated skillset.

+## Define an output field mapping

+Output field mappings are added to the `outputFieldMappings` array in an indexer definition, typically placed after the `fieldMappings` array. An output field mapping consists of three parts.

+"fieldMappings": []

+"outputFieldMappings": [

+ {

+ "sourceFieldName": "/document/path-to-a-node-in-an-enriched-document",

+ "targetFieldName": "some-search-field-in-an-index",

+ "mappingFunction": null

+ }

+],

+```

+| Property | Description |

+|-|-|

+| sourceFieldName | Required. Specifies a path to enriched content. An example might be `/document/content`. See [Reference annotations in an Azure Cognitive Search skillset](cognitive-search-concept-annotations-syntax.md) for path syntax and examples. |

+| targetFieldName | Optional. Specifies the search field that receives the enriched content. Target fields must be top-level simple fields or collections. It can't be a path to a subfield in a complex type. If you want to retrieve specific nodes in a complex structure, you can [flatten individual nodes](#flattening-information-from-complex-types) in memory, and then send the output to a string collection in your index. |

+| mappingFunction | Optional. Adds extra processing provided by [mapping functions](search-indexer-field-mappings.md#mappingFunctions) supported by indexers. In the case of enrichment nodes, encoding and decoding are the most commonly used functions. |

+You can use the REST API or an Azure SDK to define output field mappings.

+> [!TIP]

+> Indexers created by the [Import data wizard](search-import-data-portal.md) include output field mappings generated by the wizard. If you need examples, run the wizard over your data source to see the rendered definition.

+### [**REST APIs**](#tab/rest)

+Use [Create Indexer (REST)](/rest/api/searchservice/create-Indexer) or [Update Indexer (REST)](/rest/api/searchservice/update-indexer), any API version.

+This example adds entities and sentiment labels extracted from a blob's content property to fields in a search index.

+```JSON

+PUT https://[service name].search.windows.net/indexers/myindexer?api-version=[api-version]

+Content-Type: application/json

+api-key: [admin key]

+ "fieldMappings": [],

+For each output field mapping, set the location of the data in the enriched document tree (sourceFieldName), and the name of the field as referenced in the index (targetFieldName). Assign any [mapping functions](search-indexer-field-mappings.md#mappingFunctions) that you require to transform the content of a field before it's stored in the index.

+### [**.NET SDK (C#)**](#tab/csharp)

+In the Azure SDK for .NET, use the [OutputFieldMappingEntry](/dotnet/api/azure.search.documents.indexes.models.outputfieldmappingentry) class that provides "Name" and "TargetFieldName" properties and an optional "MappingFunction" reference.

+Specify output field mappings when constructing the indexer, or later by directly setting [SearchIndexer.OutputFieldMappings](/dotnet/api/azure.search.documents.indexes.models.searchindexer.outputfieldmappings). The following C# example sets the output field mappings when constructing an indexer.

+```csharp

+string indexerName = "cog-search-demo";

+SearchIndexer indexer = new SearchIndexer(

+ indexerName,

+ dataSourceConnectionName,

+ indexName)

+{

+ // Field mappings omitted for this example (assume default mappings)

+ OutputFieldMappings =

+ {

+ new FieldMapping("/document/content/organizations") { TargetFieldName = "orgNames" },

+ new FieldMapping("/document/content/sentiment") { TargetFieldName = "sentiment" }

+ },

+ SkillsetName = skillsetName

+};

+await indexerClient.CreateIndexerAsync(indexer);

+ -->

+<a name="flattening-information-from-complex-types"></a>

+## Flatten complex structures into a string collection

+If your source data is composed of nested or hierarchical JSON, you can't use field mappings to set up the data paths. Instead, your search index must mirror the source data structure for at each level for a full import.

+This section walks you through an import process that produces a one-to-one reflection of a complex document on both the source and target sides. Next, it uses the same source document to illustrate the retrieval and flattening of individual nodes into string collections.

+Here's an example of a document in Cosmos DB with nested JSON:

+```json

+{

+ "palette":"primary colors",

+ "colors":[

+ {

+ "name":"blue",

+ "medium":[

+ "acrylic",

+ "oil",

+ "pastel"

+ ]

+ },

+ {

+ "name":"red",

+ "medium":[

+ "acrylic",

+ "pastel",

+ "watercolor"

+ ]

+ },

+ {

+ "name":"yellow",

+ "medium":[

+ "acrylic",

+ "watercolor"

+ ]

+ }

+ ]

+}

+If you wanted to fully index the above source document, you'd create an index definition where the field names, levels, and types are reflected as a complex type. Because field mappings aren't supported for complex types in the search index, your index definition must mirror the source document.

+{

+ "name": "my-test-index",

+ "defaultScoringProfile": "",

+ "fields": [

+ { "name": "id", "type": "Edm.String", "searchable": false, "retrievable": true, "key": true},

+ { "name": "palette", "type": "Edm.String", "searchable": true, "retrievable": true },

+ { "name": "colors", "type": "Collection(Edm.ComplexType)",

+ "fields": [

+ {

+ "name": "name",

+ "type": "Edm.String",

+ "searchable": true,

+ "retrievable": true

+ },

+ {

+ "name": "medium",

+ "type": "Collection(Edm.String)",

+ "searchable": true,

+ "retrievable": true,

+ }

+ ]

+ ]

+}

+Here's a sample indexer definition that executes the import (notice there are no field mappings and no skillset).

+```json

+{

+ "name": "my-test-indexer",

+ "dataSourceName": "my-test-ds",

+ "skillsetName": null,

+ "targetIndexName": "my-test-index",

+ "fieldMappings": [],

+ "outputFieldMappings": []

+}

+```

+The result is the following sample search document, similar to the original in Cosmos DB.

+{

+ "value": [

+ {

+ "@search.score": 1,

+ "id": "240a98f5-90c9-406b-a8c8-f50ff86f116c",

+ "palette": "primary colors",

+ "colors": [

+ "name": "blue",

+ "medium": [

+ "acrylic",

+ "oil",

+ "pastel"

+ ]

+ },

+ {

+ "name": "red",

+ "medium": [

+ "acrylic",

+ "pastel",

+ "watercolor"

+ ]

+ },

+ {

+ "name": "yellow",

+ "medium": [

+ "acrylic",

+ "watercolor"

+ ]

+ ]

+ }

+ ]

+}

+An alternative rendering in a search index is to flatten individual nodes in the source's nested structure into a string collection in a search index.

+To accomplish this task, you'll need an `outputFieldMapping` that maps an in-memory node to a string collection in the index. Although output field mappings primarily apply to skill outputs, you can also use them to address nodes after ["document cracking"](search-indexer-overview.md#stage-1-document-cracking) where the indexer opens a source document and reads it into memory.

+Below is a sample index definition in Cognitive Search, using string collections to receive flattened output:

+{

+ "name": "my-new-flattened-index",

+ "defaultScoringProfile": "",

+ "fields": [

+ { "name": "id", "type": "Edm.String", "searchable": false, "retrievable": true, "key": true },

+ { "name": "palette", "type": "Edm.String", "searchable": true, "retrievable": true },

+ { "name": "color_names", "type": "Collection(Edm.String)", "searchable": true, "retrievable": true },

+ { "name": "color_mediums", "type": "Collection(Edm.String)", "searchable": true, "retrievable": true}

+ ]

+}

+Here's the sample indexer definition, using `outputFieldMappings` to associate the nested JSON with the string collection fields. Notice that the source field uses the path syntax for enrichment nodes, even though there's no skillset. Enriched documents are created in the system during document cracking, which means you can access nodes in each document tree as long as those nodes exist when the document is cracked.

+```json

+{

+ "name": "my-test-indexer",

+ "dataSourceName": "my-test-ds",

+ "skillsetName": null,

+ "targetIndexName": "my-new-flattened-index",

+ "parameters": { },

+ "fieldMappings": [ ],

+ "outputFieldMappings": [

+ {

+ "sourceFieldName": "/document/colors/*/name",

+ "targetFieldName": "color_names"

+ },

+ {

+ "sourceFieldName": "/document/colors/*/medium",

+ "targetFieldName": "color_mediums"

+ }

+ ]

+}

+```

+Results from the above definition are as follows. Simplifying the structure loses context in this case. There's no longer any associations between a given color and the mediums it's available in. However, depending on your scenario, a result similar to the one shown below might be exactly what you need.

+```json

+{

+ "value": [

+ {

+ "@search.score": 1,

+ "id": "240a98f5-90c9-406b-a8c8-f50ff86f116c",

+ "palette": "primary colors",

+ "color_names": [

+ "blue",

+ "red",

+ "yellow"

+ ],

+ "color_mediums": [

+ "[\"acrylic\",\"oil\",\"pastel\"]",

+ "[\"acrylic\",\"pastel\",\"watercolor\"]",

+ "[\"acrylic\",\"watercolor\"]"

+ ]

+ }

+ ]

+}

+```

+## See also

+ Title: Built-in skills

+> [!TIP]

+[**Create Index (REST API)**](/rest/api/searchservice/create-index) is used to create an index. Both Postman and Visual Studio Code (with an extension for Azure Cognitive Search) can function as a search index client. Using either tool, you can connect to your search service and send requests.

+The following links show you how to set up the request:

+You can see the current status of all of your indexers in your search service Overview page. Portal pages refresh every few minutes, so you won't see evidence of a new indexer run right away. Select **Refresh** at the top of the page to immediately retrieve the most recent view.

+| **In Progress** | Indicates active execution. The portal will report on partial information. As indexing progresses, you can watch the **Docs Succeeded** value grow in response. Indexers that process large volumes of data can take a long time to run. For example, indexers that handle millions of source documents can run for 24 hours, and then restart almost immediately to pick up where it left off. As such, the status for high-volume indexers might always say **In Progress** in the portal. Even when an indexer is running, details are available about ongoing progress and previous runs. |

+You can select on an indexer in the list to see more details about the indexer's current and recent runs.

+The **Execution details** list shows up to 50 of the most recent execution results. Select on an execution result in the list to see specifics about that run. This includes its start and end times, and any errors and warnings that occurred.

+If there were document-specific problems during the run, they'll be listed in the Errors and Warnings fields.

+Warnings are common with some types of indexers, and don't always indicate a problem. For example indexers that use Cognitive Services can report warnings when image or PDF files don't contain any text to process.

+| Skill execution invocation count | Shows the number of skill invocations. | Data source name, failed, index name, indexer name, skill name, skill type, skillset name | <br> - Reference to ensure skills are invoked as expected by comparing relative invocation numbers between skills and number of skill invocations to the number of documents. <br> - Set up to alert on failed skill invocations |

+You can also configure the graph to see the number of skill invocations over the same hour interval.

+Note there are two different status values. The top level status is for the indexer itself. An indexer status of **running** means the indexer is set up correctly and available to run, but not that it's currently running.

+For more information about status codes and indexer monitoring data, see [Get Indexer Status](/rest/api/searchservice/get-indexer-status).

+Note there are two different status values. The top-level status is the status of the indexer itself. An indexer status of **Running** means that the indexer is set up correctly and available for execution, but not that it's currently executing.

+For more information about status codes and indexer monitoring information, see the following API reference:

+ Title: Map fields in indexers

+When an [Azure Cognitive Search indexer](search-indexer-overview.md) loads a search index, it determines the data path through source-to-destination field mappings. Implicit field mappings are internal and occur when field names and data types are compatible between the source and destination.

+If inputs and outputs don't match, you can define explicit *field mappings* to set up the data path, as described in this article. Field mappings can also be used to introduce light-weight data conversion, such as encoding or decoding, through [mapping functions](#mappingFunctions). If more processing is required, consider [Azure Data Factory](../data-factory/index.yml) to bridge the gap.

+Field mappings apply to:

+> [!NOTE]

+> If you're working with complex data (nested or hierarchical structures), and you'd like to mirror that data structure in your search index, your search index must match the source structure exactly (same field names, levels, and types) so that the default mappings will work. Optionally, you might want just a few nodes in the complex structure. To get individual nodes, you can flatten incoming data into a string collection (see [outputFieldMappings](cognitive-search-output-field-mapping.md#flatten-complex-structures-into-a-string-collection) for this workaround).

+## Supported scenarios

+| Use-case | Description |

+|-|-|

+| Name discrepancy | Suppose your data source has a field named `_city`. Given that Azure Cognitive Search doesn't allow field names that start with an underscore, a field mapping lets you effectively map "_city" to "city". </p>If your indexing requirements include retrieving content from multiple data sources, where field names vary among the sources, you could use a field mapping to clarify the path.|

+| Type discrepancy | Supposed you want a source integer field to be of type `Edm.String` so that it's searchable in the search index. Because the types are different, you'll need to define a field mapping in order for the data path to succeed. Note that Cognitive Search has a smaller set of [supported data types](/rest/api/searchservice/supported-data-types) than many data sources. If you're importing SQL data, a field mapping allows you to [map the SQL data type](search-howto-connecting-azure-sql-database-to-azure-search-using-indexers.md#mapping-data-types) you want in a search index.|

+| One-to-many data paths | You can populate multiple fields in the index with content from the same source field. For example, you might want to apply different analyzers to each field to support different use cases in your client app.|

+| Encoding and decoding | You can apply [mapping functions](#mappingFunctions) to support Base64 encoding or decoding of data during indexing. |

+| Split strings or recast arrays into collections | You can apply [mapping functions](#mappingFunctions) to split a string that includes a delimiter, or to send a JSON array to a search field of type `Collection(Edm.String)`.

+## Define a field mapping

+Field mappings are added to the "fieldMappings" array of an indexer definition. A field mapping consists of three parts.

+```json

+"fieldMappings": [

+ {

+ "sourceFieldName": "_city",

+ "targetFieldName": "city",

+ "mappingFunction": null

+ }

+],

+```

+| sourceFieldName | Required. Represents a field in your data source. |

+| targetFieldName | Optional. Represents a field in your search index. If omitted, the value of "sourceFieldName" is assumed for the target. Target fields must be top-level simple fields or collections. It can't be a complex type or collection. If you're handling a data type issue, a field's data type is specified in the index definition. The field mapping just needs to have the field's name.|

+| mappingFunction | Optional. Consists of [predefined functions](#mappingFunctions) that transform data. |

+> If no field mappings are present, indexers assume data source fields should be mapped to index fields with the same name. Adding a field mapping overrides the default field mappings for the source and target field. Some indexers, such as the [blob storage indexer](search-howto-indexing-azure-blob-storage.md), add default field mappings for the index key field.

+You can use the REST API or an Azure SDK to define field mappings.

+Use [Create Indexer (REST)](/rest/api/searchservice/create-Indexer) or [Update Indexer (REST)](/rest/api/searchservice/update-indexer), any API version.

+This example handles a field name discrepancy.

+This example maps a single source field to multiple target fields ("one-to-many" mappings). You can "fork" a field, copying the same source field content to two different index fields that will be analyzed or attributed differently in the index.

+## Mapping functions and examples

+There are times when you need to use an encoded version of a field like "metadata_storage_path" as the key, but also need an unencoded version for full text search. To support both scenarios, you can map "metadata_storage_path" to two fields: one for the key (encoded), and a second for a path field that we can assume is attributed as "searchable" in the index schema.

+Azure Cognitive Search supports two different Base64 encodings. You should use the same parameters when encoding and decoding the same field. For more information, see [base64 encoding options](#base64details) to decide which parameters to use.

+The .NET libraries in Azure Cognitive Search assume the full .NET Framework, which provides built-in encoding. The `useHttpServerUtilityUrlTokenEncode` and `useHttpServerUtilityUrlTokenDecode` options apply this built-in functionality. If you're using .NET Core or another framework, we recommend setting those options to `false` and calling your framework's encoding and decoding functions directly.

+| Encoding | Base64 encode output | Extra processing after library encoding | Extra processing before library decoding |

+A multitenant application is one that provides the same services and capabilities to any number of tenants who can't see or share the data of any other tenant. This article discusses tenant isolation strategies for multitenant applications built with Azure Cognitive Search.

+Before discussing design patterns, it's important to understand a few basic concepts.

+When using Azure Cognitive Search, one subscribes to a *search service*. As data is uploaded to Azure Cognitive Search, it's stored in an *index* within the search service. There can be a number of indexes within a single service. To use the familiar concepts of databases, the search service can be likened to a database while the indexes within a service can be likened to tables within a database.

+In Azure Cognitive SearchΓÇÖs S3 pricing tier, there's an option for the High Density (HD) mode designed specifically for multitenant scenarios. In many cases, it's necessary to support a large number of smaller tenants under a single service to achieve the benefits of simplicity and cost efficiency.

+An S3 service is designed to host a fixed number of indexes (maximum 200) and allow each index to scale in size horizontally as new partitions are added to the service. Adding partitions to S3 HD services increases the maximum number of indexes that the service can host. The ideal maximum size for an individual S3HD index is around 50 - 80 GB, although there's no hard size limit on each index imposed by the system.

+In the case of a multitenant scenario, the application developer consumes one or more search services and divides their tenants among services, indexes, or both. Azure Cognitive Search has a few common patterns when modeling a multitenant scenario:

+Tenants achieve data isolation because all search requests and document operations are issued at an index level in Azure Cognitive Search. In the application layer, there's the need awareness to direct the various tenantsΓÇÖ traffic to the proper indexes while also managing resources at the service level across all tenants.

+For applications with a global footprint, the index-per-tenant model may not be the most efficient. If an application's tenants are distributed across the globe, a separate service may be necessary for each region, which may duplicate costs across each of them.

+If the total number of indexes grows too large for a single service, another service has to be provisioned to accommodate the new tenants. If indexes have to be moved between search services as new services are added, the data from the index has to be manually copied from one index to the other as Azure Cognitive Search doesn't allow for an index to be moved.

+In this model, the application achieves the maximum level of isolation for its tenants. Each service has dedicated storage and throughput for handling search requests. Each tenant has individual ownership of API keys.

+For applications where each tenant has a large footprint or the workload has little variability from tenant to tenant, the service-per-tenant model is an effective choice as resources aren't shared across various tenantsΓÇÖ workloads.

+A service per tenant model also offers the benefit of a predictable, fixed cost model. There's no up-front investment in an entire search service until there's a tenant to fill it, however the cost-per-tenant is higher than an index-per-tenant model.

+The service-per-tenant model is an efficient choice for applications with a global footprint. With geographically distributed tenants, it's easy to have each tenant's service in the appropriate region.

+The challenges in scaling this pattern arise when individual tenants outgrow their service. Azure Cognitive Search doesn't currently support upgrading the pricing tier of a search service, so all data would have to be manually copied to a new service.

+However, implementing this strategy relies on foresight in predicting which tenants will require a dedicated service versus an index in a shared service. Application complexity increases with the need to manage both of these multitenancy models.

+If service-per-tenant and index-per-tenant models aren't sufficiently small scopes, it's possible to model an index to achieve an even finer degree of granularity.

+To have a single index behave differently for different client endpoints, a field can be added to an index, which designates a certain value for each possible client. Each time a client calls Azure Cognitive Search to query or modify an index, the code from the client application specifies the appropriate value for that field using Azure Cognitive Search's [filter](./query-odata-filter-orderby-syntax.md) capability at query time.

+The string is composed of tokens, not characters or words. The maximum token count is 128 unique tokens. For estimation purposes, you can assume that 128 tokens are roughly equivalent to a string that is 128 words in length.

+> Tokenization is determined in part by the analyzer assignment on searchable fields. If you are using specialized analyzer, such as nGram or EdgeNGram, you might want to exclude that field from searchFields. For insights into how strings are tokenized, you can review the token output of an analyzer using the [Test Analyzer REST API](/rest/api/searchservice/test-analyzer).

+1. After all documents are scored, they're listed in descending order by score and included in the query response payload. The payload includes answers, plain text and highlighted captions, and any fields that you marked as retrievable or specified in a select clause.

+ | Username | Enter the user name of the administrator. Use an account that's valid for your Azure subscription. You'll want to sign into Azure portal from the VM so that you can manage your search service. |

+- [Log4j vulnerability exploit aka Log4Shell IP IOC](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection/Analytic%20Rules/Log4J_IPIOC_Dec112021.yaml)

+- [User agent search for log4j exploitation attempt](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Apache%20Log4j%20Vulnerability%20Detection/Analytic%20Rules/UserAgentSearch_log4j.yaml)

+- [Heads up: Name fields being removed from UEBA UserPeerAnalytics table](#heads-up-name-fields-being-removed-from-ueba-userpeeranalytics-table)

+- [Windows DNS Events via AMA connector (Preview)](#windows-dns-events-via-ama-connector-preview)

+### Heads up: Name fields being removed from UEBA UserPeerAnalytics table

+As of **September 30, 2022**, the UEBA engine will no longer perform automatic lookups of user IDs and resolve them into names. This change will result in the removal of four name fields from the *UserPeerAnalytics* table:

+- UserName

+- UserPrincipalName

+- PeerUserName

+- PeerUserPrincipalName

+The corresponding ID fields remain part of the table, and any built-in queries and other operations will execute the appropriate name lookups in other ways (using the IdentityInfo table), so you shouldnΓÇÖt be affected by this change in nearly all circumstances.

+The only exception to this is if youΓÇÖve built custom queries or rules directly referencing any of these name fields. In this scenario, you can incorporate the following lookup queries into your own, so you can access the values that would have been in these name fields.

+The following query resolves **user** and **peer identifier fields**:

+```kusto

+UserPeerAnalytics

+| where TimeGenerated > ago(24h)

+// join to resolve user identifier fields

+| join kind=inner (

+ IdentityInfo

+ | where TimeGenerated > ago(14d)

+ | distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName

+ | extend UserPrincipalNameIdentityInfo = AccountUPN

+ | extend UserNameIdentityInfo = AccountDisplayName

+ | project AccountTenantId, AccountObjectId, UserPrincipalNameIdentityInfo, UserNameIdentityInfo

+) on $left.AADTenantId == $right.AccountTenantId, $left.UserId == $right.AccountObjectId

+// join to resolve peer identifier fields

+| join kind=inner (

+ IdentityInfo

+ | where TimeGenerated > ago(14d)

+ | distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName

+ | extend PeerUserPrincipalNameIdentityInfo = AccountUPN

+ | extend PeerUserNameIdentityInfo = AccountDisplayName

+ | project AccountTenantId, AccountObjectId, PeerUserPrincipalNameIdentityInfo, PeerUserNameIdentityInfo

+) on $left.AADTenantId == $right.AccountTenantId, $left.PeerUserId == $right.AccountObjectId

+```

+If your original query referenced the user or peer names (not just their IDs), substitute this query in its entirety for the table name (ΓÇ£UserPeerAnalyticsΓÇ¥) in your original query.

+### Windows DNS Events via AMA connector (Preview)

+You can now use the new [Windows DNS Events via AMA connector](connect-dns-ama.md) to stream and filter events from your Windows Domain Name System (DNS) server logs to the `ASimDnsActivityLog` normalized schema table. You can then dive into your data to protect your DNS servers from threats and attacks.

+The Azure Monitor Agent (AMA) and its DNS extension are installed on your Windows Server to upload data from your DNS analytical logs to your Microsoft Sentinel workspace.

+Here are some benefits of using AMA for DNS log collection:

+- AMA is faster compared to the existing Log Analytics Agent (MMA/OMS). AMA handles up to 5000 events per second (EPS) compared to 2000 EPS with the existing agent.

+- AMA provides centralized configuration using Data Collection Rules (DCRs), and also supports multiple DCRs.

+- AMA supports transformation from the incoming stream into other data tables.

+- AMA supports basic and advanced filtering of the data. The data is filtered on the DNS server and before the data is uploaded, which saves time and resources.

+description: The data protection options available for you're for Blob Storage and Azure Data Lake Storage Gen2 data enable you to protect your data from being deleted or overwritten. If you should need to recover data that has been deleted or overwritten, this guide can help you to choose the recovery option that's best for your scenario.

+If you're looking for basic data protection coverage for your storage account and the data that it contains, then Microsoft recommends taking the following steps to begin with:

+These options, as well as other data protection options for other scenarios, are described in more detail in the following section.

+The following table summarizes the options available in Azure Storage for common data protection scenarios. Choose the scenarios that are applicable to your situation to learn more about the options available to you. Not all features are available at this time for storage accounts with a hierarchical namespace enabled.

+| Prevent a storage account from being deleted or modified. | Azure Resource Manager lock<br />[Learn more...](../common/lock-account-resource.md) | Lock all of your storage accounts with an Azure Resource Manager lock to prevent deletion of the storage account. | Protects the storage account against deletion or configuration changes.<br /><br />Doesn't protect containers or blobs in the account from being deleted or overwritten. | Yes |

+| Prevent a container and its blobs from being deleted or modified for an interval that you control. | Immutability policy on a container<br />[Learn more...](immutable-storage-overview.md) | Set an immutability policy on a container to protect business-critical documents, for example, in order to meet legal or regulatory compliance requirements. | Protects a container and its blobs from all deletes and overwrites.<br /><br />When a legal hold or a locked time-based retention policy is in effect, the storage account is also protected from deletion. Containers for which no immutability policy has been set aren't protected from deletion. | Yes, in preview |

+| Restore a deleted container within a specified interval. | Container soft delete<br />[Learn more...](soft-delete-container-overview.md) | Enable container soft delete for all storage accounts, with a minimum retention interval of seven days.<br /><br />Enable blob versioning and blob soft delete together with container soft delete to protect individual blobs in a container.<br /><br />Store containers that require different retention periods in separate storage accounts. | A deleted container and its contents may be restored within the retention period.<br /><br />Only container-level operations (for example, [Delete Container](/rest/api/storageservices/delete-container)) can be restored. Container soft delete doesn't enable you to restore an individual blob in the container if that blob is deleted. | Yes |

+| Automatically save the state of a blob in a previous version when it's overwritten. | Blob versioning<br />[Learn more...](versioning-overview.md) | Enable blob versioning, together with container soft delete and blob soft delete, for storage accounts where you need optimal protection for blob data.<br /><br />Store blob data that doesn't require versioning in a separate account to limit costs. | Every blob write operation creates a new version. The current version of a blob may be restored from a previous version if the current version is deleted or overwritten. | No |

+| Restore a deleted blob or blob version within a specified interval. | Blob soft delete<br />[Learn more...](soft-delete-blob-overview.md) | Enable blob soft delete for all storage accounts, with a minimum retention interval of seven days.<br /><br />Enable blob versioning and container soft delete together with blob soft delete for optimal protection of blob data.<br /><br />Store blobs that require different retention periods in separate storage accounts. | A deleted blob or blob version may be restored within the retention period. | Yes |

+| Restore a set of block blobs to a previous point in time. | Point-in-time restore<br />[Learn more...](point-in-time-restore-overview.md) | To use point-in-time restore to revert to an earlier state, design your application to delete individual block blobs rather than deleting containers. | A set of block blobs may be reverted to their state at a specific point in the past.<br /><br />Only operations performed on block blobs are reverted. Any operations performed on containers, page blobs, or append blobs aren't reverted. | No |

+| Manually save the state of a blob at a given point in time. | Blob snapshot<br />[Learn more...](snapshots-overview.md) | Recommended as an alternative to blob versioning when versioning isn't appropriate for your scenario, due to cost or other considerations, or when the storage account has a hierarchical namespace enabled. | A blob may be restored from a snapshot if the blob is overwritten. If the blob is deleted, snapshots are also deleted. | Yes, in preview |

+| A blob can be deleted or overwritten, but the data is regularly copied to a second storage account. | Roll-your-own solution for copying data to a second account by using Azure Storage object replication or a tool like AzCopy or Azure Data Factory. | Recommended for peace-of-mind protection against unexpected intentional actions or unpredictable scenarios.<br /><br />Create the second storage account in the same region as the primary account to avoid incurring egress charges. | Data can be restored from the second storage account if the primary account is compromised in any way. | AzCopy and Azure Data Factory are supported.<br /><br />Object replication isn't supported. |

+¹ An Azure Resource Manager lock doesn't protect a container from deletion.<br />

+If you should need to recover data that has been overwritten or deleted, how you proceed depends on which data protection options you've enabled and which resource was affected. The following table describes the actions that you can take to recover data.

+| Storage account | Attempt to recover the deleted storage account<br />[Learn more...](../common/storage-account-recover.md) | The storage account was originally created with the Azure Resource Manager deployment model and was deleted within the past 14 days. A new storage account with the same name hasn't been created since the original account was deleted. |

+| Container | Recover the soft-deleted container and its contents<br />[Learn more...](soft-delete-container-enable.md) | Container soft delete is enabled and the container soft delete retention period hasn't yet expired. |

+| Blob (any type) | Recover a soft-deleted blob<br />[Learn more...](soft-delete-blob-enable.md) | Blob soft delete is enabled and the soft delete retention interval hasn't expired. |

+| Set of block blobs | Recover a set of block blobs to their state at an earlier point in time¹<br />[Learn more...](point-in-time-restore-manage.md) | Point-in-time restore is enabled and the restore point is within the retention interval. The storage account hasn't been compromised or corrupted. |

+| Blob version | Recover a soft-deleted version¹<br />[Learn more...](soft-delete-blob-enable.md) | Blob soft delete is enabled and the soft delete retention interval hasn't expired. |

+| Point-in-time restore | No charge to enable point-in-time restore for a storage account; however, enabling point-in-time restore also enables blob versioning, soft delete, and change feed, each of which may result in other charges.<br /><br />You're billed for point-in-time restore when you perform a restore operation. The cost of a restore operation depends on the amount of data being restored. For more information, see [Pricing and billing](point-in-time-restore-overview.md#pricing-and-billing). |

+Azure Storage always maintains multiple copies of your data so that it's protected from planned and unplanned events, including transient hardware failures, network or power outages, and massive natural disasters. Redundancy ensures that your storage account meets its availability and durability targets even in the face of failures. For more information about how to configure your storage account for high availability, see [Azure Storage redundancy](../common/storage-redundancy.md).

+If a failure occurs in a data center, if your storage account is redundant across two geographical regions (geo-redundant), then you have the option to fail over your account from the primary region to the secondary region. For more information, see [Disaster recovery and storage account failover](../common/storage-disaster-recovery-guidance.md).

+Customer-managed failover isn't currently supported for storage accounts with a hierarchical namespace enabled. For more information, see [Blob storage features available in Azure Data Lake Storage Gen2](./storage-feature-support-in-storage-accounts.md).

+description: A legal hold stores blob data in a Write-Once, Read-Many (WORM) format until it's explicitly cleared. Use a legal hold when the period of time that the data must be kept in a WORM state is unknown.

+A legal hold is a temporary immutability policy that can be applied for legal investigation purposes or general protection policies. A legal hold stores blob data in a Write-Once, Read-Many (WORM) format until it's explicitly cleared. When a legal hold is in effect, blobs can be created and read, but not modified or deleted. Use a legal hold when the period of time that the data must be kept in a WORM state is unknown.

+- Container-level policy: A legal hold that is configured at the container level applies to all blobs in that container. Individual blobs can't be configured with their own immutability policies.

+To configure a legal hold on a blob version, you must first enable version-level immutability on the storage account or the parent container. Version-level immutability can't be disabled after it's enabled. For more information, [Enable support for version-level immutability](immutable-policy-configure-version-scope.md#enable-support-for-version-level-immutability).

+A legal hold for a container applies to all objects in the container. When the legal hold is cleared, clients can once again write and delete objects in the container, unless there's also a time-based retention policy in effect for the container.

+When a legal hold is applied to a container, all existing blobs move into an immutable WORM state in less than 30 seconds. All new blobs that are uploaded to that policy-protected container will also move into an immutable state. Once all blobs are in an immutable state, overwrite or delete operations in the immutable container aren't allowed. In an account that has a hierarchical namespace, blobs can't be renamed or moved to a different directory.

+The [Azure Activity log](../../azure-monitor/essentials/platform-logs-overview.md) provides a more comprehensive log of all management service activities. [Azure resource logs](../../azure-monitor/essentials/platform-logs-overview.md) retain information about data operations. It's the user's responsibility to store those logs persistently, as might be required for regulatory or other purposes.

+- For a container, the maximum number of legal hold tags is 10.

+- For a container, a maximum of 10 legal hold policy audit logs are retained for the duration of the policy.

+## Allow protected append blobs writes

+Append blobs are composed of blocks of data and optimized for data append operations required by auditing and logging scenarios. By design, append blobs only allow the addition of new blocks to the end of the blob. Regardless of immutability, modification or deletion of existing blocks in an append blob is fundamentally not allowed. To learn more about append blobs, see [About Append Blobs](/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs#about-append-blobs).

+The **AllowProtectedAppendWritesAll** property setting allows for writing new blocks to an append blob while maintaining immutability protection and compliance. If this setting is enabled, you can create an append blob directly in the policy-protected container, and then continue to add new blocks of data to the end of the append blob with the Append Block operation. Only new blocks can be added; any existing blocks can't be modified or deleted. Enabling this setting doesn't affect the immutability behavior of block blobs or page blobs.

+> [!NOTE]

+> This property is available only for container-level policies. This property is not available for version-level policies.

+This setting also adds the ability to write new blocks to a block blob. The Blob Storage API doesn't provide a way for applications to do this directly. However, applications can accomplish this by using append and flush methods that are available in the Data Lake Storage Gen2 API. Also, this property enables Microsoft applications such as Azure Data Factory to append blocks of data by using internal APIs. If your workloads depend on any of these tools, then you can use this property to avoid errors that can appear when those tools attempt to append data to blobs.

+2. Select the **More** button on the right, then select **Access policy**.

+3. In the **Immutable blob storage** section, select **Add policy**.

+4. In the **Policy type** field, select **Time-based retention**, and specify the retention period in days.

+5. To create a policy with container scope, do not check the box for **Enable version-level immutability**.

+6. Choose whether to allow protected append writes.

+ The **Append blobs** option enables your workloads to add new blocks of data to the end of an append blob by using the [Append Block](/rest/api/storageservices/append-block) operation.

+ The **Block and append blobs** option provides you with the same permissions as the **Append blobs** option but adds the ability to write new blocks to a block blob. The Blob Storage API does not provide a way for applications to do this directly. However, applications can accomplish this by using append and flush methods that are available in the Data Lake Storage Gen2 API. Also, some Microsoft applications use internal APIs to create block blobs and then append to them. If your workloads depend on any of these tools, then you can use this property to avoid errors that can appear when those tools attempt to append blocks to a block blob.

+ To learn more about these options, see [Allow protected append blobs writes](immutable-time-based-retention-policy-overview.md#allow-protected-append-blobs-writes).

+To allow protected append writes, set the `-AllowProtectedAppendWrite` or `-AllowProtectedAppendWriteAll` parameter to `true`.

+The **AllowProtectedAppendWrite** option enables your workloads to add new blocks of data to the end of an append blob by using the [Append Block](/rest/api/storageservices/append-block) operation.

+The **AllowProtectedAppendWriteAll** option provides you with the same permissions as the **AllowProtectedAppendWrite** option but adds the ability to write new blocks to a block blob. The Blob Storage API does not provide a way for applications to do this directly. However, applications can accomplish this by using append and flush methods that are available in the Data Lake Storage Gen2 API. Also, some Microsoft applications use internal APIs to create block blobs and then append to them. If your workloads depend on any of these tools, then you can use this property to avoid errors that can appear when those tools attempt to append blocks to a block blob.

+To learn more about these options, see [Allow protected append blobs writes](immutable-time-based-retention-policy-overview.md#allow-protected-append-blobs-writes).

+To allow protected append writes, set the `--allow-protected-append-writes` or `--allow-protected-append-writes-all` parameter to `true`.

+The **--allow-protected-append-writes** option enables your workloads to add new blocks of data to the end of an append blob by using the [Append Block](/rest/api/storageservices/append-block) operation.

+The **--allow-protected-append-writes-all** option provides you with the same permissions as the **--allow-protected-append-writes** option but adds the ability to write new blocks to a block blob. The Blob Storage API does not provide a way for applications to do this directly. However, applications can accomplish this by using append and flush methods that are available in the Data Lake Storage Gen2 API. Also, some Microsoft applications use internal APIs to create block blobs and then append to them. If your workloads depend on any of these tools, then you can use this property to avoid errors that can appear when those tools attempt to append blocks to a block blob.

+To learn more about these options, see [Allow protected append blobs writes](immutable-time-based-retention-policy-overview.md#allow-protected-append-blobs-writes).

+ -AllowProtectedAppendWriteAll true `

+ --allow-protected-append-writes-all true

+2. Select the **More** button and choose **Access policy**.

+3. Under the **Immutable blob versions** section, select **Add policy**.

+4. Choose **Legal hold** as the policy type.

+5. Add one or more legal hold tags.

+6. Choose whether to allow protected append writes, and then select **Save**.

+ The **Append blobs** option enables your workloads to add new blocks of data to the end of an append blob by using the [Append Block](/rest/api/storageservices/append-block) operation.

+ This setting also adds the ability to write new blocks to a block blob. The Blob Storage API does not provide a way for applications to do this directly. However, applications can accomplish this by using append and flush methods that are available in the Data Lake Storage Gen2 API. Also, this property enables Microsoft applications such as Azure Data Factory to append blocks of data by using internal APIs. If your workloads depend on any of these tools, then you can use this property to avoid errors that can appear when those tools attempt to append data to blobs.

+ To learn more about these options, see [Allow protected append blobs writes](immutable-legal-hold-overview.md#allow-protected-append-blobs-writes).

+ :::image type="content" source="media/immutable-policy-configure-container-scope/configure-retention-policy-container-scope-legal-hold.png" alt-text="Screenshot showing how to configure legal hold policy scoped to container.":::

+After you've configured the immutability policy, you will see that it is scoped to the container:

+ -Tag <tag1>,<tag2>,...`

+ -AllowProtectedAppendWriteAll true

+ --resource-group <resource-group> \

+ --allow-protected-append-writes-all true

+ --resource-group <resource-group> \

+2. Select the **More** button to the right of the container name, and choose **Access policy**.

+3. In the **Access policy** dialog, under the **Immutable blob storage** section, choose **Add policy**.

+4. Select **Time-based retention policy** and specify the retention interval.

+5. Choose whether to allow protected append writes.

+ The **Append blobs** option enables your workloads to add new blocks of data to the end of an append blob by using the [Append Block](/rest/api/storageservices/append-block) operation.

+ The **Block and append blobs** option extends this support by adding the ability to write new blocks to a block blob. The Blob Storage API does not provide a way for applications to do this directly. However, applications can accomplish this by using append and flush methods that are available in the Data Lake Storage Gen2 API. Also, this property enables Microsoft applications such as Azure Data Factory to append blocks of data by using internal APIs. If your workloads depend on any of these tools, then you can use this property to avoid errors that can appear when those tools attempt to append data to blobs.

+ To learn more about these options, see [Allow protected append blobs writes](immutable-time-based-retention-policy-overview.md#allow-protected-append-blobs-writes).

+ :::image type="content" source="media/immutable-policy-configure-version-scope/configure-retention-policy-container-scope.png" alt-text="Screenshot showing how to configure immutability policy scoped to container.":::

+2. Under the **Immutable blob versions** section, select **Add policy**.

+3. Choose **Legal hold** as the policy type, and select **OK** to apply it.

+¹ The [Append Block](/rest/api/storageservices/append-block) operation is permitted only for policies with the **allowProtectedAppendWrites** or **allowProtectedAppendWritesAll** property enabled. For more information, see [Allow protected append blobs writes](immutable-time-based-retention-policy-overview.md#allow-protected-append-blobs-writes).

+² The [Append Block](/rest/api/storageservices/append-block) operation is permitted only for policies with the **allowProtectedAppendWrites** or **allowProtectedAppendWritesAll** property enabled. For more information, see [Allow protected append blobs writes](immutable-time-based-retention-policy-overview.md#allow-protected-append-blobs-writes).

+For more information about blob inventory, see [Azure Storage blob inventory](blob-inventory.md).

+A time-based retention policy stores blob data in a Write-Once, Read-Many (WORM) format for a specified interval. When a time-based retention policy is set, clients can create and read blobs, but can't modify or delete them. After the retention interval has expired, blobs can be deleted but not overwritten.

+When you configure a time-based retention policy, the affected objects will stay in the immutable state during the *effective* retention period. The effective retention period for objects is equal to the difference between the blob's creation time and the user-specified retention interval. Because a policy's retention interval can be extended, immutable storage uses the most recent value of the user-specified retention interval to calculate the effective retention period.

+When you first configure a time-based retention policy, the policy is unlocked for testing purposes. When you have finished testing, you can lock the policy so that it's fully compliant with SEC 17a-4(f) and other regulatory compliance.

+You can't delete a locked time-based retention policy. You can extend the retention period, but you can't decrease it. A maximum of five increases to the effective retention period is allowed over the lifetime of a locked policy that is defined at the container level. For a policy configured for a blob version, there's no limit to the number of increases to the effective period.

+- Container-level policy: A time-based retention policy that is configured at the container level applies to all objects in that container. Individual objects can't be configured with their own immutability policies.

+Audit logs are available on the container for both version-level and container-level time-based retention policies. Audit logs aren't available for a policy that is scoped to a blob version.

+To configure version-level retention policies, you must first enable version-level immutability on the storage account or parent container. Version-level immutability can't be disabled after it's enabled, although unlocked policies can be deleted. For more information, see [Enable support for version-level immutability](immutable-policy-configure-version-scope.md#enable-support-for-version-level-immutability).

+Version-level immutability on the storage account must be enabled when you create the account. When you enable version-level immutability for a new storage account, all containers later created in that account automatically support version-level immutability. It's not possible to disable support for version-level immutability on a storage account after you've enabled it, nor is it possible to create a container without version-level immutability support when it's enabled for the account.

+If you haven't enabled support for version-level immutability on the storage account, then you can enable support for version-level immutability on an individual container at the time that you create the container. Existing containers can also support version-level immutability, but must undergo a migration process first. This process may take some time and isn't reversible. You can migrate 10 containers at a time per storage account. For more information about migrating a container to support version-level immutability, see [Migrate an existing container to support version-level immutability](immutable-policy-configure-version-scope.md#migrate-an-existing-container-to-support-version-level-immutability).

+Each version may have only one time-based retention policy configured. A version may also have one legal hold configured. For more information about supported immutability policy configurations based on scope, see [Immutability policy scope](immutable-storage-overview.md#immutability-policy-scope).

+If the default time-based retention policy for the account or container is locked, then the current version of a blob that inherits the default policy will also have a locked policy. However, if you override the default policy when you upload a blob by setting a policy only for that blob, then that blob's policy will remain unlocked until you explicitly lock it. When the policy on the current version is locked, you can extend the retention interval, but you can't delete the policy or shorten the retention interval.

+If there's no default policy configured for either the storage account or the container, then you can upload a blob either with a custom policy or with no policy.

+When versioning is enabled, a write or delete operation to a blob creates a new previous version of that blob that saves the blob's state before the operation. By default, a previous version possesses the time-based retention policy that was in effect for the current version, if any, when the current version became a previous version. The new current version inherits the policy on the container, if there's one.

+If the policy inherited by a previous version is locked, then the retention interval can be lengthened. The policy can't be deleted, nor can the retention interval be shortened.

+If there's no policy configured on the current version, then the previous version doesn't inherit any policy. You can configure a custom policy for the version.

+When a time-based retention policy is applied to a container, all existing blobs move into an immutable WORM state in less than 30 seconds. All new blobs that are uploaded to that policy-protected container will also move into an immutable state. Once all blobs are in an immutable state, overwrite or delete operations in the immutable container aren't allowed. In the case of an account with a hierarchical namespace, blobs can't be renamed or moved to a different directory.

+Append blobs are composed of blocks of data and optimized for data append operations required by auditing and logging scenarios. By design, append blobs only allow the addition of new blocks to the end of the blob. Regardless of immutability, modification or deletion of existing blocks in an append blob is fundamentally not allowed. To learn more about append blobs, see [About Append Blobs](/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs#about-append-blobs).

+The **AllowProtectedAppendWrites** property setting allows for writing new blocks to an append blob while maintaining immutability protection and compliance. If this setting is enabled, you can create an append blob directly in the policy-protected container, and then continue to add new blocks of data to the end of the append blob with the Append Block operation. Only new blocks can be added; any existing blocks can't be modified or deleted. Enabling this setting doesn't affect the immutability behavior of block blobs or page blobs.

+The **AllowProtectedAppendWritesAll** property setting provides the same permissions as the **AllowProtectedAppendWrites** property and adds the ability to write new blocks to a block blob. The Blob Storage API doesn't provide a way for applications to do this directly. However, applications can accomplish this by using append and flush methods that are available in the Data Lake Storage Gen2 API. Also, this property enables Microsoft applications such as Azure Data Factory to append blocks of data by using internal APIs. If your workloads depend on any of these tools, then you can use this property to avoid errors that can appear when those tools attempt to append data to blobs.

+> [!NOTE]

+> This property is available only for container-level policies. This property is not available for version-level policies.

+Append blobs remain in the immutable state during the *effective* retention period. Since new data can be appended beyond the initial creation of the append blob, there's a slight difference in how the retention period is determined. The effective retention is the difference between append blob's last modification time and the user-specified retention interval. Similarly, when the retention interval is extended, immutable storage uses the most recent value of the user-specified retention interval to calculate the effective retention period.

+Unlocked time-based retention policies allow the **AllowProtectedAppendWrites** and the **AllowProtectedAppendWritesAll** property settings to be enabled and disabled at any time. Once the time-based retention policy is locked, the **AllowProtectedAppendWrites** and the **AllowProtectedAppendWritesAll** property settings can't be changed.

+The [Azure Activity log](../../azure-monitor/essentials/platform-logs-overview.md) provides a more comprehensive log of all management service activities. [Azure resource logs](../../azure-monitor/essentials/platform-logs-overview.md) retain information about data operations. It's the user's responsibility to store those logs persistently, as might be required for regulatory or other purposes.

+Changes to time-based retention policies at the version level aren't audited.

+To enable SFTP support, call the [az storage account update](/cli/azure/storage/account#az-storage-account-update) command and set the `--enable-sftp` parameter to true. Remember to replace the values in angle brackets with your own values:

+ Title: Actions and attributes for Azure role assignment conditions in Azure Storage

+>

+description: Authorize access to Azure blobs and Azure Data Lake Storage Gen2 (ADLS G2) using Azure role assignment conditions and Azure attribute-based access control (Azure ABAC). Define conditions on role assignments using Storage attributes.

+>

+You can [use of Azure Active Directory](../common/authorize-data-access.md) (Azure AD) to authorize requests to Azure storage resources using Azure RBAC. Azure RBAC helps you manage access to resources by defining who has access to resources and what they can do with those resources, using role definitions and role assignments. Azure Storage defines a set of Azure [built-in roles](../../role-based-access-control/built-in-roles.md#storage) that encompass common sets of permissions used to access Azure storage data. You can also define custom roles with select sets of permissions. Azure Storage supports role assignments for both storage accounts and blob containers.

+Azure ABAC builds on Azure RBAC by adding [role assignment conditions](../../role-based-access-control/conditions-overview.md) in the context of specific actions. A *role assignment condition* is an additional check that is evaluated when the action on the storage resource is being authorized. This condition is expressed as a predicate using attributes associated with any of the following:

+- **Reduce the number of role assignments you have to create and manage** - You can do this by using a generalized role assignment for a security group, and then restricting the access for individual members of the group using a condition that matches attributes of a principal with attributes of a specific resource being accessed (such as a blob or a container).

+Role-assignment conditions in Azure Storage are supported for Azure blob storage. You can also use conditions with accounts that have the [hierarchical namespace](../blobs/data-lake-storage-namespace.md) (HNS) feature enabled on them (ADLS G2).

+To use the preview, you must register for the Azure Active Directory federated client identity feature in the ISV's tenant. Follow these instructions to register with PowerShell or Azure CLI:

+To use the preview, you must register for the Azure Active Directory federated client identity feature in the ISV's tenant. Follow these instructions to register with PowerShell or Azure CLI:

+Reduce your on-premises backup spending by taking centralized backups in the cloud using Azure Backup. SMB Azure file shares have native snapshot capabilities, and the process can be automated using Azure Backup to schedule your backups and manage their retention. Azure Backup also integrates with your on-premises servers, so when you restore to the cloud, these changes are automatically downloaded on your Windows Servers.

+## Training

+For self-paced training, see the following modules:

+- [Implement a hybrid file server infrastructure](/training/modules/implement-hybrid-file-server-infrastructure/)

+- [Extend your on-premises file share capacity using Azure File Sync](/training/modules/extend-share-capacity-with-azure-file-sync/)

+## Architecture

+For guidance on architecting solutions with Azure Files and Azure File Sync using established patterns and practices, see the following:

+- [Azure enterprise cloud file share](/azure/architecture/hybrid/azure-files-private)

+- [Hybrid file services](/azure/architecture/hybrid/hybrid-file-services)

+- [Hybrid file share with disaster recovery for remote and local branch workers](/azure/architecture/example-scenario/hybrid/hybrid-file-share-dr-remote-local-branch-workers)

+Many organizations isolate their file servers from most internet locations for security purposes. To use Azure File Sync in such an environment, you need to configure your firewall to allow outbound access to select Azure services. You can do this by allowing port 443 outbound access to [required cloud endpoints](file-sync-firewall-and-proxy.md#firewall) hosting those specific Azure services if your firewall supports url/domains. If it doesn't, you can retrieve the IP address ranges for these Azure services through [service tags](../../virtual-network/service-tags-overview.md).

+6. Select **Grant admin consent for "DirectoryName"**.

+7. Select **Yes** to confirm.

+To get started using Azure Files, see [Quickstart: Create and use an Azure file share](storage-how-to-use-files-portal.md).

+## Training

+For self-paced training, see the following modules:

+- [Introduction to Azure Files](/training/modules/introduction-to-azure-files/)

+- [Configure Azure Files and Azure File Sync](/training/modules/configure-azure-files-file-sync/)

+## Architecture

+For guidance on architecting solutions on Azure Files using established patterns and practices, see the following:

+- [Azure enterprise cloud file share](/azure/architecture/hybrid/azure-files-private)

+- [Hybrid file services](/azure/architecture/hybrid/hybrid-file-services)

+- [Use Azure file shares in a hybrid environment](/azure/architecture/hybrid/azure-file-share)

+- [Hybrid file share with disaster recovery for remote and local branch workers](/azure/architecture/example-scenario/hybrid/hybrid-file-share-dr-remote-local-branch-workers)

+- [Azure files accessed on-premises and secured by AD DS](/azure/architecture/example-scenario/hybrid/azure-files-on-premises-authentication)

+* [Azure Files FAQ](storage-files-faq.md)

+ Title: Actions and attributes for Azure role assignment conditions for Azure queues | Microsoft Docs

+description: Supported actions and attributes for Azure role assignment conditions and Azure attribute-based access control (Azure ABAC) for Azure queues.

+# Actions and attributes for Azure role assignment conditions for Azure queues

+> [!IMPORTANT]

+> Azure ABAC and Azure role assignment conditions are currently in preview.

+>

+> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+This article describes the supported attribute dictionaries that can be used in conditions on Azure role assignments for each Azure Storage [DataAction](../../role-based-access-control/role-definitions.md#dataactions). For the list of Queue service operations that are affected by a specific permission or DataAction, see [Permissions for Queue service operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-queue-service-operations).

+To understand the role assignment condition format, see [Azure role assignment condition format and syntax](../../role-based-access-control/conditions-format.md).

+## Azure Queue storage actions

+This section lists the supported Azure Queue storage actions you can target for conditions.

+### Peek messages

+> [!div class="mx-tdCol2BreakAll"]

+> | Property | Value |

+> | | |

+> | **Display name** | Peek messages |

+> | **Description** | DataAction for peeking messages. |

+> | **DataAction** | `Microsoft.Storage/storageAccounts/queueServices/queues/messages/read` |

+> | **Resource attributes** | [Account name](#account-name)<br/>[Queue name](#queue-name) |

+> | **Request attributes** | |

+> | **Principal attributes support** | True |

+### Put a message

+> [!div class="mx-tdCol2BreakAll"]

+> | Property | Value |

+> | | |

+> | **Display name** | Put a message |

+> | **Description** | DataAction for putting a message. |

+> | **DataAction** | `Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action` |

+> | **Resource attributes** | [Account name](#account-name)<br/>[Queue name](#queue-name) |

+> | **Request attributes** | |

+> | **Principal attributes support** | True |

+### Put or update a message

+> [!div class="mx-tdCol2BreakAll"]

+> | Property | Value |

+> | | |

+> | **Display name** | Put or update a message |

+> | **Description** | DataAction for putting or updating a message. |

+> | **DataAction** | `Microsoft.Storage/storageAccounts/queueServices/queues/messages/write` |

+> | **Resource attributes** | [Account name](#account-name)<br/>[Queue name](#queue-name) |

+> | **Request attributes** | |

+> | **Principal attributes support** | True |

+### Clear messages

+> [!div class="mx-tdCol2BreakAll"]

+> | Property | Value |

+> | | |

+> | **Display name** | Clear messages |

+> | **Description** | DataAction for clearing messages. |

+> | **DataAction** | `Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete` |

+> | **Resource attributes** | [Account name](#account-name)<br/>[Queue name](#queue-name) |

+> | **Request attributes** | |

+> | **Principal attributes support** | True |

+### Get or delete messages

+> [!div class="mx-tdCol2BreakAll"]

+> | Property | Value |

+> | | |

+> | **Display name** | Get or delete messages |

+> | **Description** | DataAction for getting or deleting messages. |

+> | **DataAction** | `Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action` |

+> | **Resource attributes** | [Account name](#account-name)<br/>[Queue name](#queue-name) |

+> | **Request attributes** | |

+> | **Principal attributes support** | True |

+## Azure Queue storage attributes

+This section lists the Azure Queue storage attributes you can use in your condition expressions depending on the action you target. If you select multiple actions for a single condition, there might be fewer attributes to choose from for your condition because the attributes must be available across the selected actions.

+> [!NOTE]

+> Attributes and values listed are considered case-insensitive, unless stated otherwise.

+### Account name

+> [!div class="mx-tdCol2BreakAll"]

+> | Property | Value |

+> | | |

+> | **Display name** | Account name |

+> | **Description** | Name of a storage account. |

+> | **Attribute** | `Microsoft.Storage/storageAccounts:name` |

+> | **Attribute source** | Resource |

+> | **Attribute type** | String |

+> | **Examples** | `@Resource[Microsoft.Storage/storageAccounts:name] StringEquals 'sampleaccount'` |

+### Queue name

+> [!div class="mx-tdCol2BreakAll"]

+> | Property | Value |

+> | | |

+> | **Display name** | Queue name |

+> | **Description** | Name of a storage queue. |

+> | **Attribute** | `Microsoft.Storage/storageAccounts/queueServices/queues:name` |

+> | **Attribute source** | Resource |

+> | **Attribute type** | String |

+## See also

+- [Example Azure role assignment conditions (preview)](../blobs\storage-auth-abac-examples.md)

+- [Azure role assignment condition format and syntax (preview)](../../role-based-access-control/conditions-format.md)

+- [Troubleshoot Azure role assignment conditions (preview)](../../role-based-access-control/conditions-troubleshoot.md)

+ Title: Authorize access to queues using Azure role assignment conditions | Microsoft Docs

+description: Authorize access to Azure queues using Azure role assignment conditions and Azure attribute-based access control (Azure ABAC). Define conditions on role assignments using Storage attributes.

+# Authorize access to queues using Azure role assignment conditions

+> [!IMPORTANT]

+> Azure ABAC is currently in preview and is provided without a service level agreement. It is not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.

+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+Attribute-based access control (ABAC) is an authorization strategy that defines access levels based on attributes associated with an access request such as the security principal, the resource, the environment and the request itself. With ABAC, you can grant a security principal access to a resource based on [Azure role assignment conditions](../../role-based-access-control/conditions-overview.md).

+## Overview of conditions in Azure Storage

+You can [use of Azure Active Directory](../common/authorize-data-access.md) (Azure AD) to authorize requests to Azure storage resources using Azure RBAC. Azure RBAC helps you manage access to resources by defining who has access to resources and what they can do with those resources, using role definitions and role assignments. Azure Storage defines a set of Azure [built-in roles](../../role-based-access-control/built-in-roles.md#storage) that encompass common sets of permissions used to access Azure storage data. You can also define custom roles with select sets of permissions. Azure Storage supports role assignments for both storage accounts and blob containers or queues.

+Azure ABAC builds on Azure RBAC by adding [role assignment conditions](../../role-based-access-control/conditions-overview.md) in the context of specific actions. A *role assignment condition* is an additional check that is evaluated when the action on the storage resource is being authorized. This condition is expressed as a predicate using attributes associated with any of the following:

+- Security principal that is requesting authorization

+- Resource to which access is being requested

+- Parameters of the request

+- Environment from which the request originates

+The benefits of using role assignment conditions are:

+- **Enable finer-grained access to resources** - For example, if you want to grant a user access to peek messages in a specific queue, you can use peek messages DataAction and the queue name storage attribute.

+- **Reduce the number of role assignments you have to create and manage** - You can do this by using a generalized role assignment for a security group, and then restricting the access for individual members of the group using a condition that matches attributes of a principal with attributes of a specific resource being accessed (such as a queue).

+- **Express access control rules in terms of attributes with business meaning** - For example, you can express your conditions using attributes that represent a project name, business application, organization function, or classification level.

+The tradeoff of using conditions is that you need a structured and consistent taxonomy when using attributes across your organization. Attributes must be protected to prevent access from being compromised. Also, conditions must be carefully designed and reviewed for their effect.

+## Supported attributes and operations

+You can configure conditions on role assignments for [DataActions](../../role-based-access-control/role-definitions.md#dataactions) to achieve these goals. You can use conditions with a [custom role](../../role-based-access-control/custom-roles.md) or select built-in roles. Note, conditions are not supported for management [Actions](../../role-based-access-control/role-definitions.md#actions) through the [Storage resource provider](/rest/api/storagerp).

+You can add conditions to built-in roles or custom roles. The built-in roles on which you can use role-assignment conditions include:

+- [Storage Queue Data Contributor](../../role-based-access-control/built-in-roles.md#storage-queue-data-contributor)

+- [Storage Queue Data Message Processor](../../role-based-access-control/built-in-roles.md#storage-queue-data-message-processor)

+- [Storage Queue Data Message Sender](../../role-based-access-control/built-in-roles.md#storage-queue-data-message-sender)

+- [Storage Queue Data Reader](../../role-based-access-control/built-in-roles.md#storage-queue-data-reader)

+You can use conditions with custom roles so long as the role includes [actions that support conditions](..\blobs\storage-auth-abac-attributes.md#azure-blob-storage-actions-and-suboperations).

+The [Azure role assignment condition format](../../role-based-access-control/conditions-format.md) allows use of `@Principal`, `@Resource` or `@Request` attributes in the conditions. A `@Principal` attribute is a custom security attribute on a principal, such as a user, enterprise application (service principal), or managed identity. A `@Resource` attribute refers to an existing attribute of a storage resource that is being accessed, such as a storage account or a queue. A `@Request` attribute refers to an attribute or parameter included in a storage operation request.

+Azure RBAC currently supports 2,000 role assignments in a subscription. If you need to create thousands of Azure role assignments, you may encounter this limit. Managing hundreds or thousands of role assignments can be difficult. In some cases, you can use conditions to reduce the number of role assignments on your storage account and make them easier to manage. You can [scale the management of role assignments](../../role-based-access-control/conditions-custom-security-attributes-example.md) using conditions and [Azure AD custom security attributes]() for principals.

+## Next steps

+- [Prerequisites for Azure role assignment conditions](../../role-based-access-control/conditions-prerequisites.md)

+- [Actions and attributes for Azure role assignment conditions in Azure Storage](queues-auth-abac-attributes.md)

+- [Example Azure role assignment conditions](..\blobs\storage-auth-abac-examples.md)

+- [Troubleshoot Azure role assignment conditions](../../role-based-access-control/conditions-troubleshoot.md)

+## See also

+- [What is Azure attribute-based access control (Azure ABAC)?](../../role-based-access-control/conditions-overview.md)

+- [FAQ for Azure role assignment conditions](../../role-based-access-control/conditions-faq.md)

+- [Azure role assignment condition format and syntax](../../role-based-access-control/conditions-format.md)

+- [Scale the management of Azure role assignments by using conditions and custom security attributes (preview)](../../role-based-access-control/conditions-custom-security-attributes-example.md)

+- [Security considerations for Azure role assignment conditions in Azure Storage](..\blobs\storage-auth-abac-security.md)

+Stream Analytics doesn't create containers in your database. Instead, it requires you to create them beforehand. You can then control the billing costs of Azure Cosmos DB containers. You can also tune the performance, consistency, and capacity of your containers directly by using the [Azure Cosmos DB APIs](/rest/api/cosmos-db/).

+* [Azure Stream Analytics custom blob output partitioning](stream-analytics-custom-path-patterns-blob-storage-output.md)

+* Spark Pools definitions will be deleted from the Synapse workspace in 90 days after the applicable EOL date.

+For example, if the optimizer estimates that the date your query is filtering on will return one row it will choose one plan. If it estimates that the selected date will return 1 million rows, it will pick a different plan.

+> Automatic creation of statistics is turned on for Parquet files. For CSV files, statistics will be automatically created if you use OPENROWSET. You need to create statistics manually you use CSV external tables.

+Serverless SQL pool lets you create statistics manually. For CSV external tables, you have to create statistics manually because automatic creation of statistics isn't turned on for CSV external tables.

+> Automatic recreation of statistics is turned on for Parquet files. For CSV files, statistics will be recreated if you use OPENROWSET. You need to drop and create statistics manually for CSV external tables. Check the examples below on how to drop and create statistics.

+You can also get the following metrics to enable advanced monitoring of the service:

+* **Link connection events:** number of link connection events including start, stop or failure.

+* **Link table event:** number of link table events including snapshot, removal or failure.

+* **Link latency in second:** data processing latency in second.

+* **Link data processed data volume (bytes):** data volume in bytes processed by Synapse link for SQL.

+* **Link processed row:** row counts (changed) processed by Synapse Link for SQL.

+For more information, see [Manage Synapse Link for SQL change feed](/sql/sql-server/synapse-link/synapse-link-sql-server-change-feed-manage).

+You can also get the following metrics to enable advanced monitoring of the service:

+* **Link connection events:** number of link connection events including start, stop or failure.

+* **Link table event:** number of link table events including snapshot, removal or failure.

+* **Link latency in second:** data processing latency in second.

+* **Link data processed data volume (bytes):** data volume in bytes processed by Synapse link for SQL.

+* **Link processed row:** row counts (changed) processed by Synapse Link for SQL.

+ Title: Previous monthly updates in Azure Synapse Analytics

+## June 2022 update

+## General

+* **Azure Orbital analytics with Synapse Analytics** - We now offer an [Azure Orbital analytics sample solution](https://github.com/Azure/Azure-Orbital-Analytics-Samples) showing an end-to-end implementation of extracting, loading, transforming, and analyzing spaceborne data by using geospatial libraries and AI models with [Azure Synapse Analytics](overview-what-is.md). The sample solution also demonstrates how to integrate geospatial-specific [Azure Cognitive Services](../cognitive-services/index.yml) models, AI models from partners, and bring-your-own-data models.

+* **Azure Synapse success by design** - Project success is no accident and requires careful planning and execution. The Synapse Analytics' Success by Design playbooks are now available. The [Azure Synapse proof of concept playbook](./guidance/proof-of-concept-playbook-overview.md) provides a guide to scope, design, execute, and evaluate a proof of concept for SQL or Spark workloads. These guides contain best practices from the most challenging and complex solution implementations incorporating Azure Synapse. To learn more about the Azure Synapse proof of concept playbook, read [Success by Design](./guidance/success-by-design-introduction.md).

+## SQL

+**Result set size limit increase** - We know that you turn to Azure Synapse Analytics to work with large amounts of data. With that in mind, the maximum size of query result sets in Serverless SQL pools has been increased from 200 GB to 400 GB. This limit is shared between concurrent queries. To learn more about this size limit increase and other constraints, read [Self-help for serverless SQL pool](./sql/resources-self-help-sql-on-demand.md?tabs=x80070002#constraints).

+## Synapse data explorer

+* **Web Explorer new homepage** - The new Synapse Web Explorer homepage makes it even easier to get started with Synapse Web Explorer. The [Web Explorer homepage](https://dataexplorer.azure.com/home) now includes the following sections:

+ * Get started ΓÇô Sample gallery offering example queries and dashboards for popular Synapse Data Explorer use cases.

+ * Recommended ΓÇô Popular learning modules designed to help you master Synapse Web Explorer and KQL.

+ * Documentation ΓÇô Synapse Web Explorer basic and advanced documentation.

+* **Web Explorer sample gallery** - A great way to learn about a product is to see how it is being used by others. The Web Explorer sample gallery provides end-to-end samples of how customers leverage Synapse Data Explorer popular use cases such as Logs Data, Metrics Data, IoT data and Basic big data examples. Each sample includes the dataset, well-documented queries, and a sample dashboard. To learn more about the sample gallery, read [Azure Data Explorer in 60 minutes with the new samples gallery](https://techcommunity.microsoft.com/t5/azure-data-explorer-blog/azure-data-explorer-in-60-minutes-with-the-new-samples-gallery/ba-p/3447552).

+* **Web Explorer dashboards drill through capabilities** - You can now add drill through capabilities to your Synapse Web Explorer dashboards. The new drill through capabilities allow you to easily jump back and forth between dashboard pages. This is made possible by using a contextual filter to connect your dashboards. Defining these contextual drill throughs is done by editing the visual interactions of the selected tile in your dashboard. To learn more about drill through capabilities, read [Use drillthroughs as dashboard parameters](/azure/data-explorer/dashboard-parameters#use-drillthroughs-as-dashboard-parameters).

+* **Time Zone settings for Web Explorer** - Being able to display data in different time zones is very powerful. You can now decide to view the data in UTC time, your local time zone, or the time zone of the monitored device/machine. The Time Zone settings of the Web Explorer now apply to both the Query results and to the Dashboard. By changing the time zone, the dashboards will be automatically refreshed to present the data with the selected time zone. For more information on time zone settings, read [Change datetime to specific time zone](/azure/data-explorer/web-query-data#change-datetime-to-specific-time-zone).

+## Data integration

+* **Fuzzy Join option in Join Transformation** - Fuzzy matching with a sliding similarity score option has been added to the Join transformation in Mapping Data Flows. You can create inner and outer joins on data values that are similar rather than exact matches! Previously, you would have had to use an exact match. The sliding scale value goes from 60% to 100%, making it easy to adjust the similarity threshold of the match. For learn more about fuzzy joins, read [Join transformation in mapping data flow](../data-factory/data-flow-join.md).

+* **Map Data [Generally Available]** - We're excited to announce that the Map Data tool is now Generally Available. The Map Data tool is a guided process to help you create ETL mappings and mapping data flows from your source data to Synapse without writing code. To learn more about Map Data, read [Map Data in Azure Synapse Analytics](./database-designer/overview-map-data.md).

+* **Rerun pipeline with new parameters** - You can now change pipeline parameters when rerunning a pipeline from the Monitoring page without having to return to the pipeline editor. After running a pipeline with new parameters, you can easily monitor the new run against the old ones without having to toggle between pages. To learn more about rerunning pipelines with new parameters, read [Rerun pipelines and activities](../data-factory/monitor-visually.md#rerun-pipelines-and-activities).

+* **User Defined Functions [Generally Available]** - We're excited to announce that user defined functions (UDFs) are now Generally Available. With user-defined functions, you can create customized expressions that can be reused across multiple mapping data flows. You no longer have to use the same string manipulation, math calculations, or other complex logic several times. User-defined functions will be grouped in libraries to help developers group common sets of functions. To learn more about user defined functions, read [User defined functions in mapping data flows](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/introducing-user-defined-functions-preview-for-mapping-data/ba-p/3414628).

+## Machine learning

+**Distributed Deep Neural Network Training with Horovod and Petastorm [Public Preview]** - To simplify the process for creating and managing GPU-accelerated pools, Azure Synapse takes care of pre-installing low-level libraries and setting up all the complex networking requirements between compute nodes. This integration allows users to get started with GPU- accelerated pools within just a few minutes.

+Now, Azure Synapse Analytics provides built-in support for deep learning infrastructure. The Azure Synapse Analytics runtime for Apache Spark 3.1 and 3.2 now includes support for the most common deep learning libraries like TensorFlow and PyTorch. The Azure Synapse runtime also includes supporting libraries like Petastorm and Horovod, which are commonly used for distributed training. This feature is currently available in Public Preview.

+To learn more about how to leverage these libraries within your Azure Synapse Analytics GPU-accelerated pools, read the [Deep learning tutorials](./machine-learning/concept-deep-learning.md).

+**Get connected with the new Azure Synapse Influencer program!** [Join a community of Azure Synapse Influencers](https://aka.ms/synapseinfluencers) who are helping each other achieve more with cloud analytics! The Azure Synapse Influencer program recognizes Azure Synapse Analytics users and advocates who actively support the community by sharing Synapse-related content, announcements, and product news via social media.

+* **Data Warehouse Migration guide for Dedicated SQL Pools in Azure Synapse Analytics** - With the benefits that cloud migration offers, we hear that you often look for steps, processes, or guidelines to follow for quick and easy migrations from existing data warehouse environments. We just released a set of [Data Warehouse migration guides](./migration-guides/index.yml) to make your transition to dedicated SQL Pools in Azure Synapse Analytics easier.

+* **Azure Synapse Dedicated SQL Pool Connector for Apache Spark Now Available in Python** - Previously, the Azure Synapse Dedicated SQL Pool connector was only available using Scala. Now, it can be used with Python on Spark 3. The only difference between the Scala and Python implementations is the optional Scala callback handle, which allows you to receive post-write metrics.

+ The following are now supported in Python on Spark 3:

+ * Write to External Table using Azure AD Authentication or Basic Authentication

+* **Use Managed Identities for External SQL Server Tables** - One of the key benefits of Azure Synapse is the ability to bring together data integration, enterprise data warehousing, and big data analytics. With Managed Identity support, Synapse Data Explorer table definition is now simpler and more secure. You can now use managed identities instead of entering in your credentials.

+ An external SQL table is a schema entity that references data stored outside the Synapse Data Explorer database. Using the Create and alter SQL Server external tables command, External SQL tables can easily be added to the Synapse Data Explorer database schema.

+ To learn more about managed identities, read [Managed identities overview](/azure/data-explorer/managed-identities-overview).

+ To learn more about external tables, read [Create and alter SQL Server external tables](/azure/data-explorer/kusto/management/external-sql-tables).

+* **New KQL Learn module (2 out of 3) is live!** - The power of Kusto Query Language (KQL) is its simplicity to query structured, semi-structured, and unstructured data together. To make it easier for you to learn KQL, we are releasing Learn modules. Previously, we released [Write your first query with Kusto Query Language](/learn/modules/write-first-query-kusto-query-language/). New this month is [Gain insights from your data by using Kusto Query Language](/learn/modules/gain-insights-data-kusto-query-language/).

+ KQL is the query language used to query Synapse Data Explorer big data. KQL has a fast-growing user community, with hundreds of thousands of developers, data engineers, data analysts, and students.

+ Check out the newest [KQL Learn Model](/learn/modules/gain-insights-data-kusto-query-language/) and see for yourself how easy it is to become a KQL master.

+ To learn more about KQL, read [Kusto Query Language (KQL) overview](/azure/data-explorer/kusto/query/).

+* **Azure Synapse Data Explorer connector for Microsoft Power Automate, Logic Apps, and Power Apps [Generally Available]** - The Azure Data Explorer connector for Power Automate enables you to orchestrate and schedule flows, send notifications, and alerts, as part of a scheduled or triggered task. To learn more, read [Azure Data Explorer connector for Microsoft Power Automate](/azure/data-explorer/flow) and [Usage examples for Azure Data Explorer connector to Power Automate](/azure/data-explorer/flow-usage).

+* **Dynamic events routing from event hub to multiple databases** - Routing events from Event Hub/IOT Hub/Event Grid is an activity commonly performed by Azure Data Explorer (ADX) users. Previously, you could route events only to a single database per defined connection. If you wanted to route the events to multiple databases, you needed to create multiple ADX cluster connections.

+ To simplify the experience, we now support routing events data to multiple databases hosted in a single ADX cluster. To learn more about dynamic routing, read [Ingest from event hub](/azure/data-explorer/ingest-data-event-hub-overview#events-routing).

+* **Configure a database using a KQL inline script as part of JSON ARM deployment template** - Previously, Azure Data Explorer supported running a Kusto Query Language (KQL) script to configure your database during Azure Resource Manager (ARM) template deployment. Now, this can be done using an inline script provided inline as a parameter to a JSON ARM template. To learn more about using a KQL inline script, read [Configure a database using a Kusto Query Language script](/azure/data-explorer/database-script).

+* **Export pipeline monitoring as a CSV** - The ability to export pipeline monitoring to CSV has been added after receiving many community requests for the feature. Simply filter the Pipeline runs screen to the data you want and select *Export to CSV**. To learn more about exporting pipeline monitoring and other monitoring improvements, read [Azure Data Factory monitoring improvements](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/adf-monitoring-improvements/ba-p/3295531).

+* **Incremental data loading made easy for Synapse and Azure Database for PostgreSQL and MySQL** - In a data integration solution, incrementally loading data after an initial full data load is a widely used scenario. Automatic incremental source data loading is now natively available for Synapse SQL and Azure Database for PostgreSQL and MySQL. Users can "enable incremental extract" and only inserted or updated rows will be read by the pipeline. To learn more about incremental data loading, read [Incrementally copy data from a source data store to a destination data store](../data-factory/tutorial-incremental-copy-overview.md).

+* **User-Defined Functions for Mapping Data Flows [Public Preview]** - We hear you that you can find yourself doing the same string manipulation, math calculations, or other complex logic several times. Now, with the new user-defined function feature, you can create customized expressions that can be reused across multiple mapping data flows. User-defined functions will be grouped in libraries to help developers group common sets of functions. Once you've created a data flow library, you can add in your user-defined functions. You can even add in multiple arguments to make your function more reusable. To learn more about user-defined functions, read [User defined functions in mapping data flows](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/introducing-user-defined-functions-preview-for-mapping-data/ba-p/3414628).

+* **Mapping data flows projection editing** - New UI updates have been made to source projection editing in mapping data flows. You can now update source projection column names and column types. To learn more about source projection editing, read [Source transformation in mapping data flow](../data-factory/data-flow-source.md).

+### Azure Synapse Link

+**Azure Synapse Link for SQL [Public Preview]** - At Microsoft Build 2022, we announced the Public Preview availability of Azure Synapse Link for SQL, for both SQL Server 2022 and Azure SQL Database. Data-driven, quality insights are critical for companies to stay competitive. The speed to achieve those insights can make all the difference. The costly and time-consuming nature of traditional ETL and ELT pipelines is no longer enough. With this release, you can now take advantage of low- and no-code, near real-time data replication from your SQL-based operational stores into Azure Synapse Analytics. This makes it easier to run BI reporting on operational data in near real-time, with minimal impact on your operational store. To learn more, read [Announcing the Public Preview of Azure Synapse Link for SQL](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/announcing-the-public-preview-of-azure-synapse-link-for-sql/ba-p/3372986) and [watch our YouTube video](https://www.youtube.com/embed/pgusZy34-Ek).

+* We've added the option to clone a lake database. This unlocks additional opportunities to manage new versions of databases or support schemas that evolve in discrete steps. You can quickly clone a database using the action menu available on the lake database. To learn more, read [How-to: Clone a lake database](./database-designer/clone-lake-database.md).

+* You can now use wildcards to specify custom folder hierarchies. Lake databases sit on top of data that is in the lake and this data can live in nested folders that don't fit into clean partition patterns. Previously, querying lake databases required that your data exists in a simple directory structure that you could browse using the folder icon without the ability to manually specify directory structure or use wildcard characters. To learn more, read [How-to: Modify a datalake](./database-designer/modify-lake-database.md).

+* We are excited to announce the preview availability of Apache Spark&trade; 3.2 on Synapse Analytics. This new version incorporates user-requested enhancements and resolves 1,700+ Jira tickets. Please review the [official release notes](https://spark.apache.org/releases/spark-release-3-2-0.html) for the complete list of fixes and features and review the [migration guidelines between Spark 3.1 and 3.2](https://spark.apache.org/docs/latest/sql-migration-guide.html#upgrading-from-spark-sql-31-to-32) to assess potential changes to your applications. For more details, read [Apache Spark version support and Azure Synapse Runtime for Apache Spark 3.2](./spark/apache-spark-version-support.md).

+* We often receive customer requests to access the snapshot of the Notebook when there is a Pipeline Notebook run failure or there is a long-running Notebook job. With the release of the Synapse Notebook snapshot feature, you can now view the snapshot of the Notebook activity run with the original Notebook code, the cell output, and the input parameters. You can also access the snapshot of the referenced Notebook from the referencing Notebook cell output if you refer to other Notebooks through Spark utils. To learn more, read [Transform data by running a Synapse notebook](synapse-notebook-activity.md?tabs=classical#see-notebook-activity-run-history) and [Introduction to Microsoft Spark utilities](./spark/microsoft-spark-utilities.md?pivots=programming-language-scala#reference-a-notebook-1).

+* Microsoft has added Dataverse as a source and sink connector to Synapse Data Flows so that you can now build low-code data transformation ETL jobs in Synapse directly accessing your Dataverse environment. For more details on how to use this new connector, read [Mapping data flow properties](../data-factory/connector-dynamics-crm-office-365.md#mapping-data-flow-properties).

+* Previously, if you wanted to reference a notebook in another notebook, you could only reference published or committed content. Now, when using %run notebooks, you can enable 'unpublished notebook reference' which will allow you to reference unpublished notebooks. When enabled, notebook run will fetch the current contents in the notebook web cache, meaning the changes in your notebook editor can be referenced immediately by other notebooks without having to be published (Live mode) or committed (Git mode). To learn more, read [Reference unpublished notebook](spark/apache-spark-development-using-notebooks.md#reference-unpublished-notebook).

+* TLS 1.2 is now required for newly created Synapse Workspaces. To learn more, see how [TLS 1.2 provides enhanced security using this article](./security/connectivity-settings.md) or the [blog post](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-january-update-2022/ba-p/3071681#TOCREF_6). Sign-in attempts to a newly created Synapse workspace from connections using TLS versions lower than 1.2 will fail.

+* Azure Synapse Link for Dataverse [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId-1397891373) [article](/powerapps/maker/data-platform/azure-synapse-link-synapse)

+* Custom partitions for Azure Synapse Link for Azure Cosmos DB in preview [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId--409563090) [article](../cosmos-db/custom-partitioning-analytical-store.md)

+### Work with Databases and Data Lakes

+### Azure Synapse Link

+* Azure Synapse Link for Dataverse [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId-1397891373) [article](/powerapps/maker/data-platform/azure-synapse-link-synapse)

+* Custom partitions for Azure Synapse Link for Azure Cosmos DB in preview [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-november-2021-update/ba-p/3020740#toc-hId--409563090) [article](../cosmos-db/custom-partitioning-analytical-store.md)

+* Spark performance optimizations [blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics/azure-synapse-analytics-october-update/ba-p/2875372#spark-performance)

+### Governance

+[Get started with Azure Synapse Analytics](get-started.md)

+ Title: What's new?

+See below for a recent review of what's new in [Azure Synapse Analytics](overview-what-is.md), and also what features are currently in preview. To follow the latest in Azure Synapse news and features, see the [Azure Synapse Analytics Blog](https://aka.ms/SynapseMonthlyUpdate) and [companion videos on YouTube](https://www.youtube.com/channel/UCsZ4IlYjjVxqe5OZ14tyh5g).

+For older updates, review past [Azure Synapse Analytics Blog](https://aka.ms/SynapseMonthlyUpdate) posts or [previous monthly updates in Azure Synapse Analytics](whats-new-archive.md).

+## Features currently in preview

+The following table lists the features of Azure Synapse Analytics that are currently in preview. Preview features are sorted alphabetically.

+> [!NOTE]

+> Features currently in preview are available under [supplemental terms of use](https://azure.microsoft.com/support/legal/preview-supplemental-terms/), review for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. Azure Synapse Analytics provides previews to give you a chance to evaluate and [share feedback with the product group](https://feedback.azure.com/d365community/forum/9b9ba8e4-0825-ec11-b6e6-000d3a4f07b8) on features before they become generally available (GA).

+| **Feature** | **Learn more**|

+|:-- |:-- |

+| **Azure Synapse Data Explorer** | The [Azure Synapse Data Explorer](./data-explorer/data-explorer-overview.md) provides an interactive query experience to unlock insights from log and telemetry data. Connectors for Azure Data Explorer are available for Synapse Data Explorer. |

+| **Azure Synapse Link to SQL** | Azure Synapse Link is in preview for both SQL Server 2022 and Azure SQL Database. The Azure Synapse Link feature provides low- and no-code, near real-time data replication from your SQL-based operational stores into Azure Synapse Analytics. Provide BI reporting on operational data in near real-time, with minimal impact on your operational store. To learn more, read [Announcing the Public Preview of Azure Synapse Link for SQL](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/announcing-the-public-preview-of-azure-synapse-link-for-sql/ba-p/3372986) and [watch our YouTube video](https://www.youtube.com/embed/pgusZy34-Ek). |

+| **Browse ADLS Gen2 folders in the Azure Synapse Analytics workspace** | You can now browse an Azure Data Lake Storage Gen2 (ADLS Gen2) container or folder in your Azure Synapse Analytics workspace by connecting to a specific container or folder in Synapse Studio. To learn more, see [Browse an ADLS Gen2 folder with ACLs in Azure Synapse Analytics](how-to-access-container-with-access-control-lists.md).|

+| **Custom partitions for Synapse link for Azure Cosmos DB** | Improve query execution times for your Spark queries, by creating custom partitions based on fields frequently used in your queries. To learn more, see [Custom partitioning in Azure Synapse Link for Azure Cosmos DB (Preview)](../cosmos-db/custom-partitioning-analytical-store.md). |

+| **Data flow improvements to Data Preview** | To learn more, see [Data Preview and debug improvements in Mapping Data Flows](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/data-preview-and-debug-improvements-in-mapping-data-flows/ba-p/3268254?wt.mc_id=azsynapseblog_mar2022_blog_azureeng). |

+| **Distribution Advisor**| The Distribution Advisor is a new preview feature in Azure Synapse dedicated SQL pools Gen2 that analyzes queries and recommends the best distribution strategies for tables to improve query performance. For more information, see [Distribution Advisor in Azure Synapse SQL](sql/distribution-advisor.md).|

+| **Distributed Deep Neural Network Training** | Learn more about new distributed training libraries like Horovod, Petastorm, TensorFlow, and PyTorch in [Deep learning tutorials](./machine-learning/concept-deep-learning.md). |

+| **Ingest data from Azure Stream Analytics into Synapse Data Explorer** | You can now use a Streaming Analytics job to collect data from an event hub and send it to your Azure Data Explorer cluster using the Azure portal or an ARM template. For more information on this preview feature, see [Ingest data from Azure Stream Analytics into Azure Data Explorer](/azure/data-explorer/stream-analytics-connector). |

+| **Multi-column distribution in dedicated SQL pools** | You can now Hash Distribute tables on multiple columns for a more even distribution of the base table, reducing data skew over time and improving query performance. For more information on opting-in to the preview, see [CREATE TABLE distribution options](/sql/t-sql/statements/create-table-azure-sql-data-warehouse#TableDistributionOptions) or [CREATE TABLE AS SELECT distribution options](/sql/t-sql/statements/create-table-as-select-azure-sql-data-warehouse#table-distribution-options).|

+| **SAP CDC connector preview** | A new data connector for SAP Change Data Capture (CDC) is now available in preview. For more information, see [Announcing Public Preview of the SAP CDC solution in Azure Data Factory and Azure Synapse Analytics](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/announcing-public-preview-of-the-sap-cdc-solution-in-azure-data/ba-p/3420904) and [SAP CDC solution in Azure Data Factory](/azure/data-factory/sap-change-data-capture-introduction-architecture).|

+| **Spark Delta Lake tables in serverless SQL pools** | The ability to for serverless SQL pools to access Delta Lake tables created in Spark databases is in preview. For more information, see [Azure Synapse Analytics shared metadata tables](metadat).|

+| **Spark elastic pool storage** | Azure Synapse Analytics Spark pools now support elastic pool storage in preview. Elastic pool storage allows the Spark engine to monitor worker nodes temporary storage and attach additional disks if needed. No action is required, and you should see fewer job failures as a result. For more information, see [Blog: Azure Synapse Analytics Spark elastic pool storage is available for public preview](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-august-update-2022/ba-p/3535126#TOCREF_8).|

+| **Spark Optimized Write** | Optimize Write is a Delta Lake on Synapse feature that reduces the number of files written by Apache Spark 3 (3.1 and 3.2) and aims to increase individual file size of the written data. To learn more about the usage scenarios and how to enable this preview feature, read [The need for optimize write on Apache Spark](spark/optimize-write-for-apache-spark.md).|

+| **Time-To-Live in managed virtual network (VNet)** | Reserve compute for the time-to-live (TTL) in managed virtual network TTL period, saving time and improving efficiency. For more information on this preview, see [Announcing public preview of Time-To-Live (TTL) in managed virtual network](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/announcing-public-preview-of-time-to-live-ttl-in-managed-virtual/ba-p/3552879).|

+| **User-Assigned managed identities** | Now you can use user-assigned managed identities in linked services for authentication in Synapse Pipelines and Dataflows.To learn more, see [Credentials in Azure Data Factory and Azure Synapse](../data-factory/credentials.md?context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext&tabs=data-factory).|

+## Generally available features

+The following table lists the features of Azure Synapse Analytics that have transitioned from preview to general availability (GA) within the last 12 months.

+|**Month** | **Feature** | **Learn more**|

+|:-- |:-- | :-- |

+| July 2022 | **Apache Spark&trade; 3.2 on Synapse Analytics** | Apache Spark&trade; 3.2 on Synapse Analytics is now generally available. Review the [official release notes](https://spark.apache.org/releases/spark-release-3-2-0.html) and [migration guidelines between Spark 3.1 and 3.2](https://spark.apache.org/docs/latest/sql-migration-guide.html#upgrading-from-spark-sql-31-to-32) to assess potential changes to your applications. For more details, read [Apache Spark version support and Azure Synapse Runtime for Apache Spark 3.2](./spark/apache-spark-version-support.md). Highlights of what got better in Spark 3.2 in the [Azure Synapse Analytics July Update 2022](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-july-update-2022/ba-p/3535089#TOCREF_1).|

+| July 2022 | **Apache Spark in Azure Synapse Intelligent Cache feature** | Intelligent Cache for Spark automatically stores each read within the allocated cache storage space, detecting underlying file changes and refreshing the files to provide the most recent data. To learn more, see how to [Enable/Disable the cache for your Apache Spark pool](./spark/apache-spark-intelligent-cache-concept.md).|

+| June 2022 | **Map Data tool** | The Map Data tool is a guided process to help you create ETL mappings and mapping data flows from your source data to Synapse without writing code. To learn more about the Map Data tool, read [Map Data in Azure Synapse Analytics](./database-designer/overview-map-data.md).|

+| June 2022 | **User Defined Functions** | User defined functions (UDFs) are now generally available. To learn more, read [User defined functions in mapping data flows](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/introducing-user-defined-functions-preview-for-mapping-data/ba-p/3414628). |

+| May 2022 | **Azure Synapse Data Explorer connector for Power Automate, Logic Apps, and Power Apps** | The Azure Data Explorer connector for Power Automate enables you to orchestrate and schedule flows, send notifications, and alerts, as part of a scheduled or triggered task. To learn more, read [Azure Data Explorer connector for Microsoft Power Automate](/data-explorer/flow) and [Usage examples for Azure Data Explorer connector to Power Automate](/azure/data-explorer/flow-usage). |

+| April 2022 | **Cross-subscription restore for Azure Synapse SQL** | With the PowerShell `Az.Sql` module 3.8 update, the [Restore-AzSqlDatabase](/powershell/module/az.sql/restore-azsqldatabase) cmdlet can be used for cross-subscription restore of dedicated SQL pools. To learn more, see [Blog: Restore a dedicated SQL pool (formerly SQL DW) to a different subscription](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-april-update-2022/ba-p/3280185). This feature is now generally available for dedicated SQL pools (formerly SQL DW) and dedicated SQL pools in a Synapse workspace. [What's the difference?](https://aka.ms/dedicatedSQLpooldiff) |

+| April 2022 | **Database Designer** | The database designer allows users to visually create databases within Synapse Studio without writing a single line of code. For more information, see [Announcing General Availability of Database Designer](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/announcing-general-availability-of-database-designer-amp/ba-p/3294234). Read more about [lake databases](database-designer/concepts-lake-database.md) and learn [How to modify an existing lake database using the database designer](database-designer/modify-lake-database.md).|

+| April 2022 | **Database Templates** | New industry-specific database templates were introduced in the [Synapse Database Templates General Availability blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/synapse-database-templates-general-availability-and-new-synapse/ba-p/3289790). Learn more about [Database templates](database-designer/concepts-database-templates.md) and [the improved exploration experience](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-april-update-2022/ba-p/3295633#TOCREF_5).|

+| April 2022 | **Synapse Monitoring Operator RBAC role** | The Synapse Monitoring Operator RBAC (role-based access control) role allows a user persona to monitor the execution of Synapse Pipelines and Spark applications without having the ability to run or cancel the execution of these applications. For more information, review the [Synapse RBAC Roles](security/synapse-workspace-synapse-rbac-roles.md).|

+| March 2022 | **Flowlets** | Flowlets help you design portions of new data flow logic, or to extract portions of an existing data flow, and save them as separate artifact inside your Synapse workspace. Then, you can reuse these Flowlets can inside other data flows. To learn more, review the [Flowlets GA announcement blog post](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/flowlets-and-change-feed-now-ga-in-azure-data-factory/ba-p/3267450) and read [Flowlets in mapping data flow](../data-factory/concepts-data-flow-flowlet.md). |

+| March 2022 | **Change Feed connectors** | Changed data capture (CDC) feed data flow source transformations for Cosmos DB, Azure Blob Storage, ADLS Gen1, ADLS Gen2, and Common Data Model (CDM) are now generally available. By simply checking a box, you can tell ADF to manage a checkpoint automatically for you and only read the latest rows that were updated or inserted since the last pipeline run. To learn more, review the [Change Feed connectors GA preview blog post](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/flowlets-and-change-feed-now-ga-in-azure-data-factory/ba-p/3267450) and read [Copy and transform data in Azure Data Lake Storage Gen2 using Azure Data Factory or Azure Synapse Analytics](../data-factory/connector-azure-data-lake-storage.md).|

+| March 2022 | **Column level encryption for dedicated SQL pools** | [Column level encryption](/sql/relational-databases/security/encryption/encrypt-a-column-of-data?view=azure-sqldw-latest&preserve-view=true) is now generally available for use on new and existing Azure SQL logical servers with Azure Synapse dedicated SQL pools, as well as the dedicated SQL pools in Azure Synapse workspaces. SQL Server Data Tools (SSDT) support for column level encryption for the dedicated SQL pools is available starting with the 17.2 Preview 2 build of Visual Studio 2022. |

+| March 2022 | **Synapse Spark Common Data Model (CDM) connector** | The CDM format reader/writer enables a Spark program to read and write CDM entities in a CDM folder via Spark dataframes. To learn more, see [how the CDM connector supports reading, writing data, examples, & known issues](./spark/data-sources/apache-spark-cdm-connector.md). |

+| November 2021 | **PREDICT** | The T-SQL [PREDICT](/sql/t-sql/queries/predict-transact-sql) syntax is now generally available for dedicated SQL pools. Get started with the [Machine learning model scoring wizard for dedicated SQL pools](./machine-learning/tutorial-sql-pool-model-scoring-wizard.md).|

+| October 2021 | **Synapse RBAC Roles** | [Synapse role-based access control (RBAC) roles are now generally available](https://techcommunity.microsoft.com/t5/azure-synapse-analytics/azure-synapse-analytics-october-update/ba-p/2875372#synapse-rbac). Learn more about [Synapse RBAC roles](./security/synapse-workspace-synapse-rbac-roles.md) and [Azure Synapse role-based access control (RBAC) using PowerShell](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/retrieve-azure-synapse-role-based-access-control-rbac/ba-p/3466419#:~:text=Synapse%20RBAC%20is%20used%20to%20manage%20who%20can%3A,job%20execution%2C%20review%20job%20output%2C%20and%20execution%20logs.).|

+## Community

+This section summarizes new Azure Synapse Analytics community opportunities and the [Azure Synapse Influencers program](https://aka.ms/synapseinfluencers) from Microsoft. Follow us on our [@Azure_Synapse](https://twitter.com/Azure_Synapse/) Twitter account or [#AzureSynapse](https://twitter.com/hashtag/AzureSynapse?src=hashtag_click) for announcements on upcoming Azure Synapse Influencer events in the coming weeks.

+|**Month** | **Feature** | **Learn more**|

+|:-- |:-- | :-- |

+| May 2022 | **Azure Synapse influencer program** | Sign up for our free [Azure Synapse Influencers program](https://aka.ms/synapseinfluencers) and get connected with a community of Synapse-users who are dedicated to helping others achieve more with cloud analytics. Register now for our next [Synapse Influencers Ask the Experts session](https://aka.ms/synapseinfluencers/#events). It's free to attend and everyone is welcome to participate and join the discussion on Synapse-related topics. You can [watch past recorded Ask the Experts events](https://aka.ms/ATE-RecordedSessions) on the [Azure Synapse YouTube channel](https://www.youtube.com/channel/UCsZ4IlYjjVxqe5OZ14tyh5g). |

+| March 2022 | **Azure Synapse Analytics and Microsoft MVP YouTube video series** | A joint activity with the Azure Synapse product team and the Microsoft MVP community, a new [YouTube MVP Video Series about the Azure Synapse features](https://www.youtube.com/playlist?list=PLzUAjXZBFU9MEK2trKw_PGk4o4XrOzw4H) has launched. See more at the [Azure Synapse Analytics YouTube channel](https://www.youtube.com/channel/UCsZ4IlYjjVxqe5OZ14tyh5g).|

+## Apache Spark for Azure Synapse Analytics

+This section summarizes recent new features and capabilities of [Apache Spark for Azure Synapse Analytics](spark/apache-spark-overview.md).

+|**Month** | **Feature** | **Learn more**|

+|:-- |:-- | :-- |

+| September 2022 | **New query optimization techniques in Apache Spark for Azure Synapse Analytics** | Read the [findings from Microsoft's work](https://vldb.org/pvldb/vol15/p936-rajan.pdf) to gain considerable performance benefits across the board on the reference TPC-DS workload as well as a significant reduction in query plan generation time. |

+| August 2022 | **Spark elastic pool storage** | Azure Synapse Analytics Spark pools now support elastic pool storage in preview. Elastic pool storage allows the Spark engine to monitor worker nodes temporary storage and attach additional disks if needed. No action is required, and you should see fewer job failures as a result. For more information, see [Blog: Azure Synapse Analytics Spark elastic pool storage is available for public preview](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-august-update-2022/ba-p/3535126#TOCREF_8).|

+| August 2022 | **Spark Optimized Write** | Optimize Write is a Delta Lake on Synapse preview feature that reduces the number of files written by Apache Spark 3 (3.1 and 3.2) and aims to increase individual file size of the written data. To learn more, see [The need for optimize write on Apache Spark](spark/optimize-write-for-apache-spark.md).|

+| July 2022 | **Apache Spark 2.4 enters retirement lifecycle** | With the general availability of the Apache Spark 3.2 runtime, the Azure Synapse runtime for Apache Spark 2.4 enters a 12-month retirement cycle. You should relocate your workloads to the newer Apache Spark 3.2 runtime within this period. Read more at [Apache Spark runtimes in Azure Synapse](spark/apache-spark-version-support.md).|

+| May 2022 | **Azure Synapse dedicated SQL pool connector for Apache Spark now available in Python** | Previously, the [Azure Synapse Dedicated SQL Pool Connector for Apache Spark](./spark/synapse-spark-sql-pool-import-export.md) was only available using Scala. Now, [the dedicated SQL pool connector for Apache Spark can be used with Python on Spark 3](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-may-update-2022/ba-p/3430970#TOCREF_6). |

+| May 2022 | **Manage Azure Synapse Apache Spark configuration** | With the new [Apache Spark configurations](./spark/apache-spark-azure-create-spark-configuration.md) feature, you can create a standalone Spark configuration artifact with auto-suggestions and built-in validation rules. The Spark configuration artifact allows you to share your Spark configuration within and across Azure Synapse workspaces. You can also easily associate your Spark configuration with a Spark pool, a Notebook, and a Spark job definition for reuse and minimize the need to copy the Spark configuration in multiple places. |

+| April 2022 | **Apache Spark 3.2 on Synapse Analytics** | Apache Spark 3.2 on Synapse Analytics with preview availability. Review the [official Spark 3.2 release notes](https://spark.apache.org/releases/spark-release-3-2-0.html) and [migration guidelines between Spark 3.1 and 3.2](https://spark.apache.org/docs/latest/sql-migration-guide.html#upgrading-from-spark-sql-31-to-32) to assess potential changes to your applications. For more details, read [Apache Spark version support and Azure Synapse Runtime for Apache Spark 3.2](./spark/apache-spark-version-support.md). |

+| April 2022 | **Parameterization for Spark job definition** | You can now assign parameters dynamically based on variables, metadata, or specifying Pipeline specific parameters for the Spark job definition activity. For more details, read [Transform data using Apache Spark job definition](quickstart-transform-data-using-spark-job-definition.md#settings-tab). |

+| April 2022 | **Spark notebook snapshot** | You can access a snapshot of the Notebook when there is a Pipeline Notebook run failure or when there is a long-running Notebook job. To learn more, read [Transform data by running a Synapse notebook](synapse-notebook-activity.md?tabs=classical#see-notebook-activity-run-history) and [Introduction to Microsoft Spark utilities](./spark/microsoft-spark-utilities.md?pivots=programming-language-scala#reference-a-notebook-1). |

+| March 2022 | **Synapse Spark Common Data Model (CDM) connector** | The CDM format reader/writer enables a Spark program to read and write CDM entities in a CDM folder via Spark dataframes. To learn more, see [how the CDM connector supports reading, writing data, examples, & known issues](./spark/data-sources/apache-spark-cdm-connector.md). |

+| March 2022 | **Performance optimization for Synapse Spark dedicated SQL pool connector** | New improvements to the [Azure Synapse Dedicated SQL Pool Connector for Apache Spark](spark/synapse-spark-sql-pool-import-export.md) reduce data movement and leverage `COPY INTO`. Performance tests indicated at least ~5x improvement over the previous version. No action is required from the user to leverage these enhancements. For more information, see [Blog: Synapse Spark Dedicated SQL Pool (DW) Connector: Performance Improvements](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-march-update-2022/ba-p/3269194#TOCREF_10).|

+| March 2022 | **Support for all Spark Dataframe SaveMode choices** | The [Azure Synapse Dedicated SQL Pool Connector for Apache Spark](spark/synapse-spark-sql-pool-import-export.md) now supports all four Spark Dataframe SaveMode choices: Append, Overwrite, ErrorIfExists, Ignore. For more information on Spark SaveMode, read the [official Apache Spark documentation](https://spark.apache.org/docs/1.6.0/api/java/org/apache/spark/sql/SaveMode.html?wt.mc_id=azsynapseblog_mar2022_blog_azureeng). |

+| March 2022 | **Apache Spark in Azure Synapse Analytics Intelligent Cache feature** | Intelligent Cache for Spark automatically stores each read within the allocated cache storage space, detecting underlying file changes and refreshing the files to provide the most recent data. To learn more on this preview feature, see how to [Enable/Disable the cache for your Apache Spark pool](./spark/apache-spark-intelligent-cache-concept.md) or see the [blog post](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-march-update-2022/ba-p/3269194#TOCREF_12).|

+This section summarizes recent new features and capabilities of Azure Synapse Analytics data integration. Learn how to [Load data into Azure Synapse Analytics using Azure Data Factory (ADF) or a Synapse pipeline](../data-factory/load-azure-sql-data-warehouse.md).

+|**Month** | **Feature** | **Learn more**|

+|:-- |:-- | :-- |

+| August 2022 | **Mapping data flows now support visual Cast transformation** | You can [use the cast transformation](/azure/data-factory/data-flow-cast) to easily modify the data types of individual columns in a data flow. |

+| August 2022 | **Default activity timeout changed to 12 hours** | The [default activity timeout is now 12 hours](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/azure-data-factory-changing-default-pipeline-activity-timeout/ba-p/3598729). |

+| August 2022 | **Pipeline expression builder ease-of-use enhancements** | We've [updated our expression builder UI to make pipeline designing easier](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/coming-soon-to-adf-more-pipeline-expression-builder-ease-of-use/ba-p/3567196). |

+| August 2022 | **New UI for mapping dataflow inline dataset types**| We've updated our data flow source UI to [make it easier to find your inline dataset type](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-august-update-2022/ba-p/3535126#TOCREF_21).|

+| July 2022 | **Time-To-Live in managed virtual network (VNet)** | Reserve compute for the time-to-live (TTL) in managed virtual network TTL period, saving time and improving efficiency. For more information on this preview, see [Announcing public preview of Time-To-Live (TTL) in managed virtual network](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/announcing-public-preview-of-time-to-live-ttl-in-managed-virtual/ba-p/3552879).|

+| June 2022 | **SAP CDC connector preview** | A new data connector for SAP Change Data Capture (CDC) is now available in preview. For more information, see [Announcing Public Preview of the SAP CDC solution in Azure Data Factory and Azure Synapse Analytics](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/announcing-public-preview-of-the-sap-cdc-solution-in-azure-data/ba-p/3420904) and [SAP CDC solution in Azure Data Factory](/azure/data-factory/sap-change-data-capture-introduction-architecture).|

+| June 2022 | **Fuzzy join option in Join Transformation** | Use fuzzy matching with a similarity threshold score slider has been added to the [Join transformation in Mapping Data Flows](../data-factory/data-flow-join.md). |

+| June 2022 | **Map Data tool GA** | We're excited to announce that the [Map Data tool](./database-designer/overview-map-data.md) is now Generally Available. The Map Data tool is a guided process to help you create ETL mappings and mapping data flows from your source data to Synapse without writing code. |

+| June 2022 | **Rerun pipeline with new parameters** | You can now change pipeline parameters when rerunning a pipeline from the Monitoring page without having to return to the pipeline editor. To learn more, read [Rerun pipelines and activities](../data-factory/monitor-visually.md#rerun-pipelines-and-activities).|

+| June 2022 | **User Defined Functions GA** | [User defined functions (UDFs) in mapping data flows](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/introducing-user-defined-functions-preview-for-mapping-data/ba-p/3414628) are now generally available (GA). |

+| May 2022 | **Export pipeline monitoring as a CSV** | The ability to [export pipeline monitoring to CSV and other monitoring improvements](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/adf-monitoring-improvements/ba-p/3295531) have been introduced to ADF. |

+| May 2022 | **Automatic incremental source data loading from PostgreSQL and MySQL** | Automatic [incremental source data loading from PostgreSQL and MySQL](/azure/data-factory/tutorial-incremental-copy-overview) to Synapse SQL and Azure Database is now natively available in ADF. |

+| May 2022 | **Assert transformation error handling** | Error handling has now been added to sinks following an [assert transformation in mapping data flow](/azure/data-factory/data-flow-assert). You can now choose whether to output the failed rows to the selected sink or to a separate file. |

+| May 2022 | **Mapping data flows projection editing** | In mapping data flows, you can now [update source projection column names and column types](/azure/data-factory/data-flow-source). |

+| April 2022 | **Dataverse connector for Synapse Data Flows** | Dataverse is now a source and sink connector to Synapse Data Flows. You can [Copy and transform data from Dynamics 365 (Microsoft Dataverse) or Dynamics CRM using Azure Data Factory or Azure Synapse Analytics](/azure/data-factory/connector-dynamics-crm-office-365?tabs=data-factory).|

+| April 2022 | **Configurable Synapse Pipelines Web activity response timeout** | With the response timeout property `httpRequestTimeout`, you can [define a timeout for the HTTP request up to 10 minutes](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/web-activity-response-timeout-improvement/ba-p/3260307). Web activities work exceptionally well with APIs that follow [the asynchronous request-reply pattern](/azure/architecture/patterns/async-request-reply), a suggested approach for building scalable web APIs/services. |

+| March 2022 | **sFTP connector for Synapse data flows** | A native sftp connector in Synapse data flows is supported to read and write data from sFTP using the visual low-code data flows interface in Synapse. To learn more, see [Copy and transform data in SFTP server using Azure Data Factory or Azure Synapse Analytics](../data-factory/connector-sftp.md).|

+| March 2022 | **Data flow improvements to Data Preview** | Review features added to the [Data Preview and debug improvements in Mapping Data Flows](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/data-preview-and-debug-improvements-in-mapping-data-flows/ba-p/3268254?wt.mc_id=azsynapseblog_mar2022_blog_azureeng). |

+| March 2022 | **Pipeline script activity** | You can now [Transform data by using the Script activity](/azure/data-factory/transform-data-using-script) to invoke SQL commands to perform both DDL and DML. |

+| December 2021 | **Custom partitions for Synapse link for Azure Cosmos DB** | Improve query execution times for your Spark queries, by creating custom partitions based on fields frequently used in your queries. To learn more, see [Custom partitioning in Azure Synapse Link for Azure Cosmos DB (Preview)](../cosmos-db/custom-partitioning-analytical-store.md). |

+## Database Templates & Database Designer

+This section summarizes recent new features and capabilities of [database templates](./database-designer/overview-database-templates.md) and [the database designer](database-designer/quick-start-create-lake-database.md).

+|**Month** | **Feature** | **Learn more**|

+|:-- |:-- | :-- |

+| July 2022 | **Browse industry templates** | Browse industry templates and add tables to create your own lake database. Learn more about [ways you can browse industry templates](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/ways-you-can-browse-industry-templates-and-add-tables-to-create/ba-p/3495011) and get started with [Quickstart: Create a new lake database leveraging database templates](database-designer/quick-start-create-lake-database.md).|

+| April 2022 | **Database Designer** | The database designer allows users to visually create databases within Synapse Studio without writing a single line of code. For more information, see [Announcing General Availability of Database Designer](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/announcing-general-availability-of-database-designer-amp/ba-p/3294234). Read more about [lake databases](database-designer/concepts-lake-database.md) and learn [How to modify an existing lake database using the database designer](database-designer/modify-lake-database.md).|

+| April 2022 | **Database Templates** | New industry-specific database templates were introduced in the [Synapse Database Templates General Availability blog](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/synapse-database-templates-general-availability-and-new-synapse/ba-p/3289790). Learn more about [Database templates](database-designer/concepts-database-templates.md) and [the improved exploration experience](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-april-update-2022/ba-p/3295633#TOCREF_5).|

+| April 2022 | **Clone lake database** | In Synapse Studio, you can now clone a database using the action menu available on the lake database. To learn more, read [How-to: Clone a lake database](./database-designer/clone-lake-database.md). |

+| April 2022 | **Use wildcards to specify custom folder hierarchies** | Lake databases sit on top of data that is in the lake and this data can live in nested folders that don't fit into clean partition patterns. You can now use wildcards to specify custom folder hierarchies. To learn more, read [How-to: Modify a datalake](./database-designer/modify-lake-database.md). |

+| January 2022 | **New database templates** | Learn more about new industry-specific [Automotive, Genomics, Manufacturing, and Pharmaceuticals templates](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/four-additional-azure-synapse-database-templates-now-available/ba-p/3058044) and get started with [database templates](./database-designer/overview-database-templates.md) in the Synapse Studio gallery. |

+## Developer experience

+This section summarizes recent new quality of life and feature improvements for [developers in Azure Synapse Analytics](sql/develop-overview.md).

+|**Month** | **Feature** | **Learn more**|

+|:-- |:-- | :-- |

+| July 2022 | **Synapse Notebooks compatibility with IPython** | The official kernel for Jupyter notebooks is IPython and it is now supported in Synapse Notebooks. For more information, see [Synapse Notebooks is now fully compatible with IPython](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-july-update-2022/ba-p/3535089#TOCREF_14).|

+| July 2022 | **Mssparkutils now has spark.stop() method** | A new API `mssparkutils.session.stop()` has been added to the mssparkutils package. This feature becomes handy when there are multiple sessions running against the same Spark pool. The new API is available for Scala and Python. To learn more, see [Stop an interactive session](spark/microsoft-spark-utilities.md#stop-an-interactive-session).|

+| May 2022 | **Updated Azure Synapse Analyzer Report** | Learn about the new features in [version 2.0 of the Synapse Analyzer report](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/updated-synapse-analyzer-report-workload-management-and-ability/ba-p/3580269).|

+| April 2022 | **Azure Synapse Analyzer Report** | The [Azure Synapse Analyzer Report](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analyzer-report-to-monitor-and-improve-azure/ba-p/3276960) helps you identify common issues that may be present in your database that can lead to performance issues.|

+| April 2022 | **Reference unpublished notebooks** | Now, when using %run notebooks, you can [enable 'unpublished notebook reference'](spark/apache-spark-development-using-notebooks.md#reference-unpublished-notebook), which will allow you to reference unpublished notebooks. When enabled, notebook run will fetch the current contents in the notebook web cache, meaning the changes in your notebook editor can be referenced immediately by other notebooks without having to be published (Live mode) or committed (Git mode). |

+| March 2022 | **Code cells with exception to show standard output**| Now in Synapse notebooks, both standard output and exception messages are shown when a code statement fails for Python and Scala languages. For examples, see [Synapse notebooks: Code cells with exception to show standard output](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-march-update-2022/ba-p/3269194#TOCREF_1).|

+| March 2022 | **Partial output is available for running notebook code cells** | Now in Synapse notebooks, you can see anything you write (with `println` commands, for example) as the cell executes, instead of waiting until it ends. For examples, see [Synapse notebooks: Partial output is available for running notebook code cells ](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-march-update-2022/ba-p/3269194#TOCREF_1).|

+| March 2022 | **Dynamically control your Spark session configuration with pipeline parameters** | Now in Synapse notebooks, you can use pipeline parameters to configure the session with the notebook %%configure magic. For examples, see [Synapse notebooks: Dynamically control your Spark session configuration with pipeline parameters](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-march-update-2022/ba-p/3269194#TOCREF_2).|

+| March 2022 | **Reuse and manage notebook sessions** | Now in Synapse notebooks, it is easy to reuse an active session conveniently without having to start a new one and to see and manage your active sessions in the **Active sessions** list. To view your sessions, select the 3 dots in the notebook and select **Manage sessions.** For examples, see [Synapse notebooks: Reuse and manage notebook sessions](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-march-update-2022/ba-p/3269194#TOCREF_3).|

+| March 2022 | **Support for Python logging** | Now in Synapse notebooks, anything written through the Python logging module is captured, in addition to the driver logs. For examples, see [Synapse notebooks: Support for Python logging](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-march-update-2022/ba-p/3269194#TOCREF_4).|

+## Machine Learning

+This section summarizes recent new features and improvements to using machine learning models in Azure Synapse Analytics.

+|**Month** | **Feature** | **Learn more**|

+|:-- |:-- | :-- |

+| August 2022 | **SynapseML v.0.10.0** | New [release of SynapseML v0.10.0](https://github.com/microsoft/SynapseML/releases/tag/v0.10.0) (previously MMLSpark), an open-source library that aims to simplify the creation of massively scalable machine learning pipelines. Learn more about the [latest additions to SynapseML](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/exciting-new-release-of-synapseml/ba-p/3589606) and get started with [SynapseML](https://aka.ms/spark).|

+| August 2022 | **.NET support** | SynapseML v0.10 [adds full support for .NET languages](https://devblogs.microsoft.com/dotnet/announcing-synapseml-for-dotnet/) like C# and F#. For a .NET SynapseML example, see [.NET Example with LightGBMClassifier](https://microsoft.github.io/SynapseML/docs/getting_started/dotnet_example/).|

+| August 2022 | **Azure Open AI Service support** | SynapseML now allows users to tap into 175-Billion parameter language models (GPT-3) from OpenAI that can generate and complete text and code near human parity. For more information, see [Azure OpenAI for Big Data](https://microsoft.github.io/SynapseML/docs/features/cognitive_services/CognitiveServices%20-%20OpenAI/).|

+| August 2022 | **MLflow platform support** | SynapseML models now integrate with [MLflow](https://microsoft.github.io/SynapseML/docs/mlflow/introduction/) with full support for saving, loading, deployment, and [autologging](https://microsoft.github.io/SynapseML/docs/mlflow/autologging/).|

+| August 2022 | **SynapseML in Binder** | We know that Spark can be intimidating for first users but fear not because with the technology Binder, you can [explore and experiment with SynapseML in Binder](https://mybinder.org/v2/gh/microsoft/SynapseML/93d7ccf?labpath=notebooks%2Ffeatures) with zero setup, install, infrastructure, or Azure account required.|

+| June 2022 | **Distributed Deep Neural Network Training (preview)** | The Azure Synapse runtime also includes supporting libraries like Petastorm and Horovod, which are commonly used for distributed training. This feature is currently available in preview. The Azure Synapse Analytics runtime for Apache Spark 3.1 and 3.2 also now includes support for the most common deep learning libraries like TensorFlow and PyTorch. To learn more about how to leverage these libraries within your Azure Synapse Analytics GPU-accelerated pools, read the [Deep learning tutorials](./machine-learning/concept-deep-learning.md). |

+| November 2021 | **PREDICT** | The T-SQL [PREDICT](/sql/t-sql/queries/predict-transact-sql) syntax is now generally available for dedicated SQL pools. Get started with the [Machine learning model scoring wizard for dedicated SQL pools](./machine-learning/tutorial-sql-pool-model-scoring-wizard.md).|

+## Samples and guidance

+This section summarizes new guidance and sample project resources for Azure Synapse Analytics.

+|**Month** | **Feature** | **Learn more**|

+|:-- |:-- | :-- |

+| September 2022 | **Azure Synapse Customer Success Engineering blog series** | The new [Azure Synapse Customer Success Engineering blog series](https://aka.ms/synapsecseblog) launches with a detailed introduction to [Building the Lakehouse - Implementing a Data Lake Strategy with Azure Synapse](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/building-the-lakehouse-implementing-a-data-lake-strategy-with/ba-p/3612291).|

+| June 2022 | **Azure Orbital analytics with Synapse Analytics** | We now offer an [Azure Orbital analytics sample solution](https://github.com/Azure/Azure-Orbital-Analytics-Samples) showing an end-to-end implementation of extracting, loading, transforming, and analyzing spaceborne data by using geospatial libraries and AI models with Azure Synapse Analytics. The sample solution also demonstrates how to integrate geospatial-specific [Azure Cognitive Services](../cognitive-services/index.yml) models, AI models from partners, and bring-your-own-data models. |

+| June 2022 | **Migration guides for Oracle** | A new Microsoft-authored migration guide for Oracle to Azure Synapse Analytics is now available. [Design and performance for Oracle migrations](migration-guides/oracle/1-design-performance-migration.md). |

+| June 2022 | **Azure Synapse success by design** | The [Azure Synapse proof of concept playbook](./guidance/proof-of-concept-playbook-overview.md) provides a guide to scope, design, execute, and evaluate a proof of concept for SQL or Spark workloads. |

+| June 2022 | **Migration guides for Teradata** | A new Microsoft-authored migration guide for Teradata to Azure Synapse Analytics is now available. [Design and performance for Teradata migrations](migration-guides/teradat). |

+| June 2022 | **Migration guides for IBM Netezza** | A new Microsoft-authored migration guide for IBM Netezza to Azure Synapse Analytics is now available. [Design and performance for IBM Netezza migrations](migration-guides/netezz). |

+## Security

+This section summarizes recent new security features and settings in Azure Synapse Analytics.

+|**Month** | **Feature** | **Learn more**|

+|:-- |:-- | :-- |

+| August 2022 | **Execute Azure Synapse Spark Notebooks with system-assigned managed identity** | You can [now execute Spark Notebooks with the system-assigned managed identity (or workspace managed identity)](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-august-update-2022/ba-p/3535126#TOCREF_30) by enabling *Run as managed identity* from the **Configure** session menu. With this feature, you will be able to validate that your notebook works as expected when using the system-assigned managed identity, before using the notebook in a pipeline. For more information, see [Managed identity for Azure Synapse](synapse-service-identity.md).|

+| July 2022 | **Changes to permissions needed for publishing to Git** | Now, only Git permissions and the Synapse Artifact Publisher (Synapse RBAC) role are needed to commit changes in Git-mode. For more information, see [Access control enforcement in Synapse Studio](security/synapse-workspace-access-control-overview.md#access-control-enforcement-in-synapse-studio).|

+| April 2022 | **Synapse Monitoring Operator RBAC role** | The Synapse Monitoring Operator role-based access control (RBAC) role allows a user persona to monitor the execution of Synapse Pipelines and Spark applications without having the ability to run or cancel the execution of these applications. For more information, review the [Synapse RBAC Roles](security/synapse-workspace-synapse-rbac-roles.md).|

+| March 2022 | **Enforce minimal TLS version** | You can now raise or lower the minimum TLS version for dedicated SQL pools in Synapse workspaces. To learn more, see [Azure SQL connectivity settings](/sql/azure-sql/database/connectivity-settings#minimal-tls-version). The [workspace managed SQL API](/rest/api/synapse/sqlserver/workspace-managed-sql-server-dedicated-sql-minimal-tls-settings/update) can be used to modify the minimum TLS settings.|

+| March 2022 | **Azure Synapse Analytics now supports Azure Active Directory (Azure AD) only authentication** | You can now use Azure Active Directory authentication to centrally manage access to all Azure Synapse resources, including SQL pools. You can [disable local authentication](sql/active-directory-authentication.md#disable-local-authentication) upon creation or after a workspace is created through the Azure portal.|

+| December 2021 | **User-Assigned managed identities** | Now you can use user-assigned managed identities in linked services for authentication in Synapse Pipelines and Dataflows. To learn more, see [Credentials in Azure Data Factory and Azure Synapse](../data-factory/credentials.md?context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext&tabs=data-factory).|

+| December 2021 | **Browse ADLS Gen2 folders in the Azure Synapse Analytics workspace** | You can now [browse and secure an Azure Data Lake Storage Gen2 (ADLS Gen2) container or folder](how-to-access-container-with-access-control-lists.md) in your Azure Synapse Analytics workspace by connecting to a specific container or folder in Synapse Studio.|

+| December 2021 | **TLS 2.1 enforced for new Synapse Workspaces** | Starting in December 2021, [a requirement for TLS 1.2](security/connectivity-settings.md#minimal-tls-version) has been implemented for new Synapse Workspaces only. |

+## Azure Synapse Data Explorer (preview)

+Azure Data Explorer (ADX) is a fast and highly scalable data exploration service for log and telemetry data. It offers ingestion from Event Hubs, IoT Hubs, blobs written to blob containers, and Azure Stream Analytics jobs. This section summarizes recent new features and capabilities of [the Azure Synapse Data Explorer](data-explorer/data-explorer-overview.md) and [the Kusto Query Language (KQL)](/azure/data-explorer/kusto/query/). Read more about [What is the difference between Azure Synapse Data Explorer and Azure Data Explorer? (Preview)](data-explorer/data-explorer-compare.md)

+|**Month** | **Feature** | **Learn more**|

+|:-- |:-- | :-- |

+| August 2022 | **Free cluster upgrade option** | You can now [upgrade your Azure Data Explorer free cluster to a full cluster](/azure/data-explorer/start-for-free-upgrade) that removes the storage limitation allowing you more capacity to grow your data. |

+| August 2022 | **Analyze fresh ADX data from Excel pivot table** | Now you can [Use fresh and unlimited volume of ADX data (Kusto) from your favorite analytic tool, Excel pivot tables](https://techcommunity.microsoft.com/t5/azure-data-explorer-blog/use-fresh-and-unlimited-volume-of-adx-data-kusto-from-your/ba-p/3588894). MDX queries generated by the Pivot code, will find their way to the Kusto backend as KQL statements that will aggregate the data as needed by the pivot and back to Excel.|

+| August 2022 | **Query results - color by value** | Highlight unique data at-a-glance in query results to visually group rows that share identical values for a specific column. Use **Explore results** and **Color by value** to [apply color to rows based on the selected column](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-august-update-2022/ba-p/3535126#TOCREF_14).|

+| August 2022 | **Web explorer - crosshair support for charts** | The `ysplit` property now supports [the crosshair visual](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-august-update-2022/ba-p/3535126#TOCREF_15) (vertical lines that move along the mouse pointer) for many charts. |

+| July 2022 | **Ingest data from Azure Stream Analytics into Synapse Data Explorer (Preview)** | You can now use a Streaming Analytics job to collect data from an event hub and send it to your Azure Data Explorer cluster using the Azure portal or an ARM template. For more information, see [Ingest data from Azure Stream Analytics into Azure Data Explorer](/azure/data-explorer/stream-analytics-connector). |

+| July 2022 | **Render charts for each y column** | Synapse Web Data Explorer now supports rendering charts for each y column. For an example, see the [Azure Synapse Analytics July Update 2022](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-july-update-2022/ba-p/3535089#TOCREF_6).|

+| June 2022 | **Web Explorer new homepage** | The new Azure Synapse [Web Explorer homepage](https://dataexplorer.azure.com/home) makes it even easier to get started with Synapse Web Explorer. |

+| June 2022 | **Web Explorer sample gallery** | The [Web Explorer sample gallery]((https://techcommunity.microsoft.com/t5/azure-data-explorer-blog/azure-data-explorer-in-60-minutes-with-the-new-samples-gallery/ba-p/3447552) provides end-to-end samples of how customers leverage Synapse Data Explorer popular use cases such as Logs Data, Metrics Data, IoT data and Basic big data examples. |

+| June 2022 | **Web Explorer dashboards drill through capabilities** | You can now [use drillthroughs as parameters in your Synapse Web Explorer dashboards](/azure/data-explorer/dashboard-parameters#use-drillthroughs-as-dashboard-parameters). |

+| June 2022 | **Time Zone settings for Web Explorer** | The [Time Zone settings of the Web Explorer](/azure/data-explorer/web-query-data#change-datetime-to-specific-time-zone) now apply to both the Query results and to the Dashboard. By changing the time zone, the dashboards will be automatically refreshed to present the data with the selected time zone. |

+| May 2022 | **Synapse Data Explorer live query in Excel** | Using the [new Data Explorer web experience Open in Excel feature](https://techcommunity.microsoft.com/t5/azure-data-explorer-blog/open-live-kusto-query-in-excel/ba-p/3198500), you can now provide access to live results of your query by sharing the connected Excel Workbook with colleagues and team members. You can open the live query in an Excel Workbook and refresh it directly from Excel to get the most up to date query results. To create an Excel Workbook connected to Synapse Data Explorer, [start by running a query in the Web experience](https://aka.ms/adx.help.livequery). |

+| May 2022 | **Use Managed Identities for external SQL Server tables** | With Managed Identity support, Synapse Data Explorer table definition is now simpler and more secure. You can now [use managed identities](/azure/data-explorer/managed-identities-overview) instead of entering in your credentials. To learn more about external tables, read [Create and alter SQL Server external tables](/azure/data-explorer/kusto/management/external-sql-tables).|

+| May 2022 | **Azure Synapse Data Explorer connector for Microsoft Power Automate, Logic Apps, and Power Apps** | New Azure Data Explorer connectors for Power Automate are generally available (GA). To learn more, read [Azure Data Explorer connector for Microsoft Power Automate](/azure/data-explorer/flow), the [Microsoft Logic App and Azure Data Explorer](/azure/data-explorer/kusto/tools/logicapps), and the ability to [Create Power Apps application to query data in Azure Data Explorer](/azure/data-explorer/power-apps-connector). |

+| May 2022 | **Dynamic events routing from event hub to multiple databases** | We now support [routing events data from Azure Event Hub/Azure IoT Hub/Azure Event Grid to multiple databases](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-may-update-2022/ba-p/3430970#TOCREF_15) hosted in a single ADX cluster. To learn more about dynamic routing, read [Ingest from event hub](/azure/data-explorer/ingest-data-event-hub-overview#events-routing). |

+| May 2022 | **Configure a database using a KQL inline script as part of JSON ARM deployment template** | Running a [Kusto Query Language (KQL) script to configure your database](/azure/data-explorer/database-script) can now be done using an inline script provided inline as a parameter to a JSON ARM template. |

+## Azure Synapse Link

+Azure Synapse Link is an automated system for replicating data from [SQL Server or Azure SQL Database](synapse-link/sql-synapse-link-overview.md), [Cosmos DB](/azure/cosmos-db/synapse-link?context=/azure/synapse-analytics/context/context), or [Dataverse](/power-apps/maker/data-platform/export-to-data-lake?context=%2Fazure%2Fsynapse-analytics%2Fcontext%2Fcontext) into Azure Synapse Analytics. This section summarizes recent news about the Azure Synapse Link feature.

+|**Month** | **Feature** | **Learn more**|

+|:-- |:-- | :-- |

+| July 2022 | **Batch mode** | Decide between cost and latency in Azure Synapse Link to SQL by selecting *continuous* or *batch* mode to replicate your data. Batch mode allows you to save even more on costs by only paying for ingestion service during the batch loads instead of it being continuously on. You can select between 20 and 60 minutes for batch processing.|

+| May 2022 | **Synapse Link for SQL preview** | Azure Synapse Link for SQL is in preview for both SQL Server 2022 and Azure SQL Database. The Azure Synapse Link feature provides low- and no-code, near real-time data replication from your SQL-based operational stores into Azure Synapse Analytics. Provide BI reporting on operational data in near real-time, with minimal impact on your operational store. The [Azure Synapse Link for SQL preview has been announced](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/announcing-the-public-preview-of-azure-synapse-link-for-sql/ba-p/3372986). For more information, see [Blog: Azure Synapse Link for SQL Deep Dive](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/synapse-link-for-sql-deep-dive/ba-p/3567645).|

+## Synapse SQL

+This section summarizes recent improvements and features in SQL pools in Azure Synapse Analytics.

+|**Month** | **Feature** | **Learn more**|

+|:-- |:-- | :-- |

+| August 2022| **Spark Delta Lake tables in serverless SQL pools** | The ability to for serverless SQL pools to access Delta Lake tables created in Spark databases is in preview. For more information, see [Azure Synapse Analytics shared metadata tables](metadat).|

+| August 2022| **Multi-column distribution in dedicated SQL pools** | You can now Hash Distribute tables on multiple columns for a more even distribution of the base table, reducing data skew over time and improving query performance. For more information on opting-in to the preview, see [CREATE TABLE distribution options](/sql/t-sql/statements/create-table-azure-sql-data-warehouse#TableDistributionOptions) or [CREATE TABLE AS SELECT distribution options](/sql/t-sql/statements/create-table-as-select-azure-sql-data-warehouse#table-distribution-options).|

+| August 2022| **Distribution Advisor**| The Distribution Advisor is a new preview feature in Azure Synapse dedicated SQL pools Gen2 that analyzes queries and recommends the best distribution strategies for tables to improve query performance. For more information, see [Distribution Advisor in Azure Synapse SQL](sql/distribution-advisor.md).|

+| August 2022 | **Add SQL objects and users in Lake databases** | New capabilities announced for lake databases in serverless SQL pools: create schemas, views, procedures, inline table-valued functions. You can also database users from your Azure Active Directory domain and assign them to the db_datareader role. For more information, see [Access lake databases using serverless SQL pool in Azure Synapse Analytics](metadat).|

+| June 2022 | **Result set size limit increase** | The [maximum size of query result sets](./sql/resources-self-help-sql-on-demand.md?tabs=x80070002#constraints) in serverless SQL pools has been increased from 200 GB to 400 GB. |

+| May 2022 | **Automatic character column length calculation for serverless SQL pools** | It is no longer necessary to define character column lengths for serverless SQL pools in the data lake. You can get optimal query performance [without having to define the schema](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-may-update-2022/ba-p/3430970#TOCREF_4), because the serverless SQL pool will use automatically calculated average column lengths and cardinality estimation. |

+| April 2022 | **Cross-subscription restore for Azure Synapse SQL GA** | With the PowerShell `Az.Sql` module 3.8 update, the [Restore-AzSqlDatabase](/powershell/module/az.sql/restore-azsqldatabase) cmdlet can be used for cross-subscription restore of dedicated SQL pools. To learn more, see [Restore a dedicated SQL pool to a different subscription](sql-data-warehouse/sql-data-warehouse-restore-active-paused-dw.md#restore-an-existing-dedicated-sql-pool-formerly-sql-dw-to-a-different-subscription-through-powershell). This feature is now generally available for dedicated SQL pools (formerly SQL DW) and dedicated SQL pools in a Synapse workspace. [What's the difference?](https://aka.ms/dedicatedSQLpooldiff)|

+| April 2022 | **Recover SQL pool from dropped server or workspace** | With the PowerShell Restore cmdlets in `Az.Sql` and `Az.Synapse` modules, you can now restore from a deleted server or workspace without filing a support ticket. For more information, see [Restore a dedicated SQL pool from a deleted Azure Synapse workspace](backuprestore/restore-sql-pool-from-deleted-workspace.md) or [Restore a standalone dedicated SQL pools (formerly SQL DW) from a deleted server](backuprestore/restore-sql-pool-from-deleted-workspace.md), depending on your scenario. |

+| March 2022 | **Column level encryption for dedicated SQL pools** | [Column level encryption](/sql/relational-databases/security/encryption/encrypt-a-column-of-data?view=azure-sqldw-latest&preserve-view=true) is now generally available for use on new and existing Azure SQL logical servers with Azure Synapse dedicated SQL pools, as well as the dedicated SQL pools in Azure Synapse workspaces. SQL Server Data Tools (SSDT) support for column level encryption for the dedicated SQL pools is available starting with the 17.2 Preview 2 build of Visual Studio 2022.|

+| March 2022 | **Parallel execution for CETAS** | Better performance for [CREATE TABLE AS SELECT](sql/develop-tables-cetas.md) (CETAS) and subsequent SELECT statements now made possible by use of parallel execution plans. For examples, see [Better performance for CETAS and subsequent SELECTs](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/azure-synapse-analytics-march-update-2022/ba-p/3269194#TOCREF_7).|

+## Learn more

+- [Get started with Azure Synapse Analytics](get-started.md)

+- [Introduction to Azure Synapse Analytics](/training/modules/introduction-azure-synapse-analytics/)

+- [Realize Integrated Analytical Solutions with Azure Synapse Analytics](/training/paths/realize-integrated-analytical-solutions-with-azure-synapse-analytics/)

+- [Data integration at scale with Azure Data Factory or Azure Synapse Pipeline](/training/paths/data-integration-scale-azure-data-factory/)

+- [Microsoft Training Learning Paths for Azure Synapse](/training/browse/?terms=synapse&resource_type=learning%20path)

+- [Azure Synapse Analytics in Microsoft Q&A](/answers/topics/azure-synapse-analytics.html)

+- [Azure Synapse Analytics Blog](https://aka.ms/SynapseMonthlyUpdate)

+- [Become a Azure Synapse Influencer](https://aka.ms/synapseinfluencers)

+- [Azure Synapse Analytics terminology](overview-terminology.md)

+- [Azure Synapse Analytics migration guides](migration-guides/index.yml)

+- [Azure Synapse Analytics frequently asked questions](overview-faq.yml)

+You can create host pools in the following Azure regions:

+- Australia East

+- Canada Central

+- Canada East

+- Central US

+- East US

+- East US 2

+- Japan East

+- North Central US

+- North Europe

+- South Central US

+- UK South

+- UK West

+- West Central US

+- West Europe

+- West US

+- West US 2

+You can create host pools in the following Azure regions:

+- Australia East

+- Canada Central

+- Canada East

+- Central US

+- East US

+- East US 2

+- Japan East

+- North Central US

+- North Europe

+- South Central US

+- UK South

+- UK West

+- West Central US

+- West Europe

+- West US

+- West US 2